I’ve been experimenting with ways to use SELinux to prevent LD_PRELOAD attacks such as the one demonstrated in Aishou/wayland-keylogger (a proof-of-concept Wayland keylogger) on GitHub.
So far, I have the following which works but is not as elegant as I’d like it to be:
Note: use at your own risk.
Doing the below steps will prevent unconfined processes from modifying .bashrc or .bash_profile, even when run as root. This completely prevents the LD_PRELOAD-via-bashrc issue.
Step 1:
Create a file addbashrctype.cil:
(type bashrc_t)
(typeattributeset file_type (bashrc_t))
(roletype object_r bashrc_t)
Step 2:
Install it:
semodule -i addbashrctype.cil
Step 3:
Set .bashrc and .bash_profile to the new type:
semanage fcontext -a -t bashrc_t '/var/home/yourusername/.bashrc'
semanage fcontext -a -t bashrc_t '/var/home/yourusername/.bash_profile'
Step 4:
Run restorecon to apply the types:
restorecon -v /var/home/yourusername/.bashrc
restorecon -v /var/home/yourusername/.bash_profile
Step 5:
Create a file denyrule.cil:
(deny unconfined_t bashrc_t (file (write)))
Step 6:
Install it:
semodule -i denyrule.cil
Step 7:
Attempt to modify .bashrc or .bash_profile as any user; it fails.
Bash variables are of course still globally modifiable in /etc/bashrc and /etc/profile.d, but only as root/wheel. So this solution works, but it is less feasible on a multi-user system than on a single-user system, where making global bashrc modifications in /etc/bashrc is a reasonable alternative.
As a more elegant and production-ready solution, I’m wondering if it would make sense not only to prevent unconfined_t from modifying bashrc_t, but also to have a particular text editor (vim/nano/whatever) run as some new type that does have write access to bashrc_t. That way, Fedora could by default prevent unconfined processes from executing LD_PRELOAD attacks, while still permitting users to modify their .bashrc, albeit through a much narrower and more confined channel.
Thoughts welcome
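The seven steps above folded into one script, added here as an example; it is not the poster's script and not Fedora policy. It puts the type, attribute, role and deny rule into a single CIL module, registers one `semanage fcontext` regex per dotfile so every user under /var/home is covered (the two per-user paths above are one instance of that), runs restorecon, and then verifies: it reads each file's label back with `stat -c %C` and probes the file with two opens that change nothing. The deny set is wider than the original `write`, and deliberately so: an open with O_APPEND is checked against the separate SELinux permission `append`, and an editor that saves by writing a temporary file and renaming it over the original needs `rename` on the new file and `unlink` on the old one rather than `write`, after which the replacement file carries the label the directory gives it, not bashrc_t, until restorecon runs again. The module name `bashrc_protect`, the `HOME_ROOT` variable and the `apply`/`verify` subcommands are assumptions of this script.

```bash
#!/usr/bin/env bash
# Added example, not the original poster's script: steps 1-7 as one CIL
# module plus a verification pass. Assumed names: MODULE, HOME_ROOT, apply/verify.
set -euo pipefail

MODULE=bashrc_protect                 # assumed module name (semodule -r bashrc_protect removes it)
HOME_ROOT=${HOME_ROOT:-/var/home}     # Silverblue/Kinoite layout; HOME_ROOT=/home on a classic install
DOTFILES=(.bashrc .bash_profile)

# One CIL module carrying the type, its attribute/role and the deny rule.
# Beyond the original `write` it also denies append (O_APPEND opens are
# checked against file { append }) and unlink/rename (editors that save by
# renaming a temp file over the original need those, not write).
build_cil_module() {
    cat <<'EOF'
(type bashrc_t)
(typeattributeset file_type (bashrc_t))
(roletype object_r bashrc_t)
(deny unconfined_t bashrc_t (file (write append unlink rename)))
EOF
}

# semanage fcontext regexes, one per dotfile, matching every user under HOME_ROOT.
fcontext_specs() {
    local f
    for f in "${DOTFILES[@]}"; do
        printf '%s/[^/]+/\\%s\n' "$HOME_ROOT" "$f"
    done
}

# Every matching dotfile currently present under HOME_ROOT (may print nothing).
dotfile_paths() {
    local f p
    shopt -s nullglob
    for f in "${DOTFILES[@]}"; do
        for p in "$HOME_ROOT"/*/"$f"; do printf '%s\n' "$p"; done
    done
}

# Type field of a context string: "unconfined_u:object_r:bashrc_t:s0" -> bashrc_t
label_type_of() {
    local ctx=$1
    ctx=${ctx#*:}; ctx=${ctx#*:}      # strip SELinux user and role
    printf '%s\n' "${ctx%%:*}"        # keep the type, drop the MLS range
}

# Probe an existing file with opens that change nothing: O_RDWR needs
# file { read write }, O_APPEND needs file { append }. Returns 0 only if
# both are refused with EACCES, which is what the deny rule produces.
write_is_denied() {
    local path=$1 err
    [ -e "$path" ] || return 1        # <> and >> would create a missing file
    if err=$( { : 1<>"$path"; } 2>&1 ); then return 1; fi
    case $err in *"Permission denied"*) ;; *) return 1 ;; esac
    if err=$( { : >>"$path"; } 2>&1 ); then return 1; fi
    case $err in *"Permission denied"*) return 0 ;; *) return 1 ;; esac
}

apply_policy() {                      # run as root
    local cil spec
    cil="${TMPDIR:-/tmp}/$MODULE.cil"
    build_cil_module > "$cil"
    semodule -i "$cil"                # semodule takes CIL source directly
    while IFS= read -r spec; do
        # -a refuses a spec that is already registered; -m modifies it instead
        semanage fcontext -a -t bashrc_t "$spec" 2>/dev/null ||
            semanage fcontext -m -t bashrc_t "$spec"
    done < <(fcontext_specs)
    dotfile_paths | xargs -r restorecon -v
}

verify_protection() {
    local f t ok=0 bad=0
    while IFS= read -r f; do
        t=$(label_type_of "$(stat -c %C "$f")")
        if [ "$t" = bashrc_t ] && write_is_denied "$f"; then
            echo "protected:     $f ($t)"; ok=$((ok + 1))
        else
            echo "NOT protected: $f (label $t)"; bad=$((bad + 1))
        fi
    done < <(dotfile_paths)
    echo "$ok protected, $bad not protected"
    # The refused probes leave AVC records; show them to confirm which rule fired.
    ausearch -m AVC -ts recent 2>/dev/null | grep -F bashrc_t || true
    [ "$bad" -eq 0 ] && [ "$ok" -gt 0 ]
}

case ${1:-} in
    apply)  apply_policy ;;
    verify) verify_protection ;;
    *)      build_cil_module ;;       # default: print the module (./x.sh > bashrc_protect.cil)
esac
```

Run `sudo ./bashrc_protect.sh apply` once, then `sudo ./bashrc_protect.sh verify`; the verify pass is also the quickest way to notice when a dotfile has lost its label, for example after an editor replaced it, since the label check fails before the write probe is even attempted.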