Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS, USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EC353C43387 for ; Tue, 8 Jan 2019 08:49:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A2BFA2070B for ; Tue, 8 Jan 2019 08:49:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="wsPTmw0Y" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727810AbfAHItq (ORCPT ); Tue, 8 Jan 2019 03:49:46 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:58304 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727295AbfAHItq (ORCPT ); Tue, 8 Jan 2019 03:49:46 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 68199EE4C for ; Tue, 8 Jan 2019 19:49:44 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1546937384; bh=swAmCACir38ODjhza6IVY0zelvlaf3I7AuIP7fIU1gU=; l=13196; h=Date:From:To:Subject:From; b=wsPTmw0YTreDE4lLbyX0PkX0o69T0GzpIp57rlleJ1oSSxFGm3Yv0NdjPTIL2NT63 AHwuXSV4tzpcOVlUM5kymwIJCo64mUeu+trioqIzUDXsOL9vHvukncOrZoPlaRXhdZ izp5O7KOPweqemYFRR2MbBLg5NpX2/S/H/03ck5g= Received: by xev.coker.com.au (Postfix, from userid 1001) id 509C5C3E92D; Tue, 8 Jan 2019 19:49:39 +1100 (AEDT) Date: Tue, 8 Jan 2019 19:49:39 +1100 
From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] chrome/chromium Message-ID: <20190108084939.GA28652@xev> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Here's a policy patch for chrome/chromium. I don't expect this to be accepted as-is, Chris tell me what you would like in a patch for inclusion. Last time I posted this someone else said they had a good patch that they were going to submit but that never happened.
Index: refpolicy-2.20180701/policy/modules/apps/mozilla.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/mozilla.fc
+++ refpolicy-2.20180701/policy/modules/apps/mozilla.fc
@@ -1,6 +1,9 @@
 HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_xdg_cache_t,s0)
 HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.config/google-chrome(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
 HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
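Review bot: `HOME_DIR/\.cache/chromium(/.*)?` is labelled mozilla_home_t while the neighbouring `HOME_DIR/\.cache/mozilla(/.*)?` entry uses mozilla_xdg_cache_t, so the Chromium cache would carry profile-data labelling and presumably miss the xdg_cache handling the module already has for that type (the `xdg_cache_content` / `xdg_cache_filetrans` lines visible in the mozilla.te context). Change it to `HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:mozilla_xdg_cache_t,s0)`. A `.config/google-chrome` entry is added but no `.cache/google-chrome` counterpart; if Google Chrome keeps its cache there, that directory would fall back to the generic user home label, so either add the matching entry or leave a comment saying why it is not needed.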
@@ -15,6 +18,7 @@ HOME_DIR/\.spicec(/.*)? gen_context(syst HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +/usr/bin/chromium -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) @@ -40,3 +44,10 @@ HOME_DIR/zimbrauserdata(/.*)? gen_contex /usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) /usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) /usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +/usr/lib/chromium/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) +/usr/lib/chromium/chromium -- gen_context(system_u:object_r:chrome_browser_exec_t,s0) +/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) +/opt/google/chrome/chrome -- gen_context(system_u:object_r:chrome_browser_exec_t,s0) +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:chrome_browser_exec_t,s0) +/opt/google/chrome/nacl_helper -- gen_context(system_u:object_r:chrome_browser_exec_t,s0) + Index: refpolicy-2.20180701/policy/modules/apps/mozilla.if =================================================================== --- refpolicy-2.20180701.orig/policy/modules/apps/mozilla.if +++ refpolicy-2.20180701/policy/modules/apps/mozilla.if 
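Review bot: The second hunk labels `/usr/lib/chromium/chromium` chrome_browser_exec_t while the first hunk labels the `/usr/bin/chromium` wrapper mozilla_exec_t, and nothing in the fc file explains why two entry-point types are needed when mozilla.if transitions both into mozilla_t; a comment above the new block such as `# chrome_browser_exec_t: entry point re-entered from chrome_sandbox_t, see mozilla.te` would save the next reader a trip through the .te file. Labelling `nacl_helper` as a browser executable rather than a sandbox helper likewise deserves a one-line comment, since the choice cannot be checked from this file. The hunk also ends with an added empty line at the end of mozilla.fc, which should be dropped.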
@@ -14,12 +14,18 @@ ## User domain for the role. ## ## +## +## +## Type of the user tty +## +## # interface(`mozilla_role',` gen_require(` type mozilla_t, mozilla_exec_t, mozilla_home_t; type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t; type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t; + type chrome_sandbox_t, chrome_browser_exec_t; attribute_role mozilla_roles; ') @@ -36,6 +42,7 @@ interface(`mozilla_role',` # domtrans_pattern($2, mozilla_exec_t, mozilla_t) + domtrans_pattern($2, chrome_browser_exec_t, mozilla_t) allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; ps_process_pattern($2, mozilla_t) @@ -45,6 +52,9 @@ interface(`mozilla_role',` allow $2 mozilla_t:fd use; allow $2 mozilla_t:shm rw_shm_perms; + allow chrome_sandbox_t $2:fd use; + allow chrome_sandbox_t $2:fifo_file write; + allow chrome_sandbox_t $3:chr_file { read write }; stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t) @@ -288,10 +298,12 @@ interface(`mozilla_read_tmp_files',` interface(`mozilla_domtrans',` gen_require(` type mozilla_t, mozilla_exec_t; + type chrome_browser_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, mozilla_exec_t, mozilla_t) + domtrans_pattern($1, chrome_browser_exec_t, mozilla_t) ') ######################################## Index: refpolicy-2.20180701/policy/modules/apps/mozilla.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/apps/mozilla.te +++ refpolicy-2.20180701/policy/modules/apps/mozilla.te 
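Review bot: `mozilla_role` grows a mandatory third parameter (`$3`, the user tty type) only to grant `allow chrome_sandbox_t $3:chr_file { read write };`, which breaks every existing caller of the interface, and with the role files in this patch passing only `user_devpts_t` it would apparently still leave the sandbox unable to use a real console tty. The usual refpolicy approach keeps the two-argument signature and puts `userdom_use_user_terminals(chrome_sandbox_t)` in mozilla.te, which covers both pty and tty device types without touching the callers in xguest.te, staff.te, sysadm.te and unprivuser.te. The parameter documentation renders here as empty `##` lines around `Type of the user tty`, so if the parameter does stay, double-check that the full `<param>` block survived in the interface header. mozilla_role's definition continues outside these hunks.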
@@ -47,6 +47,45 @@ userdom_user_tmp_file(mozilla_plugin_tmp type mozilla_plugin_tmpfs_t; userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t) +type chrome_sandbox_t; +type chrome_sandbox_exec_t; +type chrome_browser_exec_t; +application_domain(mozilla_t, chrome_browser_exec_t) +userdom_user_application_domain(mozilla_t, chrome_browser_exec_t ) +role mozilla_plugin_roles types chrome_sandbox_t; +domain_auto_transition_pattern(chrome_sandbox_t, chrome_browser_exec_t, mozilla_t) +allow mozilla_t chrome_sandbox_t:process sigchld; +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) +ubac_constrained(chrome_sandbox_t) +fs_getattr_xattr_fs(chrome_sandbox_t) + +allow chrome_sandbox_t mozilla_t:dir list_dir_perms; +allow chrome_sandbox_t mozilla_t:fifo_file rw_file_perms; +allow chrome_sandbox_t mozilla_t:file read_file_perms; +allow chrome_sandbox_t mozilla_t:lnk_file read_lnk_file_perms; +allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write }; +allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write }; +allow chrome_sandbox_t mozilla_t:fd use; +allow chrome_sandbox_t mozilla_t:file write; +allow chrome_sandbox_t proc_t:dir read; +allow chrome_sandbox_t self:process setrlimit; +type chrome_sandbox_tmp_t; + +# this is needed for Chrome (not Chromium) startup +allow chrome_sandbox_t mozilla_t:process { siginh rlimitinh noatsecure }; + +files_tmp_file(chrome_sandbox_tmp_t) +ubac_constrained(chrome_sandbox_tmp_t) +files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { file dir }) +allow chrome_sandbox_t chrome_sandbox_tmp_t:dir manage_dir_perms; +allow mozilla_t self:unix_dgram_socket sendto; +allow mozilla_t chrome_browser_exec_t:file execute_no_trans; +# for V8 +allow mozilla_t self:process execmem; + +allow mozilla_t chrome_sandbox_t:shm { write unix_read getattr unix_write associate read }; +allow mozilla_t chrome_sandbox_t:unix_dgram_socket { read write }; + optional_policy(` pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t) ') 
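Review bot: `allow chrome_sandbox_t proc_t:dir read;` names the kernel module's proc_t directly, which refpolicy modules avoid and which a modular build is likely to reject without a gen_require; use `kernel_list_proc(chrome_sandbox_t)` instead, and the same applies to `dontaudit chrome_sandbox_t domain:dir getattr;` in the next hunk, where a domain_ interface should be used rather than the raw attribute. `application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)` appears here and again in the next hunk, so one copy should go, and `userdom_user_application_domain(mozilla_t, chrome_browser_exec_t )` has a stray space before the closing parenthesis. The new tmp type is set up with `files_tmp_file` plus `ubac_constrained` while the context lines directly above use `userdom_user_tmp_file` and `userdom_user_tmpfs_file` for the same purpose, so `userdom_user_tmp_file(chrome_sandbox_tmp_t)` would keep the declarations consistent. Most of this hunk is allow rules placed in the declarations section; the module keeps rules under `# Local policy`, where the next hunk already adds chrome_sandbox_t rules, and they should move there. `allow mozilla_t self:process execmem;` is unconditional and applies to every browser that runs as mozilla_t, not only Chrome's V8, so if the module already gates execmem behind a tunable this rule belongs in that block instead.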
@@ -79,8 +118,22 @@ xdg_cache_content(mozilla_xdg_cache_t) # Local policy # +dontaudit chrome_sandbox_t domain:dir getattr; +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) +domain_auto_transition_pattern(mozilla_t, chrome_sandbox_exec_t, chrome_sandbox_t) +allow mozilla_t mozilla_home_t:sock_file manage_sock_file_perms; +allow chrome_sandbox_t self:fifo_file rw_file_perms; +allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write }; +allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write }; +allow chrome_sandbox_t self:capability { chown dac_override fsetid net_raw setgid setuid sys_admin sys_chroot sys_ptrace }; +allow chrome_sandbox_t mozilla_t:process { share sigchld }; +allow mozilla_t chrome_sandbox_t:fd use; +allow mozilla_t chrome_sandbox_t:unix_stream_socket { read write }; +dev_read_sysfs(mozilla_t) +domain_dontaudit_search_all_domains_state(chrome_sandbox_t) + allow mozilla_t self:capability { setgid setuid sys_nice }; -allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; +allow mozilla_t self:process { sigkill signal setsched getsched setrlimit setcap }; allow mozilla_t self:fifo_file rw_fifo_file_perms; allow mozilla_t self:shm create_shm_perms; allow mozilla_t self:sem create_sem_perms; @@ -93,6 +146,10 @@ allow mozilla_t mozilla_plugin_t:fd use; allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms; allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map }; allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms; + +# for plugins +can_exec(mozilla_t, mozilla_home_t) + userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon") userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla") userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape") 
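Review bot: `allow chrome_sandbox_t self:capability { chown dac_override fsetid net_raw setgid setuid sys_admin sys_chroot sys_ptrace };` hands the sandbox helper nine capabilities with no record of which denial each one resolves, and dac_override, net_raw, chown, fsetid and sys_ptrace are not obviously needed by a chroot/namespace setup helper. Each capability should either carry a short comment naming the operation it enables, for example `# sys_admin sys_chroot: namespace and chroot setup for the renderer sandbox` if that is indeed what they are for, or be dropped after re-checking the audit log. `can_exec(mozilla_t, mozilla_home_t)` with only `# for plugins` as justification lets the browser execute any file it can write under its own profile directories, which weakens the separation a distinct mozilla_exec_t provides; if it has to stay it belongs under a tunable (name to be chosen by the maintainer) rather than unconditionally. The `setcap` added to mozilla_t's self:process permissions is likewise unexplained and deserves a why-comment.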
@@ -103,6 +160,7 @@ filetrans_pattern(mozilla_t, mozilla_hom manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) manage_lnk_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) +manage_sock_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) allow mozilla_t mozilla_tmp_t:file map; files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir }) @@ -110,7 +168,11 @@ manage_files_pattern(mozilla_t, mozilla_ manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) +fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +# so mozilla can create /var/run/user/PID/pulse +auth_read_var_auth(mozilla_t) + allow mozilla_t mozilla_plugin_tmpfs_t:file map; allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms; @@ -125,11 +187,16 @@ xdg_cache_filetrans(mozilla_t, mozilla_x can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t }) +allow mozilla_t self:netlink_kobject_uevent_socket create_socket_perms; + kernel_read_kernel_sysctls(mozilla_t) kernel_read_network_state(mozilla_t) kernel_read_system_state(mozilla_t) kernel_read_net_sysctls(mozilla_t) +# for overcommit_memory +kernel_read_vm_overcommit_sysctl(mozilla_t) + corecmd_list_bin(mozilla_t) corecmd_exec_shell(mozilla_t) corecmd_exec_bin(mozilla_t) @@ -174,6 +241,8 @@ dev_read_rand(mozilla_t) dev_read_urand(mozilla_t) dev_rw_dri(mozilla_t) dev_write_sound(mozilla_t) +dev_dontaudit_getattr_all_chr_files(mozilla_t) +dev_dontaudit_getattr_all_blk_files(mozilla_t) domain_dontaudit_read_all_domains_state(mozilla_t) 
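Review bot: The comment `# so mozilla can create /var/run/user/PID/pulse` does not describe what `auth_read_var_auth(mozilla_t)` grants, which as far as the interface name indicates is read access to the authlogin module's var_auth_t files rather than anything under the per-user runtime directory; either the comment or the interface is wrong, so the original denial should be re-checked and, if it really was on /run/user, a userdom or pulseaudio runtime interface used instead. `allow mozilla_t self:netlink_kobject_uevent_socket create_socket_perms;` is the one addition in these hunks without a why-comment; a short `# uevent socket: <reason from the audit log>` would match the style of the overcommit and plugin comments nearby. The remaining additions (`manage_sock_files_pattern` on mozilla_tmp_t, `dir` in the tmpfs filetrans, the chr/blk getattr dontaudits) read fine.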
@@ -222,6 +291,7 @@ xdg_manage_downloads(mozilla_t) xserver_rw_mesa_shader_cache(mozilla_t) xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) +corenet_tcp_connect_xserver_port(mozilla_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc =================================================================== --- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc +++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc @@ -121,6 +121,7 @@ ifdef(`distro_debian',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/opt/google/chrome/cron/google-chrome -- gen_context(system_u:object_r:bin_t,s0) /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) Index: refpolicy-2.20180701/policy/modules/roles/xguest.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/roles/xguest.te +++ refpolicy-2.20180701/policy/modules/roles/xguest.te @@ -103,7 +103,7 @@ optional_policy(` ') optional_policy(` - mozilla_role(xguest_r, xguest_t) + mozilla_role(xguest_r, xguest_t, user_devpts_t) ') optional_policy(` Index: refpolicy-2.20180701/policy/modules/roles/staff.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/roles/staff.te +++ refpolicy-2.20180701/policy/modules/roles/staff.te @@ -142,7 +142,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - mozilla_role(staff_r, staff_t) + mozilla_role(staff_r, staff_t, user_devpts_t) ') optional_policy(` Index: refpolicy-2.20180701/policy/modules/roles/sysadm.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/roles/sysadm.te +++ refpolicy-2.20180701/policy/modules/roles/sysadm.te 
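Review bot: `corenet_tcp_connect_xserver_port(mozilla_t)` in the mozilla.te hunk lets the browser connect to the X server TCP port on any host, while the `xserver_user_x_domain_template` line directly above it already provides the local X connection, so the TCP rule is only useful for a remote display and should say so: `# TCP connect to X: only needed for a remote DISPLAY, consider gating behind a tunable`. Without a comment the next reader cannot tell whether this fixed a real denial or was added speculatively. The corecommands.fc entry for `/opt/google/chrome/cron/google-chrome` and the role-file updates on this line are mechanical.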
@@ -652,7 +652,7 @@ optional_policy(` ') optional_policy(` - mozilla_role(sysadm_r, sysadm_t) + mozilla_role(sysadm_r, sysadm_t, user_devpts_t) ') optional_policy(` Index: refpolicy-2.20180701/policy/modules/roles/unprivuser.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/roles/unprivuser.te +++ refpolicy-2.20180701/policy/modules/roles/unprivuser.te @@ -114,7 +114,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - mozilla_role(user_r, user_t) + mozilla_role(user_r, user_t, user_devpts_t) ') optional_policy(`