SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] base chrome/chromium patch fixed
@ 2021-01-14 23:32 Russell Coker
  2021-01-19 13:41 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2021-01-14 23:32 UTC (permalink / raw)
  To: selinux-refpolicy

This patch is the one I described as "another chromium patch" on the 10th of
April last year, but with the issues addressed, and the
chromium_t:file manage_file_perms removed as requested.

I believe it's ready for inclusion.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210115/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20210115/policy/modules/apps/chromium.te
@@ -7,6 +7,16 @@ policy_module(chromium, 1.3.1)
 
 ## <desc>
 ## <p>
+## Allow chromium to access direct rendering interface
+## </p>
+## <p>
+## Needed for good performance on complex sites
+## </p>
+## </desc>
+gen_tunable(chromium_dri, true)
+
+## <desc>
+## <p>
 ## Allow chromium to read system information
 ## </p>
 ## <p>
@@ -63,6 +73,9 @@ type chromium_tmpfs_t;
 userdom_user_tmpfs_file(chromium_tmpfs_t)
 optional_policy(`
 	pulseaudio_tmpfs_content(chromium_tmpfs_t)
+	pulseaudio_rw_tmpfs_files(chromium_t)
+	pulseaudio_stream_connect(chromium_t)
+	pulseaudio_use_fds(chromium_t)
 ')
 
 type chromium_xdg_config_t;
@@ -96,6 +109,7 @@ allow chromium_t chromium_renderer_t:uni
 
 allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write };
 allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write };
+allow chromium_t chromium_sandbox_t:file read_file_perms;
 
 allow chromium_t chromium_naclhelper_t:process { share };
 
@@ -108,6 +122,9 @@ manage_sock_files_pattern(chromium_t, ch
 manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
 files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
 
+# for /run/user/$UID
+userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file })
+
 manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
 allow chromium_t chromium_tmpfs_t:file map;
 fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
@@ -129,6 +146,8 @@ domtrans_pattern(chromium_t, chromium_sa
 domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
 
 kernel_list_proc(chromium_t)
+kernel_read_fs_sysctls(chromium_t)
+kernel_read_kernel_sysctls(chromium_t)
 kernel_read_net_sysctls(chromium_t)
 
 corecmd_exec_bin(chromium_t)
@@ -187,6 +206,9 @@ xdg_read_config_files(chromium_t)
 xdg_read_data_files(chromium_t)
 
 xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
+xserver_stream_connect_xdm(chromium_t)
+
+xserver_manage_mesa_shader_cache(chromium_t)
 
 tunable_policy(`chromium_bind_tcp_unreserved_ports',`
 	corenet_tcp_bind_generic_node(chromium_t)
@@ -194,6 +216,10 @@ tunable_policy(`chromium_bind_tcp_unrese
 	allow chromium_t self:tcp_socket { listen accept };
 ')
 
+tunable_policy(`chromium_dri', `
+	dev_rw_dri(chromium_t)
+')
+
 tunable_policy(`chromium_rw_usb_dev',`
 	dev_rw_generic_usb_dev(chromium_t)
 ')
@@ -240,8 +266,13 @@ optional_policy(`
 	')
 
 	optional_policy(`
+		devicekit_dbus_chat_disk(chromium_t)
 		devicekit_dbus_chat_power(chromium_t)
 	')
+
+	optional_policy(`
+		systemd_dbus_chat_hostnamed(chromium_t)
+	')
 ')
 
 optional_policy(`
@@ -251,6 +282,14 @@ optional_policy(`
 	dpkg_read_db(chromium_t)
 ')
 
+optional_policy(`
+	networkmanager_dbus_chat(chromium_t)
+')
+
+optional_policy(`
+	ssh_dontaudit_agent_tmp(chromium_t)
+')
+
 ########################################
 #
 # chromium_renderer local policy
@@ -349,3 +388,6 @@ tunable_policy(`chromium_read_system_inf
 
 dev_read_sysfs(chromium_naclhelper_t)
 dev_read_urand(chromium_naclhelper_t)
+kernel_list_proc(chromium_naclhelper_t)
+
+miscfiles_read_localization(chromium_naclhelper_t)
Index: refpolicy-2.20210115/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20210115/policy/modules/services/xserver.te
@@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false)
 ## </desc>
 gen_tunable(xserver_object_manager, false)
 
+## <desc>
+## <p>
+## Allow DRI access
+## </p>
+## </desc>
+gen_tunable(xserver_allow_dri, false)
+
 attribute x_domain;
 
 # X Events
Index: refpolicy-2.20210115/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20210115/policy/modules/services/xserver.if
@@ -48,8 +48,9 @@ interface(`xserver_restricted_role',`
 	files_search_tmp($2)
 
 	# Communicate via System V shared memory.
+	allow $2 xserver_t:fd use;
 	allow $2 xserver_t:shm r_shm_perms;
-	allow $2 xserver_tmpfs_t:file read_file_perms;
+	allow $2 xserver_tmpfs_t:file { map read_file_perms };
 
 	# allow ps to show iceauth
 	ps_process_pattern($2, iceauth_t)
@@ -75,10 +76,6 @@ interface(`xserver_restricted_role',`
 	allow $2 xdm_tmp_t:sock_file { read write };
 	dontaudit $2 xdm_t:tcp_socket { read write };
 
-	# Client read xserver shm
-	allow $2 xserver_t:fd use;
-	allow $2 xserver_tmpfs_t:file read_file_perms;
-
 	# Read /tmp/.X0-lock
 	allow $2 xserver_tmp_t:file read_inherited_file_perms;
 
@@ -119,6 +116,9 @@ interface(`xserver_restricted_role',`
 		allow $2 xserver_t:shm rw_shm_perms;
 		allow $2 xserver_tmpfs_t:file rw_file_perms;
 	')
+	tunable_policy(`xserver_allow_dri',`
+		dev_rw_dri($2)
+	')
 ')
 
 ########################################
@@ -1658,6 +1658,26 @@ interface(`xserver_rw_mesa_shader_cache'
 
 	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
 	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	xdg_search_cache_dirs($1)
+')
+
+########################################
+## <summary>
+##	Manage the mesa shader cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_mesa_shader_cache',`
+	gen_require(`
+		type mesa_shader_cache_t;
+	')
+
+	manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
 	allow $1 mesa_shader_cache_t:file map;
 
 	xdg_search_cache_dirs($1)
Index: refpolicy-2.20210115/policy/modules/apps/chromium.if
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/apps/chromium.if
+++ refpolicy-2.20210115/policy/modules/apps/chromium.if
@@ -38,7 +38,14 @@ interface(`chromium_role',`
 
 	allow $2 chromium_t:process signal_perms;
 	allow $2 chromium_renderer_t:process signal_perms;
+	allow $2 chromium_sandbox_t:process signal_perms;
 	allow $2 chromium_naclhelper_t:process signal_perms;
+	allow chromium_t $2:process { signull signal };
+
+	allow $2 chromium_t:unix_stream_socket connectto;
+
+	# for /tmp/.ICE-unix/* sockets
+	allow chromium_t $2:unix_stream_socket connectto;
 
 	allow chromium_sandbox_t $2:fd use;
 	allow chromium_naclhelper_t $2:fd use;
@@ -109,6 +116,7 @@ interface(`chromium_domtrans',`
 	gen_require(`
 		type chromium_t;
 		type chromium_exec_t;
+		class dbus send_msg;
 	')
 
 	corecmd_search_bin($1)
Index: refpolicy-2.20210115/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20210115/policy/modules/services/ssh.if
@@ -774,3 +774,21 @@ interface(`ssh_delete_tmp',`
 	files_search_tmp($1)
 	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
 ')
+
+#######################################
+## <summary>
+##	dontaudit access to ssh agent tmp dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+#
+interface(`ssh_dontaudit_agent_tmp',`
+	gen_require(`
+		type ssh_agent_tmp_t;
+	')
+
+	dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms;
+')

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] base chrome/chromium patch fixed
  2021-01-14 23:32 [PATCH] base chrome/chromium patch fixed Russell Coker
@ 2021-01-19 13:41 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2021-01-19 13:41 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 1/14/21 6:32 PM, Russell Coker wrote:
> This patch is the one I described as "another chromium patch" on the 10th of
> April last year, but with the issues addressed, and the
> chromium_t:file manage_file_perms removed as requested.
> 
> I believe it's ready for inclusion.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>

Nerged.



> Index: refpolicy-2.20210115/policy/modules/apps/chromium.te
> ===================================================================
> --- refpolicy-2.20210115.orig/policy/modules/apps/chromium.te
> +++ refpolicy-2.20210115/policy/modules/apps/chromium.te
> @@ -7,6 +7,16 @@ policy_module(chromium, 1.3.1)
>   
>   ## <desc>
>   ## <p>
> +## Allow chromium to access direct rendering interface
> +## </p>
> +## <p>
> +## Needed for good performance on complex sites
> +## </p>
> +## </desc>
> +gen_tunable(chromium_dri, true)
> +
> +## <desc>
> +## <p>
>   ## Allow chromium to read system information
>   ## </p>
>   ## <p>
> @@ -63,6 +73,9 @@ type chromium_tmpfs_t;
>   userdom_user_tmpfs_file(chromium_tmpfs_t)
>   optional_policy(`
>   	pulseaudio_tmpfs_content(chromium_tmpfs_t)
> +	pulseaudio_rw_tmpfs_files(chromium_t)
> +	pulseaudio_stream_connect(chromium_t)
> +	pulseaudio_use_fds(chromium_t)
>   ')
>   
>   type chromium_xdg_config_t;
> @@ -96,6 +109,7 @@ allow chromium_t chromium_renderer_t:uni
>   
>   allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write };
>   allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write };
> +allow chromium_t chromium_sandbox_t:file read_file_perms;
>   
>   allow chromium_t chromium_naclhelper_t:process { share };
>   
> @@ -108,6 +122,9 @@ manage_sock_files_pattern(chromium_t, ch
>   manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
>   files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
>   
> +# for /run/user/$UID
> +userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file })
> +
>   manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
>   allow chromium_t chromium_tmpfs_t:file map;
>   fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
> @@ -129,6 +146,8 @@ domtrans_pattern(chromium_t, chromium_sa
>   domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
>   
>   kernel_list_proc(chromium_t)
> +kernel_read_fs_sysctls(chromium_t)
> +kernel_read_kernel_sysctls(chromium_t)
>   kernel_read_net_sysctls(chromium_t)
>   
>   corecmd_exec_bin(chromium_t)
> @@ -187,6 +206,9 @@ xdg_read_config_files(chromium_t)
>   xdg_read_data_files(chromium_t)
>   
>   xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
> +xserver_stream_connect_xdm(chromium_t)
> +
> +xserver_manage_mesa_shader_cache(chromium_t)
>   
>   tunable_policy(`chromium_bind_tcp_unreserved_ports',`
>   	corenet_tcp_bind_generic_node(chromium_t)
> @@ -194,6 +216,10 @@ tunable_policy(`chromium_bind_tcp_unrese
>   	allow chromium_t self:tcp_socket { listen accept };
>   ')
>   
> +tunable_policy(`chromium_dri', `
> +	dev_rw_dri(chromium_t)
> +')
> +
>   tunable_policy(`chromium_rw_usb_dev',`
>   	dev_rw_generic_usb_dev(chromium_t)
>   ')
> @@ -240,8 +266,13 @@ optional_policy(`
>   	')
>   
>   	optional_policy(`
> +		devicekit_dbus_chat_disk(chromium_t)
>   		devicekit_dbus_chat_power(chromium_t)
>   	')
> +
> +	optional_policy(`
> +		systemd_dbus_chat_hostnamed(chromium_t)
> +	')
>   ')
>   
>   optional_policy(`
> @@ -251,6 +282,14 @@ optional_policy(`
>   	dpkg_read_db(chromium_t)
>   ')
>   
> +optional_policy(`
> +	networkmanager_dbus_chat(chromium_t)
> +')
> +
> +optional_policy(`
> +	ssh_dontaudit_agent_tmp(chromium_t)
> +')
> +
>   ########################################
>   #
>   # chromium_renderer local policy
> @@ -349,3 +388,6 @@ tunable_policy(`chromium_read_system_inf
>   
>   dev_read_sysfs(chromium_naclhelper_t)
>   dev_read_urand(chromium_naclhelper_t)
> +kernel_list_proc(chromium_naclhelper_t)
> +
> +miscfiles_read_localization(chromium_naclhelper_t)
> Index: refpolicy-2.20210115/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20210115.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20210115/policy/modules/services/xserver.te
> @@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false)
>   ## </desc>
>   gen_tunable(xserver_object_manager, false)
>   
> +## <desc>
> +## <p>
> +## Allow DRI access
> +## </p>
> +## </desc>
> +gen_tunable(xserver_allow_dri, false)
> +
>   attribute x_domain;
>   
>   # X Events
> Index: refpolicy-2.20210115/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20210115.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20210115/policy/modules/services/xserver.if
> @@ -48,8 +48,9 @@ interface(`xserver_restricted_role',`
>   	files_search_tmp($2)
>   
>   	# Communicate via System V shared memory.
> +	allow $2 xserver_t:fd use;
>   	allow $2 xserver_t:shm r_shm_perms;
> -	allow $2 xserver_tmpfs_t:file read_file_perms;
> +	allow $2 xserver_tmpfs_t:file { map read_file_perms };
>   
>   	# allow ps to show iceauth
>   	ps_process_pattern($2, iceauth_t)
> @@ -75,10 +76,6 @@ interface(`xserver_restricted_role',`
>   	allow $2 xdm_tmp_t:sock_file { read write };
>   	dontaudit $2 xdm_t:tcp_socket { read write };
>   
> -	# Client read xserver shm
> -	allow $2 xserver_t:fd use;
> -	allow $2 xserver_tmpfs_t:file read_file_perms;
> -
>   	# Read /tmp/.X0-lock
>   	allow $2 xserver_tmp_t:file read_inherited_file_perms;
>   
> @@ -119,6 +116,9 @@ interface(`xserver_restricted_role',`
>   		allow $2 xserver_t:shm rw_shm_perms;
>   		allow $2 xserver_tmpfs_t:file rw_file_perms;
>   	')
> +	tunable_policy(`xserver_allow_dri',`
> +		dev_rw_dri($2)
> +	')
>   ')
>   
>   ########################################
> @@ -1658,6 +1658,26 @@ interface(`xserver_rw_mesa_shader_cache'
>   
>   	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
>   	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
> +	xdg_search_cache_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage the mesa shader cache.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_manage_mesa_shader_cache',`
> +	gen_require(`
> +		type mesa_shader_cache_t;
> +	')
> +
> +	manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
> +	manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
>   	allow $1 mesa_shader_cache_t:file map;
>   
>   	xdg_search_cache_dirs($1)
> Index: refpolicy-2.20210115/policy/modules/apps/chromium.if
> ===================================================================
> --- refpolicy-2.20210115.orig/policy/modules/apps/chromium.if
> +++ refpolicy-2.20210115/policy/modules/apps/chromium.if
> @@ -38,7 +38,14 @@ interface(`chromium_role',`
>   
>   	allow $2 chromium_t:process signal_perms;
>   	allow $2 chromium_renderer_t:process signal_perms;
> +	allow $2 chromium_sandbox_t:process signal_perms;
>   	allow $2 chromium_naclhelper_t:process signal_perms;
> +	allow chromium_t $2:process { signull signal };
> +
> +	allow $2 chromium_t:unix_stream_socket connectto;
> +
> +	# for /tmp/.ICE-unix/* sockets
> +	allow chromium_t $2:unix_stream_socket connectto;
>   
>   	allow chromium_sandbox_t $2:fd use;
>   	allow chromium_naclhelper_t $2:fd use;
> @@ -109,6 +116,7 @@ interface(`chromium_domtrans',`
>   	gen_require(`
>   		type chromium_t;
>   		type chromium_exec_t;
> +		class dbus send_msg;
>   	')
>   
>   	corecmd_search_bin($1)
> Index: refpolicy-2.20210115/policy/modules/services/ssh.if
> ===================================================================
> --- refpolicy-2.20210115.orig/policy/modules/services/ssh.if
> +++ refpolicy-2.20210115/policy/modules/services/ssh.if
> @@ -774,3 +774,21 @@ interface(`ssh_delete_tmp',`
>   	files_search_tmp($1)
>   	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
>   ')
> +
> +#######################################
> +## <summary>
> +##	dontaudit access to ssh agent tmp dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain not to audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`ssh_dontaudit_agent_tmp',`
> +	gen_require(`
> +		type ssh_agent_tmp_t;
> +	')
> +
> +	dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms;
> +')
> 


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-14 23:32 [PATCH] base chrome/chromium patch fixed Russell Coker
2021-01-19 13:41 ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git