I would like to allow chromium within a sandbox to access KWallet
running in KDE outside the sandbox, so that
(a) my website passwords cannot be directly read from within a sandbox
- access must be mediated by KWallet, which can prompt me for my
KWallet password to confirm. So if I am prompted by KWallet while on a
web page without a saved password, I will know something is amiss.
(b) my website passwords are shared between sandboxes
I say chromium because Firefox does not use an external wallet service.
I've got part-way there. Here is what I've done so far:
I found out that KWallet uses dbus to communicate (specifically, the
session bus, because it's a desktop daemon). Because the dbus session
bus is by default a unix socket in /tmp, which would be hidden by
seunshare, I created /etc/dbus-1/session-local.conf as follows:
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<listen>unix:tmpdir=/dev/shm</listen>
</busconfig>
and logged out and logged back in again in order to restart the session bus.
I then passed the dbus socket name into the sandbox at creation time using
env DBUS_SESSION_BUS_ADDRESS=unix:abstract=/dev/shm/dbus-wyOMqiEGrR,guid=8e741d603eb65ed7bf138cac00060be0 xterm
as the command for sandbox to run.
To run chromium I used
chromium-browser --no-sandbox --password-store=kwallet
A couple of iterations of audit2allow and semodule -i later, I had
this policy module installed:
allow sandbox_web_client_t unconfined_dbusd_t:unix_stream_socket connectto;
allow sandbox_web_client_t config_usr_t:dir read;
allow sandbox_web_client_t unconfined_t:unix_stream_socket connectto;
but chromium is still outputting this to the terminal when it tries to
communicate with KWallet:
** (exe:9107): WARNING **:
GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy
prevents this sender from sending this message to this recipient, 0
matched rules; type="method_call", sender="(null)" (inactive)
interface="org.freedesktop.DBus" member="Hello" error
name="(unset)"
requested_reply="0" destination="org.freedesktop.DBus" (bus)
I can't find relevant entries in /var/log/audit.log at first glance,
so maybe these are checks done by the dbus daemon itself, rather than
the kernel.
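
The kernel-versus-dbus-daemon question raised at the end of the post, as an added example that is not part of the original post: a small parser that reads "avc: denied" records and reports which side made each check. The log lines are constructed, and the assumption is that the bus daemon's denial is logged in the same "avc: denied" layout (as a USER_AVC audit record or a syslog line); the function names are hypothetical.

```python
import re

# Constructed records in the usual "avc: denied" layout (not from the post's machine).
SAMPLE_LOG = [
    'type=AVC msg=audit(1300000000.100:41): avc:  denied  { connectto } for  pid=9107 '
    'comm="exe" scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c1,c2 '
    'tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0 tclass=unix_stream_socket',
    "type=USER_AVC msg=audit(1300000001.200:42): pid=2011 uid=500 msg='avc:  denied  "
    '{ send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello '
    'dest=org.freedesktop.DBus scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0 '
    "tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0 tclass=dbus'",
    'type=SYSCALL msg=audit(1300000000.100:41): arch=c000003e syscall=42 success=no',
]

DENIAL = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)'
)


def selinux_type(context):
    return context.split(':')[2]  # user:role:type[:level] -> type


def parse_denials(lines):
    """Extract denials and say whether the kernel or a userspace manager made the check."""
    out = []
    for line in lines:
        m = DENIAL.search(line)
        if not m:
            continue
        # The dbus class is checked by dbus-daemon itself, never by the kernel.
        userspace = line.startswith('type=USER_AVC') or m['tclass'] == 'dbus'
        out.append({
            'enforcer': 'userspace' if userspace else 'kernel',
            'source': selinux_type(m['scon']), 'target': selinux_type(m['tcon']),
            'tclass': m['tclass'], 'perms': m['perms'].split(),
        })
    return out


def as_allow_rule(d):
    """Render a denial in the same form as the allow rules quoted in the post."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return f"allow {d['source']} {d['target']}:{d['tclass']} {perms};"


if __name__ == '__main__':
    print(*(f"{d['enforcer']}: {as_allow_rule(d)}" for d in parse_denials(SAMPLE_LOG)), sep='\n')
```

Denials tagged "userspace" with class dbus are produced by the bus daemon's own access check, so they do not appear as type=AVC kernel records.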