+##
+## Allow chromium to execute it's config (for plugins like Flash)
+##
+##
+gen_tunable(chromium_exec_plugins, false)
+
type chromium_t;
domain_dyntrans_type(chromium_t)
@@ -63,6 +70,9 @@ type chromium_tmpfs_t;
userdom_user_tmpfs_file(chromium_tmpfs_t)
optional_policy(`
pulseaudio_tmpfs_content(chromium_tmpfs_t)
+ pulseaudio_rw_tmpfs_files(chromium_t)
+ pulseaudio_stream_connect(chromium_t)
+ pulseaudio_use_fds(chromium_t)
')
type chromium_xdg_config_t;
@@ -77,7 +87,9 @@ xdg_cache_content(chromium_xdg_cache_t)
#
# execmem for load in plugins
-allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
+allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal signull };
+allow chromium_t self:dir { write add_name };
+allow chromium_t self:file create;
allow chromium_t self:fifo_file rw_fifo_file_perms;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
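Review bot: The two new self rules at `allow chromium_t self:dir { write add_name };` and `allow chromium_t self:file create;` carry no comment saying what operation triggers them, and for a process domain `self:dir`/`self:file` is an unusual pairing that a later maintainer will not be able to tie back to an AVC denial. The only hint is the `# for self:file create` comment above `kernel_associate_proc(chromium_t)` three hunks further down, which suggests these are proc-filesystem creates, but that is inferred rather than visible here. I would add a one-line comment above the dir rule, e.g. `# self dir/file create: see kernel_associate_proc() below — confirm against the denial that motivated it`, so the two additions and the later interface call read as one change. The `signull` addition to the process rule is self-explanatory and needs nothing.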
@@ -96,6 +108,7 @@ allow chromium_t chromium_renderer_t:uni
allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write };
allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write };
+allow chromium_t chromium_sandbox_t:file read_file_perms;
allow chromium_t chromium_naclhelper_t:process { share };
@@ -108,6 +121,9 @@ manage_sock_files_pattern(chromium_t, ch
manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
+# for /run/user/$UID
+userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file })
+
manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
allow chromium_t chromium_tmpfs_t:file map;
fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
@@ -128,7 +144,11 @@ dyntrans_pattern(chromium_t, chromium_re
domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
+# for self:file create
+kernel_associate_proc(chromium_t)
+
kernel_list_proc(chromium_t)
+kernel_read_kernel_sysctls(chromium_t)
kernel_read_net_sysctls(chromium_t)
corecmd_exec_bin(chromium_t)
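Review bot: `kernel_read_kernel_sysctls(chromium_t)` is now granted unconditionally here, while the same interface is still called for `chromium_t` inside `tunable_policy(\`chromium_read_system_info',\`` later in this file (visible in the hunk around line 222 of the new file). After this change the tunable no longer controls kernel-sysctl reads for the browser domain, which silently widens what `chromium_read_system_info=false` promises. Either drop the new unconditional line and rely on the tunable, or remove the now-redundant call from the tunable block and say so in the commit message; I would not leave both.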
@@ -145,6 +165,9 @@ dev_read_sound(chromium_t)
dev_write_sound(chromium_t)
dev_read_urand(chromium_t)
dev_read_rand(chromium_t)
+tunable_policy(`xserver_allow_dri', `
+ dev_rw_dri(chromium_t)
+')
dev_rw_xserver_misc(chromium_t)
dev_map_xserver_misc(chromium_t)
@@ -178,14 +201,15 @@ userdom_use_user_terminals(chromium_t)
userdom_manage_user_certs(chromium_t)
userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
-xdg_create_cache_dirs(chromium_t)
-xdg_create_config_dirs(chromium_t)
-xdg_create_data_dirs(chromium_t)
+xdg_manage_cache(chromium_t)
+xdg_manage_config(chromium_t)
+xdg_manage_data(chromium_t)
xdg_manage_downloads(chromium_t)
-xdg_read_config_files(chromium_t)
-xdg_read_data_files(chromium_t)
xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
+xserver_stream_connect_xdm(chromium_t)
+
+xserver_manage_mesa_shader_cache(chromium_t)
tunable_policy(`chromium_bind_tcp_unreserved_ports',`
corenet_tcp_bind_generic_node(chromium_t)
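Review bot: Replacing `xdg_create_cache_dirs`/`xdg_create_config_dirs`/`xdg_create_data_dirs` plus the two `xdg_read_*_files` calls with `xdg_manage_cache`/`xdg_manage_config`/`xdg_manage_data` moves the domain from create-and-read to full create/write/delete over the generic XDG content types, not only over the chromium-specific `chromium_xdg_config_t` and `chromium_xdg_cache_t` types this module already declares. That broadening is not explained in the hunk, and it is the kind of change that is hard to walk back once other policy starts relying on it. If the motivation is content chromium writes under ~/.config or ~/.local/share that does not get the chromium_xdg_* label, a comment naming that case would justify the width, e.g. `# manage rather than create: chromium writes outside its own chromium_xdg_* types (TODO: list which paths)`. Otherwise the narrower `xdg_create_*` plus the existing chromium_xdg_* manage rules may be sufficient.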
@@ -198,6 +222,11 @@ tunable_policy(`chromium_rw_usb_dev',`
udev_read_db(chromium_t)
')
+tunable_policy(`chromium_exec_plugins',`
+ # sometimes .config/google-chrome/PepperFlash/32.0.0.142/libpepflashplayer.so gets chromium_tmp_t
+ can_exec(chromium_t, { chromium_xdg_config_t chromium_tmp_t })
+')
+
tunable_policy(`chromium_read_system_info',`
kernel_read_kernel_sysctls(chromium_t)
# Memory optimizations & optimizations based on OS/version
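Review bot: The new `chromium_exec_plugins` tunable grants `can_exec(chromium_t, { chromium_xdg_config_t chromium_tmp_t })`, and `chromium_tmp_t` is a type the domain itself creates and writes under /tmp (see the `manage_*_pattern` rules earlier) and, after this patch, also under /run/user/$UID via `userdom_user_runtime_filetrans`. Enabling the tunable therefore lets the browser execute any file it has written to those locations, which is a much wider grant than the one PepperFlash path named in the comment. The tunable's description block at the top of this diff only says "execute it's config"; it should state that temporary files become executable too, or the rule could be limited to `chromium_xdg_config_t` with the tmp case handled separately, e.g. `can_exec(chromium_t, chromium_xdg_config_t)` plus a comment recording the mislabelled-plugin case as the reason for any tmp exception. The description text also has a typo, "it's" for "its".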
@@ -229,6 +258,10 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_dbus_chat(chromium_t)
+')
+
+optional_policy(`
dbus_all_session_bus_client(chromium_t)
dbus_system_bus_client(chromium_t)
@@ -241,8 +274,13 @@ optional_policy(`
')
optional_policy(`
+ devicekit_dbus_chat_disk(chromium_t)
devicekit_dbus_chat_power(chromium_t)
')
+
+ optional_policy(`
+ systemd_dbus_chat_hostnamed(chromium_t)
+ ')
')
optional_policy(`
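Review bot: The new `optional_policy(\`` block containing `systemd_dbus_chat_hostnamed(chromium_t)` appears to be opened inside the devicekit `optional_policy` block rather than after its closing `')`, judging by the indentation and the fact that the outer `')` follows it. If that reading is right, hostnamed D-Bus access is only compiled in when the devicekit module is present, which is an unrelated dependency. I would move the three lines after the outer `')` so it is a sibling block at the same nesting level as the other `optional_policy` entries.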
@@ -252,6 +290,10 @@ optional_policy(`
dpkg_read_db(chromium_t)
')
+optional_policy(`
+ ssh_dontaudit_agent_tmp(chromium_t)
+')
+
ifdef(`use_alsa',`
optional_policy(`
alsa_domain(chromium_t, chromium_tmpfs_t)
@@ -259,6 +301,7 @@ ifdef(`use_alsa',`
optional_policy(`
pulseaudio_domtrans(chromium_t)
+ pulseaudio_read_home(chromium_t)
')
')
@@ -299,6 +342,9 @@ userdom_use_user_terminals(chromium_rend
xdg_read_config_files(chromium_renderer_t)
+# should we have a tunable for this?
+xdg_read_pictures(chromium_t)
+
xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)
tunable_policy(`chromium_read_system_info',`
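Review bot: `xdg_read_pictures(chromium_t)` is added in the `chromium_renderer_t` section of the file (the surrounding context is `xdg_read_config_files(chromium_renderer_t)` and the renderer X template), but it grants to `chromium_t`, so it will be overlooked by anyone reading the browser domain's rules. The accompanying comment `# should we have a tunable for this?` leaves an open question in committed policy. I would move the line up to the `chromium_t` xdg block and either gate it behind an existing or new tunable, or replace the comment with a statement of why unconditional read of the user's pictures is required, e.g. `# file chooser previews read ~/Pictures directly`, whichever matches the actual denial.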
@@ -360,3 +406,6 @@ tunable_policy(`chromium_read_system_inf
dev_read_sysfs(chromium_naclhelper_t)
dev_read_urand(chromium_naclhelper_t)
+kernel_list_proc(chromium_naclhelper_t)
+
+miscfiles_read_localization(chromium_naclhelper_t)
Index: refpolicy-2.20200209/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/kernel/kernel.if
+++ refpolicy-2.20200209/policy/modules/kernel/kernel.if
@@ -2424,6 +2424,24 @@ interface(`kernel_rw_all_sysctls',`
########################################
##