@zpytela (Contributor) commented Nov 18, 2025

No description provided.

Thumbnail services (Tumbler/GNOME Desktop Thumbnailer) use bwrap
(bubblewrap) to generate thumbnails in a secure sandbox, e.g. when
taking screenshots or viewing images in the file manager (Thunar/GNOME Files).

This policy update adds all necessary permissions for bwrap to function
properly in the thumb_t context for thumbnail generation. It addresses
user_namespace creation, filesystem mount operations, and symlink creation
that are required for bwrap's sandboxing mechanism.

* COMPREHENSIVE BWRAP POLICY FOR THUMBNAIL GENERATION
* Based on Red Hat Bugzilla #2327872 and bwrap documentation

* 1. USER NAMESPACE CREATION (Critical - from RH Bug #2327872)
* Allows bwrap to create user namespaces for sandboxing
allow thumb_t self:user_namespace create;

* 2. CAPABILITY PERMISSIONS (User namespace operations)
* Required for bwrap to manage sandboxed processes
allow thumb_t self:cap_userns { net_admin setpcap sys_admin sys_ptrace };

* 3. PROCESS CAPABILITIES
* Allows bwrap to set capabilities on sandboxed processes
allow thumb_t self:process setcap;

* 4. NETWORK NAMESPACE CONFIGURATION
* Required for bwrap to configure network namespaces in sandbox
allow thumb_t self:netlink_route_socket nlmsg_write;

* 5. FILESYSTEM MOUNT OPERATIONS
* Allows bwrap to create bind mounts and mount points

* Mount on root directory (for creating sandbox root)
allow thumb_t root_t:dir mounton;

* Mount on tmpfs directories (for /tmp isolation)
allow thumb_t thumb_tmpfs_t:dir mounton;
allow thumb_t tmpfs_t:dir mounton;

* 6. FILESYSTEM REMOUNT/MOUNT/UNMOUNT
* Allows bwrap to:
* - mount: Create new mounts for sandbox
* - remount: Change mount flags (e.g., read-only)
* - unmount: Clean up sandbox mounts
allow thumb_t fs_t:filesystem { mount remount unmount };

* 7. SYMBOLIC LINK CREATION
* Allows bwrap to create stdin/stdout/stderr symlinks in sandbox tmpfs
allow thumb_t thumb_tmpfs_t:lnk_file create;

Authored-by: [email protected]
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2415016
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2390663
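One way to check whether the rules listed in the commit message cover the AVC denials seen on a host, as an added example that is not part of this pull request. The audit records are constructed for illustration (the third one deliberately uses a permission the commit does not list), and the function names are hypothetical.

```python
import re

# Allow rules copied from the commit message above.
POLICY = """
allow thumb_t self:user_namespace create;
allow thumb_t self:cap_userns { net_admin setpcap sys_admin sys_ptrace };
allow thumb_t self:process setcap;
allow thumb_t self:netlink_route_socket nlmsg_write;
allow thumb_t root_t:dir mounton;
allow thumb_t thumb_tmpfs_t:dir mounton;
allow thumb_t tmpfs_t:dir mounton;
allow thumb_t fs_t:filesystem { mount remount unmount };
allow thumb_t thumb_tmpfs_t:lnk_file create;
"""

# Constructed AVC records in audit.log format (not taken from the referenced bugs).
AUDIT_LOG = """
type=AVC msg=audit(1700000000.001:101): avc:  denied  { create } for  pid=4242 comm="bwrap" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=user_namespace permissive=0
type=AVC msg=audit(1700000000.002:102): avc:  denied  { mounton } for  pid=4242 comm="bwrap" path="/" dev="dm-0" ino=2 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.003:103): avc:  denied  { sys_chroot } for  pid=4242 comm="bwrap" capability=18 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
"""

RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
AVC_RE = re.compile(r"denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\w+)")

def parse_rules(text):
    """Expand allow rules into a set of (source, target, class, permission) tuples."""
    allowed = set()
    for src, tgt, cls, braced, single in RULE_RE.findall(text):
        for perm in (braced or single).split():
            allowed.add((src, tgt, cls, perm))
    return allowed

def uncovered_denials(policy, log):
    """Return the denied (source, target, class, permission) tuples the policy does not allow."""
    allowed = parse_rules(policy)
    missing = []
    for perms, sctx, tctx, cls in AVC_RE.findall(log):
        # A context is user:role:type:level; the type is the third field.
        src, tgt = sctx.split(":")[2], tctx.split(":")[2]
        for perm in perms.split():
            # "self" in a rule applies when the source and target types are the same.
            covered = (src, tgt, cls, perm) in allowed or (src == tgt and (src, "self", cls, perm) in allowed)
            if not covered:
                missing.append((src, tgt, cls, perm))
    return missing

if __name__ == "__main__":
    print(uncovered_denials(POLICY, AUDIT_LOG))
```

Anything the function returns is a denial that would still occur with these rules loaded, which is the list to review before widening the policy further.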