Re: Chrome/Chromium patches

[Chris PeBenito <pebenito@ieee.org>]

On 2/16/20 5:00 AM, Jason Zaman wrote:
> On Wed, Feb 12, 2020 at 01:30:39PM +1100, Russell Coker wrote:
>> The attached patch against the git refpolicy from 3 days ago makes Chrome work
>> with Pulseaudio, DRI, Flash, and lots of little things.
> 
> Flash is dead. My chrome even pops up a banner every time i start it
> saying flash is disabled by default and will be completely removed in a
> few months. Not sure adding the flash is worth it.

Agreed.  If there are any flash-specific rules, please remove them.


>> Adds tunables chromium_exec_plugins and xserver_allow_dri.
>>
>> I think this is ready to merge with the names of the tunables and interfaces
>> being the only possible changes needed.
>>
>> -- 
>> My Main Blog         http://etbe.coker.com.au/
>> My Documents Blog    http://doc.coker.com.au/
> 
>> Chromium and DRI policy
>>
>> Index: refpolicy-2.20200209/policy/modules/apps/chromium.te
>> ===================================================================
>> --- refpolicy-2.20200209.orig/policy/modules/apps/chromium.te
>> +++ refpolicy-2.20200209/policy/modules/apps/chromium.te
>> @@ -39,6 +39,13 @@ gen_tunable(chromium_bind_tcp_unreserved
>>   ## </desc>
>>   gen_tunable(chromium_rw_usb_dev, false)
>>   
>> +## <desc>
>> +## <p>
>> +## Allow chromium to execute it's config (for plugins like Flash)
>> +## </p>
>> +## </desc>
>> +gen_tunable(chromium_exec_plugins, false)
>> +
>>   type chromium_t;
>>   domain_dyntrans_type(chromium_t)
>>   
>> @@ -63,6 +70,9 @@ type chromium_tmpfs_t;
>>   userdom_user_tmpfs_file(chromium_tmpfs_t)
>>   optional_policy(`
>>   	pulseaudio_tmpfs_content(chromium_tmpfs_t)
>> +	pulseaudio_rw_tmpfs_files(chromium_t)
>> +	pulseaudio_stream_connect(chromium_t)
>> +	pulseaudio_use_fds(chromium_t)
>>   ')
>>   
>>   type chromium_xdg_config_t;
>> @@ -77,7 +87,9 @@ xdg_cache_content(chromium_xdg_cache_t)
>>   #
>>   
>>   # execmem for load in plugins
>> -allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
>> +allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal signull };
>> +allow chromium_t self:dir { write add_name };
>> +allow chromium_t self:file create;
>>   allow chromium_t self:fifo_file rw_fifo_file_perms;
>>   allow chromium_t self:sem create_sem_perms;
>>   allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
>> @@ -96,6 +108,7 @@ allow chromium_t chromium_renderer_t:uni
>>   
>>   allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write };
>>   allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write };
>> +allow chromium_t chromium_sandbox_t:file read_file_perms;
>>   
>>   allow chromium_t chromium_naclhelper_t:process { share };
>>   
>> @@ -108,6 +121,9 @@ manage_sock_files_pattern(chromium_t, ch
>>   manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
>>   files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
>>   
>> +# for /run/user/$UID
>> +userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file })
>> +
>>   manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
>>   allow chromium_t chromium_tmpfs_t:file map;
>>   fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
>> @@ -128,7 +144,11 @@ dyntrans_pattern(chromium_t, chromium_re
>>   domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
>>   domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
>>   
>> +# for self:file create
>> +kernel_associate_proc(chromium_t)

Where under /proc/self does this work?

>>   kernel_list_proc(chromium_t)
>> +kernel_read_kernel_sysctls(chromium_t)
>>   kernel_read_net_sysctls(chromium_t)
>>   
>>   corecmd_exec_bin(chromium_t)
>> @@ -145,6 +165,9 @@ dev_read_sound(chromium_t)
>>   dev_write_sound(chromium_t)
>>   dev_read_urand(chromium_t)
>>   dev_read_rand(chromium_t)
>> +tunable_policy(`xserver_allow_dri', `
>> +	dev_rw_dri(chromium_t)
>> +')
>>   dev_rw_xserver_misc(chromium_t)
>>   dev_map_xserver_misc(chromium_t)
>>   
>> @@ -178,14 +201,15 @@ userdom_use_user_terminals(chromium_t)
>>   userdom_manage_user_certs(chromium_t)
>>   userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
>>   
>> -xdg_create_cache_dirs(chromium_t)
>> -xdg_create_config_dirs(chromium_t)
>> -xdg_create_data_dirs(chromium_t)
>> +xdg_manage_cache(chromium_t)
>> +xdg_manage_config(chromium_t)
>> +xdg_manage_data(chromium_t)
> 
> NAK. Chrome should only be able to create the base ~/.config/cache dirs,
> not manage other things inside them.
> The template userdom_user_content_access_template is for this exact
> thing. By default chrome will have no access then the template generates
> booleans the user can easily toggle to enable access. That stuff was
> done specifically to confine things like browsers.
> 
>>   xdg_manage_downloads(chromium_t)
>> -xdg_read_config_files(chromium_t)
>> -xdg_read_data_files(chromium_t)
>>   
>>   xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
>> +xserver_stream_connect_xdm(chromium_t)
>> +
>> +xserver_manage_mesa_shader_cache(chromium_t)
>>   
>>   tunable_policy(`chromium_bind_tcp_unreserved_ports',`
>>   	corenet_tcp_bind_generic_node(chromium_t)
>> @@ -198,6 +222,11 @@ tunable_policy(`chromium_rw_usb_dev',`
>>   	udev_read_db(chromium_t)
>>   ')
>>   
>> +tunable_policy(`chromium_exec_plugins',`
>> +	# sometimes .config/google-chrome/PepperFlash/32.0.0.142/libpepflashplayer.so gets chromium_tmp_t
>> +	can_exec(chromium_t, { chromium_xdg_config_t chromium_tmp_t })
>> +')
>> +
> 
> Not really sure theres much point to adding this just to remove it in 6
> months.
> 
> 
>>   tunable_policy(`chromium_read_system_info',`
>>   	kernel_read_kernel_sysctls(chromium_t)
>>   	# Memory optimizations & optimizations based on OS/version
>> @@ -229,6 +258,10 @@ optional_policy(`
>>   ')
>>   
>>   optional_policy(`
>> +	networkmanager_dbus_chat(chromium_t)
>> +')
>> +
>> +optional_policy(`
>>   	dbus_all_session_bus_client(chromium_t)
>>   	dbus_system_bus_client(chromium_t)
>>   
>> @@ -241,8 +274,13 @@ optional_policy(`
>>   	')
>>   
>>   	optional_policy(`
>> +		devicekit_dbus_chat_disk(chromium_t)
>>   		devicekit_dbus_chat_power(chromium_t)
>>   	')
>> +
>> +	optional_policy(`
>> +		systemd_dbus_chat_hostnamed(chromium_t)
>> +	')
>>   ')
>>   
>>   optional_policy(`
>> @@ -252,6 +290,10 @@ optional_policy(`
>>   	dpkg_read_db(chromium_t)
>>   ')
>>   
>> +optional_policy(`
>> +	ssh_dontaudit_agent_tmp(chromium_t)
>> +')
>> +
>>   ifdef(`use_alsa',`
>>   	optional_policy(`
>>   		alsa_domain(chromium_t, chromium_tmpfs_t)
>> @@ -259,6 +301,7 @@ ifdef(`use_alsa',`
>>   
>>   	optional_policy(`
>>   		pulseaudio_domtrans(chromium_t)
>> +		pulseaudio_read_home(chromium_t)
>>   	')
>>   ')
>>   
>> @@ -299,6 +342,9 @@ userdom_use_user_terminals(chromium_rend
>>   
>>   xdg_read_config_files(chromium_renderer_t)
>>   
>> +# should we have a tunable for this?
>> +xdg_read_pictures(chromium_t)
> 
> I personally don't really want my browser to be able to access my
> photos. A boolean would be good yeah. Maybe name it similar to the ones
> userdom_user_content_access_template makes?
> 
>> +
>>   xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)
>>   
>>   tunable_policy(`chromium_read_system_info',`
>> @@ -360,3 +406,6 @@ tunable_policy(`chromium_read_system_inf
>>   
>>   dev_read_sysfs(chromium_naclhelper_t)
>>   dev_read_urand(chromium_naclhelper_t)
>> +kernel_list_proc(chromium_naclhelper_t)
>> +
>> +miscfiles_read_localization(chromium_naclhelper_t)
>> Index: refpolicy-2.20200209/policy/modules/kernel/kernel.if
>> ===================================================================
>> --- refpolicy-2.20200209.orig/policy/modules/kernel/kernel.if
>> +++ refpolicy-2.20200209/policy/modules/kernel/kernel.if
>> @@ -2424,6 +2424,24 @@ interface(`kernel_rw_all_sysctls',`
>>   
>>   ########################################
>>   ## <summary>
>> +##	Associate a file to proc_t (/proc)
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`kernel_associate_proc',`
>> +	gen_require(`
>> +		type proc_t;
>> +	')
>> +	allow $1 proc_t:filesystem associate;
>> +')
>> +
>> +########################################
>> +## <summary>
>>   ##	Send a kill signal to unlabeled processes.
>>   ## </summary>
>>   ## <param name="domain">
>> Index: refpolicy-2.20200209/policy/modules/services/xserver.te
>> ===================================================================
>> --- refpolicy-2.20200209.orig/policy/modules/services/xserver.te
>> +++ refpolicy-2.20200209/policy/modules/services/xserver.te
>> @@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false)
>>   ## </desc>
>>   gen_tunable(xserver_object_manager, false)
>>   
>> +## <desc>
>> +## <p>
>> +## Allow DRI access
>> +## </p>
>> +## </desc>
>> +gen_tunable(xserver_allow_dri, false)
>> +
>>   attribute x_domain;
>>   
>>   # X Events
>> Index: refpolicy-2.20200209/policy/modules/services/xserver.if
>> ===================================================================
>> --- refpolicy-2.20200209.orig/policy/modules/services/xserver.if
>> +++ refpolicy-2.20200209/policy/modules/services/xserver.if
>> @@ -48,8 +48,9 @@ interface(`xserver_restricted_role',`
>>   	files_search_tmp($2)
>>   
>>   	# Communicate via System V shared memory.
>> +	allow $2 xserver_t:fd use;
>>   	allow $2 xserver_t:shm r_shm_perms;
>> -	allow $2 xserver_tmpfs_t:file read_file_perms;
>> +	allow $2 xserver_tmpfs_t:file { map read_file_perms };
>>   
>>   	# allow ps to show iceauth
>>   	ps_process_pattern($2, iceauth_t)
>> @@ -75,10 +76,6 @@ interface(`xserver_restricted_role',`
>>   	allow $2 xdm_tmp_t:sock_file { read write };
>>   	dontaudit $2 xdm_t:tcp_socket { read write };
>>   
>> -	# Client read xserver shm
>> -	allow $2 xserver_t:fd use;
>> -	allow $2 xserver_tmpfs_t:file read_file_perms;
>> -
>>   	# Read /tmp/.X0-lock
>>   	allow $2 xserver_tmp_t:file { getattr read };
>>   
>> @@ -91,6 +88,9 @@ interface(`xserver_restricted_role',`
>>   	# open office is looking for the following
>>   	dev_getattr_agp_dev($2)
>>   	dev_dontaudit_rw_dri($2)
>> +	tunable_policy(`xserver_allow_dri',`
>> +		dev_rw_dri($2)
>> +	')
> 
> This whole dri thing might need to be looked at separately from this
> patch. It apparently depends on the graphics driver so I used to think
> it should be a boolean. But other policies just add rw_dri without a
> boolean so not really sure. Personally on my machine I just add
> dev_rw_dri(x_domain) and be done with it.

This is a good point.  If we can get some clarity that would be useful, 
since many things are muddy with X.


>>   	# GNOME checks for usb and other devices:
>>   	dev_rw_usbfs($2)
>>   
>> @@ -1670,6 +1670,26 @@ interface(`xserver_rw_mesa_shader_cache'
>>   
>>   	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
>>   	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
>> +	xdg_search_cache_dirs($1)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##	Manage the mesa shader cache.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`xserver_manage_mesa_shader_cache',`
>> +	gen_require(`
>> +		type mesa_shader_cache_t;
>> +	')
>> +
>> +	manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
>> +	manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
>>   	allow $1 mesa_shader_cache_t:file map;
>>   
>>   	xdg_search_cache_dirs($1)
>> Index: refpolicy-2.20200209/policy/modules/apps/chromium.if
>> ===================================================================
>> --- refpolicy-2.20200209.orig/policy/modules/apps/chromium.if
>> +++ refpolicy-2.20200209/policy/modules/apps/chromium.if
>> @@ -38,7 +38,15 @@ interface(`chromium_role',`
>>   
>>   	allow $2 chromium_t:process signal_perms;
>>   	allow $2 chromium_renderer_t:process signal_perms;
>> +	allow $2 chromium_sandbox_t:process signal_perms;
>>   	allow $2 chromium_naclhelper_t:process signal_perms;
>> +	allow chromium_t $2:process { signull signal };
>> +	allow $2 chromium_t:file manage_file_perms;
>> +
>> +	allow $2 chromium_t:unix_stream_socket connectto;
>> +
>> +	# for /tmp/.ICE-unix/* sockets
>> +	allow chromium_t $2:unix_stream_socket connectto;
>>   
>>   	allow chromium_sandbox_t $2:fd use;
>>   	allow chromium_naclhelper_t $2:fd use;
>> @@ -109,6 +117,7 @@ interface(`chromium_domtrans',`
>>   	gen_require(`
>>   		type chromium_t;
>>   		type chromium_exec_t;
>> +		class dbus send_msg;
>>   	')
>>   
>>   	corecmd_search_bin($1)
>> Index: refpolicy-2.20200209/policy/modules/services/ssh.if
>> ===================================================================
>> --- refpolicy-2.20200209.orig/policy/modules/services/ssh.if
>> +++ refpolicy-2.20200209/policy/modules/services/ssh.if
>> @@ -772,3 +772,21 @@ interface(`ssh_delete_tmp',`
>>   	files_search_tmp($1)
>>   	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
>>   ')
>> +
>> +#######################################
>> +## <summary>
>> +##	dontaudit access to ssh agent tmp dirs
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain not to audit.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`ssh_dontaudit_agent_tmp',`
>> +	gen_require(`
>> +		type ssh_agent_tmp_t;
>> +	')
>> +
>> +	dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms;
>> +')
> 


-- 
Chris PeBenito