* Trying to figure out the signature of a screen capture.
From: Daniel J Walsh @ 2008-10-15 16:38 UTC
To: Eamon Walsh, SE Linux
I wanted to see if we could prevent nsplugin_t from screen capturing
random parts of the Desktop.

So I relabeled /usr/bin/gimp as nsplugin_exec_t, then ran it to get
AVCs when capturing a screen image. Sadly no AVCs were generated, so
nsplugin_t can capture screen images.
I wanted to see what AVCs are created when you screen capture that are
different from running a standard X app, so I labeled /usr/bin/gimp and
put the machine in permissive mode, ran gimp to the point of capturing
the screen capture, and cleared the log files.

When capturing the image I got the following allow rules:
allow gpg_t focus_xevent_t:x_event receive;
allow gpg_t input_xevent_t:x_event receive;
allow gpg_t self:x_cursor destroy;
allow gpg_t xdm_rootwindow_t:x_drawable { read setattr };
allow gpg_t xdm_xserver_t:x_device { freeze force_cursor bell };
Is there anything we could eliminate from common X apps to prevent
nsplugin from screen capture?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Trying to figure out the signature of a screen capture.
From: Eamon Walsh @ 2008-10-15 17:15 UTC
To: Daniel J Walsh; +Cc: SE Linux
Daniel J Walsh wrote:
> I wanted to see if we could prevent nsplugin_t from screen capturing
> random parts of the Desktop.
>
> So I relabeled /usr/bin/gimp as nsplugin_exec_t, then ran it to get
> AVCs when capturing a screen image. Sadly no AVCs were generated, so
> nsplugin_t can capture screen images.
>
> I wanted to see what AVCs are created when you screen capture that are
> different from running a standard X app, so I labeled /usr/bin/gimp and
> put the machine in permissive mode, ran gimp to the point of capturing
> the screen capture, and cleared the log files.
>
> When capturing the image I got the following allow rules:
>
> allow gpg_t focus_xevent_t:x_event receive;
> allow gpg_t input_xevent_t:x_event receive;
> allow gpg_t self:x_cursor destroy;
> allow gpg_t xdm_rootwindow_t:x_drawable { read setattr };
> allow gpg_t xdm_xserver_t:x_device { freeze force_cursor bell };
>
> Is there anything we could eliminate from common X apps to prevent
> nsplugin from screen capture?
It's "read" permission on the root window. Remember that if you can
read a window, you can read all of its children as well. So having read
on the root means you can see everything.
Most apps shouldn't have this, and I don't see it granted in the current
policy. Actually I think GIMP launches a helper app to actually do the
screencap. I remember seeing its path in the AVC message. So maybe
that's why it's not working for you.
--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
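The experiment in the first message (run a domain permissive, collect the X11 AVC denials, turn them into allow rules) and the check Eamon describes (does any resulting rule grant `read` on the root window drawable) can be scripted. The following is an added example, not code from the thread or from the SELinux project: it aggregates denials the way audit2allow does and flags the root-window read. The USER_AVC lines are constructed samples in the approximate shape the X server's SELinux extension logs, with nsplugin_t as the subject domain; the `request=` and `comm=` fields are illustrative and the regex only relies on the `avc: denied { perms } ... scontext= tcontext= tclass=` portion.

```python
"""
Added example (not from the thread): turn X11 AVC denials, as logged when a
domain runs in permissive mode, into the allow rules audit2allow would print,
then flag any rule that would grant 'read' on the root window drawable, the
permission the thread identifies as sufficient for screen capture.
"""
import re
from collections import defaultdict

# Constructed sample USER_AVC lines (not captured output). The overall shape
# follows what the X server's SELinux extension logs via audit; only the
# 'avc: denied { ... } ... scontext= tcontext= tclass=' part is parsed.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1224088000.123:45): user pid=1803 uid=0 auid=500 subj=system_u:system_r:xdm_xserver_t:s0 msg='avc:  denied  { read } for request=X11:GetImage comm=gimp scontext=user_u:user_r:nsplugin_t:s0 tcontext=system_u:object_r:xdm_rootwindow_t:s0 tclass=x_drawable'
type=USER_AVC msg=audit(1224088000.124:46): user pid=1803 uid=0 auid=500 subj=system_u:system_r:xdm_xserver_t:s0 msg='avc:  denied  { setattr } for request=X11:ChangeWindowAttributes comm=gimp scontext=user_u:user_r:nsplugin_t:s0 tcontext=system_u:object_r:xdm_rootwindow_t:s0 tclass=x_drawable'
type=USER_AVC msg=audit(1224088000.125:47): user pid=1803 uid=0 auid=500 subj=system_u:system_r:xdm_xserver_t:s0 msg='avc:  denied  { receive } for request=X11:Event comm=gimp scontext=user_u:user_r:nsplugin_t:s0 tcontext=system_u:object_r:focus_xevent_t:s0 tclass=x_event'
type=USER_AVC msg=audit(1224088000.126:48): user pid=1803 uid=0 auid=500 subj=system_u:system_r:xdm_xserver_t:s0 msg='avc:  denied  { freeze force_cursor } for request=X11:GrabPointer comm=gimp scontext=user_u:user_r:nsplugin_t:s0 tcontext=system_u:object_r:xdm_xserver_t:s0 tclass=x_device'
"""

# Standard AVC denial syntax: the permission set in braces, then the
# source/target security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def avc_to_rules(log_text):
    """Aggregate denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial; skip
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def format_rule(key, perms):
    """Render one aggregated rule in the allow-rule syntax shown in the thread."""
    stype, ttype, tclass = key
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_str};"


def grants_rootwindow_read(rules):
    """Source types that would gain 'read' on the root window drawable.

    Per the thread, read on a window implies read on all of its children, so
    read on the root window is enough to capture the whole screen.
    """
    return sorted(
        s for (s, t, c), perms in rules.items()
        if t == "xdm_rootwindow_t" and c == "x_drawable" and "read" in perms
    )


if __name__ == "__main__":
    rules = avc_to_rules(SAMPLE_LOG)
    for key in sorted(rules):
        print(format_rule(key, rules[key]))
    for domain in grants_rootwindow_read(rules):
        print(f"# WARNING: {domain} would be able to read the root window (screen capture)")
```

Run against a real audit log, the warning list is the set of domains whose generated allow rules should get a second look before being added to policy; the other rules (event receive, cursor, device) are the ordinary X client permissions the thread's own list shows every X app needs.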
* Re: Trying to figure out the signature of a screen capture.
From: Daniel J Walsh @ 2008-10-15 19:48 UTC
To: Eamon Walsh; +Cc: SE Linux
Eamon Walsh wrote:
> Daniel J Walsh wrote:
>> I wanted to see if we could prevent nsplugin_t from screen capturing
>> random parts of the Desktop.
>>
>> So I relabeled /usr/bin/gimp as nsplugin_exec_t, then ran it to get
>> AVCs when capturing a screen image. Sadly no AVCs were generated, so
>> nsplugin_t can capture screen images.
>>
>> I wanted to see what AVCs are created when you screen capture that are
>> different from running a standard X app, so I labeled /usr/bin/gimp and
>> put the machine in permissive mode, ran gimp to the point of capturing
>> the screen capture, and cleared the log files.
>>
>> When capturing the image I got the following allow rules:
>>
>> allow gpg_t focus_xevent_t:x_event receive;
>> allow gpg_t input_xevent_t:x_event receive;
>> allow gpg_t self:x_cursor destroy;
>> allow gpg_t xdm_rootwindow_t:x_drawable { read setattr };
>> allow gpg_t xdm_xserver_t:x_device { freeze force_cursor bell };
>>
>> Is there anything we could eliminate from common X apps to prevent
>> nsplugin from screen capture?
>
> It's "read" permission on the root window. Remember that if you can
> read a window, you can read all of its children as well. So having read
> on the root means you can see everything.
>
> Most apps shouldn't have this, and I don't see it granted in the current
> policy. Actually I think GIMP launches a helper app to actually do the
> screencap. I remember seeing its path in the AVC message. So maybe
> that's why it's not working for you.
>
>
>
So are you saying:

allow gpg_t xdm_rootwindow_t:x_drawable { read setattr };

If I don't allow this to apps, it would be blocked?

Or some other
* Re: Trying to figure out the signature of a screen capture.
From: Eamon Walsh @ 2008-10-15 20:22 UTC
To: Daniel J Walsh; +Cc: SE Linux
Daniel J Walsh wrote:
> Eamon Walsh wrote:
> > Daniel J Walsh wrote:
> >> I wanted to see if we could prevent nsplugin_t from screen capturing
> >> random parts of the Desktop.
> >>
> >> So I relabeled /usr/bin/gimp as nsplugin_exec_t, then ran it to get
> >> AVCs when capturing a screen image. Sadly no AVCs were generated, so
> >> nsplugin_t can capture screen images.
> >>
> >> I wanted to see what AVCs are created when you screen capture that are
> >> different from running a standard X app, so I labeled /usr/bin/gimp and
> >> put the machine in permissive mode, ran gimp to the point of capturing
> >> the screen capture, and cleared the log files.
> >>
> >> When capturing the image I got the following allow rules:
> >>
> >> allow gpg_t focus_xevent_t:x_event receive;
> >> allow gpg_t input_xevent_t:x_event receive;
> >> allow gpg_t self:x_cursor destroy;
> >> allow gpg_t xdm_rootwindow_t:x_drawable { read setattr };
> >> allow gpg_t xdm_xserver_t:x_device { freeze force_cursor bell };
> >>
> >> Is there anything we could eliminate from common X apps to prevent
> >> nsplugin from screen capture?
> > It's "read" permission on the root window. Remember that if you can
> > read a window, you can read all of its children as well. So having read
> > on the root means you can see everything.
>
> > Most apps shouldn't have this, and I don't see it granted in the current
> > policy. Actually I think GIMP launches a helper app to actually do the
> > screencap. I remember seeing its path in the AVC message. So maybe
> > that's why it's not working for you.
>
>
>
> So are you saying:
>
> allow gpg_t xdm_rootwindow_t:x_drawable { read setattr };
>
> If I don't allow this to apps, it would be blocked?
>
> Or some other
Yes, if you disallow the "read" above then it should bomb out with a
"BadAccess" error when you try to do the screenshot.
--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
* Re: Trying to figure out the signature of a screen capture.
From: Daniel J Walsh @ 2008-10-20 19:57 UTC
To: Eamon Walsh; +Cc: SE Linux
Eamon Walsh wrote:
> Daniel J Walsh wrote:
>> Eamon Walsh wrote:
>>> Daniel J Walsh wrote:
>>>> I wanted to see if we could prevent nsplugin_t from screen capturing
>>>> random parts of the Desktop.
>>>>
>>>> So I relabeled /usr/bin/gimp as nsplugin_exec_t, then ran it to get
>>>> AVCs when capturing a screen image. Sadly no AVCs were generated, so
>>>> nsplugin_t can capture screen images.
>>>>
>>>> I wanted to see what AVCs are created when you screen capture that are
>>>> different from running a standard X app, so I labeled /usr/bin/gimp and
>>>> put the machine in permissive mode, ran gimp to the point of capturing
>>>> the screen capture, and cleared the log files.
>>>>
>>>> When capturing the image I got the following allow rules:
>>>>
>>>> allow gpg_t focus_xevent_t:x_event receive;
>>>> allow gpg_t input_xevent_t:x_event receive;
>>>> allow gpg_t self:x_cursor destroy;
>>>> allow gpg_t xdm_rootwindow_t:x_drawable { read setattr };
>>>> allow gpg_t xdm_xserver_t:x_device { freeze force_cursor bell };
>>>>
>>>> Is there anything we could eliminate from common X apps to prevent
>>>> nsplugin from screen capture?
>>> It's "read" permission on the root window. Remember that if you can
>>> read a window, you can read all of its children as well. So having read
>>> on the root means you can see everything.
>>> Most apps shouldn't have this, and I don't see it granted in the current
>>> policy. Actually I think GIMP launches a helper app to actually do the
>>> screencap. I remember seeing its path in the AVC message. So maybe
>>> that's why it's not working for you.
>>
>>
>> So are you saying:
>>
>> allow gpg_t xdm_rootwindow_t:x_drawable { read setattr };
>>
>> If I don't allow this to apps, it would be blocked?
>>
>> Or some other
>
>
> Yes, if you disallow the "read" above then it should bomb out with a
> "BadAccess" error when you try to do the screenshot.
>
>
Sadly flashplugin required this in order to watch Sarah Palin on
Saturday Night Live.

allow nsplugin_t xdm_rootwindow_t:x_drawable read;

Maybe someone is trying to take a screen capture of Sarah? :^)