1 |
commit: 83244b1264056d64fe3c979671a68ec3a80cd7dd |
2 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
3 |
AuthorDate: Sun May 7 03:39:18 2017 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun May 7 17:40:29 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=83244b12 |
7 |
|
8 |
chromium: allow cap_userns for the sandbox |
9 |
|
10 |
https://patchwork.kernel.org/patch/8785151/ |
11 |
|
12 |
policy/modules/contrib/chromium.te | 7 +++++-- |
13 |
1 file changed, 5 insertions(+), 2 deletions(-) |
14 |
|
15 |
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te |
16 |
index cd1e1116..a4fba97c 100644 |
17 |
--- a/policy/modules/contrib/chromium.te |
18 |
+++ b/policy/modules/contrib/chromium.te |
19 |
@@ -89,10 +89,12 @@ xdg_cache_home_content(chromium_xdg_cache_t) |
20 |
# |
21 |
|
22 |
# execmem for load in plugins |
23 |
-allow chromium_t self:process { execmem getsched setcap setrlimit setsched sigkill signal }; |
24 |
-allow chromium_t self:fifo_file rw_fifo_file_perms;; |
25 |
+allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal }; |
26 |
+allow chromium_t self:fifo_file rw_fifo_file_perms; |
27 |
allow chromium_t self:sem create_sem_perms; |
28 |
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms; |
29 |
+# cap_userns sys_admin for the sandbox |
30 |
+allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace }; |
31 |
|
32 |
allow chromium_t chromium_exec_t:file execute_no_trans; |
33 |
|
34 |
@@ -135,6 +137,7 @@ domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t) |
35 |
domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) |
36 |
|
37 |
kernel_list_proc(chromium_t) |
38 |
+kernel_read_net_sysctls(chromium_t) |
39 |
|
40 |
corecmd_exec_bin(chromium_t) |
41 |
# Look for /etc/gentoo-release through a shell invocation running find |