| 1 |
On Tue, Apr 10, 2012 at 01:11:36PM +0200, "Paweł Hajdan, Jr." wrote: |
| 2 |
> I'm experimenting with Chromium SELinux sandbox |
| 3 |
> (<http://code.google.com/p/chromium/wiki/LinuxSandboxing>) and came up |
| 4 |
> with a working policy module (attached). |
| 5 |
> |
| 6 |
> Note that for that to be effective one has to compile chromium with |
| 7 |
> -Dselinux=1 gyp flag, and I've not yet committed such change to CVS |
| 8 |
> (waiting for 20.x dev channel release, so that it has a lot of testing |
| 9 |
> before unmasking). |
| 10 |
> |
| 11 |
> How does the attached policy look to you? (I'm SELinux newbie, although |
| 12 |
> I probably know Chromium pretty well as its developer and packager) |
| 13 |
> |
| 14 |
> You can also compare that with policy module written for Chromium by |
| 15 |
> another Chromium developer in 2010: |
| 16 |
> <http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/linux/selinux/chromium-browser.te?view=markup> |
| 17 |
> |
| 18 |
> What are the next steps to add this policy to Gentoo? |
| 19 |
|
| 20 |
Hi Paweł, |
| 21 |
|
| 22 |
The policy itself is currently written (or generated?) with raw allow rules |
| 23 |
towards domains not defined by the policy module itself. For instance: |
| 24 |
|
| 25 |
allow chromium_renderer_t urandom_device_t:chr_file { getattr open read }; |
| 26 |
|
| 27 |
The policies we strive to support are based on the naming and style |
| 28 |
conventions used by the reference policy, so that we can easily forward them |
| 29 |
to their repository. This has the advantages that, if accepted, |
| 30 |
|
| 31 |
1. the names used are globally set, so no collisions can occur with |
| 32 |
possible future releases of other modules, |
| 33 |
2. the policy code itself will be reviewed by more experts, but also better |
| 34 |
maintained, as it will be used by other distributions (and contributors) |
| 35 |
as well |
| 36 |
|
| 37 |
The above allow rule would probably look like: |
| 38 |
dev_read_urand(chromium_renderer_t) |
| 39 |
which, given prior experience, probably means you also want (or need) to |
| 40 |
dev_read_rand(chromium_renderer_t) |
| 41 |
as well ;-) |
| 42 |
|
| 43 |
Do you feel up to updating the policy to reflect the style of refpolicy? If |
| 44 |
not, I don't mind taking a stab at it myself. |
| 45 |
|
| 46 |
However, besides the style, it also looks like the module is quite |
| 47 |
incomplete. It only defines the chromium_renderer_t, but how would chrome |
| 48 |
ever be able to "transition" to this domain? There is no transition rule |
| 49 |
declared, nor any files that could behave as entry points for the domain. |
| 50 |
|
| 51 |
I would also expect that, if it is for chromium, there would be a chromium_t |
| 52 |
domain as well. Or in other words: |
| 53 |
|
| 54 |
- a user calls chromium (labeled "chromium_exec_t") |
| 55 |
- a transition occurs from user_t to chromium_t |
| 56 |
- chromium calls some binary for rendering (or is SELinux-aware and |
| 57 |
does it by itself) |
| 58 |
- a transition occurs from chromium_t to chromium_renderer_t |
| 59 |
- etc. |
| 60 |
|
| 61 |
The use of "dyntransition" is frowned upon as it is much more "lax" than a |
| 62 |
regular transition. |
| 63 |
|
| 64 |
Wkr, |
| 65 |
Sven Vermeulen |
Archives