miroR l33t

Joined: 05 Mar 2008 Posts: 826
Posted: Tue Jul 07, 2015 4:51 pm Post subject: Deploy paxctl-ng XATTR markings on Dillo browser
Some of the inner workings of the Dillo browser (which I really need in my environment: sea-calm secure in comparison with the big harvesting browsers) are provided by these:
Code: |
# ls -lR /usr/lib64/dillo/dpi/
/usr/lib64/dillo/dpi/:
total 36
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 bookmarks
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 cookies
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 datauri
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 downloads
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 file
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 ftp
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 hello
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 https
drwxr-xr-x 2 root root 4096 2015-07-05 07:33 vsource
/usr/lib64/dillo/dpi/bookmarks:
total 52
-rwxr-xr-x 1 root root 51064 2015-07-05 07:33 bookmarks.dpi
/usr/lib64/dillo/dpi/cookies:
total 48
-rwxr-xr-x 1 root root 47240 2015-07-05 07:33 cookies.dpi
/usr/lib64/dillo/dpi/datauri:
total 36
-rwxr-xr-x 1 root root 34680 2015-07-05 07:33 datauri.filter.dpi
/usr/lib64/dillo/dpi/downloads:
total 52
-rwxr-xr-x 1 root root 51064 2015-07-05 07:33 downloads.dpi
/usr/lib64/dillo/dpi/file:
total 44
-rwxr-xr-x 1 root root 42872 2015-07-05 07:33 file.dpi
/usr/lib64/dillo/dpi/ftp:
total 36
-rwxr-xr-x 1 root root 34680 2015-07-05 07:33 ftp.filter.dpi
/usr/lib64/dillo/dpi/hello:
total 32
-rwxr-xr-x 1 root root 30584 2015-07-05 07:33 hello.filter.dpi
/usr/lib64/dillo/dpi/https:
total 40
-rwxr-xr-x 1 root root 38776 2015-07-05 07:33 https.filter.dpi
/usr/lib64/dillo/dpi/vsource:
total 36
-rwxr-xr-x 1 root root 34688 2015-07-05 07:33 vsource.filter.dpi
#
|
I had to do this on those:
Code: |
# Walk every dpi subdirectory and offer to copy PT_PAX to XATTR_PAX, one binary at a time
for i in /usr/lib64/dillo/dpi/*/ ; do
    ls -l "$i"
    for j in "$i"* ; do
        paxctl-ng -v "$j"            # show the current PT_PAX / XATTR_PAX markings
        if ask "Copy PT_PAX to XATTR_PAX on $j?" ; then
            paxctl-ng -F "$j"        # -F: copy the PT_PAX flags into XATTR_PAX
            read -r FAKE             # pause: press Enter to continue
            paxctl-ng -v "$j"        # show the result
            read -r FAKE
        fi
    done
done
|
(I placed this function in my ~root/.bashrc (it's from Mendel Cooper's Advanced Bash Scripting Guide):
Code: |
# Prompt with "$@ [y/n]" and return 0 for a yes answer, 1 for anything else
function ask()
{
    echo -n "$@" '[y/n] ' ; read ans
    case "$ans" in
        y*|Y*) return 0 ;;
        *)     return 1 ;;
    esac
}
|
)
Why? Because they all looked like this:
Code: |
-rwxr-xr-x 1 root root 51064 2015-07-05 07:33 bookmarks.dpi
/usr/lib64/dillo/dpi/bookmarks/bookmarks.dpi:
PT_PAX : -e---
XATTR_PAX : not found
|
i.e., set only with the old paxctl-managed PT_PAX flags, not with the new, recommended XATTR_PAX flags, managed by paxctl-ng.
They now do (see paxctl-ng -h, for the -F flag). I think I should file a bug, as the transition should have been under way long since (I noticed that in some other packages, can't remember for sure, was it clamav?). But waiting first for other opinions to possibly weigh in. (Maybe I'm not abreast with the development, or I missed something somewhere.)
I've been trying to report how Dillo behaves on the Dillo mailing list, see, exempli gratia:
Github et alia login/cookies issue
http://lists.dillo.org/pipermail/dillo-dev/2015-July/010582.html
with references in the Grsecurity Forums:
Deploy RBAC on Dillo browser
https://forums.grsecurity.net/viewtopic.php?f=5&t=4228&p=15351
(and if you're coming from either of those: I prepared this text at least a day ago, and all the Dillo binaries in
Code: |
/usr/lib64/dillo/dpi/*/
|
had been dealt with using '-F' (copy PT_PAX to XATTR_PAX) and '-m' (disable MPROTECT) before those reports.)
If a kind visitor reads this from either the Dillo mailing list or the Grsecurity Forums, good news: all works well now on Gentoo Forums. None of those ugly cookies.dpi lines...
Miles to go before some rest, but we're getting there...
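The post reads the two marking locations by eye from paxctl-ng -v output. The following is an added example, not code from the post, from paxctl-ng or from Dillo: it parses the PT_PAX_FLAGS program header straight out of an ELF file, decodes it into the same five-letter string paxctl-ng prints, reads the user.pax.flags extended attribute (XATTR_PAX), and decides which binaries are in the "PT_PAX set, XATTR_PAX not found" state the loop above was written for. The PF_* bit values are PaX's definitions; the P/E/M/R/S print order and the assumption that the xattr stores the same five-letter string are taken from paxctl-ng's output format (verify against paxctl-ng -v on your own system). The ELF it inspects is a constructed, header-only ELF64, not a real Dillo plugin.

```python
# Added example (not from the post): inspect PT_PAX and XATTR_PAX markings.
# PF_* bit values are PaX's; print order P E M R S and the xattr string format
# are assumed from paxctl-ng's output.  The ELF used below is constructed.
import os
import struct
import tempfile

PT_PAX_FLAGS = 0x65041580      # p_type of the PaX program header
XATTR_PAX = "user.pax.flags"   # extended attribute paxctl-ng manages

# (enable bit, disable bit, letter) in paxctl-ng's print order
PAX_BITS = [
    (1 << 4,  1 << 5,  "P"),   # PAGEEXEC
    (1 << 12, 1 << 13, "E"),   # EMUTRAMP
    (1 << 8,  1 << 9,  "M"),   # MPROTECT
    (1 << 14, 1 << 15, "R"),   # RANDMMAP
    (1 << 6,  1 << 7,  "S"),   # SEGMEXEC
]


def flags_to_str(p_flags):
    """0x2000 -> '-e---': upper = enabled, lower = disabled, '-' = kernel default."""
    out = []
    for on, off, letter in PAX_BITS:
        if p_flags & on:
            out.append(letter)
        elif p_flags & off:
            out.append(letter.lower())
        else:
            out.append("-")
    return "".join(out)


def apply_marking(marks, change):
    """Apply one paxctl-ng style letter (e.g. 'm' = disable MPROTECT) to a marking string."""
    pos = [b[2] for b in PAX_BITS].index(change.upper())
    return marks[:pos] + change + marks[pos + 1:]


def read_pt_pax(data):
    """Return p_flags of the PT_PAX_FLAGS program header, or None if the ELF has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    en = "<" if data[5] == 1 else ">"
    if data[4] == 2:                                   # ELF64
        (e_phoff,) = struct.unpack_from(en + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 0x36)
        flags_off = 4                                  # p_flags directly follows p_type
    else:                                              # ELF32
        (e_phoff,) = struct.unpack_from(en + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 0x2A)
        flags_off = 24                                 # p_flags is the seventh field
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(en + "I", data, off)
        if p_type == PT_PAX_FLAGS:
            (p_flags,) = struct.unpack_from(en + "I", data, off + flags_off)
            return p_flags
    return None


def report(path):
    """The two lines paxctl-ng -v prints, as a dict; None where it would say 'not found'."""
    with open(path, "rb") as f:
        pt = read_pt_pax(f.read())
    try:
        xa = os.getxattr(path, XATTR_PAX).decode()
    except OSError:            # ENODATA (no marking) or ENOTSUP (fs without user xattrs)
        xa = None
    return {"PT_PAX": flags_to_str(pt) if pt is not None else None, "XATTR_PAX": xa}


def needs_copy(rep):
    """True for the state in the post: PT_PAX marked, XATTR_PAX not found."""
    return rep["PT_PAX"] is not None and rep["XATTR_PAX"] is None


def copy_pt_pax_to_xattr(path):
    """What paxctl-ng -F does (assumed: the same string is written to the xattr)."""
    marks = report(path)["PT_PAX"]
    if marks is None:
        raise ValueError("no PT_PAX_FLAGS header to copy")
    os.setxattr(path, XATTR_PAX, marks.encode())
    return marks


def fake_elf64(p_flags):
    """Constructed header-only ELF64 with one PT_PAX_FLAGS phdr (not a runnable binary)."""
    ehdr = bytearray(64)
    ehdr[0:7] = b"\x7fELF\x02\x01\x01"               # ELF64, little endian, version 1
    struct.pack_into("<HHI", ehdr, 16, 2, 62, 1)     # ET_EXEC, EM_X86_64, EV_CURRENT
    struct.pack_into("<Q", ehdr, 0x20, 64)           # e_phoff: phdrs right after the header
    struct.pack_into("<HHH", ehdr, 0x34, 64, 56, 1)  # e_ehsize, e_phentsize, e_phnum
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
    return bytes(ehdr) + phdr


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(suffix=".dpi", delete=False) as tmp:
        tmp.write(fake_elf64(1 << 13))               # PF_NOEMUTRAMP only: '-e---'
    rep = report(tmp.name)
    print(tmp.name, rep, "needs -F" if needs_copy(rep) else "ok")
    os.unlink(tmp.name)
```

Run it on a real binary by calling report("/usr/lib64/dillo/dpi/cookies/cookies.dpi") instead of the constructed file; on a filesystem mounted without user xattr support getxattr fails with ENOTSUP and the report shows XATTR_PAX as not found, which is the same thing paxctl-ng -v would tell you there, so check the mount before concluding a binary was never migrated.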