On Mon, 2012-08-13 at 06:33 +0100, Robin Green wrote:
I would like to allow chromium within a sandbox to access KWallet
running in KDE outside the sandbox, so that
(a) my website passwords cannot be directly read from within a sandbox
- access must be mediated by KWallet, which can prompt me for my
KWallet password to confirm. So if I am prompted by KWallet while on a
web page without a saved password, I will know something is amiss.
(b) my website passwords are shared between sandboxes
I say chromium because Firefox does not use an external wallet service.
I've got part-way there. Here is what I've done so far:
I found out that KWallet uses dbus to communicate (specifically, the
session bus, because it's a desktop daemon). Because the dbus session
bus is by default a unix socket in /tmp, which would be hidden by
seunshare, I created /etc/dbus-1/session-local.conf as follows:
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<listen>unix:tmpdir=/dev/shm</listen>
</busconfig>
and logged out and logged back in again in order to restart the session bus.
I then passed the dbus socket name into the sandbox at creation time using
env
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/dev/shm/dbus-wyOMqiEGrR,guid=8e741d603eb65ed7bf138cac00060be0
xterm
as the command for sandbox to run.
To run chromium I used
chromium-browser --no-sandbox --password-store=kwallet
A couple of iterations of audit2allow and semodule -i later, I had
this policy module installed:
allow sandbox_web_client_t unconfined_dbusd_t:unix_stream_socket connectto;
allow sandbox_web_client_t config_usr_t:dir read;
allow sandbox_web_client_t unconfined_t:unix_stream_socket connectto;
but chromium is still outputting to the terminal this when it tries to
communicate with KWallet:
** (exe:9107): WARNING **:
GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy
prevents this sender from sending this message to this recipient, 0
matched rules; type="method_call", sender="(null)" (inactive)
interface="org.freedesktop.DBus" member="Hello" error
name="(unset)"
requested_reply="0" destination="org.freedesktop.DBus" (bus)
I can't find relevant entries in /var/log/audit.log at first glance,
so maybe these are checks done by the dbus daemon itself, rather than
the kernel.
Also check /var/log/messages; dbus-related AVC denials go all over the
place.
If you allow this, then you probably allow your sandbox to dbus chat to
any user application running in the user domain.
If you confine kwallet then you should be able to restrict your sandbox
to only chat to kwallet via dbus.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
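Added example (not from either message above, and not part of any Fedora or dbus tooling): the "Hello" failure is decided by dbus-daemon, which checks every message it routes as a `dbus { send_msg }` access from the sender's domain to the recipient's domain using the userspace AVC in libselinux, and logs denials through syslog rather than the kernel audit log. The script below pulls those lines out of /var/log/messages-style text, builds the minimal .te module they imply (replies are checked too, so the kwalletd -> sandbox direction shows up as its own denial), and flags any rule whose target is a whole user domain, which is the over-broad grant the reply warns about. The log lines are constructed to match dbus-daemon's format, the PIDs, contexts and timestamps are made up, the module name "sandbox_kwallet" is the caller's choice, and the set of "broad" domains is just unconfined_t as named in the reply.

```python
"""Turn dbus-daemon's SELinux denials into a minimal policy module.

dbus-daemon enforces SELinux on the bus itself: each routed message is
checked as `dbus { send_msg }` from the sender's domain to the recipient's
domain by the libselinux userspace AVC, and denials go out via syslog
(/var/log/messages on Fedora), not the kernel audit log. That is why the
"Hello" refusal above never appears in audit.log.
"""
import re

# Constructed sample: three dbus-daemon denials and one kernel AVC line, in
# the shape they take in /var/log/messages. PIDs, contexts and timestamps
# are invented; none of this is taken from the thread.
SAMPLE_LOG = """\
Aug 13 06:33:01 box dbus[1234]: avc:  denied  { send_msg } for  msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=9107 tpid=1234 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0 tclass=dbus
Aug 13 06:33:01 box dbus[1234]: avc:  denied  { send_msg } for  msgtype=method_call interface=org.kde.KWallet member=open dest=org.kde.kwalletd spid=9107 tpid=2345 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=dbus
Aug 13 06:33:01 box dbus[1234]: avc:  denied  { send_msg } for  msgtype=method_return interface=(null) member=(null) dest=:1.42 spid=2345 tpid=9107 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tclass=dbus
Aug 13 06:33:02 box kernel: type=1400 audit(1344836582.123:456): avc:  denied  { read } for  pid=9107 comm="chromium-browse" name="config" dev="dm-1" ino=77 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c12,c34 tcontext=unconfined_u:object_r:config_usr_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<data>.*?)"
    r"\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def _type_of(context):
    """user:role:type[:level] -> type (the part a .te rule names)."""
    return context.split(":")[2]


def parse_dbus_denials(log_text):
    """One dict per tclass=dbus denial; kernel AVCs of other classes are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "dbus":
            continue
        fields = dict(re.findall(r"(\w+)=(\S+)", m.group("data")))
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": _type_of(m.group("scontext")),
            "ttype": _type_of(m.group("tcontext")),
            "msgtype": fields.get("msgtype"),
            "interface": fields.get("interface"),
            "member": fields.get("member"),
            "dest": fields.get("dest"),
        })
    return denials


def build_rules(denials):
    """Collapse denials into {(source_type, target_type): set(perms)}, first-seen order."""
    rules = {}
    for d in denials:
        rules.setdefault((d["stype"], d["ttype"]), set()).update(d["perms"])
    return rules


def _perm_list(perms):
    """SELinux policy syntax: a single permission bare, several in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, name):
    """Render a .te file (build it with checkmodule/semodule_package, then semodule -i).
    `name` is whatever the caller wants the module called."""
    types = sorted({t for pair in rules for t in pair})
    perms = {p for ps in rules.values() for p in ps}
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass dbus {_perm_list(perms)};", "}", ""]
    out += [f"allow {s} {t}:dbus {_perm_list(ps)};" for (s, t), ps in rules.items()]
    return "\n".join(out) + "\n"


def find_broad_targets(rules, sandbox_type="sandbox_web_client_t",
                       broad_types=("unconfined_t",)):
    """Rules that let the sandbox send to an entire user domain instead of one
    confined service: with kwalletd unconfined, send_msg to unconfined_t reaches
    every unconfined process on the bus, not just the wallet."""
    return [(s, t) for (s, t) in rules if s == sandbox_type and t in broad_types]


if __name__ == "__main__":
    rules = build_rules(parse_dbus_denials(SAMPLE_LOG))
    print(render_module(rules, "sandbox_kwallet"))
    for s, t in find_broad_targets(rules):
        print(f"# WARNING: {s} -> {t} reaches every process in {t}, not only kwalletd")
```

On a real box, feed it `grep 'tclass=dbus' /var/log/messages` instead of SAMPLE_LOG. The kernel-side connectto/read rules audit2allow already produced stay as they are; this only covers the bus-level checks. The warning is the actionable part: the generated rule for unconfined_t is exactly what the reply describes, and the fix is to confine kwalletd in its own domain so the target of that rule is narrow.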