From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5A5CFC433E0 for ; Thu, 14 Jan 2021 23:39:35 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1916123A24 for ; Thu, 14 Jan 2021 23:39:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731015AbhANXje (ORCPT ); Thu, 14 Jan 2021 18:39:34 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:49714 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730994AbhANXje (ORCPT ); Thu, 14 Jan 2021 18:39:34 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 10AEE16176 for ; Fri, 15 Jan 2021 10:38:51 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1610667531; bh=L1X1AQqqNF2la5sjdJlyTqF305FB8Xr+LAXLsQlSLKI=; l=7997; h=Date:From:To:Subject:From; b=vuuZI3Kk4TjLoGDjvmBIoyru2R9J292JriWjsqEbse4SkJ2+WEp6hhgCfrpq3sat8 9PtU7OW0XdNosHJrQ3KwfIJS8V8E7o42GBSHn1epiJZNiKd9VNWb+561iE1SB9P8ep LGGjSnvajzur4WS+JwQSttt/wlif8PRLd84Jf8Hs= Received: by xev.coker.com.au (Postfix, from userid 1001) id 11FC512F9776; Fri, 15 Jan 2021 10:32:06 +1100 (AEDT) Date: Fri, 15 Jan 2021 10:32:06 +1100 From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] base chrome/chromium patch fixed Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org This patch is the one I described as "another chromium patch" on the 10th of April last year, but with the issues addressed, and the chromium_t:file manage_file_perms removed as requested. I believe it's ready for inclusion. Signed-off-by: Russell Coker Index: refpolicy-2.20210115/policy/modules/apps/chromium.te =================================================================== --- refpolicy-2.20210115.orig/policy/modules/apps/chromium.te +++ refpolicy-2.20210115/policy/modules/apps/chromium.te @@ -7,6 +7,16 @@ policy_module(chromium, 1.3.1) ## ##

+## Allow chromium to access direct rendering interface +##

+##

+## Needed for good performance on complex sites +##

+## +gen_tunable(chromium_dri, true) + +## +##

## Allow chromium to read system information ##

##

@@ -63,6 +73,9 @@ type chromium_tmpfs_t; userdom_user_tmpfs_file(chromium_tmpfs_t) optional_policy(` pulseaudio_tmpfs_content(chromium_tmpfs_t) + pulseaudio_rw_tmpfs_files(chromium_t) + pulseaudio_stream_connect(chromium_t) + pulseaudio_use_fds(chromium_t) ') type chromium_xdg_config_t; @@ -96,6 +109,7 @@ allow chromium_t chromium_renderer_t:uni allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write }; allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write }; +allow chromium_t chromium_sandbox_t:file read_file_perms; allow chromium_t chromium_naclhelper_t:process { share }; @@ -108,6 +122,9 @@ manage_sock_files_pattern(chromium_t, ch manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file }) +# for /run/user/$UID +userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file }) + manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t) allow chromium_t chromium_tmpfs_t:file map; fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file) @@ -129,6 +146,8 @@ domtrans_pattern(chromium_t, chromium_sa domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) kernel_list_proc(chromium_t) +kernel_read_fs_sysctls(chromium_t) +kernel_read_kernel_sysctls(chromium_t) kernel_read_net_sysctls(chromium_t) corecmd_exec_bin(chromium_t) @@ -187,6 +206,9 @@ xdg_read_config_files(chromium_t) xdg_read_data_files(chromium_t) xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t) +xserver_stream_connect_xdm(chromium_t) + +xserver_manage_mesa_shader_cache(chromium_t) tunable_policy(`chromium_bind_tcp_unreserved_ports',` corenet_tcp_bind_generic_node(chromium_t) @@ -194,6 +216,10 @@ tunable_policy(`chromium_bind_tcp_unrese allow chromium_t self:tcp_socket { listen accept }; ') +tunable_policy(`chromium_dri', ` + dev_rw_dri(chromium_t) +') + tunable_policy(`chromium_rw_usb_dev',` dev_rw_generic_usb_dev(chromium_t) ') @@ -240,8 +266,13 @@ optional_policy(` ') optional_policy(` + devicekit_dbus_chat_disk(chromium_t) devicekit_dbus_chat_power(chromium_t) ') + + optional_policy(` + systemd_dbus_chat_hostnamed(chromium_t) + ') ') optional_policy(` @@ -251,6 +282,14 @@ optional_policy(` dpkg_read_db(chromium_t) ') +optional_policy(` + networkmanager_dbus_chat(chromium_t) +') + +optional_policy(` + ssh_dontaudit_agent_tmp(chromium_t) +') + ######################################## # # chromium_renderer local policy @@ -349,3 +388,6 @@ tunable_policy(`chromium_read_system_inf dev_read_sysfs(chromium_naclhelper_t) dev_read_urand(chromium_naclhelper_t) +kernel_list_proc(chromium_naclhelper_t) + +miscfiles_read_localization(chromium_naclhelper_t) Index: refpolicy-2.20210115/policy/modules/services/xserver.te =================================================================== --- refpolicy-2.20210115.orig/policy/modules/services/xserver.te +++ refpolicy-2.20210115/policy/modules/services/xserver.te @@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false) ## gen_tunable(xserver_object_manager, false) +## +##

+## Allow DRI access +##

+## +gen_tunable(xserver_allow_dri, false) + attribute x_domain; # X Events Index: refpolicy-2.20210115/policy/modules/services/xserver.if =================================================================== --- refpolicy-2.20210115.orig/policy/modules/services/xserver.if +++ refpolicy-2.20210115/policy/modules/services/xserver.if @@ -48,8 +48,9 @@ interface(`xserver_restricted_role',` files_search_tmp($2) # Communicate via System V shared memory. + allow $2 xserver_t:fd use; allow $2 xserver_t:shm r_shm_perms; - allow $2 xserver_tmpfs_t:file read_file_perms; + allow $2 xserver_tmpfs_t:file { map read_file_perms }; # allow ps to show iceauth ps_process_pattern($2, iceauth_t) @@ -75,10 +76,6 @@ interface(`xserver_restricted_role',` allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; - # Client read xserver shm - allow $2 xserver_t:fd use; - allow $2 xserver_tmpfs_t:file read_file_perms; - # Read /tmp/.X0-lock allow $2 xserver_tmp_t:file read_inherited_file_perms; @@ -119,6 +116,9 @@ interface(`xserver_restricted_role',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') + tunable_policy(`xserver_allow_dri',` + dev_rw_dri($2) + ') ') ######################################## @@ -1658,6 +1658,26 @@ interface(`xserver_rw_mesa_shader_cache' rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) + xdg_search_cache_dirs($1) +') + +######################################## +## +## Manage the mesa shader cache. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_mesa_shader_cache',` + gen_require(` + type mesa_shader_cache_t; + ') + + manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) + manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) allow $1 mesa_shader_cache_t:file map; xdg_search_cache_dirs($1) Index: refpolicy-2.20210115/policy/modules/apps/chromium.if =================================================================== --- refpolicy-2.20210115.orig/policy/modules/apps/chromium.if +++ refpolicy-2.20210115/policy/modules/apps/chromium.if @@ -38,7 +38,14 @@ interface(`chromium_role',` allow $2 chromium_t:process signal_perms; allow $2 chromium_renderer_t:process signal_perms; + allow $2 chromium_sandbox_t:process signal_perms; allow $2 chromium_naclhelper_t:process signal_perms; + allow chromium_t $2:process { signull signal }; + + allow $2 chromium_t:unix_stream_socket connectto; + + # for /tmp/.ICE-unix/* sockets + allow chromium_t $2:unix_stream_socket connectto; allow chromium_sandbox_t $2:fd use; allow chromium_naclhelper_t $2:fd use; @@ -109,6 +116,7 @@ interface(`chromium_domtrans',` gen_require(` type chromium_t; type chromium_exec_t; + class dbus send_msg; ') corecmd_search_bin($1) Index: refpolicy-2.20210115/policy/modules/services/ssh.if =================================================================== --- refpolicy-2.20210115.orig/policy/modules/services/ssh.if +++ refpolicy-2.20210115/policy/modules/services/ssh.if @@ -774,3 +774,21 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') + +####################################### +## +## dontaudit access to ssh agent tmp dirs +## +## +## +## Domain not to audit. +## +## +# +interface(`ssh_dontaudit_agent_tmp',` + gen_require(` + type ssh_agent_tmp_t; + ') + + dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms; +')