Monthly Archives: February 2009

Locking down your browser plugins in F10

With the recent news of multiple vulnerabilities in Adobe flash and PDF software, folk running Fedora 10 may wish to consider using SELinux to confine browser plugins.

Dan Walsh has previously implemented SELinux lockdown for browser plugins via nspluginwrapper, as discussed here. Unfortunately, this has been disabled by default, due to a clash with the mozplugger package, which uses nspluginwrapper to launch applications inside the browser.

Personally, I’m happy to have OpenOffice or similar open up in a separate window, using the standard Firefox mechanism for doing so, especially if it means I’m able to keep browser plugin confinement enabled.

Here’s what I did:

# yum remove mozplugger

# setsebool -P allow_unconfined_nsplugin_transition=on

# setsebool -P allow_nsplugin_execmem=off

# setsebool -P nsplugin_can_network=off

This of course removes mozplugger, but I don’t seem to need it. When downloading a PDF, for example, Firefox prompts if I want to open it with evince, and provides me with an option to always do that without further prompting. YMMV.

The setsebool commands change several nspluginwrapper options in SELinux, while the -P option ensures that the changes persist across reboots (see setsebool(8)).

Detailed explanation:

  • Enabling allow_unconfined_nsplugin_transition ensures that nspluginwrapper transitions to a new security label when running a plugin, so that special security policy can be applied to it. This is required for any useful effect.
  • Disabling allow_nsplugin_execmem ensures that memory protections are being enforced to prevent plugins from executing code on the stack and in mapped memory.
  • Disabling nsplugin_can_network prevents plugins from connecting to anything other than reserved ports. Apparently, this may upset some flash code which wants to call home (you’d be surprised how much of this goes on, or perhaps not), so you may want to leave this as-is, or at least keep an eye on the messages from setroubleshoot.

Note that if you do run into problems, you can put SELinux into permissive mode rather than disabling it, which will at least provide some useful logging information (and feel free to post questions to the fedora-selinux-list).

Btw, here’s how to configure SELinux for permissive mode:

SELinux administration in Fedora 10

System -> Administration -> SELinux Management

Setting SELinux enforcing mode in Fedora 10

Set ‘System Default Enforcing Mode’ to ‘Permissive’

And you’re done.

A bugzilla ticket has been opened on the issue of finding a long-term solution which allows both mozplugger and plugin confinement to co-exist, but unfortunately, users currently need to decide whether they prefer increased security or a more Windows-like experience, with the latter as the default.

LCA sVirt talk video online

Some videos from LCA 2009 have been posted online, per this email from Mary Gardiner.

The video from my sVirt (MAC security for Linux virtualization) talk is available as an OGG file. I’ve also re-uploaded it as a google video.

I’d suggest having a copy of the slides open when watching, as they’re not always shown in the video, and you’re definitely better off looking at them than me in any case.

LCA was a genuinely enjoyable conference: laid-back and really well organized, with a good balance of talks. One really great aspect was the way internet access was provided to the accommodation, which at least in my case, worked perfectly, with a microwave link from UTAS connected to the hotel’s internal wiring. I often need to work during conferences, and having good network access is probably my top priority in selecting accommodation.

I was glad to be part of the security miniconf organized by Casey Schaufler, which brought together folk from the kernel security community and various highly technical folk. There were talks from several leading security developers, including Casey (fs capabilities and rootless systems), Russell Coker (standing in for Kaigai Kohei on SE-postgresql and web application MAC), and Kentaro Takeda (TOMOYO). The miniconf concluded with an open panel discussion which was covered by LWN. For reasons I can’t quite recall now, I ended up doing an ad-hoc presentation on Fedora Kiosk Mode, which I think helped demonstrate some of the progress SELinux has made in terms of usability and extension to general use scenarios.

Also see my flickr photoset, and a short video of one of the exhibitions from the Batteries Not Included art exhibition, which ran as part of the conference.

LCA 2010 will be held in Wellington, New Zealand — here’s an amusing video by the organizers. I hope to make it there.