* In FC8 I would like to start playing with trusted X.
From: Daniel J Walsh @ 2007-05-15 18:44 UTC (permalink / raw)
To: Eamon Walsh, Ted X Toth, SE Linux
Supposedly the SELinux XExtensions are in FC7 and beyond, so time to
start using them.

But let's start simple ...

Some of you are looking at using Trusted X for MLS, but I want to look
at this from a targeted policy point of view. What are the security
goals of a normal Fedora user?

Let's establish two tangible goals.

1. Only the application with focus can get keyboard input. So if I am
on a web page that is asking me for a password (online banking), only
Firefox can read the input, not Thunderbird.
Theoretically I could run this with all apps mostly unconfined.
firefox_t can capture input on firefox_t, while unconfined_t cannot.

2. No apps except gimp can do a screen capture. Again I want all apps
mostly unconfined.
My goal is to get a policy that prevents any app from screen capture,
including unconfined_t. But gimp_t in the unconfined domain can.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: In FC8 I would like to start playing with trusted X.
From: Joshua Brindle @ 2007-05-16 0:58 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Eamon Walsh, Ted X Toth, SE Linux
Daniel J Walsh wrote:
> Supposedly the SELinux XExtensions are in FC7 and beyond, so time to
> start using them.
>
> But let's start simple ...
>
> Some of you are looking at using Trusted X for MLS, but I want to look
> at this from a targeted policy point of view. What are the security
> goals of a normal Fedora user?
> Let's establish two tangible goals.
>
> 1. Only the application with focus can get keyboard input. So if I am
> on a web page that is asking me for a password (online banking), only
> Firefox can read the input, not Thunderbird.
> Theoretically I could run this with all apps mostly unconfined.
> firefox_t can capture input on firefox_t, while unconfined_t cannot.
>

How many apps are you planning on confining for this goal? There are
very important ones (like gnome-agent) and less important ones (firefox
passwords that are stored on disk can be read by unconfined anyway).

> 2. No apps except gimp can do a screen capture. Again I want all apps
> mostly unconfined.
> My goal is to get a policy that prevents any app from screen capture,
> including unconfined_t. But gimp_t in the unconfined domain can.
>

I think you might run into some resistance here; there are dozens of
programs that do screen captures (screensavers, any of the many screen
capture programs, vnc server, etc).

And I bet (though I'm not sure) that an unconfined program could run
gimp with the right command options to take a screen capture and save it
to a file that would be accessible by said program.
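The objection in the message above, that an unconfined program could run gimp to take the capture and then read the saved file, can be checked mechanically over a rule set. The following is an added example, not part of the thread and not real SELinux policy: the domain names firefox_t, gimp_t and unconfined_t come from the thread, while root_window, capture, gimp_exec_t, home_file_t, gimp_capture_t and every rule are hypothetical labels constructed for illustration.

```python
from collections import deque

# Constructed toy policy, not real refpolicy. Domain names come from the
# thread; object types and permission names are hypothetical labels.
ALLOW = {
    ("gimp_t", "root_window", "capture"),        # goal 2: only gimp captures
    ("gimp_t", "home_file_t", "write"),          # gimp saves the image
    ("unconfined_t", "home_file_t", "read"),     # other apps read user files
    ("firefox_t", "home_file_t", "read"),
    ("unconfined_t", "gimp_exec_t", "execute"),  # anything may launch gimp
}
# (calling domain, executable type) -> domain the new process runs in
TRANSITIONS = {("unconfined_t", "gimp_exec_t"): "gimp_t"}

# Constructed variant: captures land in a type no other domain can read.
HARDENED = (ALLOW - {("gimp_t", "home_file_t", "write")}) | {
    ("gimp_t", "gimp_capture_t", "write"),
}


def allowed(domain, obj, perm, allow=ALLOW):
    return (domain, obj, perm) in allow


def capture_paths(domain, allow=ALLOW, transitions=TRANSITIONS):
    """List the ways `domain` can obtain screen contents.

    ("direct",): the domain itself may capture the root window.
    ("via", helper, store): the domain can start `helper`, which may
    capture and write to `store`, and the domain may read `store`.
    """
    paths = []
    if allowed(domain, "root_window", "capture", allow):
        paths.append(("direct",))
    seen, queue = {domain}, deque([domain])
    while queue:  # breadth-first walk over reachable domain transitions
        cur = queue.popleft()
        for (src, entry), dst in transitions.items():
            if src != cur or dst in seen:
                continue
            if not allowed(src, entry, "execute", allow):
                continue
            seen.add(dst)
            queue.append(dst)
            if not allowed(dst, "root_window", "capture", allow):
                continue
            stores = sorted(
                obj for (dom, obj, perm) in allow
                if dom == dst and perm == "write"
                and allowed(domain, obj, "read", allow)
            )
            paths.extend(("via", dst, store) for store in stores)
    return paths


if __name__ == "__main__":
    for dom in ("firefox_t", "gimp_t", "unconfined_t"):
        print(dom, capture_paths(dom), capture_paths(dom, HARDENED))
```

A direct-permission check alone reports unconfined_t as unable to capture; the transition walk is what surfaces the indirect path through gimp_t.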
* Re: In FC8 I would like to start playing with trusted X.
From: Daniel J Walsh @ 2007-05-16 1:33 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Eamon Walsh, Ted X Toth, SE Linux
Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Supposedly the SELinux XExtensions are in FC7 and beyond, so time to
>> start using them.
>>
>> But let's start simple ...
>>
>> Some of you are looking at using Trusted X for MLS, but I want to
>> look at this from a targeted policy point of view. What are the
>> security goals of a normal Fedora user?
>> Let's establish two tangible goals.
>>
>> 1. Only the application with focus can get keyboard input. So if I
>> am on a web page that is asking me for a password (online banking),
>> only Firefox can read the input, not Thunderbird.
>> Theoretically I could run this with all apps mostly unconfined.
>> firefox_t can capture input on firefox_t, while unconfined_t cannot.
>>
>
> How many apps are you planning on confining for this goal? There are
> very important ones (like gnome-agent) and less important ones
> (firefox passwords that are stored on disk can be read by unconfined
> anyway).

I am looking to experiment. Right now we supposedly have technology
that no one is using. If I can prevent the case of entering my password
for my online banking from any other app capturing keyboard input, I
will sleep slightly better. I don't tell Firefox to recode this password.
gnome-agent would be another. I would like to be able to disallow all
apps from capturing keyboard input without having focus, if possible.

>
>> 2. No apps except gimp can do a screen capture. Again I want all
>> apps mostly unconfined.
>> My goal is to get a policy that prevents any app from screen capture,
>> including unconfined_t. But gimp_t in the unconfined domain can.
>>
>
> I think you might run into some resistance here; there are dozens of
> programs that do screen captures (screensavers, any of the many screen
> capture programs, vnc server, etc).
>
> And I bet (though I'm not sure) that an unconfined program could run
> gimp with the right command options to take a screen capture and save
> it to a file that would be accessible by said program.

Yes, but at least we could begin to isolate these apps into
unconfined_screencapture apps, and then certification people could start
to eliminate these apps from being installed.

In order to get Trusted X to work for the Black ops people, we have to
get it working for the targeted policy. Whether it is a small fence or
a large fence...
* Re: In FC8 I would like to start playing with trusted X.
From: James Antill @ 2007-05-16 14:41 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Eamon Walsh, Ted X Toth, SE Linux
On Tue, 2007-05-15 at 14:44 -0400, Daniel J Walsh wrote:
> Supposedly the SELinux XExtensions are in FC7 and beyond, so time to
> start using them.
>
> But let's start simple ...
>
> Some of you are looking at using Trusted X for MLS, but I want to look
> at this from a targeted policy point of view. What are the security
> goals of a normal Fedora user?
>
> Let's establish two tangible goals.
>
> 1. Only the application with focus can get keyboard input. So if I am
> on a web page that is asking me for a password (online banking), only
> Firefox can read the input, not Thunderbird.
> Theoretically I could run this with all apps mostly unconfined.
> firefox_t can capture input on firefox_t, while unconfined_t cannot.

This might go well, I'm not sure, and if it does would be a big plus :)

> 2. No apps except gimp can do a screen capture. Again I want all apps
> mostly unconfined.
> My goal is to get a policy that prevents any app from screen capture,
> including unconfined_t. But gimp_t in the unconfined domain can.

You will need to include gnome-screenshot as well as gimp here though,
or a lot of people will complain (PrintScreen). With those two, this
might be able to work (none of the gnome-screensaver actions try to take
shots now, IIRC).
--
James Antill <jantill@redhat.com>
* Re: In FC8 I would like to start playing with trusted X.
From: Daniel J Walsh @ 2007-05-16 16:21 UTC (permalink / raw)
To: James Antill; +Cc: Eamon Walsh, Ted X Toth, SE Linux
James Antill wrote:
> On Tue, 2007-05-15 at 14:44 -0400, Daniel J Walsh wrote:
>
>> Supposedly the SELinux XExtensions are in FC7 and beyond, so time to
>> start using them.
>>
>> But let's start simple ...
>>
>> Some of you are looking at using Trusted X for MLS, but I want to look
>> at this from a targeted policy point of view. What are the security
>> goals of a normal Fedora user?
>>
>> Let's establish two tangible goals.
>>
>> 1. Only the application with focus can get keyboard input. So if I am
>> on a web page that is asking me for a password (online banking), only
>> Firefox can read the input, not Thunderbird.
>> Theoretically I could run this with all apps mostly unconfined.
>> firefox_t can capture input on firefox_t, while unconfined_t cannot.
>>
>
> This might go well, I'm not sure, and if it does would be a big plus :)
>
>
>> 2. No apps except gimp can do a screen capture. Again I want all apps
>> mostly unconfined.
>> My goal is to get a policy that prevents any app from screen capture,
>> including unconfined_t. But gimp_t in the unconfined domain can.
>>
>
> You will need to include gnome-screenshot as well as gimp here though,
> or a lot of people will complain (PrintScreen). With those two, this
> might be able to work (None of the gnome-screensaver actions try to take
> shots now, IIRC).
>
>
Ok now I was hoping the NSA guys would hop in and say. Hey here is how
you would do it. :^)
Because I have no idea. Any help would be appreciated.
* Re: In FC8 I would like to start playing with trusted X.
From: Eamon Walsh @ 2007-05-16 16:59 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: James Antill, Ted X Toth, SE Linux
Daniel J Walsh wrote:
> Ok now I was hoping the NSA guys would hop in and say. Hey here is how
> you would do it. :^)
> Because I have no idea. Any help would be appreciated.
I've been slowly reviewing all of the 35 X protocol extensions of which
I'm aware, trying to revise the set of object classes and permissions.
I have about 8 more extensions to go. I'm hoping to do a major release
of the security framework and Flask module before FC8.
I think the two goals you have set forth are a reasonable target. The
input goal I don't think is possible with the current implementation,
because the input extensions (XKB, XInput) are not covered by the
security hooks. The screenshot goal should be possible. There are many
screenshot apps but they all should call XCopyImage or similar, which
are controllable. The problem is that the screenshot app gets a
BadAccess error from the denial and Xlib calls abort; it's not very
graceful.
--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
* Re: In FC8 I would like to start playing with trusted X.
From: Daniel J Walsh @ 2007-05-16 17:07 UTC (permalink / raw)
To: Eamon Walsh; +Cc: James Antill, Ted X Toth, SE Linux
Eamon Walsh wrote:
> Daniel J Walsh wrote:
>> Ok now I was hoping the NSA guys would hop in and say. Hey here is
>> how you would do it. :^)
>> Because I have no idea. Any help would be appreciated.
>
> I've been slowly reviewing all of the 35 X protocol extensions of
> which I'm aware, trying to revise the set of object classes and
> permissions. I have about 8 more extensions to go. I'm hoping to do a
> major release of the security framework and Flask module before FC8.
>
> I think the two goals you have set forth are a reasonable target. The
> input goal I don't think is possible with the current implementation,
> because the input extensions (XKB, XInput) are not covered by the
> security hooks. The screenshot goal should be possible. There are
> many screenshot apps but they all should call XCopyImage or similar,
> which are controllable. The problem is that the screenshot app gets a
> BadAccess error from the denial and Xlib calls abort; it's not very
> graceful.
>
That is what I figured. And in order to get upstream of Xorg to fix
these problems, we have to start showing usefulness of the access control.
>
>
* Re: In FC8 I would like to start playing with trusted X.
From: Eamon Walsh @ 2007-05-16 18:14 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: James Antill, Ted X Toth, SE Linux
Daniel J Walsh wrote:
> Eamon Walsh wrote:
>> Daniel J Walsh wrote:
>>> Ok now I was hoping the NSA guys would hop in and say. Hey here is
>>> how you would do it. :^)
>>> Because I have no idea. Any help would be appreciated.
>> I've been slowly reviewing all of the 35 X protocol extensions of
>> which I'm aware, trying to revise the set of object classes and
>> permissions. I have about 8 more extensions to go. I'm hoping to do a
>> major release of the security framework and Flask module before FC8.
>>
>> I think the two goals you have set forth are a reasonable target. The
>> input goal I don't think is possible with the current implementation,
>> because the input extensions (XKB, XInput) are not covered by the
>> security hooks. The screenshot goal should be possible. There are
>> many screenshot apps but they all should call XCopyImage or similar,
>> which are controllable. The problem is that the screenshot app gets a
>> BadAccess error from the denial and Xlib calls abort; it's not very
>> graceful.
>>
> That is what I figured. And in order to get upstream of Xorg to fix
> these problems, we have to start showing usefulness of the access control.
I have some ideas for demos to show the usefulness of the controls.
Basically bring up a graffiti program that draws on other windows and
show how it can be selectively stopped. Same thing with a program that
monitors keyboard input. This doesn't have to be SELinux-based, it
could be a simple DAC module with permission buttons on the window title
bar. Just as soon as I finish my Big Spreadsheet of X Protocol and
implement the support for the extensions...
Upstream Xorg is not really the problem though. The new XCB libraries
have support for proper error handling. The problem is getting the
toolkits and applications, GTK+ etc. to switch over from Xlib and/or
actually check for errors on every request.
--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
* Re: In FC8 I would like to start playing with trusted X.
From: Ted X Toth @ 2007-05-16 21:34 UTC (permalink / raw)
To: Eamon Walsh; +Cc: SE Linux
Eamon Walsh wrote:
> Daniel J Walsh wrote:
>> Eamon Walsh wrote:
>>> Daniel J Walsh wrote:
>>>> Ok now I was hoping the NSA guys would hop in and say. Hey here is
>>>> how you would do it. :^)
>>>> Because I have no idea. Any help would be appreciated.
>>> I've been slowly reviewing all of the 35 X protocol extensions of
>>> which I'm aware, trying to revise the set of object classes and
>>> permissions. I have about 8 more extensions to go. I'm hoping to do
>>> a major release of the security framework and Flask module before FC8.
>>>
>>> I think the two goals you have set forth are a reasonable target.
>>> The input goal I don't think is possible with the current
>>> implementation, because the input extensions (XKB, XInput) are not
>>> covered by the security hooks. The screenshot goal should be
>>> possible. There are many screenshot apps but they all should call
>>> XCopyImage or similar, which are controllable. The problem is that
>>> the screenshot app gets a BadAccess error from the denial and Xlib
>>> calls abort; it's not very graceful.
>>>
>> That is what I figured. And in order to get upstream of Xorg to fix
>> these problems, we have to start showing usefulness of the access
>> control.
>
>
> I have some ideas for demos to show the usefulness of the controls.
> Basically bring up a graffiti program that draws on other windows and
> show how it can be selectively stopped. Same thing with a program
> that monitors keyboard input. This doesn't have to be SELinux-based,
> it could be a simple DAC module with permission buttons on the window
> title bar. Just as soon as I finish my Big Spreadsheet of X Protocol
> and implement the support for the extensions...
>
> Upstream Xorg is not really the problem though. The new XCB libraries
> have support for proper error handling. The problem is getting the
> toolkits and applications, GTK+ etc. to switch over from Xlib and/or
> actually check for errors on every request.
>
>
What is the current status of the xserver policy? Has it been upstreamed?
* Re: In FC8 I would like to start playing with trusted X.
From: Eamon Walsh @ 2007-05-18 19:53 UTC (permalink / raw)
To: Ted X Toth; +Cc: SE Linux
Ted X Toth wrote:
> What is the current status of the xserver policy? Has it been upstreamed?
I did post refpolicy patches some months back but Chris identified some
issues with them and since I am revisiting the object class/permission
set I have not done further work on them.
--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency