throw Baloo in jail
Martin Flöser
mgraesslin at kde.org
Fri May 5 19:37:41 UTC 2017
Am 2017-05-05 18:37, schrieb Detlef Eppers:
> File indexing tools encounter all different types of files, both of
> trusted and untrusted origin, and last November it was demonstrated by
> Chris Evans how this can potentially be exploited*. In order to
> provide a means for mitigation, I have written a Firejail profile**
> for Baloo recently (Firejail is a SUID sandboxing tool, modeled after
> the Chromium sandbox).
>
> However, almost all the stuff I do now with Firejail (seccomp filter,
> dropping capabilities, namespaces, file system restrictions) could
> equally be done through a systemd unit file, providing better security
> for all Plasma users. So my question number one is if for Baloo,
> switching to a systemd user unit could be considered a viable option
> (versus the current autostart mechanism).
Only if you want to fight an uphill battle. I would not suggest to go
for systemd unit files. There are distributions who threatened to drop
all of KDE if there is only one component which depends on systemd.
Instead I would suggest to go for using seccomp directly in baloo
similar to what I did in kscreenlocker_greet for Plasma 5.10.
>
> Question number two: I would like to restrict Baloo's access to the
> file system through Firejail. But if I bind-mount the home directory
> write-protected and only ~/.local/share/baloo as writable, baloo_file
> will fail to launch, printing:
>
> Failed to create database, removing corrupted database.
> Failed to create database after deleting corrupted one.
>
> If the whole ~/.local/share is writable however, everything works as
> expected.
From my testing with seccomp on kscreenlocker_greet it is just not
possible to start an application with privs restricted. Instead open the
database and then install the seccomp filter. All we need is to know
that once it starts to parse a file it's no longer able to write to any
file.
>
> Similarly, baloo_file won't write to its configuration file
> ~/.config/baloofilerc if it is remounted writable. Only if the whole
> ~/.config folder is writable everything works as expected. To me this
> looks like Baloo wants to create write-locks, and the question is if
> one could conceive an alternative mechanism. This would not only help
> to write tighter Firejail profiles, but also in restricting baloo_file
> as much as possible through a systemd execution environment.
Right, things are using lock files. I doubt you can change that as
that's probably directly in KConfig. I also stumbled over that when
doing the seccomp filtering. It was one of the problems which pushed me
towards only installing the filter once everything is setup but before
untrusted code gets executed.
In case you are interested:
https://cgit.kde.org/kscreenlocker.git/commit/?id=5e3c7b337c9525f6b427c06f1814938b0a161db8
is the commit which introduced seccomp filtering in kscreenlocker.
Oh and thanks for having a look at it! This is in my opinion really low
hanging fruit to get baloo more secure.
Cheers
Martin
More information about the Kde-frameworks-devel
mailing list