selinux-refpolicy.vger.kernel.org archive mirror
* [PATCH 1/5] devices: introduce dev_dontaudit_read_sysfs
@ 2019-01-12  8:03 Jason Zaman
  2019-01-12  8:03 ` [PATCH 2/5] files: introduce files_dontaudit_read_etc_files Jason Zaman
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Jason Zaman @ 2019-01-12  8:03 UTC
  To: selinux-refpolicy; +Cc: Jason Zaman

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/kernel/devices.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 65bfcb63..78a95ce8 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4043,6 +4043,26 @@ interface(`dev_dontaudit_getattr_sysfs',`
 	dontaudit $1 sysfs_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Dont audit attempts to read hardware state information
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain for which the attempts do not need to be audited
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_read_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	dontaudit $1 sysfs_t:file read_file_perms;
+	dontaudit $1 sysfs_t:dir list_dir_perms;
+	dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     mounton sysfs directories.
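Review bot: the summary on the new interface reads "Dont audit attempts to read hardware state information", while the other two dontaudit interfaces added in this series (patches 2 and 3) spell it "Do not audit"; fix the wording so the generated interface documentation stays consistent. The permission set itself is the right mirror of dev_read_sysfs: read_file_perms on sysfs_t files, list_dir_perms on directories, read_lnk_file_perms on symlinks. Note that read_file_perms does not include map, so a caller that mmaps a sysfs attribute will still produce an audit record; that is acceptable for a dontaudit interface, but worth remembering when chromium runs with chromium_read_system_info off (patch 5).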
-- 
2.19.2


* [PATCH 2/5] files: introduce files_dontaudit_read_etc_files
  2019-01-12  8:03 [PATCH 1/5] devices: introduce dev_dontaudit_read_sysfs Jason Zaman
@ 2019-01-12  8:03 ` Jason Zaman
  2019-01-12  8:03 ` [PATCH 3/5] kernel: introduce kernel_dontaudit_read_kernel_sysctl Jason Zaman
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 7+ messages in thread
From: Jason Zaman @ 2019-01-12  8:03 UTC
  To: selinux-refpolicy; +Cc: Jason Zaman

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/kernel/files.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e9bc8dd9..f1c94411 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3403,6 +3403,25 @@ interface(`files_dontaudit_read_etc_runtime_files',`
 	dontaudit $1 etc_runtime_t:file { getattr read };
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read files
+##	in /etc
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_read_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	dontaudit $1 etc_t:file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to write
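Review bot: "dontaudit $1 etc_t:file { getattr read };" does not cover the open permission, so a domain that open()s a file under /etc still logs an AVC for open even with this interface applied. Read access to etc_t is normally granted as read_file_perms, so the dontaudit should silence the same set: "dontaudit $1 etc_t:file read_file_perms;" (or at minimum { getattr open read }). The adjacent files_dontaudit_read_etc_runtime_files context line has the same { getattr read } set, but that is pre-existing and can be fixed separately. Directory access on etc_t is not silenced here either; the caller in patch 5 is chromium_renderer_t, which is not given search on etc_t directories in that patch, so expect etc_t:dir search denials to keep appearing unless the renderer gets that through another interface.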
-- 
2.19.2


* [PATCH 3/5] kernel: introduce kernel_dontaudit_read_kernel_sysctl
  2019-01-12  8:03 [PATCH 1/5] devices: introduce dev_dontaudit_read_sysfs Jason Zaman
  2019-01-12  8:03 ` [PATCH 2/5] files: introduce files_dontaudit_read_etc_files Jason Zaman
@ 2019-01-12  8:03 ` Jason Zaman
  2019-01-12  8:03 ` [PATCH 4/5] userdomain: introduce userdom_user_home_dir_filetrans_user_cert Jason Zaman
  2019-01-12  8:03 ` [PATCH 5/5] Add chromium policy upstreamed from Gentoo Jason Zaman
  3 siblings, 0 replies; 7+ messages in thread
From: Jason Zaman @ 2019-01-12  8:03 UTC
  To: selinux-refpolicy; +Cc: Jason Zaman

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 843b26e3..1ad282aa 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2012,6 +2012,24 @@ interface(`kernel_dontaudit_search_kernel_sysctl',`
 	dontaudit $1 sysctl_kernel_t:dir search;
 ')
 
+#######################################
+## <summary>
+##	Do not audit attempted reading of kernel sysctls
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit accesses from
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_read_kernel_sysctl',`
+	gen_require(`
+		type sysctl_kernel_t;
+	')
+
+	dontaudit $1 sysctl_kernel_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read generic crypto sysctls.
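Review bot: the banner line above the new interface is narrower than the one that follows it (and than the banner above kernel_dontaudit_search_kernel_sysctl); make the widths match. On the substance, reading kernel sysctls also means traversing the directories leading to them (sysctl_t for /proc/sys and sysctl_kernel_t for /proc/sys/kernel), so a domain that lacks kernel_read_kernel_sysctls logs sysctl_kernel_t:dir denials as well as the file reads silenced here, and the existing kernel_dontaudit_search_kernel_sysctl only covers search. Adding "dontaudit $1 sysctl_kernel_t:dir list_dir_perms;" here, or documenting that callers should pair this with kernel_dontaudit_search_kernel_sysctl, would make the dontaudit branches in patch 5 actually quiet.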
-- 
2.19.2


* [PATCH 4/5] userdomain: introduce userdom_user_home_dir_filetrans_user_cert
  2019-01-12  8:03 [PATCH 1/5] devices: introduce dev_dontaudit_read_sysfs Jason Zaman
  2019-01-12  8:03 ` [PATCH 2/5] files: introduce files_dontaudit_read_etc_files Jason Zaman
  2019-01-12  8:03 ` [PATCH 3/5] kernel: introduce kernel_dontaudit_read_kernel_sysctl Jason Zaman
@ 2019-01-12  8:03 ` Jason Zaman
  2019-01-12  8:03 ` [PATCH 5/5] Add chromium policy upstreamed from Gentoo Jason Zaman
  3 siblings, 0 replies; 7+ messages in thread
From: Jason Zaman @ 2019-01-12  8:03 UTC
  To: selinux-refpolicy; +Cc: Jason Zaman

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/system/userdomain.if | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e7117976..5221bd13 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2491,6 +2491,35 @@ interface(`userdom_user_home_content_filetrans',`
 	files_search_home($1)
 ')
 
+########################################
+## <summary>
+##	Automatically use the user_cert_t label for selected resources
+##	created in a users home directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Resource type(s) for which the label should be used
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Name of the resource that is being created
+##	</summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_cert',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
+')
+
 ########################################
 ## <summary>
 ##	Create objects in a user home directory
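Review bot: when the optional filename argument is omitted, "userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)" expands to an unnamed type transition, so every object of class $2 that the domain creates directly in the home directory would be labelled user_cert_t, not only the certificate store; the summary should say that callers are expected to pass the name (chromium.te in patch 5 does pass ".pki" with class dir), or the interface should be restricted to that name. Two wording nits in the doc block: "a users home directory" needs an apostrophe ("a user's home directory"), and the class parameter is described as "Resource type(s)"; it is the object class (dir, file, ...), so describe it the way the other filetrans interfaces in userdomain.if do.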
-- 
2.19.2


* [PATCH 5/5] Add chromium policy upstreamed from Gentoo
  2019-01-12  8:03 [PATCH 1/5] devices: introduce dev_dontaudit_read_sysfs Jason Zaman
                   ` (2 preceding siblings ...)
  2019-01-12  8:03 ` [PATCH 4/5] userdomain: introduce userdom_user_home_dir_filetrans_user_cert Jason Zaman
@ 2019-01-12  8:03 ` Jason Zaman
  2019-01-23  8:27   ` Russell Coker
  2019-01-23 23:49   ` Chris PeBenito
  3 siblings, 2 replies; 7+ messages in thread
From: Jason Zaman @ 2019-01-12  8:03 UTC
  To: selinux-refpolicy; +Cc: Jason Zaman

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/apps/chromium.fc |  31 +++
 policy/modules/apps/chromium.if | 139 +++++++++++++
 policy/modules/apps/chromium.te | 342 ++++++++++++++++++++++++++++++++
 3 files changed, 512 insertions(+)
 create mode 100644 policy/modules/apps/chromium.fc
 create mode 100644 policy/modules/apps/chromium.if
 create mode 100644 policy/modules/apps/chromium.te

diff --git a/policy/modules/apps/chromium.fc b/policy/modules/apps/chromium.fc
new file mode 100644
index 00000000..534235dc
--- /dev/null
+++ b/policy/modules/apps/chromium.fc
@@ -0,0 +1,31 @@
+/opt/google/chrome/chrome				--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome/chrome_sandbox			--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome/chrome-sandbox			--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome/google-chrome			--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome/nacl_helper_bootstrap		--	gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/google/chrome/libudev.so.0					gen_context(system_u:object_r:lib_t,s0)
+
+/opt/google/chrome-beta/chrome				--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-beta/chrome_sandbox			--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-beta/chrome-sandbox			--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-beta/google-chrome			--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-beta/nacl_helper_bootstrap		--	gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/google/chrome-beta/libudev.so.0				gen_context(system_u:object_r:lib_t,s0)
+
+/opt/google/chrome-unstable/chrome			--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-unstable/chrome_sandbox		--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-unstable/chrome-sandbox		--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-unstable/google-chrome		--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-unstable/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/google/chrome-unstable/libudev.so.0			gen_context(system_u:object_r:lib_t,s0)
+
+/usr/lib/chromium-browser/chrome			--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/usr/lib/chromium-browser/chrome_sandbox		--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/usr/lib/chromium-browser/chrome-sandbox		--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/usr/lib/chromium-browser/chromium-launcher\.sh		--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap		--	gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+
+HOME_DIR/\.cache/chromium(/.*)?					gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
+HOME_DIR/\.cache/google-chrome(/.*)?				gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
+HOME_DIR/\.config/chromium(/.*)?				gen_context(system_u:object_r:chromium_xdg_config_t,s0)
+HOME_DIR/\.config/google-chrome(/.*)?				gen_context(system_u:object_r:chromium_xdg_config_t,s0)
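Review bot: the three libudev.so.0 entries under /opt/google/chrome* use unescaped dots; file context paths are regular expressions and the rest of this file escapes them (chromium-launcher\.sh, \.cache, \.config), so write libudev\.so\.0 for consistency. An unescaped "." still matches a literal dot, so this is a style point rather than a labelling bug. Separately, only /usr/lib/chromium-browser is listed; on multilib systems where the distribution package installs under /usr/lib64/chromium-browser none of these entries match and chrome runs unconfined in the caller's domain, so /usr/lib(64)?/chromium-browser/ would be the safer pattern.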
diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if
new file mode 100644
index 00000000..26eb0259
--- /dev/null
+++ b/policy/modules/apps/chromium.if
@@ -0,0 +1,139 @@
+## <summary>
+##	Chromium browser
+## </summary>
+
+#######################################
+## <summary>
+## 	Role access for chromium
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+## 	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`chromium_role',`
+	gen_require(`
+		type chromium_t;
+		type chromium_renderer_t;
+		type chromium_sandbox_t;
+		type chromium_naclhelper_t;
+		type chromium_exec_t;
+	')
+
+	role $1 types chromium_t;
+	role $1 types chromium_renderer_t;
+	role $1 types chromium_sandbox_t;
+	role $1 types chromium_naclhelper_t;
+
+	# Transition from the user domain to the derived domain
+	chromium_domtrans($2)
+
+	# Allow ps to show chromium processes and allow the user to signal it
+	ps_process_pattern($2, chromium_t)
+	ps_process_pattern($2, chromium_renderer_t)
+
+	allow $2 chromium_t:process signal_perms;
+	allow $2 chromium_renderer_t:process signal_perms;
+	allow $2 chromium_naclhelper_t:process signal_perms;
+
+	allow chromium_sandbox_t $2:fd use;
+	allow chromium_naclhelper_t $2:fd use;
+')
+
+#######################################
+## <summary>
+##	Read-write access to Chromiums' temporary fifo files
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`chromium_rw_tmp_pipes',`
+	gen_require(`
+		type chromium_tmp_t;
+	')
+
+	rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t)
+')
+
+##############################################
+## <summary>
+##	Automatically use the specified type for resources created in chromium's
+##	temporary locations
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that creates the resource(s)
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Type of the resource created
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	The name of the resource being created
+##	</summary>
+## </param>
+#
+interface(`chromium_tmp_filetrans',`
+	gen_require(`
+		type chromium_tmp_t;
+	')
+
+	search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t)
+	filetrans_pattern($1, chromium_tmp_t, $2, $3, $4)
+')
+
+#######################################
+## <summary>
+## 	Execute a domain transition to the chromium domain (chromium_t)
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`chromium_domtrans',`
+	gen_require(`
+		type chromium_t;
+		type chromium_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, chromium_exec_t, chromium_t)
+')
+
+#######################################
+## <summary>
+## 	Execute chromium in the chromium domain and allow the specified role to access the chromium domain
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`chromium_run',`
+	gen_require(`
+		type chromium_t;
+	')
+
+	chromium_domtrans($1)
+	role $2 types chromium_t;
+')
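Review bot: chromium_run only does "role $2 types chromium_t;", but chromium_t goes on to dyntrans into chromium_renderer_t and domtrans into chromium_sandbox_t and chromium_naclhelper_t (patch 5, chromium.te); for a role that was granted only chromium_run those transitions fail with an invalid-context error because the role is not authorized for the target types. Either add the same four role statements chromium_role has, or state in the summary that chromium_run is only meant for a role that already went through chromium_role. In chromium_role, "type chromium_exec_t;" in the gen_require is unused (chromium_domtrans requires it itself), and the ps/signal block is uneven: chromium_sandbox_t gets neither ps_process_pattern nor signal_perms while chromium_naclhelper_t gets signal but not ps; add the missing lines or comment why the sandbox is excluded. Minor: "Chromiums'" in the chromium_rw_tmp_pipes summary should be "Chromium's", and the banner widths vary between interfaces.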
diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te
new file mode 100644
index 00000000..5219cb87
--- /dev/null
+++ b/policy/modules/apps/chromium.te
@@ -0,0 +1,342 @@
+policy_module(chromium, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow chromium to read system information
+## </p>
+## <p>
+## Although not needed for regular browsing, this will allow chromium to update
+## its own memory consumption based on system state, support additional
+## debugging, detect specific devices, etc.
+## </p>
+## </desc>
+gen_tunable(chromium_read_system_info, false)
+
+## <desc>
+## <p>
+## Allow chromium to bind to tcp ports
+## </p>
+## <p>
+## Although not needed for regular browsing, some chrome extensions need to
+## bind to tcp ports and accept connections.
+## </p>
+## </desc>
+gen_tunable(chromium_bind_tcp_unreserved_ports, false)
+
+## <desc>
+## <p>
+## Allow chromium to read/write USB devices
+## </p>
+## <p>
+## Although not needed for regular browsing, used for debugging over usb
+## or using FIDO U2F tokens.
+## </p>
+## </desc>
+gen_tunable(chromium_rw_usb_dev, false)
+
+type chromium_t;
+domain_dyntrans_type(chromium_t)
+
+type chromium_exec_t;
+application_domain(chromium_t, chromium_exec_t)
+
+type chromium_naclhelper_t;
+type chromium_naclhelper_exec_t;
+application_domain(chromium_naclhelper_t, chromium_naclhelper_exec_t)
+
+type chromium_sandbox_t;
+type chromium_sandbox_exec_t;
+application_domain(chromium_sandbox_t, chromium_sandbox_exec_t)
+
+type chromium_renderer_t;
+domain_base_type(chromium_renderer_t)
+
+type chromium_tmp_t;
+userdom_user_tmp_file(chromium_tmp_t)
+
+type chromium_tmpfs_t;
+userdom_user_tmpfs_file(chromium_tmpfs_t)
+optional_policy(`
+	pulseaudio_tmpfs_content(chromium_tmpfs_t)
+')
+
+type chromium_xdg_config_t;
+xdg_config_content(chromium_xdg_config_t)
+
+type chromium_xdg_cache_t;
+xdg_cache_content(chromium_xdg_cache_t)
+
+
+
+########################################
+#
+# chromium local policy
+#
+
+# execmem for load in plugins
+allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
+allow chromium_t self:fifo_file rw_fifo_file_perms;
+allow chromium_t self:sem create_sem_perms;
+allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
+# cap_userns sys_admin for the sandbox
+allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace };
+
+allow chromium_t chromium_exec_t:file execute_no_trans;
+
+allow chromium_t chromium_renderer_t:dir list_dir_perms;
+allow chromium_t chromium_renderer_t:file rw_file_perms;
+allow chromium_t chromium_renderer_t:fd use;
+allow chromium_t chromium_renderer_t:process signal_perms;
+allow chromium_t chromium_renderer_t:shm rw_shm_perms;
+allow chromium_t chromium_renderer_t:unix_dgram_socket { read write };
+allow chromium_t chromium_renderer_t:unix_stream_socket { read write };
+
+allow chromium_t chromium_sandbox_t:unix_dgram_socket { read write };
+allow chromium_t chromium_sandbox_t:unix_stream_socket { read write };
+
+allow chromium_t chromium_naclhelper_t:process { share };
+
+# tmp has a wide class access (used for plugins)
+manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+allow chromium_t chromium_tmp_t:file map;
+manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
+
+manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
+allow chromium_t chromium_tmpfs_t:file map;
+fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
+fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)
+
+manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
+allow chromium_t chromium_xdg_config_t:file map;
+manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
+manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
+xdg_config_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")
+
+manage_files_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
+allow chromium_t chromium_xdg_cache_t:file map;
+manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
+xdg_cache_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")
+
+dyntrans_pattern(chromium_t, chromium_renderer_t)
+domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
+domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
+
+kernel_list_proc(chromium_t)
+kernel_read_net_sysctls(chromium_t)
+
+corecmd_exec_bin(chromium_t)
+# Look for /etc/gentoo-release through a shell invocation running find
+corecmd_exec_shell(chromium_t)
+
+corenet_tcp_connect_all_unreserved_ports(chromium_t)
+corenet_tcp_connect_ftp_port(chromium_t)
+corenet_tcp_connect_http_port(chromium_t)
+corenet_udp_bind_generic_node(chromium_t)
+corenet_udp_bind_all_unreserved_ports(chromium_t)
+
+dev_read_sound(chromium_t)
+dev_write_sound(chromium_t)
+dev_read_urand(chromium_t)
+dev_read_rand(chromium_t)
+dev_rw_xserver_misc(chromium_t)
+dev_map_xserver_misc(chromium_t)
+
+domain_dontaudit_search_all_domains_state(chromium_t)
+
+files_list_home(chromium_t)
+files_search_home(chromium_t)
+files_read_usr_files(chromium_t)
+files_map_usr_files(chromium_t)
+files_read_etc_files(chromium_t)
+# During find for /etc/whatever-release we get lots of output otherwise
+files_dontaudit_getattr_all_dirs(chromium_t)
+
+fs_dontaudit_getattr_xattr_fs(chromium_t)
+
+miscfiles_read_all_certs(chromium_t)
+miscfiles_read_localization(chromium_t)
+
+sysnet_dns_name_resolve(chromium_t)
+
+userdom_user_content_access_template(chromium, chromium_t)
+userdom_dontaudit_list_user_home_dirs(chromium_t)
+# Debugging. Also on user_tty_device_t if X is started through "startx" for instance
+userdom_use_user_terminals(chromium_t)
+userdom_manage_user_certs(chromium_t)
+userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
+
+xdg_create_cache_dirs(chromium_t)
+xdg_create_config_dirs(chromium_t)
+xdg_create_data_dirs(chromium_t)
+xdg_manage_downloads(chromium_t)
+xdg_read_config_files(chromium_t)
+xdg_read_data_files(chromium_t)
+
+xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
+
+tunable_policy(`chromium_bind_tcp_unreserved_ports',`
+	corenet_tcp_bind_generic_node(chromium_t)
+	corenet_tcp_bind_all_unreserved_ports(chromium_t)
+	allow chromium_t self:tcp_socket { listen accept };
+')
+
+tunable_policy(`chromium_rw_usb_dev',`
+	dev_rw_generic_usb_dev(chromium_t)
+	udev_read_db(chromium_t)
+')
+
+tunable_policy(`chromium_read_system_info',`
+	kernel_read_kernel_sysctls(chromium_t)
+	# Memory optimizations & optimizations based on OS/version
+	kernel_read_system_state(chromium_t)
+
+	# Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices).
+	dev_read_sysfs(chromium_t)
+
+	storage_getattr_fixed_disk_dev(chromium_t)
+
+	files_read_etc_runtime_files(chromium_t)
+
+	dev_dontaudit_getattr_all_chr_files(chromium_t)
+	init_dontaudit_getattr_initctl(chromium_t)
+',`
+	kernel_dontaudit_read_kernel_sysctl(chromium_t)
+	kernel_dontaudit_read_system_state(chromium_t)
+
+	dev_dontaudit_read_sysfs(chromium_t)
+
+	files_dontaudit_read_etc_runtime_files(chromium_t)
+')
+
+optional_policy(`
+	cups_read_config(chromium_t)
+	cups_stream_connect(chromium_t)
+')
+
+optional_policy(`
+	dbus_all_session_bus_client(chromium_t)
+	dbus_system_bus_client(chromium_t)
+
+	optional_policy(`
+		unconfined_dbus_chat(chromium_t)
+	')
+	optional_policy(`
+		gnome_dbus_chat_all_gkeyringd(chromium_t)
+	')
+	optional_policy(`
+		devicekit_dbus_chat_power(chromium_t)
+	')
+')
+
+ifdef(`use_alsa',`
+	optional_policy(`
+		alsa_domain(chromium_t, chromium_tmpfs_t)
+	')
+
+	optional_policy(`
+		pulseaudio_domtrans(chromium_t)
+	')
+')
+
+########################################
+#
+# chromium_renderer local policy
+#
+
+allow chromium_renderer_t self:process execmem;
+
+allow chromium_renderer_t self:fifo_file rw_fifo_file_perms;
+allow chromium_renderer_t self:shm create_shm_perms;
+allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
+allow chromium_renderer_t self:unix_stream_socket { create getattr read write };
+
+allow chromium_renderer_t chromium_t:fd use;
+allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms;
+allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;
+
+dontaudit chromium_renderer_t chromium_t:dir search;	# /proc/... access
+dontaudit chromium_renderer_t self:process getsched;
+
+read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, chromium_xdg_config_t)
+
+rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t)
+
+dev_read_urand(chromium_renderer_t)
+
+files_dontaudit_list_tmp(chromium_renderer_t)
+files_dontaudit_read_etc_files(chromium_renderer_t)
+files_search_var(chromium_renderer_t)
+
+init_sigchld(chromium_renderer_t)
+
+miscfiles_read_localization(chromium_renderer_t)
+
+userdom_dontaudit_use_all_users_fds(chromium_renderer_t)
+userdom_use_user_terminals(chromium_renderer_t)
+
+xdg_read_config_files(chromium_renderer_t)
+
+xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)
+
+tunable_policy(`chromium_read_system_info',`
+	kernel_read_kernel_sysctls(chromium_renderer_t)
+	kernel_read_system_state(chromium_renderer_t)
+',`
+	kernel_dontaudit_read_kernel_sysctl(chromium_renderer_t)
+	kernel_dontaudit_read_system_state(chromium_renderer_t)
+')
+
+#########################################
+#
+# Chromium sandbox local policy
+#
+
+allow chromium_sandbox_t self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace };
+allow chromium_sandbox_t self:process { setrlimit };
+allow chromium_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+
+allow chromium_sandbox_t chromium_t:process { share };
+# /proc access
+allow chromium_sandbox_t chromium_t:dir list_dir_perms;
+allow chromium_sandbox_t chromium_t:lnk_file read_lnk_file_perms;
+allow chromium_sandbox_t chromium_t:file rw_file_perms;
+
+allow chromium_sandbox_t chromium_t:unix_stream_socket { read write };
+allow chromium_sandbox_t chromium_t:unix_dgram_socket { read write };
+
+kernel_list_proc(chromium_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chromium_sandbox_t)
+
+userdom_use_user_ptys(chromium_sandbox_t)
+
+chromium_domtrans(chromium_sandbox_t)
+
+##########################################
+#
+# Chromium nacl helper local policy
+#
+
+allow chromium_naclhelper_t chromium_t:unix_stream_socket { read write };
+
+domain_mmap_low_uncond(chromium_naclhelper_t)
+
+userdom_use_user_ptys(chromium_naclhelper_t)
+
+tunable_policy(`chromium_read_system_info',`
+	kernel_read_kernel_sysctls(chromium_naclhelper_t)
+	kernel_read_system_state(chromium_naclhelper_t)
+',`
+	kernel_dontaudit_read_kernel_sysctl(chromium_naclhelper_t)
+	kernel_dontaudit_read_system_state(chromium_naclhelper_t)
+')
+
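Review bot: "fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)" sets up a type transition for tmpfs files the renderer creates, but further down chromium_renderer_t is only granted "allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;", which has no create, so if the renderer ever creates one (memfd- or shm-backed shared memory lands on tmpfs) the create is denied and the transition never fires. Either give the renderer manage_files_pattern on chromium_tmpfs_t (or at least create_file_perms) or drop that filetrans. Second, "udev_read_db(chromium_t)" sits inside tunable_policy(`chromium_rw_usb_dev`) with no optional_policy around it; if udev is built as a loadable module rather than into base, the chromium module fails to link, so wrap that tunable in optional_policy (tunable inside optional is allowed, the reverse is not). Third, chromium_t combines corecmd_exec_bin and corecmd_exec_shell with no transition, self:process execmem, and self:cap_userns { sys_admin sys_chroot sys_ptrace }; a short comment that renderers are confined by the dyntrans to chromium_renderer_t and that the setuid sandbox re-executes chrome back into chromium_t (chromium_domtrans(chromium_sandbox_t)) would help future readers understand why that breadth is accepted. Style: three consecutive blank lines after the xdg declarations, and the braces in "{ share }" around a single permission.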
-- 
2.19.2


* Re: [PATCH 5/5] Add chromium policy upstreamed from Gentoo
  2019-01-12  8:03 ` [PATCH 5/5] Add chromium policy upstreamed from Gentoo Jason Zaman
@ 2019-01-23  8:27   ` Russell Coker
  2019-01-23 23:49   ` Chris PeBenito
  1 sibling, 0 replies; 7+ messages in thread
From: Russell Coker @ 2019-01-23  8:27 UTC
  To: Jason Zaman; +Cc: selinux-refpolicy

This looks OK at a quick scan.

On Saturday, 12 January 2019 7:03:44 PM AEDT Jason Zaman wrote:
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>  policy/modules/apps/chromium.fc |  31 +++
>  policy/modules/apps/chromium.if | 139 +++++++++++++
>  policy/modules/apps/chromium.te | 342 ++++++++++++++++++++++++++++++++
>  3 files changed, 512 insertions(+)
>  create mode 100644 policy/modules/apps/chromium.fc
>  create mode 100644 policy/modules/apps/chromium.if
>  create mode 100644 policy/modules/apps/chromium.te
> 
> diff --git a/policy/modules/apps/chromium.fc
> b/policy/modules/apps/chromium.fc new file mode 100644
> index 00000000..534235dc
> --- /dev/null
> +++ b/policy/modules/apps/chromium.fc
> @@ -0,0 +1,31 @@
> +/opt/google/chrome/chrome				--	
gen_context(system_u:object_r:chromium_exec
> _t,s0)
> +/opt/google/chrome/chrome_sandbox			--	
gen_context(system_u:object_r:chrom
> ium_sandbox_exec_t,s0)
> +/opt/google/chrome/chrome-sandbox			--	
gen_context(system_u:object_r:chrom
> ium_sandbox_exec_t,s0)
> +/opt/google/chrome/google-chrome			--	
gen_context(system_u:object_r:chromi
> um_exec_t,s0)
> +/opt/google/chrome/nacl_helper_bootstrap		--	
gen_context(system_u:object_r
> :chromium_naclhelper_exec_t,s0)
> +/opt/google/chrome/libudev.so.0					
gen_context(system_u:object_r:lib_t,s0
> ) +
> +/opt/google/chrome-beta/chrome				--	
gen_context(system_u:object_r:chromium
> _exec_t,s0)
> +/opt/google/chrome-beta/chrome_sandbox			--	
gen_context(system_u:object_r:
> chromium_sandbox_exec_t,s0)
> +/opt/google/chrome-beta/chrome-sandbox			--	
gen_context(system_u:object_r:
> chromium_sandbox_exec_t,s0)
> +/opt/google/chrome-beta/google-chrome			--	
gen_context(system_u:object_r:c
> hromium_exec_t,s0)
> +/opt/google/chrome-beta/nacl_helper_bootstrap		--	
gen_context(system_u:obj
> ect_r:chromium_naclhelper_exec_t,s0)
> +/opt/google/chrome-beta/libudev.so.0				
gen_context(system_u:object_r:lib_
> t,s0) +
> +/opt/google/chrome-unstable/chrome			--	
gen_context(system_u:object_r:chrom
> ium_exec_t,s0)
> +/opt/google/chrome-unstable/chrome_sandbox		--	
gen_context(system_u:object
> _r:chromium_sandbox_exec_t,s0)
> +/opt/google/chrome-unstable/chrome-sandbox		--	
gen_context(system_u:object
> _r:chromium_sandbox_exec_t,s0)
> +/opt/google/chrome-unstable/google-chrome		--	
gen_context(system_u:object_
> r:chromium_exec_t,s0)
> +/opt/google/chrome-unstable/nacl_helper_bootstrap	--	
gen_context(system_u:
> object_r:chromium_naclhelper_exec_t,s0)
> +/opt/google/chrome-unstable/libudev.so.0			
gen_context(system_u:object_r:l
> ib_t,s0) +
> +/usr/lib/chromium-browser/chrome			--	
gen_context(system_u:object_r:chromiu
> m_exec_t,s0)
> +/usr/lib/chromium-browser/chrome_sandbox		--	
gen_context(system_u:object_r
> :chromium_sandbox_exec_t,s0)
> +/usr/lib/chromium-browser/chrome-sandbox		--	
gen_context(system_u:object_r
> :chromium_sandbox_exec_t,s0)
> +/usr/lib/chromium-browser/chromium-launcher\.sh		--	
gen_context(system_u:o
> bject_r:chromium_exec_t,s0)
> +/usr/lib/chromium-browser/nacl_helper_bootstrap		--	
gen_context(system_u:o
> bject_r:chromium_naclhelper_exec_t,s0) +
> +HOME_DIR/\.cache/chromium(/.*)?					
gen_context(system_u:object_r:chromium_
> xdg_cache_t,s0)
> +HOME_DIR/\.cache/google-chrome(/.*)?				
gen_context(system_u:object_r:chro
> mium_xdg_cache_t,s0)
> +HOME_DIR/\.config/chromium(/.*)?				
gen_context(system_u:object_r:chromium
> _xdg_config_t,s0)
> +HOME_DIR/\.config/google-chrome(/.*)?				
gen_context(system_u:object_r:chr
> omium_xdg_config_t,s0) diff --git a/policy/modules/apps/chromium.if
> b/policy/modules/apps/chromium.if new file mode 100644
> index 00000000..26eb0259
> --- /dev/null
> +++ b/policy/modules/apps/chromium.if
> @@ -0,0 +1,139 @@
> +## <summary>
> +##	Chromium browser
> +## </summary>
> +
> +#######################################
> +## <summary>
> +## 	Role access for chromium
> +## </summary>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access
> +##	</summary>
> +## </param>
> +## <param name="domain">
> +## 	<summary>
> +##	User domain for the role
> +##	</summary>
> +## </param>
> +#
> +interface(`chromium_role',`
> +	gen_require(`
> +		type chromium_t;
> +		type chromium_renderer_t;
> +		type chromium_sandbox_t;
> +		type chromium_naclhelper_t;
> +		type chromium_exec_t;
> +	')
> +
> +	role $1 types chromium_t;
> +	role $1 types chromium_renderer_t;
> +	role $1 types chromium_sandbox_t;
> +	role $1 types chromium_naclhelper_t;
> +
> +	# Transition from the user domain to the derived domain
> +	chromium_domtrans($2)
> +
> +	# Allow ps to show chromium processes and allow the user to signal it
> +	ps_process_pattern($2, chromium_t)
> +	ps_process_pattern($2, chromium_renderer_t)
> +
> +	allow $2 chromium_t:process signal_perms;
> +	allow $2 chromium_renderer_t:process signal_perms;
> +	allow $2 chromium_naclhelper_t:process signal_perms;
> +
> +	allow chromium_sandbox_t $2:fd use;
> +	allow chromium_naclhelper_t $2:fd use;
> +')
> +
> +#######################################
> +## <summary>
> +##	Read-write access to Chromiums' temporary fifo files
> +## </summary>
> +## <param name="domain">
> +## 	<summary>
> +##	Domain allowed access
> +##	</summary>
> +## </param>
> +#
> +interface(`chromium_rw_tmp_pipes',`
> +	gen_require(`
> +		type chromium_tmp_t;
> +	')
> +
> +	rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t)
> +')
> +
> +##############################################
> +## <summary>
> +##	Automatically use the specified type for resources created in 
chromium's
> +##	temporary locations
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain that creates the resource(s)
> +##	</summary>
> +## </param>
> +## <param name="class">
> +##	<summary>
> +##	Type of the resource created
> +##	</summary>
> +## </param>
> +## <param name="filename" optional="true">
> +##	<summary>
> +##	The name of the resource being created
> +##	</summary>
> +## </param>
> +#
> +interface(`chromium_tmp_filetrans',`
> +	gen_require(`
> +		type chromium_tmp_t;
> +	')
> +
> +	search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t)
> +	filetrans_pattern($1, chromium_tmp_t, $2, $3, $4)
> +')
> +
> +#######################################
> +## <summary>
> +## 	Execute a domain transition to the chromium domain (chromium_t)
> +## </summary>
> +## <param name="domain">
> +## 	<summary>
> +##	Domain allowed access
> +##	</summary>
> +## </param>
> +#
> +interface(`chromium_domtrans',`
> +	gen_require(`
> +		type chromium_t;
> +		type chromium_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	domtrans_pattern($1, chromium_exec_t, chromium_t)
> +')
> +
> +#######################################
> +## <summary>
> +## 	Execute chromium in the chromium domain and allow the specified role 
to
> access the chromium domain +## </summary>
> +## <param name="domain">
> +## 	<summary>
> +##	Domain allowed access
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access
> +##	</summary>
> +## </param>
> +#
> +interface(`chromium_run',`
> +	gen_require(`
> +		type chromium_t;
> +	')
> +
> +	chromium_domtrans($1)
> +	role $2 types chromium_t;
> +')
> diff --git a/policy/modules/apps/chromium.te
> b/policy/modules/apps/chromium.te new file mode 100644
> index 00000000..5219cb87
> --- /dev/null
> +++ b/policy/modules/apps/chromium.te
> @@ -0,0 +1,342 @@
> +policy_module(chromium, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Allow chromium to read system information
> +## </p>
> +## <p>
> +## Although not needed for regular browsing, this will allow chromium to
> update +## its own memory consumption based on system state, support
> additional +## debugging, detect specific devices, etc.
> +## </p>
> +## </desc>
> +gen_tunable(chromium_read_system_info, false)
> +
> +## <desc>
> +## <p>
> +## Allow chromium to bind to tcp ports
> +## </p>
> +## <p>
> +## Although not needed for regular browsing, some chrome extensions need to
> +## bind to tcp ports and accept connections.
> +## </p>
> +## </desc>
> +gen_tunable(chromium_bind_tcp_unreserved_ports, false)
> +
> +## <desc>
> +## <p>
> +## Allow chromium to read/write USB devices
> +## </p>
> +## <p>
> +## Although not needed for regular browsing, used for debugging over usb
> +## or using FIDO U2F tokens.
> +## </p>
> +## </desc>
> +gen_tunable(chromium_rw_usb_dev, false)
> +
> +type chromium_t;
> +domain_dyntrans_type(chromium_t)
> +
> +type chromium_exec_t;
> +application_domain(chromium_t, chromium_exec_t)
> +
> +type chromium_naclhelper_t;
> +type chromium_naclhelper_exec_t;
> +application_domain(chromium_naclhelper_t, chromium_naclhelper_exec_t)
> +
> +type chromium_sandbox_t;
> +type chromium_sandbox_exec_t;
> +application_domain(chromium_sandbox_t, chromium_sandbox_exec_t)
> +
> +type chromium_renderer_t;
> +domain_base_type(chromium_renderer_t)
> +
> +type chromium_tmp_t;
> +userdom_user_tmp_file(chromium_tmp_t)
> +
> +type chromium_tmpfs_t;
> +userdom_user_tmpfs_file(chromium_tmpfs_t)
> +optional_policy(`
> +	pulseaudio_tmpfs_content(chromium_tmpfs_t)
> +')
> +
> +type chromium_xdg_config_t;
> +xdg_config_content(chromium_xdg_config_t)
> +
> +type chromium_xdg_cache_t;
> +xdg_cache_content(chromium_xdg_cache_t)
> +
> +
> +
> +########################################
> +#
> +# chromium local policy
> +#
> +
> +# execmem for load in plugins
> +allow chromium_t self:process { execmem getsched getcap setcap setrlimit
> setsched sigkill signal }; +allow chromium_t self:fifo_file
> rw_fifo_file_perms;
> +allow chromium_t self:sem create_sem_perms;
> +allow chromium_t self:netlink_kobject_uevent_socket
> client_stream_socket_perms; +# cap_userns sys_admin for the sandbox
> +allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace };
> +
> +allow chromium_t chromium_exec_t:file execute_no_trans;
> +
> +allow chromium_t chromium_renderer_t:dir list_dir_perms;
> +allow chromium_t chromium_renderer_t:file rw_file_perms;
> +allow chromium_t chromium_renderer_t:fd use;
> +allow chromium_t chromium_renderer_t:process signal_perms;
> +allow chromium_t chromium_renderer_t:shm rw_shm_perms;
> +allow chromium_t chromium_renderer_t:unix_dgram_socket { read write };
> +allow chromium_t chromium_renderer_t:unix_stream_socket { read write };
> +
> +allow chromium_t chromium_sandbox_t:unix_dgram_socket { read write };
> +allow chromium_t chromium_sandbox_t:unix_stream_socket { read write };
> +
> +allow chromium_t chromium_naclhelper_t:process { share };
> +
> +# tmp has a wide class access (used for plugins)
> +manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
> +allow chromium_t chromium_tmp_t:file map;
> +manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
> +manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
> +manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
> +manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
> +files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
> +
> +manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
> +allow chromium_t chromium_tmpfs_t:file map;
> +fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
> +fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)
> +
> +manage_files_pattern(chromium_t, chromium_xdg_config_t,
> chromium_xdg_config_t) +allow chromium_t chromium_xdg_config_t:file map;
> +manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t,
> chromium_xdg_config_t) +manage_dirs_pattern(chromium_t,
> chromium_xdg_config_t, chromium_xdg_config_t)
> +xdg_config_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium") +
> +manage_files_pattern(chromium_t, chromium_xdg_cache_t,
> chromium_xdg_cache_t) +allow chromium_t chromium_xdg_cache_t:file map;
> +manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
> +xdg_cache_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium") +
> +dyntrans_pattern(chromium_t, chromium_renderer_t)
> +domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
> +domtrans_pattern(chromium_t, chromium_naclhelper_exec_t,
> chromium_naclhelper_t) +
> +kernel_list_proc(chromium_t)
> +kernel_read_net_sysctls(chromium_t)
> +
> +corecmd_exec_bin(chromium_t)
> +# Look for /etc/gentoo-release through a shell invocation running find
> +corecmd_exec_shell(chromium_t)
> +
> +corenet_tcp_connect_all_unreserved_ports(chromium_t)
> +corenet_tcp_connect_ftp_port(chromium_t)
> +corenet_tcp_connect_http_port(chromium_t)
> +corenet_udp_bind_generic_node(chromium_t)
> +corenet_udp_bind_all_unreserved_ports(chromium_t)
> +
> +dev_read_sound(chromium_t)
> +dev_write_sound(chromium_t)
> +dev_read_urand(chromium_t)
> +dev_read_rand(chromium_t)
> +dev_rw_xserver_misc(chromium_t)
> +dev_map_xserver_misc(chromium_t)
> +
> +domain_dontaudit_search_all_domains_state(chromium_t)
> +
> +files_list_home(chromium_t)
> +files_search_home(chromium_t)
> +files_read_usr_files(chromium_t)
> +files_map_usr_files(chromium_t)
> +files_read_etc_files(chromium_t)
> +# During find for /etc/whatever-release we get lots of output otherwise
> +files_dontaudit_getattr_all_dirs(chromium_t)
> +
> +fs_dontaudit_getattr_xattr_fs(chromium_t)
> +
> +miscfiles_read_all_certs(chromium_t)
> +miscfiles_read_localization(chromium_t)
> +
> +sysnet_dns_name_resolve(chromium_t)
> +
> +userdom_user_content_access_template(chromium, chromium_t)
> +userdom_dontaudit_list_user_home_dirs(chromium_t)
> +# Debugging. Also on user_tty_device_t if X is started through "startx" for
> instance +userdom_use_user_terminals(chromium_t)
> +userdom_manage_user_certs(chromium_t)
> +userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
> +
> +xdg_create_cache_dirs(chromium_t)
> +xdg_create_config_dirs(chromium_t)
> +xdg_create_data_dirs(chromium_t)
> +xdg_manage_downloads(chromium_t)
> +xdg_read_config_files(chromium_t)
> +xdg_read_data_files(chromium_t)
> +
> +xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
> +
> +tunable_policy(`chromium_bind_tcp_unreserved_ports',`
> +	corenet_tcp_bind_generic_node(chromium_t)
> +	corenet_tcp_bind_all_unreserved_ports(chromium_t)
> +	allow chromium_t self:tcp_socket { listen accept };
> +')
> +
> +tunable_policy(`chromium_rw_usb_dev',`
> +	dev_rw_generic_usb_dev(chromium_t)
> +	udev_read_db(chromium_t)
> +')
> +
> +tunable_policy(`chromium_read_system_info',`
> +	kernel_read_kernel_sysctls(chromium_t)
> +	# Memory optimizations & optimizations based on OS/version
> +	kernel_read_system_state(chromium_t)
> +
> +	# Debugging (sys/kernel/debug) and device information (sys/bus and
> sys/devices). +	dev_read_sysfs(chromium_t)
> +
> +	storage_getattr_fixed_disk_dev(chromium_t)
> +
> +	files_read_etc_runtime_files(chromium_t)
> +
> +	dev_dontaudit_getattr_all_chr_files(chromium_t)
> +	init_dontaudit_getattr_initctl(chromium_t)
> +',`
> +	kernel_dontaudit_read_kernel_sysctl(chromium_t)
> +	kernel_dontaudit_read_system_state(chromium_t)
> +
> +	dev_dontaudit_read_sysfs(chromium_t)
> +
> +	files_dontaudit_read_etc_runtime_files(chromium_t)
> +')
> +
> +optional_policy(`
> +	cups_read_config(chromium_t)
> +	cups_stream_connect(chromium_t)
> +')
> +
> +optional_policy(`
> +	dbus_all_session_bus_client(chromium_t)
> +	dbus_system_bus_client(chromium_t)
> +
> +	optional_policy(`
> +		unconfined_dbus_chat(chromium_t)
> +	')
> +	optional_policy(`
> +		gnome_dbus_chat_all_gkeyringd(chromium_t)
> +	')
> +	optional_policy(`
> +		devicekit_dbus_chat_power(chromium_t)
> +	')
> +')
> +
> +ifdef(`use_alsa',`
> +	optional_policy(`
> +		alsa_domain(chromium_t, chromium_tmpfs_t)
> +	')
> +
> +	optional_policy(`
> +		pulseaudio_domtrans(chromium_t)
> +	')
> +')
> +
> +########################################
> +#
> +# chromium_renderer local policy
> +#
> +
> +allow chromium_renderer_t self:process execmem;
> +
> +allow chromium_renderer_t self:fifo_file rw_fifo_file_perms;
> +allow chromium_renderer_t self:shm create_shm_perms;
> +allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
> +allow chromium_renderer_t self:unix_stream_socket { create getattr read
> write }; +
> +allow chromium_renderer_t chromium_t:fd use;
> +allow chromium_renderer_t chromium_t:unix_stream_socket
> rw_stream_socket_perms; +allow chromium_renderer_t chromium_tmpfs_t:file
> rw_file_perms;
> +
> +dontaudit chromium_renderer_t chromium_t:dir search;	# /proc/... access
> +dontaudit chromium_renderer_t self:process getsched;
> +
> +read_files_pattern(chromium_renderer_t, chromium_xdg_config_t,
> chromium_xdg_config_t) +
> +rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t)
> +
> +dev_read_urand(chromium_renderer_t)
> +
> +files_dontaudit_list_tmp(chromium_renderer_t)
> +files_dontaudit_read_etc_files(chromium_renderer_t)
> +files_search_var(chromium_renderer_t)
> +
> +init_sigchld(chromium_renderer_t)
> +
> +miscfiles_read_localization(chromium_renderer_t)
> +
> +userdom_dontaudit_use_all_users_fds(chromium_renderer_t)
> +userdom_use_user_terminals(chromium_renderer_t)
> +
> +xdg_read_config_files(chromium_renderer_t)
> +
> +xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t,
> chromium_tmpfs_t) +
> +tunable_policy(`chromium_read_system_info',`
> +	kernel_read_kernel_sysctls(chromium_renderer_t)
> +	kernel_read_system_state(chromium_renderer_t)
> +',`
> +	kernel_dontaudit_read_kernel_sysctl(chromium_renderer_t)
> +	kernel_dontaudit_read_system_state(chromium_renderer_t)
> +')
> +
> +#########################################
> +#
> +# Chromium sandbox local policy
> +#
> +
> +allow chromium_sandbox_t self:capability { dac_read_search setgid setuid
> sys_admin sys_chroot sys_ptrace }; +allow chromium_sandbox_t self:process {
> setrlimit };
> +allow chromium_sandbox_t self:unix_stream_socket
> create_stream_socket_perms; +
> +allow chromium_sandbox_t chromium_t:process { share };
> +# /proc access
> +allow chromium_sandbox_t chromium_t:dir list_dir_perms;
> +allow chromium_sandbox_t chromium_t:lnk_file read_lnk_file_perms;
> +allow chromium_sandbox_t chromium_t:file rw_file_perms;
> +
> +allow chromium_sandbox_t chromium_t:unix_stream_socket { read write };
> +allow chromium_sandbox_t chromium_t:unix_dgram_socket { read write };
> +
> +kernel_list_proc(chromium_sandbox_t)
> +
> +domain_dontaudit_read_all_domains_state(chromium_sandbox_t)
> +
> +userdom_use_user_ptys(chromium_sandbox_t)
> +
> +chromium_domtrans(chromium_sandbox_t)
> +
> +##########################################
> +#
> +# Chromium nacl helper local policy
> +#
> +
> +allow chromium_naclhelper_t chromium_t:unix_stream_socket { read write };
> +
> +domain_mmap_low_uncond(chromium_naclhelper_t)
> +
> +userdom_use_user_ptys(chromium_naclhelper_t)
> +
> +tunable_policy(`chromium_read_system_info',`
> +	kernel_read_kernel_sysctls(chromium_naclhelper_t)
> +	kernel_read_system_state(chromium_naclhelper_t)
> +',`
> +	kernel_dontaudit_read_kernel_sysctl(chromium_naclhelper_t)
> +	kernel_dontaudit_read_system_state(chromium_naclhelper_t)
> +')
> +


-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/





* Re: [PATCH 5/5] Add chromium policy upstreamed from Gentoo
  2019-01-12  8:03 ` [PATCH 5/5] Add chromium policy upstreamed from Gentoo Jason Zaman
  2019-01-23  8:27   ` Russell Coker
@ 2019-01-23 23:49   ` Chris PeBenito
  1 sibling, 0 replies; 7+ messages in thread
From: Chris PeBenito @ 2019-01-23 23:49 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 1/12/19 3:03 AM, Jason Zaman wrote:
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/apps/chromium.fc |  31 +++
>   policy/modules/apps/chromium.if | 139 +++++++++++++
>   policy/modules/apps/chromium.te | 342 ++++++++++++++++++++++++++++++++
>   3 files changed, 512 insertions(+)
>   create mode 100644 policy/modules/apps/chromium.fc
>   create mode 100644 policy/modules/apps/chromium.if
>   create mode 100644 policy/modules/apps/chromium.te
> 
> diff --git a/policy/modules/apps/chromium.fc b/policy/modules/apps/chromium.fc
> new file mode 100644
> index 00000000..534235dc
> --- /dev/null
> +++ b/policy/modules/apps/chromium.fc
> @@ -0,0 +1,31 @@
> +/opt/google/chrome/chrome				--	gen_context(system_u:object_r:chromium_exec_t,s0)
> +/opt/google/chrome/chrome_sandbox			--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
> +/opt/google/chrome/chrome-sandbox			--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
> +/opt/google/chrome/google-chrome			--	gen_context(system_u:object_r:chromium_exec_t,s0)
> +/opt/google/chrome/nacl_helper_bootstrap		--	gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
> +/opt/google/chrome/libudev.so.0					gen_context(system_u:object_r:lib_t,s0)
> +
> +/opt/google/chrome-beta/chrome				--	gen_context(system_u:object_r:chromium_exec_t,s0)
> +/opt/google/chrome-beta/chrome_sandbox			--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
> +/opt/google/chrome-beta/chrome-sandbox			--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
> +/opt/google/chrome-beta/google-chrome			--	gen_context(system_u:object_r:chromium_exec_t,s0)
> +/opt/google/chrome-beta/nacl_helper_bootstrap		--	gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
> +/opt/google/chrome-beta/libudev.so.0				gen_context(system_u:object_r:lib_t,s0)
> +
> +/opt/google/chrome-unstable/chrome			--	gen_context(system_u:object_r:chromium_exec_t,s0)
> +/opt/google/chrome-unstable/chrome_sandbox		--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
> +/opt/google/chrome-unstable/chrome-sandbox		--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
> +/opt/google/chrome-unstable/google-chrome		--	gen_context(system_u:object_r:chromium_exec_t,s0)
> +/opt/google/chrome-unstable/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
> +/opt/google/chrome-unstable/libudev.so.0			gen_context(system_u:object_r:lib_t,s0)
> +
> +/usr/lib/chromium-browser/chrome			--	gen_context(system_u:object_r:chromium_exec_t,s0)
> +/usr/lib/chromium-browser/chrome_sandbox		--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
> +/usr/lib/chromium-browser/chrome-sandbox		--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
> +/usr/lib/chromium-browser/chromium-launcher\.sh		--	gen_context(system_u:object_r:chromium_exec_t,s0)
> +/usr/lib/chromium-browser/nacl_helper_bootstrap		--	gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
> +
> +HOME_DIR/\.cache/chromium(/.*)?					gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
> +HOME_DIR/\.cache/google-chrome(/.*)?				gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
> +HOME_DIR/\.config/chromium(/.*)?				gen_context(system_u:object_r:chromium_xdg_config_t,s0)
> +HOME_DIR/\.config/google-chrome(/.*)?				gen_context(system_u:object_r:chromium_xdg_config_t,s0)
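Review bot: the `libudev.so.0` entries (`/opt/google/chrome/libudev.so.0` and the chrome-beta and chrome-unstable copies) leave the dots unescaped, while `chromium-launcher\.sh` in the same file escapes its dot; file context paths are regular expressions, so for consistency with the rest of the file write `libudev\.so\.0`. Unrelated to correctness, but note that labelling `chromium-launcher\.sh` as `chromium_exec_t` means the launcher shell script itself runs in `chromium_t`, which is what `corecmd_exec_shell(chromium_t)` in chromium.te relies on; a one-line comment there would save the next reader the cross-reference.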
> diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if
> new file mode 100644
> index 00000000..26eb0259
> --- /dev/null
> +++ b/policy/modules/apps/chromium.if
> @@ -0,0 +1,139 @@
> +## <summary>
> +##	Chromium browser
> +## </summary>
> +
> +#######################################
> +## <summary>
> +## 	Role access for chromium
> +## </summary>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access
> +##	</summary>
> +## </param>
> +## <param name="domain">
> +## 	<summary>
> +##	User domain for the role
> +##	</summary>
> +## </param>
> +#
> +interface(`chromium_role',`
> +	gen_require(`
> +		type chromium_t;
> +		type chromium_renderer_t;
> +		type chromium_sandbox_t;
> +		type chromium_naclhelper_t;
> +		type chromium_exec_t;
> +	')
> +
> +	role $1 types chromium_t;
> +	role $1 types chromium_renderer_t;
> +	role $1 types chromium_sandbox_t;
> +	role $1 types chromium_naclhelper_t;
> +
> +	# Transition from the user domain to the derived domain
> +	chromium_domtrans($2)
> +
> +	# Allow ps to show chromium processes and allow the user to signal it
> +	ps_process_pattern($2, chromium_t)
> +	ps_process_pattern($2, chromium_renderer_t)
> +
> +	allow $2 chromium_t:process signal_perms;
> +	allow $2 chromium_renderer_t:process signal_perms;
> +	allow $2 chromium_naclhelper_t:process signal_perms;
> +
> +	allow chromium_sandbox_t $2:fd use;
> +	allow chromium_naclhelper_t $2:fd use;
> +')
> +
> +#######################################
> +## <summary>
> +##	Read-write access to Chromiums' temporary fifo files
> +## </summary>
> +## <param name="domain">
> +## 	<summary>
> +##	Domain allowed access
> +##	</summary>
> +## </param>
> +#
> +interface(`chromium_rw_tmp_pipes',`
> +	gen_require(`
> +		type chromium_tmp_t;
> +	')
> +
> +	rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t)
> +')
> +
> +##############################################
> +## <summary>
> +##	Automatically use the specified type for resources created in chromium's
> +##	temporary locations
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain that creates the resource(s)
> +##	</summary>
> +## </param>
> +## <param name="class">
> +##	<summary>
> +##	Type of the resource created
> +##	</summary>
> +## </param>
> +## <param name="filename" optional="true">
> +##	<summary>
> +##	The name of the resource being created
> +##	</summary>
> +## </param>
> +#
> +interface(`chromium_tmp_filetrans',`
> +	gen_require(`
> +		type chromium_tmp_t;
> +	')
> +
> +	search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t)
> +	filetrans_pattern($1, chromium_tmp_t, $2, $3, $4)
> +')
> +
> +#######################################
> +## <summary>
> +## 	Execute a domain transition to the chromium domain (chromium_t)
> +## </summary>
> +## <param name="domain">
> +## 	<summary>
> +##	Domain allowed access
> +##	</summary>
> +## </param>
> +#
> +interface(`chromium_domtrans',`
> +	gen_require(`
> +		type chromium_t;
> +		type chromium_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	domtrans_pattern($1, chromium_exec_t, chromium_t)
> +')
> +
> +#######################################
> +## <summary>
> +## 	Execute chromium in the chromium domain and allow the specified role to access the chromium domain
> +## </summary>
> +## <param name="domain">
> +## 	<summary>
> +##	Domain allowed access
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access
> +##	</summary>
> +## </param>
> +#
> +interface(`chromium_run',`
> +	gen_require(`
> +		type chromium_t;
> +	')
> +
> +	chromium_domtrans($1)
> +	role $2 types chromium_t;
> +')
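Review bot: `chromium_run` authorizes the role only for `chromium_t` (`role $2 types chromium_t;`), but chromium.te has `chromium_t` transition to `chromium_sandbox_t` and `chromium_naclhelper_t` and dyntrans to `chromium_renderer_t`; a role that is set up through `chromium_run` rather than `chromium_role` will therefore fail the role check as soon as chromium spawns its sandbox or a renderer. Either add the other three `role $2 types` lines, as `chromium_role` already does, or document in the summary that `chromium_role` is the intended entry point. Minor points in the same hunk: `chromium_role` requires `type chromium_exec_t` but never uses it; `ps_process_pattern` is granted for `chromium_t` and `chromium_renderer_t` only, while `signal_perms` is also granted for `chromium_naclhelper_t`, so `ps` will show processes the user cannot see consistently with what it can signal; and the `chromium_rw_tmp_pipes` summary reads "Chromiums'" where "Chromium's" is meant.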
> diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te
> new file mode 100644
> index 00000000..5219cb87
> --- /dev/null
> +++ b/policy/modules/apps/chromium.te
> @@ -0,0 +1,342 @@
> +policy_module(chromium, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Allow chromium to read system information
> +## </p>
> +## <p>
> +## Although not needed for regular browsing, this will allow chromium to update
> +## its own memory consumption based on system state, support additional
> +## debugging, detect specific devices, etc.
> +## </p>
> +## </desc>
> +gen_tunable(chromium_read_system_info, false)
> +
> +## <desc>
> +## <p>
> +## Allow chromium to bind to tcp ports
> +## </p>
> +## <p>
> +## Although not needed for regular browsing, some chrome extensions need to
> +## bind to tcp ports and accept connections.
> +## </p>
> +## </desc>
> +gen_tunable(chromium_bind_tcp_unreserved_ports, false)
> +
> +## <desc>
> +## <p>
> +## Allow chromium to read/write USB devices
> +## </p>
> +## <p>
> +## Although not needed for regular browsing, used for debugging over usb
> +## or using FIDO U2F tokens.
> +## </p>
> +## </desc>
> +gen_tunable(chromium_rw_usb_dev, false)
> +
> +type chromium_t;
> +domain_dyntrans_type(chromium_t)
> +
> +type chromium_exec_t;
> +application_domain(chromium_t, chromium_exec_t)
> +
> +type chromium_naclhelper_t;
> +type chromium_naclhelper_exec_t;
> +application_domain(chromium_naclhelper_t, chromium_naclhelper_exec_t)
> +
> +type chromium_sandbox_t;
> +type chromium_sandbox_exec_t;
> +application_domain(chromium_sandbox_t, chromium_sandbox_exec_t)
> +
> +type chromium_renderer_t;
> +domain_base_type(chromium_renderer_t)
> +
> +type chromium_tmp_t;
> +userdom_user_tmp_file(chromium_tmp_t)
> +
> +type chromium_tmpfs_t;
> +userdom_user_tmpfs_file(chromium_tmpfs_t)
> +optional_policy(`
> +	pulseaudio_tmpfs_content(chromium_tmpfs_t)
> +')
> +
> +type chromium_xdg_config_t;
> +xdg_config_content(chromium_xdg_config_t)
> +
> +type chromium_xdg_cache_t;
> +xdg_cache_content(chromium_xdg_cache_t)
> +
> +
> +
> +########################################
> +#
> +# chromium local policy
> +#
> +
> +# execmem for load in plugins
> +allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
> +allow chromium_t self:fifo_file rw_fifo_file_perms;
> +allow chromium_t self:sem create_sem_perms;
> +allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
> +# cap_userns sys_admin for the sandbox
> +allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace };
> +
> +allow chromium_t chromium_exec_t:file execute_no_trans;
> +
> +allow chromium_t chromium_renderer_t:dir list_dir_perms;
> +allow chromium_t chromium_renderer_t:file rw_file_perms;
> +allow chromium_t chromium_renderer_t:fd use;
> +allow chromium_t chromium_renderer_t:process signal_perms;
> +allow chromium_t chromium_renderer_t:shm rw_shm_perms;
> +allow chromium_t chromium_renderer_t:unix_dgram_socket { read write };
> +allow chromium_t chromium_renderer_t:unix_stream_socket { read write };
> +
> +allow chromium_t chromium_sandbox_t:unix_dgram_socket { read write };
> +allow chromium_t chromium_sandbox_t:unix_stream_socket { read write };
> +
> +allow chromium_t chromium_naclhelper_t:process { share };
> +
> +# tmp has a wide class access (used for plugins)
> +manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
> +allow chromium_t chromium_tmp_t:file map;
> +manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
> +manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
> +manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
> +manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
> +files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
> +
> +manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
> +allow chromium_t chromium_tmpfs_t:file map;
> +fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
> +fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)
> +
> +manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
> +allow chromium_t chromium_xdg_config_t:file map;
> +manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
> +manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
> +xdg_config_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")
> +
> +manage_files_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
> +allow chromium_t chromium_xdg_cache_t:file map;
> +manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
> +xdg_cache_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")
> +
> +dyntrans_pattern(chromium_t, chromium_renderer_t)
> +domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
> +domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
> +
> +kernel_list_proc(chromium_t)
> +kernel_read_net_sysctls(chromium_t)
> +
> +corecmd_exec_bin(chromium_t)
> +# Look for /etc/gentoo-release through a shell invocation running find
> +corecmd_exec_shell(chromium_t)
> +
> +corenet_tcp_connect_all_unreserved_ports(chromium_t)
> +corenet_tcp_connect_ftp_port(chromium_t)
> +corenet_tcp_connect_http_port(chromium_t)
> +corenet_udp_bind_generic_node(chromium_t)
> +corenet_udp_bind_all_unreserved_ports(chromium_t)
> +
> +dev_read_sound(chromium_t)
> +dev_write_sound(chromium_t)
> +dev_read_urand(chromium_t)
> +dev_read_rand(chromium_t)
> +dev_rw_xserver_misc(chromium_t)
> +dev_map_xserver_misc(chromium_t)
> +
> +domain_dontaudit_search_all_domains_state(chromium_t)
> +
> +files_list_home(chromium_t)
> +files_search_home(chromium_t)
> +files_read_usr_files(chromium_t)
> +files_map_usr_files(chromium_t)
> +files_read_etc_files(chromium_t)
> +# During find for /etc/whatever-release we get lots of output otherwise
> +files_dontaudit_getattr_all_dirs(chromium_t)
> +
> +fs_dontaudit_getattr_xattr_fs(chromium_t)
> +
> +miscfiles_read_all_certs(chromium_t)
> +miscfiles_read_localization(chromium_t)
> +
> +sysnet_dns_name_resolve(chromium_t)
> +
> +userdom_user_content_access_template(chromium, chromium_t)
> +userdom_dontaudit_list_user_home_dirs(chromium_t)
> +# Debugging. Also on user_tty_device_t if X is started through "startx" for instance
> +userdom_use_user_terminals(chromium_t)
> +userdom_manage_user_certs(chromium_t)
> +userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
> +
> +xdg_create_cache_dirs(chromium_t)
> +xdg_create_config_dirs(chromium_t)
> +xdg_create_data_dirs(chromium_t)
> +xdg_manage_downloads(chromium_t)
> +xdg_read_config_files(chromium_t)
> +xdg_read_data_files(chromium_t)
> +
> +xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
> +
> +tunable_policy(`chromium_bind_tcp_unreserved_ports',`
> +	corenet_tcp_bind_generic_node(chromium_t)
> +	corenet_tcp_bind_all_unreserved_ports(chromium_t)
> +	allow chromium_t self:tcp_socket { listen accept };
> +')
> +
> +tunable_policy(`chromium_rw_usb_dev',`
> +	dev_rw_generic_usb_dev(chromium_t)
> +	udev_read_db(chromium_t)
> +')
> +
> +tunable_policy(`chromium_read_system_info',`
> +	kernel_read_kernel_sysctls(chromium_t)
> +	# Memory optimizations & optimizations based on OS/version
> +	kernel_read_system_state(chromium_t)
> +
> +	# Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices).
> +	dev_read_sysfs(chromium_t)
> +
> +	storage_getattr_fixed_disk_dev(chromium_t)
> +
> +	files_read_etc_runtime_files(chromium_t)
> +
> +	dev_dontaudit_getattr_all_chr_files(chromium_t)
> +	init_dontaudit_getattr_initctl(chromium_t)
> +',`
> +	kernel_dontaudit_read_kernel_sysctl(chromium_t)
> +	kernel_dontaudit_read_system_state(chromium_t)
> +
> +	dev_dontaudit_read_sysfs(chromium_t)
> +
> +	files_dontaudit_read_etc_runtime_files(chromium_t)
> +')
> +
> +optional_policy(`
> +	cups_read_config(chromium_t)
> +	cups_stream_connect(chromium_t)
> +')
> +
> +optional_policy(`
> +	dbus_all_session_bus_client(chromium_t)
> +	dbus_system_bus_client(chromium_t)
> +
> +	optional_policy(`
> +		unconfined_dbus_chat(chromium_t)
> +	')
> +	optional_policy(`
> +		gnome_dbus_chat_all_gkeyringd(chromium_t)
> +	')
> +	optional_policy(`
> +		devicekit_dbus_chat_power(chromium_t)
> +	')
> +')
> +
> +ifdef(`use_alsa',`
> +	optional_policy(`
> +		alsa_domain(chromium_t, chromium_tmpfs_t)
> +	')
> +
> +	optional_policy(`
> +		pulseaudio_domtrans(chromium_t)
> +	')
> +')
> +
> +########################################
> +#
> +# chromium_renderer local policy
> +#
> +
> +allow chromium_renderer_t self:process execmem;
> +
> +allow chromium_renderer_t self:fifo_file rw_fifo_file_perms;
> +allow chromium_renderer_t self:shm create_shm_perms;
> +allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
> +allow chromium_renderer_t self:unix_stream_socket { create getattr read write };
> +
> +allow chromium_renderer_t chromium_t:fd use;
> +allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms;
> +allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;
> +
> +dontaudit chromium_renderer_t chromium_t:dir search;	# /proc/... access
> +dontaudit chromium_renderer_t self:process getsched;
> +
> +read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, chromium_xdg_config_t)
> +
> +rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t)
> +
> +dev_read_urand(chromium_renderer_t)
> +
> +files_dontaudit_list_tmp(chromium_renderer_t)
> +files_dontaudit_read_etc_files(chromium_renderer_t)
> +files_search_var(chromium_renderer_t)
> +
> +init_sigchld(chromium_renderer_t)
> +
> +miscfiles_read_localization(chromium_renderer_t)
> +
> +userdom_dontaudit_use_all_users_fds(chromium_renderer_t)
> +userdom_use_user_terminals(chromium_renderer_t)
> +
> +xdg_read_config_files(chromium_renderer_t)
> +
> +xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)
> +
> +tunable_policy(`chromium_read_system_info',`
> +	kernel_read_kernel_sysctls(chromium_renderer_t)
> +	kernel_read_system_state(chromium_renderer_t)
> +',`
> +	kernel_dontaudit_read_kernel_sysctl(chromium_renderer_t)
> +	kernel_dontaudit_read_system_state(chromium_renderer_t)
> +')
> +
> +#########################################
> +#
> +# Chromium sandbox local policy
> +#
> +
> +allow chromium_sandbox_t self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace };
> +allow chromium_sandbox_t self:process { setrlimit };
> +allow chromium_sandbox_t self:unix_stream_socket create_stream_socket_perms;
> +
> +allow chromium_sandbox_t chromium_t:process { share };
> +# /proc access
> +allow chromium_sandbox_t chromium_t:dir list_dir_perms;
> +allow chromium_sandbox_t chromium_t:lnk_file read_lnk_file_perms;
> +allow chromium_sandbox_t chromium_t:file rw_file_perms;
> +
> +allow chromium_sandbox_t chromium_t:unix_stream_socket { read write };
> +allow chromium_sandbox_t chromium_t:unix_dgram_socket { read write };
> +
> +kernel_list_proc(chromium_sandbox_t)
> +
> +domain_dontaudit_read_all_domains_state(chromium_sandbox_t)
> +
> +userdom_use_user_ptys(chromium_sandbox_t)
> +
> +chromium_domtrans(chromium_sandbox_t)
> +
> +##########################################
> +#
> +# Chromium nacl helper local policy
> +#
> +
> +allow chromium_naclhelper_t chromium_t:unix_stream_socket { read write };
> +
> +domain_mmap_low_uncond(chromium_naclhelper_t)
> +
> +userdom_use_user_ptys(chromium_naclhelper_t)
> +
> +tunable_policy(`chromium_read_system_info',`
> +	kernel_read_kernel_sysctls(chromium_naclhelper_t)
> +	kernel_read_system_state(chromium_naclhelper_t)
> +',`
> +	kernel_dontaudit_read_kernel_sysctl(chromium_naclhelper_t)
> +	kernel_dontaudit_read_system_state(chromium_naclhelper_t)
> +')
> +
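Review bot: `corenet_udp_bind_generic_node(chromium_t)` and `corenet_udp_bind_all_unreserved_ports(chromium_t)` are unconditional, while the equivalent TCP binds and `tcp_socket { listen accept }` are gated behind `chromium_bind_tcp_unreserved_ports`; if binding UDP ports is needed for regular browsing, a comment next to those two lines should say so, otherwise they belong under the same tunable so the default policy only allows outbound connections. Two further points: `userdom_use_user_terminals(chromium_renderer_t)` gives the renderer, the domain that processes web content, read/write access to the user's terminal, and the only justification on the page is the "Debugging" comment on the `chromium_t` line; a `dontaudit` would be the safer default for the renderer. And the `self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace }` line for `chromium_sandbox_t` has no comment on which sandbox step needs each capability, unlike the `cap_userns` line for `chromium_t`; a short comment there, and collapsing the three blank lines before the "chromium local policy" header to one, would bring this in line with the rest of the module.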

This set is merged.

-- 
Chris PeBenito
