[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

writing a firefox policy


I want to write a policy for firefox, as to me, it is almost an
always-on always-running network daemon.

I think there will always be another vulnerability leading to remote
code execution. But how can a policy protect against that?

Using policygentool, I created a policy for firefox-bin. It created a
domain. And I labeled the starter script /usr/bin/firefox as
"initrc_exec_t" . The ".mozilla" dir became the log dir. I also
created a dir labeled "download_t" so I can save files there. I think
I should take away "read" for "user_home_t" too.

So I guess the new domain will prevent transition into bin_t, sbin_t
and others. But I notice the generated te allows exec of all "lib_t"
libraries.  That is an awful lot of libraries with lots of functions
and probably a lot of bugs. Should I be worried? If I follow the
doctrine of whitelisting everything and least privilege, I ought to
label and specifically permit only the libraries that are needed,
right? I am starting on identifying and labelling, but I have a
feeling that it will become a maintenance nightmare.

Maybe I don't fully understand "remote code execution". To me, it just
means being able to conjure up a shell and running some hacker magic
to gain root. Maybe the exploit doesn't even require a shell, and can
wiggle its way through the vast lib_t for its own end. :(

Apart from minimal library usage, what other correct behaviours should
I restrict firefox to?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]