* [refpolicy] Chrome patch for discussion
@ 2017-09-17  3:28 Russell Coker
  2017-09-17  4:18 ` Jason Zaman
From: Russell Coker @ 2017-09-17  3:28 UTC (permalink / raw)
  To: refpolicy

This patch has been hanging around in my collection for years.  I am NOT
suggesting including it as-is.  I am sending it for discussion.

One thing to discuss is whether we use mozilla_t for all browsers (maybe add
a typealias to browser_t or something) or whether we have a chrome_t.  I
think that having a single mozilla_t or browser_t is the better option but I'm
not stuck on it.  I can rewrite it for a separate chrome_t if that is the
consensus.

Index: refpolicy-2.20170917/policy/modules/contrib/mozilla.fc
===================================================================
--- refpolicy-2.20170917.orig/policy/modules/contrib/mozilla.fc
+++ refpolicy-2.20170917/policy/modules/contrib/mozilla.fc
@@ -1,5 +1,8 @@
 HOME_DIR/\.galeon(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.mozilla(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.config/chromium(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.config/google-chrome(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.cache/chromium(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.mozilla/plugins(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
 HOME_DIR/\.netscape(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.phoenix(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
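Review bot: `HOME_DIR/\.cache/chromium` is covered but there is no matching `HOME_DIR/\.cache/google-chrome(/.*)?`, so Chrome's cache stays at the generic home label while Chromium's gets `mozilla_home_t`. Also, none of the .te hunks add a `userdom_user_home_dir_filetrans` for these paths (and one on `.config` or `.cache` itself would mislabel every other application's files there), so these entries only take effect after a relabel; say so in a comment, or add a name-based transition for the `chromium` and `google-chrome` components under whatever type labels `~/.config` and `~/.cache`.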
@@ -14,6 +17,7 @@ HOME_DIR/\.spicec(/.*)?	gen_context(syst
 HOME_DIR/\.ICAClient(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
 HOME_DIR/zimbrauserdata(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
 
+/usr/bin/chromium	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/bin/epiphany	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/bin/epiphany-bin	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/bin/mozilla	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
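Review bot: `/usr/bin/chromium` is labelled `mozilla_exec_t` while the equivalent Chrome wrapper `/opt/google/chrome/google-chrome` in the next hunk is `chrome_browser_exec_t`; both are entrypoints into the same `mozilla_t` domain, so the two wrappers should carry the same type. If `chrome_browser_exec_t` exists so that `chrome_sandbox_t` can re-execute the browser binary back into `mozilla_t`, restrict it to the binaries actually executed that way and say so in mozilla.te.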
@@ -39,3 +43,10 @@ HOME_DIR/zimbrauserdata(/.*)?	gen_contex
 /usr/lib/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 /usr/lib/nspluginwrapper/plugin-config	--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 /usr/lib/xulrunner[^/]*/plugin-container	--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/lib/chromium/chrome-sandbox --	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+/usr/lib/chromium/chromium	--	gen_context(system_u:object_r:chrome_browser_exec_t,s0)
+/opt/google/chrome/chrome-sandbox --	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+/opt/google/chrome/chrome	--	gen_context(system_u:object_r:chrome_browser_exec_t,s0)
+/opt/google/chrome/google-chrome --	gen_context(system_u:object_r:chrome_browser_exec_t,s0)
+/opt/google/chrome/nacl_helper	--	gen_context(system_u:object_r:chrome_browser_exec_t,s0)
+
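Review bot: the three `chrome-sandbox` and `google-chrome` entries separate the path from `--` with a space where the rest of this file uses a tab, and the hunk adds a trailing blank line at end of file. On substance, `chrome-sandbox` is the setuid-root helper and `chrome_sandbox_t` receives `sys_admin`, `sys_chroot` and `setuid` later in the patch; a comment here saying that this is why it gets its own type would help the next reader. `nacl_helper` as `chrome_browser_exec_t` means it runs in `mozilla_t` whether launched directly or through the sandbox transition; state which is intended.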
Index: refpolicy-2.20170917/policy/modules/contrib/mozilla.if
===================================================================
--- refpolicy-2.20170917.orig/policy/modules/contrib/mozilla.if
+++ refpolicy-2.20170917/policy/modules/contrib/mozilla.if
@@ -14,12 +14,18 @@
 ##	User domain for the role.
 ##	</summary>
 ## </param>
+## <param name="type">
+##	<summary>
+##	Type of the user tty
+##	</summary>
+## </param>
 #
 interface(`mozilla_role',`
 	gen_require(`
 		type mozilla_t, mozilla_exec_t, mozilla_home_t;
 		type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
 		type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t;
+		type chrome_sandbox_t, chrome_browser_exec_t;
 		attribute_role mozilla_roles;
 	')
 
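Review bot: `<param name="type">` is too vague, and the summary "Type of the user tty" does not say that every caller in this patch passes `user_devpts_t`; name it e.g. `tty_type`. Making the interface take a third mandatory argument also breaks any `mozilla_role()` caller not touched by this patch, and the argument only feeds one `chr_file { read write }` rule; `userdom_use_inherited_user_terminals(chrome_sandbox_t)` in mozilla.te would cover the user pty for every role without changing the signature. The `gen_require` additions themselves are fine.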
@@ -36,6 +42,7 @@ interface(`mozilla_role',`
 	#
 
 	domtrans_pattern($2, mozilla_exec_t, mozilla_t)
+	domtrans_pattern($2, chrome_browser_exec_t, mozilla_t)
 
 	allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
 	ps_process_pattern($2, mozilla_t)
@@ -45,6 +52,9 @@ interface(`mozilla_role',`
 
 	allow $2 mozilla_t:fd use;
 	allow $2 mozilla_t:shm rw_shm_perms;
+	allow chrome_sandbox_t $2:fd use;
+	allow chrome_sandbox_t $2:fifo_file write;
+	allow chrome_sandbox_t $3:chr_file { read write };
 
 	stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
 
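Review bot: these three rules grant access to `chrome_sandbox_t`, not to the role's domain `$2`, so they are re-emitted by every `mozilla_role()` call and missing for any role that does not make one; they belong in mozilla.te. The `fd use` and `fifo_file write` on `$2` are inherited descriptors from the user's shell (browser started from a terminal, sandbox exec'd from the browser) and the `chr_file` rule is the user's pty, which is what `userdom_use_inherited_user_terminals()` expresses without a `$3`.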
@@ -288,10 +298,12 @@ interface(`mozilla_read_tmp_files',`
 interface(`mozilla_domtrans',`
 	gen_require(`
 		type mozilla_t, mozilla_exec_t;
+		type chrome_browser_exec_t;
 	')
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+	domtrans_pattern($1, chrome_browser_exec_t, mozilla_t)
 ')
 
 ########################################
Index: refpolicy-2.20170917/policy/modules/contrib/mozilla.te
===================================================================
--- refpolicy-2.20170917.orig/policy/modules/contrib/mozilla.te
+++ refpolicy-2.20170917/policy/modules/contrib/mozilla.te
@@ -47,6 +47,45 @@ userdom_user_tmp_file(mozilla_plugin_tmp
 type mozilla_plugin_tmpfs_t;
 userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
 
+type chrome_sandbox_t;
+type chrome_sandbox_exec_t;
+type chrome_browser_exec_t;
+application_domain(mozilla_t, chrome_browser_exec_t)
+userdom_user_application_domain(mozilla_t, chrome_browser_exec_t )
+role mozilla_plugin_roles types chrome_sandbox_t;
+domain_auto_transition_pattern(chrome_sandbox_t, chrome_browser_exec_t, mozilla_t)
+allow mozilla_t chrome_sandbox_t:process sigchld;
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+ubac_constrained(chrome_sandbox_t)
+fs_getattr_xattr_fs(chrome_sandbox_t)
+
+allow chrome_sandbox_t mozilla_t:dir list_dir_perms;
+allow chrome_sandbox_t mozilla_t:fifo_file rw_file_perms;
+allow chrome_sandbox_t mozilla_t:file read_file_perms;
+allow chrome_sandbox_t mozilla_t:lnk_file read_lnk_file_perms;
+allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write };
+allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write };
+allow chrome_sandbox_t mozilla_t:fd use;
+allow chrome_sandbox_t mozilla_t:file write;
+allow chrome_sandbox_t proc_t:dir read;
+allow chrome_sandbox_t self:process setrlimit;
+type chrome_sandbox_tmp_t;
+
+# this is needed for Chrome (not Chromium) startup
+allow chrome_sandbox_t mozilla_t:process { siginh rlimitinh noatsecure };
+
+files_tmp_file(chrome_sandbox_tmp_t)
+ubac_constrained(chrome_sandbox_tmp_t)
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { file dir })
+allow chrome_sandbox_t chrome_sandbox_tmp_t:dir manage_dir_perms;
+allow mozilla_t self:unix_dgram_socket sendto;
+allow mozilla_t chrome_browser_exec_t:file execute_no_trans;
+# for V8
+allow mozilla_t self:process execmem;
+
+allow mozilla_t chrome_sandbox_t:shm { write unix_read getattr unix_write associate read };
+allow mozilla_t chrome_sandbox_t:unix_dgram_socket { read write };
+
 optional_policy(`
 	pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)
 ')
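Review bot: `proc_t` is used directly in `allow chrome_sandbox_t proc_t:dir read;`; a contrib module cannot reference a kernel-module type without an interface, so use `kernel_list_proc(chrome_sandbox_t)` (the monolithic build hides this). Next: `fifo_file rw_file_perms` should be `rw_fifo_file_perms`; the `dir`/`file`/`lnk_file` reads plus the separate `file write` on `mozilla_t` look like /proc/<pid> access, so use `ps_process_pattern(chrome_sandbox_t, mozilla_t)` and comment which /proc file is written; the six shm permissions are exactly `rw_shm_perms`; `application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)` is repeated in the next hunk; and `type chrome_sandbox_tmp_t;` sits between allow rules instead of with the other declarations. `role mozilla_plugin_roles types chrome_sandbox_t;` ties the sandbox to the plugin role attribute although it is entered from `mozilla_t`; confirm every role that gets `mozilla_role()` is also in `mozilla_plugin_roles`, otherwise the transition fails the role check. Finally, `domain_auto_transition_pattern(chrome_sandbox_t, chrome_browser_exec_t, mozilla_t)` brings the sandboxed children straight back into `mozilla_t`, so the sandbox domain only holds the setuid helper's capabilities and SELinux gives the renderers nothing tighter than the browser itself (which now also has `execmem`); that deserves a comment, and it is the main argument for the separate renderer domain mentioned later in the thread.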
@@ -76,8 +115,22 @@ optional_policy(`
 # Local policy
 #
 
+dontaudit chrome_sandbox_t domain:dir getattr;
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+domain_auto_transition_pattern(mozilla_t, chrome_sandbox_exec_t, chrome_sandbox_t)
+allow mozilla_t mozilla_home_t:sock_file manage_sock_file_perms;
+allow chrome_sandbox_t self:fifo_file rw_file_perms;
+allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write };
+allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write };
+allow chrome_sandbox_t self:capability { chown dac_override fsetid net_raw setgid setuid sys_admin sys_chroot sys_ptrace };
+allow chrome_sandbox_t mozilla_t:process { share sigchld };
+allow mozilla_t chrome_sandbox_t:fd use;
+allow mozilla_t chrome_sandbox_t:unix_stream_socket { read write };
+dev_read_sysfs(mozilla_t)
+domain_dontaudit_search_all_domains_state(chrome_sandbox_t)
+
 allow mozilla_t self:capability { setgid setuid sys_nice };
-allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+allow mozilla_t self:process { sigkill signal setsched getsched setrlimit setcap };
 allow mozilla_t self:fifo_file rw_fifo_file_perms;
 allow mozilla_t self:shm create_shm_perms;
 allow mozilla_t self:sem create_sem_perms;
@@ -90,6 +143,10 @@ allow mozilla_t mozilla_plugin_t:fd use;
 allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
 allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map };
 allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
+
+# for plugins
+can_exec(mozilla_t, mozilla_home_t)
+
 userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
 userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
 userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape")
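Review bot: `can_exec(mozilla_t, mozilla_home_t)` lets the browser execute any file under its own profile (`~/.mozilla`, `~/.config/chromium`, `~/.config/google-chrome`), i.e. content the browser writes itself, so anything a compromised page manages to drop into the profile can be run in `mozilla_t`. The existing rule later in the file already grants `can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })`, and `mozilla_plugin_home_t` is the type for executable plugin content in the home directory, so the "for plugins" comment is already served. Drop this line, or if a specific Chrome component has to be executed from the profile, give that path its own type.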
@@ -100,6 +157,7 @@ filetrans_pattern(mozilla_t, mozilla_hom
 manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
 manage_lnk_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
 manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+manage_sock_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
 allow mozilla_t mozilla_tmp_t:file map;
 files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
 
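Review bot: a socket only inherits `mozilla_tmp_t` when it is created inside a directory already of that type; `files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })` two lines below still lists no `sock_file`, so a socket created directly in /tmp gets the generic tmp type and this new `manage_sock_files_pattern` will not apply to it. Either add `sock_file` to the filetrans or comment that the socket lives in a browser-created directory.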
@@ -107,7 +165,10 @@ manage_files_pattern(mozilla_t, mozilla_
 manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
 manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
-fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+# so mozilla can create /var/run/user/PID/pulse
+auth_read_var_auth(mozilla_t)
 
 allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
 allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
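Review bot: the comment and the interface disagree: `auth_read_var_auth()` grants read access to `var_auth_t`, which is not the type of `/var/run/user/<uid>`, and a read interface cannot be what lets the browser create a `pulse` directory. State the denial this fixes and use the interface for that object (the user runtime-directory interfaces in userdomain or the pulseaudio module); also the path component is the user's uid, not a PID. Adding `dir` to `fs_tmpfs_filetrans` is fine but should get its own one-line comment.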
@@ -117,11 +178,16 @@ stream_connect_pattern(mozilla_t, mozill
 
 can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
 
+allow mozilla_t self:netlink_kobject_uevent_socket create_socket_perms;
+
 kernel_read_kernel_sysctls(mozilla_t)
 kernel_read_network_state(mozilla_t)
 kernel_read_system_state(mozilla_t)
 kernel_read_net_sysctls(mozilla_t)
 
+# for overcommit_memory
+kernel_read_vm_overcommit_sysctl(mozilla_t)
+
 corecmd_list_bin(mozilla_t)
 corecmd_exec_shell(mozilla_t)
 corecmd_exec_bin(mozilla_t)
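Review bot: `netlink_kobject_uevent_socket create_socket_perms` lets the browser receive kernel hotplug events for every device on the system, and there is no comment saying which component needs it (libudev-based device enumeration is the usual reason). If only the Chrome code path needs it, this is exactly the kind of rule the separate domain discussed in the thread keeps out of Firefox; otherwise name the feature in a comment or gate it with a tunable.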
@@ -166,6 +232,8 @@ dev_read_rand(mozilla_t)
 dev_read_urand(mozilla_t)
 dev_rw_dri(mozilla_t)
 dev_write_sound(mozilla_t)
+dev_dontaudit_getattr_all_chr_files(mozilla_t)
+dev_dontaudit_getattr_all_blk_files(mozilla_t)
 
 domain_dontaudit_read_all_domains_state(mozilla_t)
 
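Review bot: dontauditing `getattr` on every character and block device node silences whatever library scans /dev, but it also hides future legitimate denials for real device access; add a comment naming the scan that motivates it so the rule can be revisited or narrowed.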
@@ -207,6 +275,7 @@ mozilla_run_plugin(mozilla_t, mozilla_ro
 mozilla_run_plugin_config(mozilla_t, mozilla_roles)
 
 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+corenet_tcp_connect_xserver_port(mozilla_t)
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
 xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
 
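Review bot: `xserver_user_x_domain_template()` already gives the local X connection over the unix socket; `corenet_tcp_connect_xserver_port()` adds TCP connects to the X port, which is only needed when an X server listens on TCP and carries the session unencrypted across the network. Unless a real denial motivated it, drop it, or put it under a tunable rather than granting it to every browser unconditionally.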
Index: refpolicy-2.20170917/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20170917.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20170917/policy/modules/kernel/corecommands.fc
@@ -120,6 +120,7 @@ ifdef(`distro_debian',`
 /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/opt/google/chrome/cron/google-chrome -- gen_context(system_u:object_r:bin_t,s0)
 
 /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 
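Review bot: the new entry uses single spaces around `--` where this file tab-aligns the context column. Nothing in the patch says what `/opt/google/chrome/cron/google-chrome` is; a one-line comment that it is the cron job shipped with the Chrome package, run from cron rather than by the browser, would explain why it is `bin_t` rather than `chrome_browser_exec_t`.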
Index: refpolicy-2.20170917/policy/modules/contrib/xguest.te
===================================================================
--- refpolicy-2.20170917.orig/policy/modules/contrib/xguest.te
+++ refpolicy-2.20170917/policy/modules/contrib/xguest.te
@@ -103,7 +103,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mozilla_role(xguest_r, xguest_t)
+	mozilla_role(xguest_r, xguest_t, user_devpts_t)
 ')
 
 optional_policy(`
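Review bot: `user_devpts_t` is referenced directly here, and unless xguest.te already requires it inside this `optional_policy` block the module will not link in a modular build (a monolithic build only works because userdomain declares it). Add a `gen_require` here, or better keep `mozilla_role()` at two arguments and grant the pty access inside mozilla.te; the same applies to the staff, sysadm and unprivuser hunks below, which all pass the identical type.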
Index: refpolicy-2.20170917/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20170917.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20170917/policy/modules/roles/staff.te
@@ -142,7 +142,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		mozilla_role(staff_r, staff_t)
+		mozilla_role(staff_r, staff_t, user_devpts_t)
 	')
 
 	optional_policy(`
Index: refpolicy-2.20170917/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20170917.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20170917/policy/modules/roles/sysadm.te
@@ -648,7 +648,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mozilla_role(sysadm_r, sysadm_t)
+	mozilla_role(sysadm_r, sysadm_t, user_devpts_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20170917/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20170917.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20170917/policy/modules/roles/unprivuser.te
@@ -114,7 +114,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		mozilla_role(user_r, user_t)
+		mozilla_role(user_r, user_t, user_devpts_t)
 	')
 
 	optional_policy(`


* [refpolicy] Chrome patch for discussion
  2017-09-17  3:28 [refpolicy] Chrome patch for discussion Russell Coker
@ 2017-09-17  4:18 ` Jason Zaman
  2017-09-17  5:16   ` Russell Coker
  2017-09-17 14:14   ` Chris PeBenito
From: Jason Zaman @ 2017-09-17  4:18 UTC (permalink / raw)
  To: refpolicy

On Sun, Sep 17, 2017 at 01:28:11PM +1000, Russell Coker via refpolicy wrote:
> This patch has been hanging around in my collection for years.  I am NOT
> suggesting including it as-is.  I am sending it for discussion.
> 
> One thing to discuss is whether we use mozilla_t for all browsers (maybe add
> a typealias to browser_t or something) or whether we have a chrome_t.  I
> think that having a single mozilla_t or browser_t is the better option but I'm
> not stuck on it.  I can rewrite it for a separate chrome_t if that is the
> consensus.


We've had a chromium_t in Gentoo for quite a while.

https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.te
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.if
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.fc

I kind of like Firefox and Chromium separate because Chrome has a bunch of
booleans for Chromecast and FIDO U2F and stuff, so then fewer perms can be
given to FF.

Another thing is that FF can work without execmem if you build with JIT
disabled, but Chrome won't.

If we're separating the domains then we can just use the Gentoo one
instead of having to rewrite. I can send it upstream if it's good.
Any comments on it?

> 
> Index: refpolicy-2.20170917/policy/modules/contrib/mozilla.fc
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/contrib/mozilla.fc
> +++ refpolicy-2.20170917/policy/modules/contrib/mozilla.fc
> @@ -1,5 +1,8 @@
>  HOME_DIR/\.galeon(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
>  HOME_DIR/\.mozilla(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
> +HOME_DIR/\.config/chromium(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
> +HOME_DIR/\.config/google-chrome(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
> +HOME_DIR/\.cache/chromium(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
>  HOME_DIR/\.mozilla/plugins(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
>  HOME_DIR/\.netscape(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
>  HOME_DIR/\.phoenix(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
> @@ -14,6 +17,7 @@ HOME_DIR/\.spicec(/.*)?	gen_context(syst
>  HOME_DIR/\.ICAClient(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
>  HOME_DIR/zimbrauserdata(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
>  
> +/usr/bin/chromium	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
>  /usr/bin/epiphany	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
>  /usr/bin/epiphany-bin	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
>  /usr/bin/mozilla	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
> @@ -39,3 +43,10 @@ HOME_DIR/zimbrauserdata(/.*)?	gen_contex
>  /usr/lib/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
>  /usr/lib/nspluginwrapper/plugin-config	--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
>  /usr/lib/xulrunner[^/]*/plugin-container	--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
> +/usr/lib/chromium/chrome-sandbox --	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
> +/usr/lib/chromium/chromium	--	gen_context(system_u:object_r:chrome_browser_exec_t,s0)
> +/opt/google/chrome/chrome-sandbox --	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
> +/opt/google/chrome/chrome	--	gen_context(system_u:object_r:chrome_browser_exec_t,s0)
> +/opt/google/chrome/google-chrome --	gen_context(system_u:object_r:chrome_browser_exec_t,s0)
> +/opt/google/chrome/nacl_helper	--	gen_context(system_u:object_r:chrome_browser_exec_t,s0)
> +
> Index: refpolicy-2.20170917/policy/modules/contrib/mozilla.if
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/contrib/mozilla.if
> +++ refpolicy-2.20170917/policy/modules/contrib/mozilla.if
> @@ -14,12 +14,18 @@
>  ##	User domain for the role.
>  ##	</summary>
>  ## </param>
> +## <param name="type">
> +##	<summary>
> +##	Type of the user tty
> +##	</summary>
> +## </param>
>  #
>  interface(`mozilla_role',`
>  	gen_require(`
>  		type mozilla_t, mozilla_exec_t, mozilla_home_t;
>  		type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
>  		type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t;
> +		type chrome_sandbox_t, chrome_browser_exec_t;
>  		attribute_role mozilla_roles;
>  	')
>  
> @@ -36,6 +42,7 @@ interface(`mozilla_role',`
>  	#
>  
>  	domtrans_pattern($2, mozilla_exec_t, mozilla_t)
> +	domtrans_pattern($2, chrome_browser_exec_t, mozilla_t)
>  
>  	allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
>  	ps_process_pattern($2, mozilla_t)
> @@ -45,6 +52,9 @@ interface(`mozilla_role',`
>  
>  	allow $2 mozilla_t:fd use;
>  	allow $2 mozilla_t:shm rw_shm_perms;
> +	allow chrome_sandbox_t $2:fd use;
> +	allow chrome_sandbox_t $2:fifo_file write;
> +	allow chrome_sandbox_t $3:chr_file { read write };
>  
>  	stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
>  
> @@ -288,10 +298,12 @@ interface(`mozilla_read_tmp_files',`
>  interface(`mozilla_domtrans',`
>  	gen_require(`
>  		type mozilla_t, mozilla_exec_t;
> +		type chrome_browser_exec_t;
>  	')
>  
>  	corecmd_search_bin($1)
>  	domtrans_pattern($1, mozilla_exec_t, mozilla_t)
> +	domtrans_pattern($1, chrome_browser_exec_t, mozilla_t)
>  ')
>  
>  ########################################
> Index: refpolicy-2.20170917/policy/modules/contrib/mozilla.te
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/contrib/mozilla.te
> +++ refpolicy-2.20170917/policy/modules/contrib/mozilla.te
> @@ -47,6 +47,45 @@ userdom_user_tmp_file(mozilla_plugin_tmp
>  type mozilla_plugin_tmpfs_t;
>  userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
>  
> +type chrome_sandbox_t;
> +type chrome_sandbox_exec_t;
> +type chrome_browser_exec_t;
> +application_domain(mozilla_t, chrome_browser_exec_t)
> +userdom_user_application_domain(mozilla_t, chrome_browser_exec_t )
> +role mozilla_plugin_roles types chrome_sandbox_t;
> +domain_auto_transition_pattern(chrome_sandbox_t, chrome_browser_exec_t, mozilla_t)
> +allow mozilla_t chrome_sandbox_t:process sigchld;
> +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
> +ubac_constrained(chrome_sandbox_t)
> +fs_getattr_xattr_fs(chrome_sandbox_t)
> +
> +allow chrome_sandbox_t mozilla_t:dir list_dir_perms;
> +allow chrome_sandbox_t mozilla_t:fifo_file rw_file_perms;
> +allow chrome_sandbox_t mozilla_t:file read_file_perms;
> +allow chrome_sandbox_t mozilla_t:lnk_file read_lnk_file_perms;
> +allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write };
> +allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write };
> +allow chrome_sandbox_t mozilla_t:fd use;
> +allow chrome_sandbox_t mozilla_t:file write;
> +allow chrome_sandbox_t proc_t:dir read;
> +allow chrome_sandbox_t self:process setrlimit;
> +type chrome_sandbox_tmp_t;
> +
> +# this is needed for Chrome (not Chromium) startup
> +allow chrome_sandbox_t mozilla_t:process { siginh rlimitinh noatsecure };
> +
> +files_tmp_file(chrome_sandbox_tmp_t)
> +ubac_constrained(chrome_sandbox_tmp_t)
> +files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { file dir })
> +allow chrome_sandbox_t chrome_sandbox_tmp_t:dir manage_dir_perms;
> +allow mozilla_t self:unix_dgram_socket sendto;
> +allow mozilla_t chrome_browser_exec_t:file execute_no_trans;
> +# for V8
> +allow mozilla_t self:process execmem;
> +
> +allow mozilla_t chrome_sandbox_t:shm { write unix_read getattr unix_write associate read };
> +allow mozilla_t chrome_sandbox_t:unix_dgram_socket { read write };
> +
>  optional_policy(`
>  	pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)
>  ')
> @@ -76,8 +115,22 @@ optional_policy(`
>  # Local policy
>  #
>  
> +dontaudit chrome_sandbox_t domain:dir getattr;
> +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
> +domain_auto_transition_pattern(mozilla_t, chrome_sandbox_exec_t, chrome_sandbox_t)
> +allow mozilla_t mozilla_home_t:sock_file manage_sock_file_perms;
> +allow chrome_sandbox_t self:fifo_file rw_file_perms;
> +allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write };
> +allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write };
> +allow chrome_sandbox_t self:capability { chown dac_override fsetid net_raw setgid setuid sys_admin sys_chroot sys_ptrace };
> +allow chrome_sandbox_t mozilla_t:process { share sigchld };
> +allow mozilla_t chrome_sandbox_t:fd use;
> +allow mozilla_t chrome_sandbox_t:unix_stream_socket { read write };
> +dev_read_sysfs(mozilla_t)
> +domain_dontaudit_search_all_domains_state(chrome_sandbox_t)
> +
>  allow mozilla_t self:capability { setgid setuid sys_nice };
> -allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
> +allow mozilla_t self:process { sigkill signal setsched getsched setrlimit setcap };
>  allow mozilla_t self:fifo_file rw_fifo_file_perms;
>  allow mozilla_t self:shm create_shm_perms;
>  allow mozilla_t self:sem create_sem_perms;
> @@ -90,6 +143,10 @@ allow mozilla_t mozilla_plugin_t:fd use;
>  allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
>  allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map };
>  allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
> +
> +# for plugins
> +can_exec(mozilla_t, mozilla_home_t)
> +
>  userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
>  userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
>  userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape")
> @@ -100,6 +157,7 @@ filetrans_pattern(mozilla_t, mozilla_hom
>  manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
>  manage_lnk_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
>  manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> +manage_sock_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
>  allow mozilla_t mozilla_tmp_t:file map;
>  files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
>  
> @@ -107,7 +165,10 @@ manage_files_pattern(mozilla_t, mozilla_
>  manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
>  manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
>  manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
> -fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
> +fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { dir file lnk_file sock_file fifo_file })
> +
> +# so mozilla can create /var/run/user/PID/pulse
> +auth_read_var_auth(mozilla_t)
>  
>  allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
>  allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
> @@ -117,11 +178,16 @@ stream_connect_pattern(mozilla_t, mozill
>  
>  can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
>  
> +allow mozilla_t self:netlink_kobject_uevent_socket create_socket_perms;
> +
>  kernel_read_kernel_sysctls(mozilla_t)
>  kernel_read_network_state(mozilla_t)
>  kernel_read_system_state(mozilla_t)
>  kernel_read_net_sysctls(mozilla_t)
>  
> +# for overcommit_memory
> +kernel_read_vm_overcommit_sysctl(mozilla_t)
> +
>  corecmd_list_bin(mozilla_t)
>  corecmd_exec_shell(mozilla_t)
>  corecmd_exec_bin(mozilla_t)
> @@ -166,6 +232,8 @@ dev_read_rand(mozilla_t)
>  dev_read_urand(mozilla_t)
>  dev_rw_dri(mozilla_t)
>  dev_write_sound(mozilla_t)
> +dev_dontaudit_getattr_all_chr_files(mozilla_t)
> +dev_dontaudit_getattr_all_blk_files(mozilla_t)
>  
>  domain_dontaudit_read_all_domains_state(mozilla_t)
>  
> @@ -207,6 +275,7 @@ mozilla_run_plugin(mozilla_t, mozilla_ro
>  mozilla_run_plugin_config(mozilla_t, mozilla_roles)
>  
>  xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
> +corenet_tcp_connect_xserver_port(mozilla_t)
>  xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
>  xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
>  
> Index: refpolicy-2.20170917/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20170917/policy/modules/kernel/corecommands.fc
> @@ -120,6 +120,7 @@ ifdef(`distro_debian',`
>  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  
>  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
> +/opt/google/chrome/cron/google-chrome -- gen_context(system_u:object_r:bin_t,s0)
>  
>  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
>  
> Index: refpolicy-2.20170917/policy/modules/contrib/xguest.te
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/contrib/xguest.te
> +++ refpolicy-2.20170917/policy/modules/contrib/xguest.te
> @@ -103,7 +103,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> -	mozilla_role(xguest_r, xguest_t)
> +	mozilla_role(xguest_r, xguest_t, user_devpts_t)
>  ')
>  
>  optional_policy(`
> Index: refpolicy-2.20170917/policy/modules/roles/staff.te
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/roles/staff.te
> +++ refpolicy-2.20170917/policy/modules/roles/staff.te
> @@ -142,7 +142,7 @@ ifndef(`distro_redhat',`
>  	')
>  
>  	optional_policy(`
> -		mozilla_role(staff_r, staff_t)
> +		mozilla_role(staff_r, staff_t, user_devpts_t)
>  	')
>  
>  	optional_policy(`
> Index: refpolicy-2.20170917/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20170917/policy/modules/roles/sysadm.te
> @@ -648,7 +648,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> -	mozilla_role(sysadm_r, sysadm_t)
> +	mozilla_role(sysadm_r, sysadm_t, user_devpts_t)
>  ')
>  
>  optional_policy(`
> Index: refpolicy-2.20170917/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20170917/policy/modules/roles/unprivuser.te
> @@ -114,7 +114,7 @@ ifndef(`distro_redhat',`
>  	')
>  
>  	optional_policy(`
> -		mozilla_role(user_r, user_t)
> +		mozilla_role(user_r, user_t, user_devpts_t)
>  	')
>  
>  	optional_policy(`

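The boolean approach described above, as an added illustration rather than text from the Gentoo chromium module: a privilege only some users need (FIDO U2F token access over USB) and one the patch at the top of the thread grants unconditionally (execmem, needed by V8 but not by a JIT-less Firefox) are each put behind a tunable, so a domain that never gets the tunable simply never carries the rule. The boolean names, the use of Gentoo's chromium_t type, and the choice of dev_rw_generic_usb_dev() as the interface for USB token access are assumptions made for this example.

```m4
## <desc>
##	<p>
##	Allow Chromium to talk to FIDO U2F tokens over USB.
##	</p>
## </desc>
gen_tunable(chromium_u2f, false)

## <desc>
##	<p>
##	Allow Chromium to map memory both writable and executable
##	(needed by the V8 JIT; a JIT-less build can leave this off).
##	</p>
## </desc>
gen_tunable(chromium_execmem, false)

########################################
#
# Local policy (excerpt; chromium_t is assumed to be declared above)
#

# Nothing inside a tunable_policy block is granted while the boolean is
# off, so the default profile carries neither permission.
tunable_policy(`chromium_u2f',`
	dev_rw_generic_usb_dev(chromium_t)
')

tunable_policy(`chromium_execmem',`
	allow chromium_t self:process execmem;
')
```

A user with a token turns the first one on with `setsebool -P chromium_u2f on`; a Firefox domain that has no such tunables never gets the rules at all, which is the "fewer perms for FF" effect of keeping the domains separate.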

* [refpolicy] Chrome patch for discussion
  2017-09-17  4:18 ` Jason Zaman
@ 2017-09-17  5:16   ` Russell Coker
  2017-09-19  2:55     ` Jason Zaman
  2017-09-17 14:14   ` Chris PeBenito
From: Russell Coker @ 2017-09-17  5:16 UTC (permalink / raw)
  To: refpolicy

On Sunday, 17 September 2017 12:18:12 PM AEST Jason Zaman wrote:
> We've had a chromium_t in Gentoo for quite a while.
> 
> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.te
> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.if
> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.fc
> 
> I kind of like Firefox and Chromium separate because Chrome has a bunch of
> booleans for Chromecast and FIDO U2F and stuff, so then fewer perms can be
> given to FF.
> 
> Another thing is that FF can work without execmem if you build with JIT
> disabled, but Chrome won't.

Those are good reasons for separating the domains.

> If we're separating the domains then we can just use the gentoo one
> instead of having to re-write. I can send it upstream if its good.
> Any comments on it?

Your policy is more comprehensive than mine.

How does that chromium_renderer_t work?  Is that a standard chrome feature or 
something special you did?  It would probably be best to have a comment in the 
policy about this.

It seems that the only difference between chromium_xdg_config_t and 
chromium_xdg_cache_t is that the latter can't be read by chromium_renderer_t.  
Is that sufficient reason to have an extra type?

Apart from that it appears ok to me.  NB I haven't run it, I've just inspected 
it.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

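Part of "just inspected it" can be mechanised. The script below is an added example, not code from this thread, from refpolicy or from Gentoo's policy: it applies three checks a reviewer of the patch at the top of the thread would otherwise do by eye (source or target names that the module neither declares nor requires, statements repeated verbatim, and `<verb>_<class>_perms` macros written for a different object class than the rule names) to a constructed sample built from lines of the patch's mozilla.te hunks. The class list, verb prefixes and regular expressions are deliberate simplifications of the policy language and handle single-line statements only.

```python
"""Static checks a reviewer applies to a refpolicy .te module: names used
without being declared or required, statements repeated verbatim, and
<verb>_<class>_perms macros used on a different object class.
Added example, not part of refpolicy; single-line statements only."""
import re

# Classes whose permission macros are spelled <verb>_<class>_perms.
KNOWN_CLASSES = {"file", "dir", "lnk_file", "fifo_file", "sock_file",
                 "chr_file", "blk_file", "shm", "sem", "msgq", "socket"}
# Leading verb of a macro, dropped before comparing the class part.
VERB_PREFIXES = {"read", "write", "rw", "manage", "list", "create", "relabel",
                 "append", "exec", "getattr", "setattr", "search", "delete",
                 "rename", "mmap"}
AV_RULE = re.compile(
    r"^(allow|dontaudit|auditallow|neverallow)\s+"
    r"(?P<src>\{[^}]*\}|\S+)\s+(?P<tgt>\{[^}]*\}|\S+?):(?P<cls>\{[^}]*\}|\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+?)\s*;$")
CALL = re.compile(r"^\w+\([^)]*\)$")                 # interface or macro call
TYPE_DECL = re.compile(r"^(type|attribute)\s+(\w+)")  # top-level declaration
REQUIRE = re.compile(r"^(type|attribute)\s+([\w\s,]+);")  # inside gen_require

# Constructed sample: lines taken from the patch's mozilla.te hunks, plus
# just the declarations needed to make the legitimate references resolve.
SAMPLE_TE = """\
type mozilla_t;
type mozilla_home_t;
type chrome_sandbox_t;
type chrome_sandbox_exec_t;
type chrome_browser_exec_t;
type chrome_sandbox_tmp_t;
application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
allow chrome_sandbox_t mozilla_t:fifo_file rw_file_perms;
allow chrome_sandbox_t mozilla_t:lnk_file read_lnk_file_perms;
allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write };
allow chrome_sandbox_t proc_t:dir read;
allow chrome_sandbox_t self:process setrlimit;
dontaudit chrome_sandbox_t domain:dir getattr;
application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write };
allow mozilla_t self:netlink_kobject_uevent_socket create_socket_perms;
allow mozilla_t chrome_sandbox_t:shm { write unix_read getattr unix_write associate read };
"""


def names(token):
    """Split a single name or a '{ a b c }' set into its names."""
    return token.strip("{} ").split()


def parse_declarations(lines):
    """Types/attributes the module declares or pulls in via gen_require."""
    declared, in_require = set(), False
    for raw in lines:
        s = raw.strip()
        if s.startswith("gen_require("):
            in_require = True
        elif in_require and s.startswith("')"):
            in_require = False
        elif in_require and (m := REQUIRE.match(s)):
            declared.update(n.strip() for n in m.group(2).split(","))
        elif not in_require and (m := TYPE_DECL.match(s)):
            declared.add(m.group(2))
    return declared


def macro_class(perm):
    """Object class implied by a <verb>_<class>_perms macro, else None."""
    if not perm.endswith("_perms"):
        return None
    parts = perm[: -len("_perms")].split("_")
    if parts and parts[0] in VERB_PREFIXES:
        parts = parts[1:]
    cand = "_".join(parts)
    return cand if cand in KNOWN_CLASSES else None


def class_matches(cls, macro_cls):
    """create_socket_perms and friends apply to every *_socket class."""
    return cls == macro_cls or (macro_cls == "socket" and cls.endswith("socket"))


def lint(text):
    """Return (line_no, kind, message) findings for a .te module text."""
    lines = text.splitlines()
    declared = parse_declarations(lines)
    findings, seen = [], {}
    for no, raw in enumerate(lines, 1):
        s = " ".join(raw.split())            # collapse whitespace
        if not s or s.startswith("#"):
            continue
        av = AV_RULE.match(s)
        # 1. the same rule or call appearing twice
        if av or CALL.match(s):
            if s in seen:
                findings.append((no, "duplicate", f"repeats line {seen[s]}: {s}"))
            else:
                seen[s] = no
        if not av:
            continue
        # 2. source/target names this module neither declares nor requires
        for name in names(av["src"]) + names(av["tgt"]):
            if name != "self" and not name.startswith("$") and name not in declared:
                findings.append((no, "undeclared", f"{name} is not declared or required here"))
        # 3. <verb>_<class>_perms macro used on a different class
        for cls in names(av["cls"]):
            for perm in names(av["perms"]):
                mc = macro_class(perm)
                if mc and not class_matches(cls, mc):
                    findings.append((no, "class-mismatch", f"{perm} used on class {cls}"))
    return findings


if __name__ == "__main__":
    for no, kind, msg in lint(SAMPLE_TE):
        print(f"line {no}: {kind}: {msg}")
```

Run against the sample it reports the `rw_file_perms` on `fifo_file`, the raw `proc_t` and `domain` references, and the two repeated statements; feeding it a whole module before posting catches the class of problem that only shows up at link time in a modular build.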

* [refpolicy] Chrome patch for discussion
  2017-09-17  4:18 ` Jason Zaman
  2017-09-17  5:16   ` Russell Coker
@ 2017-09-17 14:14   ` Chris PeBenito
From: Chris PeBenito @ 2017-09-17 14:14 UTC (permalink / raw)
  To: refpolicy

On 09/17/2017 12:18 AM, Jason Zaman via refpolicy wrote:
> On Sun, Sep 17, 2017 at 01:28:11PM +1000, Russell Coker via refpolicy wrote:
>> This patch has been hanging around in my collection for years.  I am NOT
>> suggesting including it as-is.  I am sending it for discussion.
>>
>> One thing to discuss is whether we use mozilla_t for all browsers (maybe add
>> a typealias to browser_t or something) or whether we have a chrome_t.  I
>> think that having a single mozilla_t or browser_t is the better option but I'm
>> not stuck on it.  I can rewrite it for a separate chrome_t if that is the
>> consensus.
> 
> 
> We've had a chromium_t in Gentoo for quite a while.
> 
> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.te
> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.if
> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.fc
> 
> I kind of like Firefox and Chromium separate because Chrome has a bunch of
> booleans for Chromecast and FIDO U2F and stuff, so then fewer perms can be
> given to FF.
> 
> Another thing is that FF can work without execmem if you build with JIT
> disabled, but Chrome won't.
> 
> If we're separating the domains then we can just use the Gentoo one
> instead of having to rewrite. I can send it upstream if it's good.
> Any comments on it?

I didn't look at either of the policies, but I'm fine with chrome having 
its own domain.

-- 
Chris PeBenito


* [refpolicy] Chrome patch for discussion
  2017-09-17  5:16   ` Russell Coker
@ 2017-09-19  2:55     ` Jason Zaman
From: Jason Zaman @ 2017-09-19  2:55 UTC (permalink / raw)
  To: refpolicy

On Sun, Sep 17, 2017 at 03:16:30PM +1000, Russell Coker wrote:
> On Sunday, 17 September 2017 12:18:12 PM AEST Jason Zaman wrote:
> > We've had a chromium_t in Gentoo for quite a while.
> > 
> > https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.te
> > https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.if
> > https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.fc
> > 
> > I kind of like Firefox and Chromium separate because Chrome has a bunch of
> > booleans for Chromecast and FIDO U2F and stuff, so then fewer perms can be
> > given to FF.
> > 
> > Another thing is that FF can work without execmem if you build with JIT
> > disabled, but Chrome won't.
> 
> Those are good reasons for separating the domains.
> 
> > If we're separating the domains then we can just use the Gentoo one
> > instead of having to rewrite. I can send it upstream if it's good.
> > Any comments on it?
> 
> Your policy is more comprehensive than mine.
> 
> How does that chromium_renderer_t work?  Is that a standard chrome feature or 
> something special you did?  It would probably be best to have a comment in the 
> policy about this.

Not sure, it's been around for ages. I think it originally came from the
Chromium project itself and Sven imported it into Gentoo, but I'm not sure
exactly.
> 
> It seems that the only difference between chromium_xdg_config_t and 
> chromium_xdg_cache_t is that the latter can't be read by chromium_renderer_t.  
> Is that sufficient reason to have an extra type?

Well, the xdg stuff is automatic in the Gentoo policy and they get
booleans if users want to be able to access other things, so they
probably have to stay.

> Apart from that it appears ok to me.  NB I haven't run it, I've just inspected 
> it.

Since Chris is okay with it too, I'll do some cleanups and send it
upstream soon.

-- Jason

> -- 
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
> 

