1 |
On Tue, Apr 10, 2012 at 01:11:36PM +0200, "Paweł Hajdan, Jr." wrote: |
2 |
> I'm experimenting with Chromium SELinux sandbox |
3 |
> (<http://code.google.com/p/chromium/wiki/LinuxSandboxing>) and came up |
4 |
> with a working policy module (attached). |
5 |
> |
6 |
> Note that for that to be effective one has to compile chromium with |
7 |
> -Dselinux=1 gyp flag, and I've not yet committed such change to CVS |
8 |
> (waiting for 20.x dev channel release, so that it has a lot of testing |
9 |
> before unmasking). |
10 |
> |
11 |
> How does the attached policy look to you? (I'm SELinux newbie, although |
12 |
> I probably know Chromium pretty well as its developer and packager) |
13 |
> |
14 |
> You can also compare that with policy module written for Chromium by |
15 |
> another Chromium developer in 2010: |
16 |
> <http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/selinux/chromium-browser.te?view=markup> |
17 |
> |
18 |
> What are the next steps to add this policy to Gentoo? |
19 |
|
20 |
Hi Paweł, |
21 |
|
22 |
The policy itself is currently written (or generated?) with raw allow rules |
23 |
towards domains not defined by the policy module itself. For instance: |
24 |
|
25 |
allow chromium_renderer_t urandom_device_t:chr_file { getattr open read }; |
26 |
|
27 |
The policies we strive to support are based on the naming and style |
28 |
conventions used by the reference policy, so that we can easily forward them |
29 |
to their repository. This has the advantages that, if accepted, |
30 |
|
31 |
1. the names used are globally set, so no collisions can occur with |
32 |
possible future releases of other modules, |
33 |
2. the policy code itself will be reviewed by more experts, but also better |
34 |
maintained, as it will be used by other distributions (and contributors) |
35 |
as well |
36 |
|
37 |
The above allow rule would probably look like: |
38 |
dev_read_urand(chromium_renderer_t) |
39 |
which, given prior experience, probably means you also want (or need) to |
40 |
dev_read_rand(chromium_renderer_t) |
41 |
as well ;-) |
42 |
|
43 |
Do you feel up to updating the policy to reflect the style of refpolicy? If |
44 |
not, I don't mind taking a stab at it myself. |
45 |
|
46 |
However, besides the style, it also looks like the module is quite |
47 |
incomplete. It only defines the chromium_renderer_t, but how would chrome |
48 |
ever be able to "transition" to this domain? There is no transition rule |
49 |
declared, nor any files that could behave as entry points for the domain. |
50 |
|
51 |
I would also expect that, if it is for chromium, there would be a chromium_t |
52 |
domain as well. Or in other words: |
53 |
|
54 |
- a user calls chromium (labeled "chromium_exec_t") |
55 |
- a transition occurs from user_t to chromium_t |
56 |
- chromium calls some binary for rendering (or is SELinux-aware and |
57 |
does it by itself) |
58 |
- a transition occurs from chromium_t to chromium_renderer_t |
59 |
- etc. |
60 |
|
61 |
The use of "dyntransition" is frowned upon as it is much more "lax" than a |
62 |
regular transition. |
63 |
|
64 |
Wkr, |
65 |
Sven Vermeulen |