Deploy RBAC on Dillo browser

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Deploy RBAC on Dillo browser

Postby timbgo » Tue Jul 07, 2015 11:21 am

I'm having issues with Dillo browser.

It is a really lean browser meant for advanced users, for those who are not familiar, and is the opposite of the harvester browsers that most ov even *nixers use.

I have posted on the issues I have on the Dillo mailing list, and the issue of concern to grsecurity (although in other issues there are aspects related to grsecurity deployment as well), is this one (where I also promise I would post here about it):

Github et alia login/cookies issue
http://lists.dillo.org/pipermail/dillo- ... 10582.html
(that's the start of that thread)

and where I promise I would ask for insight from advanced users here on Grsecurity Forums is:

[ same title ]
http://lists.dillo.org/pipermail/dillo- ... 10586.html

So this is my entries, real, complete (with even all the commented out lines that I replaced with what I in my best understanding would be their broader equivalents, for want of more correct term), regarding dillo, in my:

/etc/grsec/policy:

Code: Select all
# Role: miro
subject /usr/bin/dillo o {
   /            h
   /Cmn         r
   /Cmn/dLo         wc
   /Cmn/m*            wc
   /Cmn/Kaff         wc
   /etc            
   /etc/fltk         wc
   /etc/gai.conf         r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/host.conf         r
   /etc/hosts         r
   /etc/ld.so.cache      r
   /etc/nsswitch.conf      r
   /etc/passwd         h
   /etc/resolv.conf      r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home            h
   /home/miro/.Xauthority      r
   /home/miro/.dillo      
   /home/miro/.dillo/cookiesrc   r
   /home/miro/.dillo/dillorc   r
   /home/miro/.dillo/domainrc   r
   /home/miro/.dillo/dpid_comm_keys   r
   /home/miro/.dillo/keysrc   r
   /home/miro/.fltk/fltk.org   
   /home/miro/.fltk/fltk.org/filechooser.prefs   r
   /home/miro/.fltk/fltk.org/fltk.prefs   rw
   /lib64            rx
   /lib64/modules         h
   /proc            
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /tmp            rwcd
   /usr            h
   /usr/bin         h
   /usr/bin/dillo         rx
   /usr/bin/dpid         x
   /usr/lib64         rx
   /usr/share         r
   -CAP_ALL
   bind 0.0.0.0/32:0 dgram ip
   connect   0.0.0.0/0:0 stream dgram tcp udp
   connect   0.0.0.0/0:80 stream dgram tcp udp
   connect   0.0.0.0/0:1024-65535 stream dgram tcp udp
   connect   0.0.0.0/0:53 stream dgram tcp udp
   connect   0.0.0.0/0:443 stream dgram tcp udp
   connect   127.0.0.1/32:0 stream dgram tcp udp
   connect   127.0.0.1/32:53 stream dgram tcp udp
   connect 127.0.0.1/32:1024-65535 stream tcp
#   connect 204.187.15.12/32:80 stream tcp
#   connect 204.187.15.4/32:0 stream dgram tcp udp
#   connect 204.187.15.4/32:80 stream dgram tcp udp
#   connect 142.4.210.26/32:80 stream tcp
#   connect 89.16.167.134/32:80 stream tcp
#   connect 217.196.43.138/32:80 stream tcp
#   connect 96.45.83.40/32:0 dgram udp
#   connect 96.45.83.209/32:0 dgram udp
#   connect 96.45.82.53/32:0 dgram udp
#   connect 96.45.82.134/32:0 stream dgram tcp udp
#   connect 96.45.82.134/32:80 stream dgram tcp udp
#   connect 131.211.32.146/32:0 dgram udp
#   connect 168.100.10.85/32:0 stream dgram tcp udp
#   connect 168.100.10.85/32:80 stream dgram tcp udp
#   connect 192.254.186.79/32:80 stream tcp
#   connect 192.30.252.130/32:80 stream tcp
#   connect 192.168.1.1/32:53 dgram udp
   connect   178.218.164.164/32:1024-65535 stream dgram tcp udp
   connect   192.168.3.0/32:1024-65535 stream dgram tcp udp
   sock_allow_family unix inet ipv6 netlink
}

# Role: miro
subject /usr/bin/dpid o {
   /            h
   /etc            h
   /etc/ld.so.cache      r
   /home            h
   /home/miro/.dillo      
   /home/miro/.dillo/dpid_comm_keys   wcd
   /home/miro/.dillo/dpidrc   r
   /lib64            h
   /lib64/ld-2.20.so      x
   /lib64/libc-2.20.so      rx
   /usr            h
   /usr/bin/dpid         rx
   /usr/lib64/dillo/dpi   x   
   /usr/lib64/dillo/dpi/https      x
   /usr/lib64/dillo/dpi/https/https.filter.dpi   x
   /usr/lib64/dillo/dpi/file/file.dpi   x
   -CAP_ALL
   bind   0.0.0.0/32:0 dgram ip
   bind   127.0.0.1/32:1024-65535 stream tcp
   bind 127.0.0.1/32:1024-65535 stream tcp
#   connect 127.0.0.1/32:5021 stream tcp
#   connect 127.0.0.1/32:5024 stream tcp
#   connect 127.0.0.1/32:5029 stream tcp
   connect   192.168.3.0/32:9999 stream dgram tcp udp
   connect   178.218.164.164/32:2082-2096 stream dgram tcp udp
   sock_allow_family all
}

# Role: miro
subject /usr/lib64/dillo/dpi o {
   /            h
   /dev            h
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/passwd         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home            h
   /home/miro/.dillo      
   /home/miro/.dillo/bm.txt   rwcd
   /home/miro/.dillo/bm.txt.bak   rwcd
   /home/miro/.dillo/cookies.txt   rwc
   /home/miro/.dillo/cookiesrc   r
   /home/miro/.dillo/dpid_comm_keys   r
   /lib64            rx
   /lib64/modules         h
   /usr            h
   /usr/lib64         rx
   /usr/share         r
   -CAP_ALL
   bind 0.0.0.0/32:0 dgram ip
   bind 127.0.0.1/32:1024-65535 stream tcp
#   bind 127.0.0.1/32:5024 stream tcp
#   bind 127.0.0.1/32:5029 stream tcp
   connect   0.0.0.0/0:0 stream dgram tcp udp
   connect   0.0.0.0/0:80 stream dgram tcp udp
   connect   0.0.0.0/0:1024-65535 stream dgram tcp udp
   connect   0.0.0.0/0:53 stream dgram tcp udp
   connect   0.0.0.0/0:443 stream dgram tcp udp
   connect   127.0.0.1/32:0 stream dgram tcp udp
   connect   127.0.0.1/32:53 stream dgram tcp udp
   sock_allow_family all
}



And there is probably something not completely right, or even something wrong, with this part of my policy configuration (alhough I'm not sure that it is wrong, and especially what)... Because, Dillo behaves erratically, as I explained in the Dillo mailing list, pasting over from the links given, that it:

http://lists.dillo.org/pipermail/dillo-dev/2015-July/010586.html wrote:So [the link] begins to open, and those maybe 1000 lines per minute
begin to flood my /var/log/messages, Another typical one, just like the
one that I already gave closer to the start of this message of mine:

Jul 7 16:47:16 g0n kernel: grsec: (miro:U:/usr/lib64/dillo/dpi) exec of
/usr/lib64/dillo/dpi/cookies/cookies.dpi
(/usr/lib64/dillo/dpi/cookies/cookies.dpi ) by
/usr/lib64/dillo/dpi/cookies/cookies.dpi[dpid:28919] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/dpid[dpid:28798] uid/euid:1000/1000
gid/egid:1000/1000

Then I, in another terminal, as root, issue:

# killall dpid

which for grsecurity.net page opening need be done maybe once or rarely
twice if at all, but for debian.net page opening needs to be done a few
times, as it keeps restarting...

And correcting myself that I did need to issue the "killall dpid" quite a few times to start editing on forums.grsecurity.net.

I'll be pouring over this issue, and if some of the advanced readers can give use advice, I'll be grateful!

Cheers!
Last edited by timbgo on Tue Jul 07, 2015 1:36 pm, edited 1 time in total.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: Deply RBAC on Dillo browser

Postby timbgo » Tue Jul 07, 2015 11:51 am

Upon logging in for posting this (with lots of issued 'killall dpid'), I notice in /var/log/messages :
Code: Select all
Jul  7 17:39:17 g0n kernel: grsec: (miro:U:/usr/bin/dpid) denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024 for /usr/bin/dpid[dpid:2036] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/dillo[dillo:1517] uid/euid:1000/1000 gid/egid:1000/1000


I got:

Code: Select all
# grep  'RLIMIT_NOFILE against limit 1024 for /usr/bin/dpid'  messages_150707_1741_g0n  | wc -l
220
#


of them.

And I still haven't figured out what RLIMIT means. Any quick links where to read what RLIMIT is, anyone?

And, on another note, to answer with possible solution before I am suggested it, I think I should try and create a subject:

Code: Select all
# Role: miro
subject /usr/lib64/dillo/dpi/cookies/cookies.dpi ol {
    /               h
    -CAP_ALL   
    bind    disabled   
    connect disabled
}


and get some learning under way with:
Code: Select all
# gradm -L /etc/grsec/learning.logs -E


Just done it.

No. It seems that it can't be gotten to work well, for some reason...

I am still getting those thousands of lines in my /var/log/messages .
(and to edit this --but this it only of concern for Dillo, I had to use my understanding that I posted on:

http://lists.dillo.org/pipermail/dillo- ... 10523.html
in a variant, but the sed line a variant of the one on:
http://forums.debian.net/viewtopic.php? ... 60#p577608

-- as on forums.grsecurity.net Dillo did not show the edit-icon for this editing of mine)

At a loss as to what to try next...
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: Deply RBAC on Dillo browser

Postby spender » Tue Jul 07, 2015 12:45 pm

In the case of the RLIMIT_NOFILE logs, what's probably happening there was a call to dup2 with the new fd being -1. This could likely be due to a bug in the dpid application.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: Deply RBAC on Dillo browser

Postby timbgo » Tue Jul 07, 2015 1:17 pm

spender wrote:In the case of the RLIMIT_NOFILE logs, what's probably happening there was a call to dup2 with the new fd being -1. This could likely be due to a bug in the dpid application.

-Brad


I hope the Dillo devs are reading this (it's too highbrow for me).

But I want to add, that I posted a related topic on Gentoo Forums:

Deploy paxctl-ng XATTR markings on Dillo browser
https://forums.gentoo.org/viewtopic-t-1021518.html

To conclude the reporting, anywhere I browse, there are no issues with those hundreds per minute cookies.dpi lines in the logs any more, but neither do any more cookies appear in ~/.dillo/cookies.txt .

And, apparently, somebody correct me if I'm wrong, my per subject dillo program RBAC configuration in my /etc/grsec/policy seems to be right.

I'll go now to the other topic:

A no-poetteringware desktop RBAC policy
viewtopic.php?f=5&t=4153

and post my postfix subjects configuration lines from my /etc/grsec/policy as I'm not sure about it.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: Deploy RBAC on Dillo browser

Postby timbgo » Thu Jul 09, 2015 5:57 am

I keep previous copies of /etc/grsec/policy, to later go back if I make a
wrong change.

Code: Select all
for i in $(ls -1tr grsec_150706_g0n_00 grsec_150708_g0n_05) ; do
   ls -l $i ;
   egrep 'dillo o |/dpid o|/lib64/dillo/.* o ' $i ;
   echo ;
   read FAKE ;
done ;

This is just for me to roughly identify what I have regarding dillo in those.

This is their output:

Code: Select all
-rw------- 1 root root 110073 2015-07-06 15:05 grsec_150706_g0n_00
subject /usr/bin/dillo o {
subject /usr/bin/dpid o {
subject /usr/lib64/dillo/dpi/https/https.filter.dpi o {


-rw------- 1 root root 111145 2015-07-08 19:48 grsec_150708_g0n_05
subject /usr/bin/dillo o {
subject /usr/bin/dpid o {
subject /usr/lib64/dillo/dpi o {



I have currently the latter one installed, as:
Code: Select all
# diff grsec_150708_g0n_05 /etc/grsec/policy
#

returns an empty string.

And I'm afraid, for some reason, I will need to go back again, and maybe even add the cookies.dpi subject.

The 1000 lines per minute (or around) of those cookies line, as well as the freezing of the pages to newly open until I 'killall dpid' a few times, these may need more learning, and more subjects.

The latter, the current RBAC polict for Dillo is further above in this topic, but previously, I had this:

Code: Select all
# Role: miro
subject /usr/bin/dillo o {
   /            h
   /Cmn         r
   /Cmn/dLo         wc
   /Cmn/m*            wc
   /Cmn/Kaff         wc
   /etc            
   /etc/fltk         wc
   /etc/gai.conf         r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/host.conf         r
   /etc/hosts         r
   /etc/ld.so.cache      r
   /etc/nsswitch.conf      r
   /etc/passwd         h
   /etc/resolv.conf      r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home            h
   /home/miro/.Xauthority      r
   /home/miro/.dillo      
   /home/miro/.dillo/cookiesrc   r
   /home/miro/.dillo/dillorc   r
   /home/miro/.dillo/domainrc   r
   /home/miro/.dillo/dpid_comm_keys   r
   /home/miro/.dillo/keysrc   r
   /home/miro/.fltk/fltk.org   
   /home/miro/.fltk/fltk.org/filechooser.prefs   r
   /home/miro/.fltk/fltk.org/fltk.prefs   rw
   /lib64            rx
   /lib64/modules         h
   /proc            
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /tmp            rwcd
   /usr            h
   /usr/bin         h
   /usr/bin/dillo         rx
   /usr/bin/dpid         rx
   /usr/lib64         rx
   /usr/share         r
   -CAP_ALL
#   connect 0.0.0.0/0:5020 stream dgram tcp udp
#   connect 0.0.0.0/0:5022 stream dgram tcp udp
   sock_allow_family ipv6 netlink
   bind 0.0.0.0/32:0 dgram ip
#   bind 127.0.0.1/32:5020-5022 stream dgram tcp udp
   bind 127.0.0.1/32:1024-65535 stream tcp
   connect 0.0.0.0/0:0 stream dgram tcp udp
   connect 0.0.0.0/0:80 stream dgram tcp udp
   connect 0.0.0.0/0:1024-65535 stream dgram tcp udp
   connect 0.0.0.0/0:53 stream dgram tcp udp
   connect 0.0.0.0/0:443 stream dgram tcp udp
   connect 127.0.0.1/32:0 stream dgram tcp udp
   connect 127.0.0.1/32:53 stream dgram tcp udp
#   connect 127.0.0.1/32:8008 stream dgram tcp udp
#   connect 127.0.0.1/32:9999 stream dgram tcp udp
#   connect 127.0.0.1/32:5020-5022 stream dgram tcp udp
   connect 127.0.0.1/32:1024-65535 stream dgram tcp udp
#   connect 178.218.164.164/32:2082-2096 stream dgram tcp udp
   connect 178.218.164.164/32:1024-65535 stream dgram tcp udp
   connect 192.168.3.0/24:1024-65535 stream dgram tcp udp
   sock_allow_family unix inet ipv6 netlink
}

# Role: miro
subject /usr/bin/dpid o {
   /            h
   /etc            h
   /etc/ld.so.cache      r
   /home            h
   /home/miro/.dillo      
   /home/miro/.dillo/dpid_comm_keys   wcd
   /home/miro/.dillo/dpidrc   r
   /lib64            h
   /lib64/ld-2.20.so      x
   24ib64/libc-2.20.so      rx
   /usr            h
   /usr/bin/dpid         rx
   /usr/lib64/dillo/dpi   x   
   /usr/lib64/dillo/dpi/https      x
   /usr/lib64/dillo/dpi/https/https.filter.dpi   x
   /usr/lib64/dillo/dpi/file/file.dpi   x
   -CAP_ALL
   bind 0.0.0.0/32:0 dgram ip
   bind 127.0.0.1/32:1024-65535 stream tcp
#   bind 127.0.0.1/32:5020-5022 stream dgram tcp udp
   connect 0.0.0.0/0:1024-65535 stream dgram tcp udp
#   connect 0.0.0.0/0:443 stream dgram tcp udp
#   connect 0.0.0.0/0:53 stream dgram tcp udp
   connect 127.0.0.1/32:1024-65535 stream dgram tcp udp
#   connect 127.0.0.1/32:0 stream dgram tcp udp
#   connect 127.0.0.1/32:53 stream dgram tcp udp
#   connect 127.0.0.1/32:8008 stream dgram tcp udp
#   connect 127.0.0.1/32:9999 stream dgram tcp udp
   connect 192.168.3.0/24:9999 stream dgram tcp udp
   connect 178.218.164.164/32:2082-2096 stream dgram tcp udp
#   sock_allow_family unix inet netlink
   sock_allow_family all
}

# Role: miro
subject /usr/lib64/dillo/dpi/https/https.filter.dpi o {
   /            h
   /dev            h
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/passwd         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home            h
   /home/miro/.dillo   r
#   /home/miro/.dillo/certs/c8e949fc.0   r
#   /home/miro/.dillo/dpid_comm_keys   r
   /lib64            rx
   /lib64/modules         h
   /proc            
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/meminfo         r
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /usr            h
   /usr/lib64         h
   /usr/lib64/dillo/dpi/https/https.filter.dpi   rx
   /usr/lib64/libcrypto.so.1.0.0   rx
   /usr/lib64/libssl.so.1.0.0   rx
   /usr/share         r
   -CAP_ALL
   bind 0.0.0.0/32:0 dgram ip
   connect 0.0.0.0/0:443 stream dgram tcp udp
   connect 0.0.0.0/0:53 stream dgram tcp udp
#   connect 78.26.97.141/32:443 stream tcp
#   connect 146.185.183.13/32:443 stream tcp
#   connect 173.194.67.95/32:443 stream tcp
#   connect 46.105.191.76/32:443 stream tcp
#   connect 46.51.197.89/32:443 stream tcp
#   connect 199.27.75.133/32:443 stream tcp
#   connect 23.235.43.133/32:443 stream tcp
#   connect 82.195.75.112/32:443 stream tcp
#   connect 217.196.43.138/32:443 stream tcp
#   connect 50.251.85.52/32:443 stream tcp
#   connect 54.229.105.203/32:443 stream tcp
#   connect 54.229.115.42/32:443 stream tcp
#   connect 75.126.24.82/32:443 stream tcp
#   connect 69.163.224.215/32:443 stream tcp
#   connect 204.187.15.12/32:443 stream tcp
#   connect 178.62.188.7/32:443 stream tcp
#   connect 178.218.164.164/32:2096 stream tcp
#   connect 192.30.252.131/32:443 stream tcp
#   connect 192.168.1.1/32:53 dgram udp
   sock_allow_family all
}


I usually comment out only and leave the lines that grsecurity wrote in the learning process, in case I happen to poorly substiture them with more lines containing more general addresses. Those are the lines just above this paragraph, that show how I browsed a number of websites for the learning.

You can see that I substituted those 19 lines that are commented out, with just the two above. These two:
Code: Select all
   connect 0.0.0.0/0:443 stream dgram tcp udp
   connect 0.0.0.0/0:53 stream dgram tcp udp

My widening of the socket (stream dgram) and protocol (tcp udp) was probably wrong, those should have been left as in the line grsec gave, but hopefully inconsequential.

The 0.0.0.0 substitutes any address, which I guess for browsing is necessary.

So maybe I should have substituted those two lines with:

Code: Select all
   connect 0.0.0.0/0:443 stream tcp
   connect 0.0.0.0/0:53 dgram udp

Also, probably the:
Code: Select all
   sock_allow_family all

is likely, the 'all' part, of my own addition (when things don't work after many tries I cut corners ;-) I know you don't, only I do so).

In the two earlier subject (there are three subjects altogether), you can see:

Code: Select all
   connect 192.168.3.0/24:9999 stream dgram tcp udp

but grsecurity couldn't learn that, as I only have a few machines.

The line grsec gave was something to this effect:
Code: Select all
   connect 192.168.3.91/32:9999 stream dgram tcp udp

in fact, probably not even that, because it's probably me who put both the stream and dgram, and tcp and udp on the same line there too, except maybe that latter line is fine, for both udp (such as nfs), and for tcp (such as apache server).

These lines are really only for non-online machines, SOHO only machines of mine. They are irrelevant for online machines (this one which I browse, post, and email with), as they only communicate the air-gapped way with the offline machines, and never see the SOHO.

I think I might re-include that old, containing:
Code: Select all
subject /usr/lib64/dillo/dpi/https/https.filter.dpi o

section, and maybe try and do some more learning on:
Code: Select all
subject /usr/lib64/dillo/dpi/cookies/cookies.dpi ol {
   /      hide
   -CAP_ALL
   bind   disabled
   connect   disabled
}

and then come back...
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: Deploy RBAC on Dillo browser

Postby timbgo » Sat Jul 11, 2015 12:36 am

I have changed the dillo policy somewhat. Still same 1000s per minute cookies.dpi issue, but not always. I'm kind of forced to deal with this issue, because it's the browser I use, as I can trust it.

Code: Select all
# Role: miro
subject /usr/bin/dillo o {
   /            h
   /Cmn         
   /Cmn/dLo         r
   /Cmn/m*            r
   /Cmn/Kaff         r
   /etc            
   /etc/fltk         wc
   /etc/fonts      r
   /etc/gai.conf         r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/host.conf         r
   /etc/hosts         r
   /etc/ld.so.cache      r
   /etc/nsswitch.conf      r
   /etc/passwd         h
   /etc/resolv.conf      r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home            h
   /home/miro/.Xauthority      r
   /home/miro      r
#   /home/miro/.dillo/cookiesrc   r
#   /home/miro/.dillo/dillorc   r
#   /home/miro/.dillo/domainrc   r
#   /home/miro/.dillo/dpid_comm_keys   r
#   /home/miro/.dillo/keysrc   r
   /home/miro/.fltk/fltk.org   
   /home/miro/.fltk/fltk.org/filechooser.prefs   r
   /home/miro/.fltk/fltk.org/fltk.prefs   rw
   /lib64            rx
   /lib64/modules         h
   /proc            
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/meminfo         r
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /tmp            rwcd
   /usr            h
   /usr/bin         h
   /usr/bin/dillo         rx
   /usr/bin/dpid         rx
   /usr/lib64         rx
   /usr/share         r
   /var/cache/fontconfig      r
   -CAP_ALL
   bind   0.0.0.0/32:0 dgram ip
   connect   0.0.0.0/0:0 stream dgram tcp udp
   connect   0.0.0.0/0:80 stream dgram tcp udp
#   connect   0.0.0.0/0:5020 stream dgram tcp udp
#   connect   0.0.0.0/0:5022 stream dgram tcp udp
   connect   0.0.0.0/0:1024-65535 stream dgram tcp udp
   connect   0.0.0.0/0:53 stream dgram tcp udp
   connect   127.0.0.1/32:0 stream dgram tcp udp
   connect   127.0.0.1/32:53 stream dgram tcp udp
   connect 127.0.0.1/32:1024-65535 stream tcp
   connect   178.218.164.164/32:2082-2096 stream dgram tcp udp
   sock_allow_family ipv6 netlink
   bind 0.0.0.0/32:0 dgram ip
   bind 127.0.0.1/32:5020-5022 stream dgram tcp udp
   connect 0.0.0.0/0:443 stream dgram tcp udp
   connect 0.0.0.0/0:53 stream dgram tcp udp
   connect 127.0.0.1/32:0 stream dgram tcp udp
   connect 127.0.0.1/32:53 stream dgram tcp udp
   connect 127.0.0.1/32:5020-5022 stream dgram tcp udp
   connect 127.0.0.1/32:8008 stream dgram tcp udp
   connect 127.0.0.1/32:9999 stream dgram tcp udp
   connect 192.168.3.3/32:9999 stream dgram tcp udp
   connect 178.218.164.164/32:2082-2096 stream dgram tcp udp
   sock_allow_family unix inet ipv6 netlink
}

# Role: miro
subject /usr/bin/dpid o {
   /            h
   /etc            h
   /etc/ld.so.cache      r
   /home            h
   /home/miro         r   
   /home/miro/.dillo   wcd
#   /home/miro/.dillo/dpid_comm_keys   wcd
   /home/miro/.dillo/dpidrc   r
   /lib64            h
   /lib64/ld-2.20.so      x
   /lib64/libc-2.20.so      rx
   /usr            h
   /usr/bin/dpid         rx
   /usr/lib64/dillo/dpi   x   
   /usr/lib64/dillo/dpi/https      x
   /usr/lib64/dillo/dpi/https/https.filter.dpi   x
   /usr/lib64/dillo/dpi/file/file.dpi   x
   -CAP_ALL
   bind   0.0.0.0/32:0 dgram ip
   bind   127.0.0.1/32:1024-65535 stream tcp
   bind 127.0.0.1/32:1024-65535 stream tcp
#   connect 127.0.0.1/32:5021 stream tcp
#   connect 127.0.0.1/32:5024 stream tcp
#   connect 127.0.0.1/32:5029 stream tcp
   connect   192.168.3.0/24:9999 stream dgram tcp udp
   connect   178.218.164.164/32:2082-2096 stream dgram tcp udp
   sock_allow_family all
}

# Role: miro
subject /usr/lib64/dillo/dpi o {
   /            h
   /Cmn
   /Cmn/dLo*      r
   /dev            h
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/passwd         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home            h
   /home/miro      r
   /home/miro/.dillo      rwcd
   /lib64            rx
   /lib64/modules         h
   /usr            h
   /usr/lib64         rx
   /usr/share         r
   -CAP_ALL
   bind 0.0.0.0/32:0 dgram ip
   bind 127.0.0.1/32:1024-65535 stream tcp
#   bind 127.0.0.1/32:5020-5022 stream dgram tcp udp
   connect 0.0.0.0/0:1024-65535 stream dgram tcp udp
#   connect 0.0.0.0/0:80 stream dgram tcp udp
#   connect 0.0.0.0/0:443 stream dgram tcp udp
#   connect 0.0.0.0/0:53 stream dgram tcp udp
   connect 127.0.0.1/32:1024-65535 stream dgram tcp udp
#   connect 127.0.0.1/32:0 stream dgram tcp udp
#   connect 127.0.0.1/32:53 stream dgram tcp udp
#   connect 127.0.0.1/32:8008 stream dgram tcp udp
#   connect 127.0.0.1/32:9999 stream dgram tcp udp
   connect 192.168.3.0/24:9999 stream dgram tcp udp
   connect 178.218.164.164/32:2082-2096 stream dgram tcp udp
#   sock_allow_family unix inet netlink
   sock_allow_family all
}

# Role: miro
subject /usr/lib64/dillo/dpi/https/https.filter.dpi o {
   /            h
   /dev            h
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/passwd         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home            h
   /home/miro   r
#   /home/miro/.dillo/certs/c8e949fc.0   r
#   /home/miro/.dillo/dpid_comm_keys   r
   /lib64            rx
   /lib64/modules         h
   /proc            
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/meminfo         r
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /usr            h
   /usr/lib64         h
   /usr/lib64/dillo/dpi/https/https.filter.dpi   rx
   /usr/lib64/libcrypto.so.1.0.0   rx
   /usr/lib64/libssl.so.1.0.0   rx
   /usr/share         r
   -CAP_ALL
   bind 0.0.0.0/32:0 dgram ip
   connect 0.0.0.0/0:443 stream dgram tcp udp
   connect 0.0.0.0/0:53 stream dgram tcp udp
#   connect 78.26.97.141/32:443 stream tcp
#   connect 146.185.183.13/32:443 stream tcp
#   connect 173.194.67.95/32:443 stream tcp
#   connect 46.105.191.76/32:443 stream tcp
#   connect 46.51.197.89/32:443 stream tcp
#   connect 199.27.75.133/32:443 stream tcp
#   connect 23.235.43.133/32:443 stream tcp
#   connect 82.195.75.112/32:443 stream tcp
#   connect 217.196.43.138/32:443 stream tcp
#   connect 50.251.85.52/32:443 stream tcp
#   connect 54.229.105.203/32:443 stream tcp
#   connect 54.229.115.42/32:443 stream tcp
#   connect 75.126.24.82/32:443 stream tcp
#   connect 69.163.224.215/32:443 stream tcp
#   connect 204.187.15.12/32:443 stream tcp
#   connect 178.62.188.7/32:443 stream tcp
#   connect 178.218.164.164/32:2096 stream tcp
#   connect 192.30.252.131/32:443 stream tcp
#   connect 192.168.1.1/32:53 dgram udp
   sock_allow_family all
}


When I say occasionally, I mean sometimes there isn't any flooding like described in previous posts, but normal operation.

I can also browse files, such as:

file:/home/miro/devmanual.gentoo.org/index.html

with this setup.

Cheers!
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia


Return to RBAC policy development