Re: gnome-keyring AppArmor and



On 01/18/2013 04:46 PM, Marc Deslauriers wrote:
> On 13-01-18 10:29 AM, Michael Terry wrote:
>> (I just noticed the subject line is odd.  The copy in my Sent folder
>> says "AppArmor and gnome-keyring", but the copy that the mailing list
>> sent out is garbled.  Weird.)
>>
>> Thanks for the reply!  Further comments below.
>>
>> On 01/18/2013 05:24 AM, Stef Walter wrote:
>>> There was some discussion about this before from the SMACK perspective.
>>>
>>> In principle I agree with a plan like this.
>>>
>>> Some key points I'd like to add, which meshes with what you outlined.
>>> I'm not bringing these up as contradiction, merely as clarification.
>>>
>>>   * There should be no prompts for this stuff when access fails. Like
>>>     you said it is 'silent'. This was the second reason that the previous
>>>     solution was security theater.
>>
>> Agreed.
> 
> This was security theatre mostly because the X server doesn't prevent
> confined apps from manipulating those prompts. In situations where
> additional security is present, such as when confining X using the XACE,
> or when using an alternative display server such as Wayland, it may be
> possible to display such prompts in a secure fashion.
> 
> The question of whether or not the user is able to perform an informed
> decision when one of these dialogs pops up is a separate issue.

Exactly.

>>
>>>   * We should treat unconfined apps as their own security context. That
>>>     is, a confined app should be able to access only its own secrets, and
>>>     unconfined apps should not be able to access any secrets for confined
>>>     apps.
>>
>> Agreed regarding confined apps.  But is it valuable or even possible to
>> prevent unconfined apps from doing anything?
> 
> I'm not sure how to prevent an unconfined app from accessing secrets.
> How do you propose doing so?
> 
>>
>>>   * All of this only affects the reading/writing of the actual secrets.
>>>     The items containing the secrets, and their attributes (which have
>>>     *no* security guarantees) are still visible by all apps, and can
>>>     thus be managed by the password manager and so on.
>>
>> Just so we are on the same page, I gather you are saying that items
>> stored by confined apps should be visible to unconfined apps.  Not that
>> confined apps can see attributes of items stored by unconfined apps.
>>
>> Agreed as far as that goes (because, as I note above, I had assumed that
>> unconfined apps would have no restrictions at all, as it is today).
> 
> I expect items and attributes would be hidden to confined apps also. At
> the very least, it's an information leak to know what the user has in
> his keyring.

Fair enough. Makes sense.

I guess I was also hoping we could solve the problem of having certain
applications be able to store passwords in the keyring, which are not
readily viewable by the key manager (like seahorse). People are always
complaining about how they can see their passwords in the key manager.
From a security perspective, that's expected, but since it surprises
people I wanted to see what we could do.

Cheers,

Stef


