1 |
commit: 60e0d1b33e0be37edd4e8971e3b2cd67966574ab |
2 |
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> |
3 |
AuthorDate: Mon Jan 28 08:46:49 2019 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Feb 10 04:11:25 2019 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=60e0d1b3 |
7 |
|
8 |
chromium |
9 |
|
10 |
There are several nacl binaries that need labels. |
11 |
|
12 |
Put an ifdef debian for some chromium paths. |
13 |
|
14 |
Git policy misses chromium_role() lines, were they in another patch that was |
15 |
submitted at the same time? |
16 |
|
17 |
I don't know what this is for but doesn't seem harmful to allow it: |
18 |
type=PROCTITLE msg=audit(28/01/19 19:31:42.361:3218) : proctitle=/bin/bash /usr/bin/google-chrome |
19 |
type=SYSCALL msg=audit(28/01/19 19:31:42.361:3218) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x563328f7b590 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=5158 pid=5166 auid=test uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=pts7 ses=232 comm=google-chrome exe=/bin/bash subj=user_u:user_r:chromium_t:s0 key=(null) |
20 |
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { associate } for pid=5166 comm=google-chrome name=63 scontext=user_u:object_r:chromium_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem |
21 |
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { create } for pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:object_r:chromium_t:s0 tclass=file |
22 |
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { add_name } for pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:user_r:chromium_t:s0 tclass=dir |
23 |
|
24 |
Allow domain_use_interactive_fds() for running via ssh -X. |
25 |
|
26 |
Allow managing xdg data, cache, and config. |
27 |
|
28 |
Allow reading public data from apt and dpkg, probably from lsb_release or some |
29 |
other shell script. |
30 |
|
31 |
How does the whold naclhelper thing work anyway? I'm nervous about process |
32 |
share access involving chromium_sandbox_t, is that really what we want? |
33 |
|
34 |
Added lots of other stuff like searching cgroup dirs etc. |
35 |
|
36 |
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
37 |
|
38 |
policy/modules/apps/chromium.fc | 7 ++++++- |
39 |
policy/modules/apps/chromium.te | 32 +++++++++++++++++++++++++++----- |
40 |
policy/modules/roles/staff.te | 4 ++++ |
41 |
policy/modules/roles/sysadm.te | 4 ++++ |
42 |
policy/modules/roles/unprivuser.te | 4 ++++ |
43 |
5 files changed, 45 insertions(+), 6 deletions(-) |
44 |
|
45 |
diff --git a/policy/modules/apps/chromium.fc b/policy/modules/apps/chromium.fc |
46 |
index 534235dc..58a6cb45 100644 |
47 |
--- a/policy/modules/apps/chromium.fc |
48 |
+++ b/policy/modules/apps/chromium.fc |
49 |
@@ -2,7 +2,7 @@ |
50 |
/opt/google/chrome/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) |
51 |
/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) |
52 |
/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) |
53 |
-/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) |
54 |
+/opt/google/chrome/nacl_.* -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) |
55 |
/opt/google/chrome/libudev.so.0 gen_context(system_u:object_r:lib_t,s0) |
56 |
|
57 |
/opt/google/chrome-beta/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) |
58 |
@@ -19,9 +19,14 @@ |
59 |
/opt/google/chrome-unstable/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) |
60 |
/opt/google/chrome-unstable/libudev.so.0 gen_context(system_u:object_r:lib_t,s0) |
61 |
|
62 |
+ifdef(`distro_debian',` |
63 |
+/usr/lib/chromium/chromium -- gen_context(system_u:object_r:chromium_exec_t,s0) |
64 |
+/usr/lib/chromium/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) |
65 |
+', ` |
66 |
/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) |
67 |
/usr/lib/chromium-browser/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) |
68 |
/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) |
69 |
+') |
70 |
/usr/lib/chromium-browser/chromium-launcher\.sh -- gen_context(system_u:object_r:chromium_exec_t,s0) |
71 |
/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) |
72 |
|
73 |
|
74 |
diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te |
75 |
index 59c75491..7a18d814 100644 |
76 |
--- a/policy/modules/apps/chromium.te |
77 |
+++ b/policy/modules/apps/chromium.te |
78 |
@@ -94,8 +94,8 @@ allow chromium_t chromium_renderer_t:shm rw_shm_perms; |
79 |
allow chromium_t chromium_renderer_t:unix_dgram_socket { read write }; |
80 |
allow chromium_t chromium_renderer_t:unix_stream_socket { read write }; |
81 |
|
82 |
-allow chromium_t chromium_sandbox_t:unix_dgram_socket { read write }; |
83 |
-allow chromium_t chromium_sandbox_t:unix_stream_socket { read write }; |
84 |
+allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write }; |
85 |
+allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write }; |
86 |
|
87 |
allow chromium_t chromium_naclhelper_t:process { share }; |
88 |
|
89 |
@@ -149,6 +149,7 @@ dev_rw_xserver_misc(chromium_t) |
90 |
dev_map_xserver_misc(chromium_t) |
91 |
|
92 |
domain_dontaudit_search_all_domains_state(chromium_t) |
93 |
+domain_use_interactive_fds(chromium_t) |
94 |
|
95 |
files_list_home(chromium_t) |
96 |
files_search_home(chromium_t) |
97 |
@@ -159,12 +160,17 @@ files_read_etc_files(chromium_t) |
98 |
files_dontaudit_getattr_all_dirs(chromium_t) |
99 |
|
100 |
fs_dontaudit_getattr_xattr_fs(chromium_t) |
101 |
+fs_getattr_tmpfs(chromium_t) |
102 |
+fs_search_cgroup_dirs(chromium_t) |
103 |
|
104 |
miscfiles_read_all_certs(chromium_t) |
105 |
miscfiles_read_localization(chromium_t) |
106 |
|
107 |
sysnet_dns_name_resolve(chromium_t) |
108 |
|
109 |
+# for /run/udev/data/* |
110 |
+udev_read_pid_files(chromium_t) |
111 |
+ |
112 |
userdom_user_content_access_template(chromium, chromium_t) |
113 |
userdom_dontaudit_list_user_home_dirs(chromium_t) |
114 |
# Debugging. Also on user_tty_device_t if X is started through "startx" for instance |
115 |
@@ -195,6 +201,8 @@ tunable_policy(`chromium_rw_usb_dev',` |
116 |
tunable_policy(`chromium_read_system_info',` |
117 |
kernel_read_kernel_sysctls(chromium_t) |
118 |
# Memory optimizations & optimizations based on OS/version |
119 |
+ kernel_read_crypto_sysctls(chromium_t) |
120 |
+ kernel_read_kernel_sysctls(chromium_t) |
121 |
kernel_read_system_state(chromium_t) |
122 |
|
123 |
# Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices). |
124 |
@@ -237,6 +245,13 @@ optional_policy(` |
125 |
') |
126 |
') |
127 |
|
128 |
+optional_policy(` |
129 |
+ apt_read_cache(chromium_t) |
130 |
+ apt_read_db(chromium_t) |
131 |
+ dpkg_exec(chromium_t) |
132 |
+ dpkg_read_db(chromium_t) |
133 |
+') |
134 |
+ |
135 |
ifdef(`use_alsa',` |
136 |
optional_policy(` |
137 |
alsa_domain(chromium_t, chromium_tmpfs_t) |
138 |
@@ -309,23 +324,27 @@ allow chromium_sandbox_t chromium_t:dir list_dir_perms; |
139 |
allow chromium_sandbox_t chromium_t:lnk_file read_lnk_file_perms; |
140 |
allow chromium_sandbox_t chromium_t:file rw_file_perms; |
141 |
|
142 |
-allow chromium_sandbox_t chromium_t:unix_stream_socket { read write }; |
143 |
-allow chromium_sandbox_t chromium_t:unix_dgram_socket { read write }; |
144 |
+allow chromium_sandbox_t chromium_t:unix_stream_socket { getattr read write }; |
145 |
+allow chromium_sandbox_t chromium_t:unix_dgram_socket { getattr read write }; |
146 |
|
147 |
kernel_list_proc(chromium_sandbox_t) |
148 |
|
149 |
domain_dontaudit_read_all_domains_state(chromium_sandbox_t) |
150 |
+domain_use_interactive_fds(chromium_sandbox_t) |
151 |
|
152 |
userdom_use_user_ptys(chromium_sandbox_t) |
153 |
|
154 |
chromium_domtrans(chromium_sandbox_t) |
155 |
+domtrans_pattern(chromium_sandbox_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) |
156 |
+allow chromium_sandbox_t chromium_naclhelper_t:process share; |
157 |
|
158 |
########################################## |
159 |
# |
160 |
# Chromium nacl helper local policy |
161 |
# |
162 |
|
163 |
-allow chromium_naclhelper_t chromium_t:unix_stream_socket { read write }; |
164 |
+allow chromium_naclhelper_t chromium_t:unix_stream_socket { getattr read write }; |
165 |
+allow chromium_naclhelper_t chromium_sandbox_t:unix_stream_socket { getattr read write }; |
166 |
|
167 |
domain_mmap_low_uncond(chromium_naclhelper_t) |
168 |
|
169 |
@@ -338,3 +357,6 @@ tunable_policy(`chromium_read_system_info',` |
170 |
kernel_dontaudit_read_kernel_sysctl(chromium_naclhelper_t) |
171 |
kernel_dontaudit_read_system_state(chromium_naclhelper_t) |
172 |
') |
173 |
+ |
174 |
+dev_read_sysfs(chromium_naclhelper_t) |
175 |
+dev_read_urand(chromium_naclhelper_t) |
176 |
|
177 |
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te |
178 |
index 7b4a780a..2321ecf0 100644 |
179 |
--- a/policy/modules/roles/staff.te |
180 |
+++ b/policy/modules/roles/staff.te |
181 |
@@ -81,6 +81,10 @@ ifndef(`distro_redhat',` |
182 |
cdrecord_role(staff_r, staff_t) |
183 |
') |
184 |
|
185 |
+ optional_policy(` |
186 |
+ chromium_role(staff_r, staff_t) |
187 |
+ ') |
188 |
+ |
189 |
optional_policy(` |
190 |
cron_role(staff_r, staff_t) |
191 |
') |
192 |
|
193 |
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te |
194 |
index 6960fc31..060c4396 100644 |
195 |
--- a/policy/modules/roles/sysadm.te |
196 |
+++ b/policy/modules/roles/sysadm.te |
197 |
@@ -1271,6 +1271,10 @@ ifndef(`distro_redhat',` |
198 |
cdrecord_role(sysadm_r, sysadm_t) |
199 |
') |
200 |
|
201 |
+ optional_policy(` |
202 |
+ chromium_role(sysadm_r, sysadm_t) |
203 |
+ ') |
204 |
+ |
205 |
optional_policy(` |
206 |
cron_admin_role(sysadm_r, sysadm_t) |
207 |
') |
208 |
|
209 |
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te |
210 |
index 209c904b..02e3de3b 100644 |
211 |
--- a/policy/modules/roles/unprivuser.te |
212 |
+++ b/policy/modules/roles/unprivuser.te |
213 |
@@ -49,6 +49,10 @@ ifndef(`distro_redhat',` |
214 |
cdrecord_role(user_r, user_t) |
215 |
') |
216 |
|
217 |
+ optional_policy(` |
218 |
+ chromium_role(user_r, user_t) |
219 |
+ ') |
220 |
+ |
221 |
optional_policy(` |
222 |
cron_role(user_r, user_t) |
223 |
') |