SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
From: Russell Coker <russell@coker.com.au>
To: "selinux-refpolicy@vger.kernel.org"  <selinux-refpolicy@vger.kernel.org>
Subject: Chrome/Chromium patches
Date: Wed, 12 Feb 2020 13:30:39 +1100
Message-ID: <4241549.o4G3l8VaYd@xev> (raw)

[-- Attachment #1: Type: text/plain, Size: 413 bytes --]

The attached patch against the git refpolicy from 3 days ago makes Chrome work 
with Pulseaudio, DRI, Flash, and lots of little things.

Adds tunables chromium_exec_plugins and xserver_allow_dri.

I think this is ready to merge with the names of the tunables and interfaces 
being the only possible changes needed.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

[-- Attachment #2: chromium.diff --]
[-- Type: text/x-patch, Size: 10517 bytes --]

Chromium and DRI policy

Index: refpolicy-2.20200209/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20200209/policy/modules/apps/chromium.te
@@ -39,6 +39,13 @@ gen_tunable(chromium_bind_tcp_unreserved
 ## </desc>
 gen_tunable(chromium_rw_usb_dev, false)
 
+## <desc>
+## <p>
+## Allow chromium to execute it's config (for plugins like Flash)
+## </p>
+## </desc>
+gen_tunable(chromium_exec_plugins, false)
+
 type chromium_t;
 domain_dyntrans_type(chromium_t)
 
@@ -63,6 +70,9 @@ type chromium_tmpfs_t;
 userdom_user_tmpfs_file(chromium_tmpfs_t)
 optional_policy(`
 	pulseaudio_tmpfs_content(chromium_tmpfs_t)
+	pulseaudio_rw_tmpfs_files(chromium_t)
+	pulseaudio_stream_connect(chromium_t)
+	pulseaudio_use_fds(chromium_t)
 ')
 
 type chromium_xdg_config_t;
@@ -77,7 +87,9 @@ xdg_cache_content(chromium_xdg_cache_t)
 #
 
 # execmem for load in plugins
-allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
+allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal signull };
+allow chromium_t self:dir { write add_name };
+allow chromium_t self:file create;
 allow chromium_t self:fifo_file rw_fifo_file_perms;
 allow chromium_t self:sem create_sem_perms;
 allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
@@ -96,6 +108,7 @@ allow chromium_t chromium_renderer_t:uni
 
 allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write };
 allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write };
+allow chromium_t chromium_sandbox_t:file read_file_perms;
 
 allow chromium_t chromium_naclhelper_t:process { share };
 
@@ -108,6 +121,9 @@ manage_sock_files_pattern(chromium_t, ch
 manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
 files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
 
+# for /run/user/$UID
+userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file })
+
 manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
 allow chromium_t chromium_tmpfs_t:file map;
 fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
@@ -128,7 +144,11 @@ dyntrans_pattern(chromium_t, chromium_re
 domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
 domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
 
+# for self:file create
+kernel_associate_proc(chromium_t)
+
 kernel_list_proc(chromium_t)
+kernel_read_kernel_sysctls(chromium_t)
 kernel_read_net_sysctls(chromium_t)
 
 corecmd_exec_bin(chromium_t)
@@ -145,6 +165,9 @@ dev_read_sound(chromium_t)
 dev_write_sound(chromium_t)
 dev_read_urand(chromium_t)
 dev_read_rand(chromium_t)
+tunable_policy(`xserver_allow_dri', `
+	dev_rw_dri(chromium_t)
+')
 dev_rw_xserver_misc(chromium_t)
 dev_map_xserver_misc(chromium_t)
 
@@ -178,14 +201,15 @@ userdom_use_user_terminals(chromium_t)
 userdom_manage_user_certs(chromium_t)
 userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
 
-xdg_create_cache_dirs(chromium_t)
-xdg_create_config_dirs(chromium_t)
-xdg_create_data_dirs(chromium_t)
+xdg_manage_cache(chromium_t)
+xdg_manage_config(chromium_t)
+xdg_manage_data(chromium_t)
 xdg_manage_downloads(chromium_t)
-xdg_read_config_files(chromium_t)
-xdg_read_data_files(chromium_t)
 
 xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
+xserver_stream_connect_xdm(chromium_t)
+
+xserver_manage_mesa_shader_cache(chromium_t)
 
 tunable_policy(`chromium_bind_tcp_unreserved_ports',`
 	corenet_tcp_bind_generic_node(chromium_t)
@@ -198,6 +222,11 @@ tunable_policy(`chromium_rw_usb_dev',`
 	udev_read_db(chromium_t)
 ')
 
+tunable_policy(`chromium_exec_plugins',`
+	# sometimes .config/google-chrome/PepperFlash/32.0.0.142/libpepflashplayer.so gets chromium_tmp_t
+	can_exec(chromium_t, { chromium_xdg_config_t chromium_tmp_t })
+')
+
 tunable_policy(`chromium_read_system_info',`
 	kernel_read_kernel_sysctls(chromium_t)
 	# Memory optimizations & optimizations based on OS/version
@@ -229,6 +258,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	networkmanager_dbus_chat(chromium_t)
+')
+
+optional_policy(`
 	dbus_all_session_bus_client(chromium_t)
 	dbus_system_bus_client(chromium_t)
 
@@ -241,8 +274,13 @@ optional_policy(`
 	')
 
 	optional_policy(`
+		devicekit_dbus_chat_disk(chromium_t)
 		devicekit_dbus_chat_power(chromium_t)
 	')
+
+	optional_policy(`
+		systemd_dbus_chat_hostnamed(chromium_t)
+	')
 ')
 
 optional_policy(`
@@ -252,6 +290,10 @@ optional_policy(`
 	dpkg_read_db(chromium_t)
 ')
 
+optional_policy(`
+	ssh_dontaudit_agent_tmp(chromium_t)
+')
+
 ifdef(`use_alsa',`
 	optional_policy(`
 		alsa_domain(chromium_t, chromium_tmpfs_t)
@@ -259,6 +301,7 @@ ifdef(`use_alsa',`
 
 	optional_policy(`
 		pulseaudio_domtrans(chromium_t)
+		pulseaudio_read_home(chromium_t)
 	')
 ')
 
@@ -299,6 +342,9 @@ userdom_use_user_terminals(chromium_rend
 
 xdg_read_config_files(chromium_renderer_t)
 
+# should we have a tunable for this?
+xdg_read_pictures(chromium_t)
+
 xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)
 
 tunable_policy(`chromium_read_system_info',`
@@ -360,3 +406,6 @@ tunable_policy(`chromium_read_system_inf
 
 dev_read_sysfs(chromium_naclhelper_t)
 dev_read_urand(chromium_naclhelper_t)
+kernel_list_proc(chromium_naclhelper_t)
+
+miscfiles_read_localization(chromium_naclhelper_t)
Index: refpolicy-2.20200209/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/kernel/kernel.if
+++ refpolicy-2.20200209/policy/modules/kernel/kernel.if
@@ -2424,6 +2424,24 @@ interface(`kernel_rw_all_sysctls',`
 
 ########################################
 ## <summary>
+##	Associate a file to proc_t (/proc)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_associate_proc',`
+	gen_require(`
+		type proc_t;
+	')
+	allow $1 proc_t:filesystem associate;
+')
+
+########################################
+## <summary>
 ##	Send a kill signal to unlabeled processes.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20200209/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20200209/policy/modules/services/xserver.te
@@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false)
 ## </desc>
 gen_tunable(xserver_object_manager, false)
 
+## <desc>
+## <p>
+## Allow DRI access
+## </p>
+## </desc>
+gen_tunable(xserver_allow_dri, false)
+
 attribute x_domain;
 
 # X Events
Index: refpolicy-2.20200209/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20200209/policy/modules/services/xserver.if
@@ -48,8 +48,9 @@ interface(`xserver_restricted_role',`
 	files_search_tmp($2)
 
 	# Communicate via System V shared memory.
+	allow $2 xserver_t:fd use;
 	allow $2 xserver_t:shm r_shm_perms;
-	allow $2 xserver_tmpfs_t:file read_file_perms;
+	allow $2 xserver_tmpfs_t:file { map read_file_perms };
 
 	# allow ps to show iceauth
 	ps_process_pattern($2, iceauth_t)
@@ -75,10 +76,6 @@ interface(`xserver_restricted_role',`
 	allow $2 xdm_tmp_t:sock_file { read write };
 	dontaudit $2 xdm_t:tcp_socket { read write };
 
-	# Client read xserver shm
-	allow $2 xserver_t:fd use;
-	allow $2 xserver_tmpfs_t:file read_file_perms;
-
 	# Read /tmp/.X0-lock
 	allow $2 xserver_tmp_t:file { getattr read };
 
@@ -91,6 +88,9 @@ interface(`xserver_restricted_role',`
 	# open office is looking for the following
 	dev_getattr_agp_dev($2)
 	dev_dontaudit_rw_dri($2)
+	tunable_policy(`xserver_allow_dri',`
+		dev_rw_dri($2)
+	')
 	# GNOME checks for usb and other devices:
 	dev_rw_usbfs($2)
 
@@ -1670,6 +1670,26 @@ interface(`xserver_rw_mesa_shader_cache'
 
 	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
 	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	xdg_search_cache_dirs($1)
+')
+
+########################################
+## <summary>
+##	Manage the mesa shader cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_mesa_shader_cache',`
+	gen_require(`
+		type mesa_shader_cache_t;
+	')
+
+	manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
 	allow $1 mesa_shader_cache_t:file map;
 
 	xdg_search_cache_dirs($1)
Index: refpolicy-2.20200209/policy/modules/apps/chromium.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/apps/chromium.if
+++ refpolicy-2.20200209/policy/modules/apps/chromium.if
@@ -38,7 +38,15 @@ interface(`chromium_role',`
 
 	allow $2 chromium_t:process signal_perms;
 	allow $2 chromium_renderer_t:process signal_perms;
+	allow $2 chromium_sandbox_t:process signal_perms;
 	allow $2 chromium_naclhelper_t:process signal_perms;
+	allow chromium_t $2:process { signull signal };
+	allow $2 chromium_t:file manage_file_perms;
+
+	allow $2 chromium_t:unix_stream_socket connectto;
+
+	# for /tmp/.ICE-unix/* sockets
+	allow chromium_t $2:unix_stream_socket connectto;
 
 	allow chromium_sandbox_t $2:fd use;
 	allow chromium_naclhelper_t $2:fd use;
@@ -109,6 +117,7 @@ interface(`chromium_domtrans',`
 	gen_require(`
 		type chromium_t;
 		type chromium_exec_t;
+		class dbus send_msg;
 	')
 
 	corecmd_search_bin($1)
Index: refpolicy-2.20200209/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20200209/policy/modules/services/ssh.if
@@ -772,3 +772,21 @@ interface(`ssh_delete_tmp',`
 	files_search_tmp($1)
 	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
 ')
+
+#######################################
+## <summary>
+##	dontaudit access to ssh agent tmp dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+#
+interface(`ssh_dontaudit_agent_tmp',`
+	gen_require(`
+		type ssh_agent_tmp_t;
+	')
+
+	dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms;
+')

             reply index

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-12  2:30 Russell Coker [this message]
2020-02-16 10:00 ` Jason Zaman
2020-02-16 15:54   ` Chris PeBenito

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4241549.o4G3l8VaYd@xev \
    --to=russell@coker.com.au \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git