Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Sun, 07 May 2017 17:41:19
Message-Id: 1494178829.83244b1264056d64fe3c979671a68ec3a80cd7dd.perfinion@gentoo
1 commit: 83244b1264056d64fe3c979671a68ec3a80cd7dd
2 Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3 AuthorDate: Sun May 7 03:39:18 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun May 7 17:40:29 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=83244b12
7
8 chromium: allow cap_userns for the sandbox
9
10 https://patchwork.kernel.org/patch/8785151/
11
12 policy/modules/contrib/chromium.te | 7 +++++--
13 1 file changed, 5 insertions(+), 2 deletions(-)
14
15 diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
16 index cd1e1116..a4fba97c 100644
17 --- a/policy/modules/contrib/chromium.te
18 +++ b/policy/modules/contrib/chromium.te
19 @@ -89,10 +89,12 @@ xdg_cache_home_content(chromium_xdg_cache_t)
20 #
21
22 # execmem for load in plugins
23 -allow chromium_t self:process { execmem getsched setcap setrlimit setsched sigkill signal };
24 -allow chromium_t self:fifo_file rw_fifo_file_perms;;
25 +allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
26 +allow chromium_t self:fifo_file rw_fifo_file_perms;
27 allow chromium_t self:sem create_sem_perms;
28 allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
29 +# cap_userns sys_admin for the sandbox
30 +allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace };
31
32 allow chromium_t chromium_exec_t:file execute_no_trans;
33
34 @@ -135,6 +137,7 @@ domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
35 domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
36
37 kernel_list_proc(chromium_t)
38 +kernel_read_net_sysctls(chromium_t)
39
40 corecmd_exec_bin(chromium_t)
41 # Look for /etc/gentoo-release through a shell invocation running find
Report Message
Find on MARC Find on Google Groups