From: pebenito@ieee.org (Chris PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Chrome patch for discussion
Date: Sun, 17 Sep 2017 10:14:19 -0400	[thread overview]
Message-ID: <d3940940-28ad-c192-793a-79a0f964fc20@ieee.org> (raw)
In-Reply-To: <20170917041812.GA29152@meriadoc.perfinion.com>

On 09/17/2017 12:18 AM, Jason Zaman via refpolicy wrote:
> On Sun, Sep 17, 2017 at 01:28:11PM +1000, Russell Coker via refpolicy wrote:
>> This patch has been hanging around in my collection for years.  I am NOT
>> suggesting including it as-is.  I am sending it for discussion.
>>
>> One thing to discuss is whether we use mozilla_t for all browsers (maybe add
>> a typealias to browser_t or something) or whether we have a chrome_t.  I
>> think that having a single mozilla_t or browser_t is the better option but I'm
>> not stuck on it.  I can rewrite it for a separate chrome_t if that is the
>> consensus.
> 
> 
> We've had a chromium_t in gentoo for quite a while
> 
> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.te
> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.if
> https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.fc
> 
> I kinda like firefox and chromium separate because chrome has a bunch of
> booleans for Chromecast and FIDO U2F and stuff so then less perms can be
> given to FF.
> 
> Also other stuff is that FF can work without execmem if you build with
> JIT disabled but chrome won't.
> 
> If we're separating the domains then we can just use the gentoo one
> instead of having to re-write. I can send it upstream if it's good.
> Any comments on it?

I didn't look at either of the policies, but I'm fine with chrome having 
its own domain.

-- 
Chris PeBenito
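The separate-domain design Jason describes, sketched as an added refpolicy-style fragment (not the Gentoo chromium module linked above and not code from this thread): the boolean names, their default values and the interface calls are assumptions chosen for illustration; only the execmem permission and the purpose of each boolean come from the discussion.

```selinux
policy_module(chromium, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>Allow Chromium to read/write raw USB devices (FIDO U2F tokens).</p>
## </desc>
gen_tunable(chromium_rw_usb_dev, false)

## <desc>
## <p>Allow Chromium to bind unreserved TCP ports (Chromecast discovery).</p>
## </desc>
gen_tunable(chromium_bind_tcp_unreserved_ports, false)

# A domain of its own instead of reusing mozilla_t (or a browser_t alias),
# so permissions granted here never widen the Firefox domain.
type chromium_t;
type chromium_exec_t;
application_domain(chromium_t, chromium_exec_t)

########################################
#
# Policy
#

# Chromium's JIT always needs executable anonymous memory; with a
# separate domain this is granted only here, not to mozilla_t.
allow chromium_t self:process execmem;

# Extra device and network access stays off until the admin opts in.
tunable_policy(`chromium_rw_usb_dev',`
	dev_rw_generic_usb_dev(chromium_t)
')

tunable_policy(`chromium_bind_tcp_unreserved_ports',`
	corenet_tcp_bind_generic_node(chromium_t)
	corenet_tcp_bind_all_unreserved_ports(chromium_t)
')
```

On a built policy the difference Jason points out can be checked with `sesearch -A -s mozilla_t -c process -p execmem` against the same query for `chromium_t`.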
