2020-04-10 06:20:53

by Russell Coker

[permalink] [raw]
Subject: another chromium patch

I removed all the controversion stuff so I think this is ready for inclusion.

Signed-off-by: Russell Coker <[email protected]>

Chromium policy tweaks and DRI policy

Index: refpolicy-2.20200410/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20200410/policy/modules/apps/chromium.te
@@ -63,6 +63,9 @@ type chromium_tmpfs_t;
userdom_user_tmpfs_file(chromium_tmpfs_t)
optional_policy(`
pulseaudio_tmpfs_content(chromium_tmpfs_t)
+ pulseaudio_rw_tmpfs_files(chromium_t)
+ pulseaudio_stream_connect(chromium_t)
+ pulseaudio_use_fds(chromium_t)
')

type chromium_xdg_config_t;
@@ -96,6 +99,7 @@ allow chromium_t chromium_renderer_t:uni

allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write };
allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write };
+allow chromium_t chromium_sandbox_t:file read_file_perms;

allow chromium_t chromium_naclhelper_t:process { share };

@@ -108,6 +112,9 @@ manage_sock_files_pattern(chromium_t, ch
manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })

+# for /run/user/$UID
+userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file })
+
manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
allow chromium_t chromium_tmpfs_t:file map;
fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
@@ -129,6 +136,8 @@ domtrans_pattern(chromium_t, chromium_sa
domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)

kernel_list_proc(chromium_t)
+kernel_read_fs_sysctls(chromium_t)
+kernel_read_kernel_sysctls(chromium_t)
kernel_read_net_sysctls(chromium_t)

corecmd_exec_bin(chromium_t)
@@ -145,6 +154,9 @@ dev_read_sound(chromium_t)
dev_write_sound(chromium_t)
dev_read_urand(chromium_t)
dev_read_rand(chromium_t)
+tunable_policy(`xserver_allow_dri', `
+ dev_rw_dri(chromium_t)
+')
dev_rw_xserver_misc(chromium_t)
dev_map_xserver_misc(chromium_t)

@@ -187,6 +199,9 @@ xdg_read_config_files(chromium_t)
xdg_read_data_files(chromium_t)

xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
+xserver_stream_connect_xdm(chromium_t)
+
+xserver_manage_mesa_shader_cache(chromium_t)

tunable_policy(`chromium_bind_tcp_unreserved_ports',`
corenet_tcp_bind_generic_node(chromium_t)
@@ -230,6 +245,10 @@ optional_policy(`
')

optional_policy(`
+ networkmanager_dbus_chat(chromium_t)
+')
+
+optional_policy(`
dbus_all_session_bus_client(chromium_t)
dbus_system_bus_client(chromium_t)

@@ -242,8 +261,13 @@ optional_policy(`
')

optional_policy(`
+ devicekit_dbus_chat_disk(chromium_t)
devicekit_dbus_chat_power(chromium_t)
')
+
+ optional_policy(`
+ systemd_dbus_chat_hostnamed(chromium_t)
+ ')
')

optional_policy(`
@@ -253,6 +277,10 @@ optional_policy(`
dpkg_read_db(chromium_t)
')

+optional_policy(`
+ ssh_dontaudit_agent_tmp(chromium_t)
+')
+
ifdef(`use_alsa',`
optional_policy(`
alsa_domain(chromium_t, chromium_tmpfs_t)
@@ -260,6 +288,7 @@ ifdef(`use_alsa',`

optional_policy(`
pulseaudio_domtrans(chromium_t)
+ pulseaudio_read_home(chromium_t)
')
')

@@ -361,3 +390,6 @@ tunable_policy(`chromium_read_system_inf

dev_read_sysfs(chromium_naclhelper_t)
dev_read_urand(chromium_naclhelper_t)
+kernel_list_proc(chromium_naclhelper_t)
+
+miscfiles_read_localization(chromium_naclhelper_t)
Index: refpolicy-2.20200410/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20200410/policy/modules/services/xserver.te
@@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false)
## </desc>
gen_tunable(xserver_object_manager, false)

+## <desc>
+## <p>
+## Allow DRI access
+## </p>
+## </desc>
+gen_tunable(xserver_allow_dri, false)
+
attribute x_domain;

# X Events
Index: refpolicy-2.20200410/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20200410/policy/modules/services/xserver.if
@@ -48,8 +48,9 @@ interface(`xserver_restricted_role',`
files_search_tmp($2)

# Communicate via System V shared memory.
+ allow $2 xserver_t:fd use;
allow $2 xserver_t:shm r_shm_perms;
- allow $2 xserver_tmpfs_t:file read_file_perms;
+ allow $2 xserver_tmpfs_t:file { map read_file_perms };

# allow ps to show iceauth
ps_process_pattern($2, iceauth_t)
@@ -75,10 +76,6 @@ interface(`xserver_restricted_role',`
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };

- # Client read xserver shm
- allow $2 xserver_t:fd use;
- allow $2 xserver_tmpfs_t:file read_file_perms;
-
# Read /tmp/.X0-lock
allow $2 xserver_tmp_t:file { getattr read };

@@ -91,6 +88,9 @@ interface(`xserver_restricted_role',`
# open office is looking for the following
dev_getattr_agp_dev($2)
dev_dontaudit_rw_dri($2)
+ tunable_policy(`xserver_allow_dri',`
+ dev_rw_dri($2)
+ ')
# GNOME checks for usb and other devices:
dev_rw_usbfs($2)

@@ -1670,6 +1670,26 @@ interface(`xserver_rw_mesa_shader_cache'

rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+ xdg_search_cache_dirs($1)
+')
+
+########################################
+## <summary>
+## Manage the mesa shader cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_mesa_shader_cache',`
+ gen_require(`
+ type mesa_shader_cache_t;
+ ')
+
+ manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+ manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
allow $1 mesa_shader_cache_t:file map;

xdg_search_cache_dirs($1)
Index: refpolicy-2.20200410/policy/modules/apps/chromium.if
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/apps/chromium.if
+++ refpolicy-2.20200410/policy/modules/apps/chromium.if
@@ -38,7 +38,15 @@ interface(`chromium_role',`

allow $2 chromium_t:process signal_perms;
allow $2 chromium_renderer_t:process signal_perms;
+ allow $2 chromium_sandbox_t:process signal_perms;
allow $2 chromium_naclhelper_t:process signal_perms;
+ allow chromium_t $2:process { signull signal };
+ allow $2 chromium_t:file manage_file_perms;
+
+ allow $2 chromium_t:unix_stream_socket connectto;
+
+ # for /tmp/.ICE-unix/* sockets
+ allow chromium_t $2:unix_stream_socket connectto;

allow chromium_sandbox_t $2:fd use;
allow chromium_naclhelper_t $2:fd use;
@@ -109,6 +117,7 @@ interface(`chromium_domtrans',`
gen_require(`
type chromium_t;
type chromium_exec_t;
+ class dbus send_msg;
')

corecmd_search_bin($1)
Index: refpolicy-2.20200410/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20200410/policy/modules/services/ssh.if
@@ -772,3 +772,21 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
+
+#######################################
+## <summary>
+## dontaudit access to ssh agent tmp dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit.
+## </summary>
+## </param>
+#
+interface(`ssh_dontaudit_agent_tmp',`
+ gen_require(`
+ type ssh_agent_tmp_t;
+ ')
+
+ dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms;
+')


2020-04-14 16:27:27

by Chris PeBenito

[permalink] [raw]
Subject: Re: another chromium patch

On 4/10/20 2:20 AM, Russell Coker wrote:
> I removed all the controversion stuff so I think this is ready for inclusion.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Chromium policy tweaks and DRI policy
>
> Index: refpolicy-2.20200410/policy/modules/apps/chromium.te
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/apps/chromium.te
> +++ refpolicy-2.20200410/policy/modules/apps/chromium.te
> @@ -63,6 +63,9 @@ type chromium_tmpfs_t;
> userdom_user_tmpfs_file(chromium_tmpfs_t)
> optional_policy(`
> pulseaudio_tmpfs_content(chromium_tmpfs_t)
> + pulseaudio_rw_tmpfs_files(chromium_t)
> + pulseaudio_stream_connect(chromium_t)
> + pulseaudio_use_fds(chromium_t)
> ')
>
> type chromium_xdg_config_t;
> @@ -96,6 +99,7 @@ allow chromium_t chromium_renderer_t:uni
>
> allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write };
> allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write };
> +allow chromium_t chromium_sandbox_t:file read_file_perms;
>
> allow chromium_t chromium_naclhelper_t:process { share };
>
> @@ -108,6 +112,9 @@ manage_sock_files_pattern(chromium_t, ch
> manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
> files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
>
> +# for /run/user/$UID
> +userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file })
> +
> manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
> allow chromium_t chromium_tmpfs_t:file map;
> fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
> @@ -129,6 +136,8 @@ domtrans_pattern(chromium_t, chromium_sa
> domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
>
> kernel_list_proc(chromium_t)
> +kernel_read_fs_sysctls(chromium_t)
> +kernel_read_kernel_sysctls(chromium_t)
> kernel_read_net_sysctls(chromium_t)
>
> corecmd_exec_bin(chromium_t)
> @@ -145,6 +154,9 @@ dev_read_sound(chromium_t)
> dev_write_sound(chromium_t)
> dev_read_urand(chromium_t)
> dev_read_rand(chromium_t)
> +tunable_policy(`xserver_allow_dri', `
> + dev_rw_dri(chromium_t)
> +')

Seems that this would be a chromium tunable. It should also move down with the
other tunables, in order of the tunable name.


> dev_rw_xserver_misc(chromium_t)
> dev_map_xserver_misc(chromium_t)
>
> @@ -187,6 +199,9 @@ xdg_read_config_files(chromium_t)
> xdg_read_data_files(chromium_t)
>
> xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
> +xserver_stream_connect_xdm(chromium_t)
> +
> +xserver_manage_mesa_shader_cache(chromium_t)
>
> tunable_policy(`chromium_bind_tcp_unreserved_ports',`
> corenet_tcp_bind_generic_node(chromium_t)
> @@ -230,6 +245,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + networkmanager_dbus_chat(chromium_t)
> +')

Should move down after the dpkg optional.

> +optional_policy(`
> dbus_all_session_bus_client(chromium_t)
> dbus_system_bus_client(chromium_t)
>
> @@ -242,8 +261,13 @@ optional_policy(`
> ')
>
> optional_policy(`
> + devicekit_dbus_chat_disk(chromium_t)
> devicekit_dbus_chat_power(chromium_t)
> ')
> +
> + optional_policy(`
> + systemd_dbus_chat_hostnamed(chromium_t)
> + ')
> ')
>
> optional_policy(`
> @@ -253,6 +277,10 @@ optional_policy(`
> dpkg_read_db(chromium_t)
> ')
>
> +optional_policy(`
> + ssh_dontaudit_agent_tmp(chromium_t)
> +')
> +
> ifdef(`use_alsa',`
> optional_policy(`
> alsa_domain(chromium_t, chromium_tmpfs_t)
> @@ -260,6 +288,7 @@ ifdef(`use_alsa',`
>
> optional_policy(`
> pulseaudio_domtrans(chromium_t)
> + pulseaudio_read_home(chromium_t)
> ')
> ')
> @@ -361,3 +390,6 @@ tunable_policy(`chromium_read_system_inf
>
> dev_read_sysfs(chromium_naclhelper_t)
> dev_read_urand(chromium_naclhelper_t)
> +kernel_list_proc(chromium_naclhelper_t)
> +
> +miscfiles_read_localization(chromium_naclhelper_t)
> Index: refpolicy-2.20200410/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20200410/policy/modules/services/xserver.te
> @@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false)
> ## </desc>
> gen_tunable(xserver_object_manager, false)
>
> +## <desc>
> +## <p>
> +## Allow DRI access
> +## </p>
> +## </desc>
> +gen_tunable(xserver_allow_dri, false)
> +
> attribute x_domain;
>
> # X Events
> Index: refpolicy-2.20200410/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20200410/policy/modules/services/xserver.if
> @@ -48,8 +48,9 @@ interface(`xserver_restricted_role',`
> files_search_tmp($2)
>
> # Communicate via System V shared memory.
> + allow $2 xserver_t:fd use;
> allow $2 xserver_t:shm r_shm_perms;
> - allow $2 xserver_tmpfs_t:file read_file_perms;
> + allow $2 xserver_tmpfs_t:file { map read_file_perms };
>
> # allow ps to show iceauth
> ps_process_pattern($2, iceauth_t)
> @@ -75,10 +76,6 @@ interface(`xserver_restricted_role',`
> allow $2 xdm_tmp_t:sock_file { read write };
> dontaudit $2 xdm_t:tcp_socket { read write };
>
> - # Client read xserver shm
> - allow $2 xserver_t:fd use;
> - allow $2 xserver_tmpfs_t:file read_file_perms;

When did this need drop from xorg?

> # Read /tmp/.X0-lock
> allow $2 xserver_tmp_t:file { getattr read };
>
> @@ -91,6 +88,9 @@ interface(`xserver_restricted_role',`
> # open office is looking for the following
> dev_getattr_agp_dev($2)
> dev_dontaudit_rw_dri($2)
> + tunable_policy(`xserver_allow_dri',`
> + dev_rw_dri($2)
> + ')

Should go at the bottom of the interface.

> # GNOME checks for usb and other devices:
> dev_rw_usbfs($2)
>
> @@ -1670,6 +1670,26 @@ interface(`xserver_rw_mesa_shader_cache'
>
> rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
> rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
> + xdg_search_cache_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Manage the mesa shader cache.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_manage_mesa_shader_cache',`
> + gen_require(`
> + type mesa_shader_cache_t;
> + ')
> +
> + manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
> + manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
> allow $1 mesa_shader_cache_t:file map;
>
> xdg_search_cache_dirs($1)
> Index: refpolicy-2.20200410/policy/modules/apps/chromium.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/apps/chromium.if
> +++ refpolicy-2.20200410/policy/modules/apps/chromium.if
> @@ -38,7 +38,15 @@ interface(`chromium_role',`
>
> allow $2 chromium_t:process signal_perms;
> allow $2 chromium_renderer_t:process signal_perms;
> + allow $2 chromium_sandbox_t:process signal_perms;
> allow $2 chromium_naclhelper_t:process signal_perms;
> + allow chromium_t $2:process { signull signal };
> + allow $2 chromium_t:file manage_file_perms;
> +
> + allow $2 chromium_t:unix_stream_socket connectto;
> +
> + # for /tmp/.ICE-unix/* sockets
> + allow chromium_t $2:unix_stream_socket connectto;
>
> allow chromium_sandbox_t $2:fd use;
> allow chromium_naclhelper_t $2:fd use;
> @@ -109,6 +117,7 @@ interface(`chromium_domtrans',`
> gen_require(`
> type chromium_t;
> type chromium_exec_t;
> + class dbus send_msg;
> ')
>
> corecmd_search_bin($1)
> Index: refpolicy-2.20200410/policy/modules/services/ssh.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/services/ssh.if
> +++ refpolicy-2.20200410/policy/modules/services/ssh.if
> @@ -772,3 +772,21 @@ interface(`ssh_delete_tmp',`
> files_search_tmp($1)
> delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
> ')
> +
> +#######################################
> +## <summary>
> +## dontaudit access to ssh agent tmp dirs
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain not to audit.
> +## </summary>
> +## </param>
> +#
> +interface(`ssh_dontaudit_agent_tmp',`
> + gen_require(`
> + type ssh_agent_tmp_t;
> + ')
> +
> + dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms;
> +')
>


--
Chris PeBenito