Gentoo Forums
Deploy paxctl-ng XATTR markings on Dillo browser
miroR
l33t
Joined: 05 Mar 2008
Posts: 826

Posted: Tue Jul 07, 2015 4:51 pm    Post subject: Deploy paxctl-ng XATTR markings on Dillo browser

The inner workings of the Dillo browser (which I really need in my environment: sea-calm secure in comparison with the big harvesting browsers), some of those inner workings of Dillo are provided by these:

Code:

# ls -lR /usr/lib64/dillo/dpi/
/usr/lib64/dillo/dpi/:
total 36
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 bookmarks
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 cookies
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 datauri
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 downloads
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 file
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 ftp
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 hello
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 https
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 vsource

/usr/lib64/dillo/dpi/bookmarks:
total 52
-rwxr-xr-x 1 root root 51064 2015-07-05 07:33 bookmarks.dpi

/usr/lib64/dillo/dpi/cookies:
total 48
-rwxr-xr-x 1 root root 47240 2015-07-05 07:33 cookies.dpi

/usr/lib64/dillo/dpi/datauri:
total 36
-rwxr-xr-x 1 root root 34680 2015-07-05 07:33 datauri.filter.dpi

/usr/lib64/dillo/dpi/downloads:
total 52
-rwxr-xr-x 1 root root 51064 2015-07-05 07:33 downloads.dpi

/usr/lib64/dillo/dpi/file:
total 44
-rwxr-xr-x 1 root root 42872 2015-07-05 07:33 file.dpi

/usr/lib64/dillo/dpi/ftp:
total 36
-rwxr-xr-x 1 root root 34680 2015-07-05 07:33 ftp.filter.dpi

/usr/lib64/dillo/dpi/hello:
total 32
-rwxr-xr-x 1 root root 30584 2015-07-05 07:33 hello.filter.dpi

/usr/lib64/dillo/dpi/https:
total 40
-rwxr-xr-x 1 root root 38776 2015-07-05 07:33 https.filter.dpi

/usr/lib64/dillo/dpi/vsource:
total 36
-rwxr-xr-x 1 root root 34688 2015-07-05 07:33 vsource.filter.dpi
#


I had to do this on those:

Code:

# Walk every dpi helper binary, show its PaX flags and, on confirmation,
# copy PT_PAX to XATTR_PAX (-F). Needs the ask() function from ~root/.bashrc.
for dir in /usr/lib64/dillo/dpi/*/ ; do
   ls -l "$dir"
   for bin in "$dir"* ; do
      paxctl-ng -v "$bin"
      if ask "Copy PT_PAX to XATTR_PAX?" ; then
         paxctl-ng -F "$bin"
         read -r FAKE   # pause until Enter is pressed
         paxctl-ng -v "$bin"
         read -r FAKE
      fi
   done
done


(
I placed this function in my ~root/.bashrc (it's from Mendel Cooper's Advanced Bash Scripting Guide):

Code:

# Print the given prompt and return 0 only if the answer starts with y or Y.
function ask()
{
    echo -n "$@" '[y/n] ' ; read -r ans
    case "$ans" in
        y*|Y*) return 0 ;;
        *) return 1 ;;
    esac
}

)


Why? Because they all looked like this:

Code:

-rwxr-xr-x 1 root root 51064 2015-07-05 07:33 bookmarks.dpi
/usr/lib64/dillo/dpi/bookmarks/bookmarks.dpi:
   PT_PAX    : -e---
   XATTR_PAX : not found


id est, set only with the old paxctl-managed PT_PAX flags, not with the new, recommended XATTR_PAX flags, managed by paxctl-ng.

They now do (see paxctl-ng -h, for the -F flag). I think I should file a bug, as the transition should have been under way long since (I noticed that in some other packages, can't remember for sure, was it clamav?). But waiting first for other opinions to possibly weigh in. (Maybe I'm not abreast with the development, or I missed something somewhere.)

I've been trying to report how Dillo behaves on the Dillo mailing list, see, exampli gratia:

Github et alia login/cookies issue
http://lists.dillo.org/pipermail/dillo-dev/2015-July/010582.html

with references in the Grsecurity Forums:

Deploy RBAC on Dillo browser
https://forums.grsecurity.net/viewtopic.php?f=5&t=4228&p=15351

(and if you're coming from anywhere there, this text I prepared at least a day ago, and all the Dillo binaries in the:

Code:

/usr/lib64/dillo/dpi/*/

have been dealt with '-F', copy PT_PAX to XATTR_PAX, and with '-m', disable MPROTECT, before those reports.)

If a kind visitor reads there in either the Dillo mailing list or the Grsecurity Forums, good news: all works well now on Gentoo Forums... ;-) . None of those ugly cookies.dpi lines ...

Miles to go before some rest, but we're getting there...
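An added example, not part of the original post: a read-only check that parses `paxctl-ng -v` output in the format shown above and lists binaries whose XATTR_PAX marking is missing or differs from PT_PAX. The function name `pax_unmigrated` and the sample input are constructed for illustration; the `-em--` flag string in the sample is an assumed value.

```shell
#!/bin/bash
# Added example: audit `paxctl-ng -v` output (read from stdin) and print one
# line per binary that needs attention:
#   MISSING <path>   no XATTR_PAX marking present
#   DIFFERS <path>   XATTR_PAX present but not identical to PT_PAX
pax_unmigrated() {
    awk '
        # Header line: the file path followed by a colon, not indented.
        /^[^ \t].*:$/ { path = substr($0, 1, length($0) - 1); pt = ""; next }
        # Indented "PT_PAX : <flags>" line: remember the flag string.
        /^[ \t]*PT_PAX[ \t]*:/ {
            pt = $0; sub(/^[^:]*:[ \t]*/, "", pt); sub(/[ \t]+$/, "", pt); next
        }
        # Indented "XATTR_PAX : <flags>" line: compare against PT_PAX.
        /^[ \t]*XATTR_PAX[ \t]*:/ {
            xa = $0; sub(/^[^:]*:[ \t]*/, "", xa); sub(/[ \t]+$/, "", xa)
            if (xa == "not found") print "MISSING", path
            else if (xa != pt)     print "DIFFERS", path
        }
    '
}

# Constructed sample input, modelled on the output format shown in the post.
SAMPLE_OUTPUT='/usr/lib64/dillo/dpi/bookmarks/bookmarks.dpi:
   PT_PAX    : -e---
   XATTR_PAX : not found

/usr/lib64/dillo/dpi/cookies/cookies.dpi:
   PT_PAX    : -e---
   XATTR_PAX : -em--

/usr/lib64/dillo/dpi/file/file.dpi:
   PT_PAX    : -e---
   XATTR_PAX : -e---
'

# Run the audit over the constructed sample.
printf '%s' "$SAMPLE_OUTPUT" | pax_unmigrated

# On a live system, one file per paxctl-ng call as in the post's loop:
#   for f in /usr/lib64/dillo/dpi/*/*; do paxctl-ng -v "$f"; done | pax_unmigrated
```

A DIFFERS line is informational: it also appears for a binary whose XATTR_PAX flags were changed on purpose after the copy, such as with '-m'.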