Subject: Re: [PATCH] chrome/chromium
To: Russell Coker, selinux-refpolicy@vger.kernel.org
References: <20190108084939.GA28652@xev>
From: Chris PeBenito
Date: Wed, 9 Jan 2019 19:06:23 -0500
In-Reply-To: <20190108084939.GA28652@xev>

On 1/8/19 3:49 AM, Russell Coker wrote:
> Here's a policy patch for chrome/chromium. I don't expect this to be accepted
> as-is, Chris tell me what you would like in a patch for inclusion.
>
> Last time I posted this someone else said they had a good patch that they were
> going to submit but that never happened.
>
> Index: refpolicy-2.20180701/policy/modules/apps/mozilla.fc > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/apps/mozilla.fc > +++ refpolicy-2.20180701/policy/modules/apps/mozilla.fc > @@ -1,6 +1,9 @@ > HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_xdg_cache_t,s0) > HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > +HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > +HOME_DIR/\.config/google-chrome(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > +HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) > HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) 
> @@ -15,6 +18,7 @@ HOME_DIR/\.spicec(/.*)? gen_context(syst > HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) > HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) > > +/usr/bin/chromium -- gen_context(system_u:object_r:mozilla_exec_t,s0) > /usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) > /usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) > /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) > @@ -40,3 +44,10 @@ HOME_DIR/zimbrauserdata(/.*)? gen_contex > /usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) > /usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) > /usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) > +/usr/lib/chromium/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) > +/usr/lib/chromium/chromium -- gen_context(system_u:object_r:chrome_browser_exec_t,s0) > +/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) > +/opt/google/chrome/chrome -- gen_context(system_u:object_r:chrome_browser_exec_t,s0) > +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:chrome_browser_exec_t,s0) > +/opt/google/chrome/nacl_helper -- gen_context(system_u:object_r:chrome_browser_exec_t,s0) > + > Index: refpolicy-2.20180701/policy/modules/apps/mozilla.if > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/apps/mozilla.if > +++ refpolicy-2.20180701/policy/modules/apps/mozilla.if 
> @@ -14,12 +14,18 @@ > ## User domain for the role. > ## > ## > +## > +## > +## Type of the user tty > +## > +## > # > interface(`mozilla_role',` > gen_require(` > type mozilla_t, mozilla_exec_t, mozilla_home_t; > type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t; > type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t; > + type chrome_sandbox_t, chrome_browser_exec_t; > attribute_role mozilla_roles; > ') > > @@ -36,6 +42,7 @@ interface(`mozilla_role',` > # > > domtrans_pattern($2, mozilla_exec_t, mozilla_t) > + domtrans_pattern($2, chrome_browser_exec_t, mozilla_t) > > allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; > ps_process_pattern($2, mozilla_t) > @@ -45,6 +52,9 @@ interface(`mozilla_role',` > > allow $2 mozilla_t:fd use; > allow $2 mozilla_t:shm rw_shm_perms; > + allow chrome_sandbox_t $2:fd use; > + allow chrome_sandbox_t $2:fifo_file write; > + allow chrome_sandbox_t $3:chr_file { read write };

I didn't really look much farther than here. It seems like this terminal access is more of a potential to dontaudit, since it is a sandbox. I'm not clear why we can't simply have userdom_use_user_terminals(chrome_sandbox_t) in the TE rules, rather than passing the same type all around.

Beyond that, this simply won't fly because of all the seemingly conflicting types. A user might think, "what does mozilla have to do with chrome? I don't even have mozilla installed!" For this to work, we'd have to go down a generic browser policy, with correspondingly generic type names. I'm not opposed to this, but that'd be the first step.

> stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t) 
> > @@ -288,10 +298,12 @@ interface(`mozilla_read_tmp_files',` > interface(`mozilla_domtrans',` > gen_require(` > type mozilla_t, mozilla_exec_t; > + type chrome_browser_exec_t; > ') > > corecmd_search_bin($1) > domtrans_pattern($1, mozilla_exec_t, mozilla_t) > + domtrans_pattern($1, chrome_browser_exec_t, mozilla_t) > ') > > ######################################## > Index: refpolicy-2.20180701/policy/modules/apps/mozilla.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/apps/mozilla.te > +++ refpolicy-2.20180701/policy/modules/apps/mozilla.te 
> @@ -47,6 +47,45 @@ userdom_user_tmp_file(mozilla_plugin_tmp > type mozilla_plugin_tmpfs_t; > userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t) > > +type chrome_sandbox_t; > +type chrome_sandbox_exec_t; > +type chrome_browser_exec_t; > +application_domain(mozilla_t, chrome_browser_exec_t) > +userdom_user_application_domain(mozilla_t, chrome_browser_exec_t ) > +role mozilla_plugin_roles types chrome_sandbox_t; > +domain_auto_transition_pattern(chrome_sandbox_t, chrome_browser_exec_t, mozilla_t) > +allow mozilla_t chrome_sandbox_t:process sigchld; > +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) > +ubac_constrained(chrome_sandbox_t) > +fs_getattr_xattr_fs(chrome_sandbox_t) > + > +allow chrome_sandbox_t mozilla_t:dir list_dir_perms; > +allow chrome_sandbox_t mozilla_t:fifo_file rw_file_perms; > +allow chrome_sandbox_t mozilla_t:file read_file_perms; > +allow chrome_sandbox_t mozilla_t:lnk_file read_lnk_file_perms; > +allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write }; > +allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write }; > +allow chrome_sandbox_t mozilla_t:fd use; > +allow chrome_sandbox_t mozilla_t:file write; > +allow chrome_sandbox_t proc_t:dir read; > +allow chrome_sandbox_t self:process setrlimit; > +type chrome_sandbox_tmp_t; > + > +# this is needed for Chrome (not Chromium) startup > +allow chrome_sandbox_t mozilla_t:process { siginh rlimitinh noatsecure }; > + > +files_tmp_file(chrome_sandbox_tmp_t) > +ubac_constrained(chrome_sandbox_tmp_t) > +files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { file dir }) > +allow chrome_sandbox_t chrome_sandbox_tmp_t:dir manage_dir_perms; > +allow mozilla_t self:unix_dgram_socket sendto; > +allow mozilla_t chrome_browser_exec_t:file execute_no_trans; > +# for V8 > +allow mozilla_t self:process execmem; > + > +allow mozilla_t chrome_sandbox_t:shm { write unix_read getattr unix_write associate read }; > +allow mozilla_t chrome_sandbox_t:unix_dgram_socket { read write }; > 
+ > optional_policy(` > pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t) > ') > @@ -79,8 +118,22 @@ xdg_cache_content(mozilla_xdg_cache_t) > # Local policy > # > > +dontaudit chrome_sandbox_t domain:dir getattr; > +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) > +domain_auto_transition_pattern(mozilla_t, chrome_sandbox_exec_t, chrome_sandbox_t) > +allow mozilla_t mozilla_home_t:sock_file manage_sock_file_perms; > +allow chrome_sandbox_t self:fifo_file rw_file_perms; > +allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write }; > +allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write }; > +allow chrome_sandbox_t self:capability { chown dac_override fsetid net_raw setgid setuid sys_admin sys_chroot sys_ptrace }; > +allow chrome_sandbox_t mozilla_t:process { share sigchld }; > +allow mozilla_t chrome_sandbox_t:fd use; > +allow mozilla_t chrome_sandbox_t:unix_stream_socket { read write }; > +dev_read_sysfs(mozilla_t) > +domain_dontaudit_search_all_domains_state(chrome_sandbox_t) > + > allow mozilla_t self:capability { setgid setuid sys_nice }; > -allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; > +allow mozilla_t self:process { sigkill signal setsched getsched setrlimit setcap }; > allow mozilla_t self:fifo_file rw_fifo_file_perms; > allow mozilla_t self:shm create_shm_perms; > allow mozilla_t self:sem create_sem_perms; > @@ -93,6 +146,10 @@ allow mozilla_t mozilla_plugin_t:fd use; > allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms; > allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map }; > allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms; > + > +# for plugins > +can_exec(mozilla_t, mozilla_home_t) > + > userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon") > userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla") > userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape") 
> @@ -103,6 +160,7 @@ filetrans_pattern(mozilla_t, mozilla_hom > manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) > manage_lnk_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) > manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) > +manage_sock_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) > allow mozilla_t mozilla_tmp_t:file map; > files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir }) > > @@ -110,7 +168,11 @@ manage_files_pattern(mozilla_t, mozilla_ > manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) > manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) > manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) > -fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) > +fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { dir file lnk_file sock_file fifo_file }) > + > +# so mozilla can create /var/run/user/PID/pulse > +auth_read_var_auth(mozilla_t) > + > allow mozilla_t mozilla_plugin_tmpfs_t:file map; > > allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms; > @@ -125,11 +187,16 @@ xdg_cache_filetrans(mozilla_t, mozilla_x > > can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t }) > > +allow mozilla_t self:netlink_kobject_uevent_socket create_socket_perms; > + > kernel_read_kernel_sysctls(mozilla_t) > kernel_read_network_state(mozilla_t) > kernel_read_system_state(mozilla_t) > kernel_read_net_sysctls(mozilla_t) > > +# for overcommit_memory > +kernel_read_vm_overcommit_sysctl(mozilla_t) > + > corecmd_list_bin(mozilla_t) > corecmd_exec_shell(mozilla_t) > corecmd_exec_bin(mozilla_t) > @@ -174,6 +241,8 @@ dev_read_rand(mozilla_t) > dev_read_urand(mozilla_t) > dev_rw_dri(mozilla_t) > dev_write_sound(mozilla_t) > +dev_dontaudit_getattr_all_chr_files(mozilla_t) > +dev_dontaudit_getattr_all_blk_files(mozilla_t) > > domain_dontaudit_read_all_domains_state(mozilla_t) 
> > @@ -222,6 +291,7 @@ xdg_manage_downloads(mozilla_t) > > xserver_rw_mesa_shader_cache(mozilla_t) > xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) > +corenet_tcp_connect_xserver_port(mozilla_t) > xserver_dontaudit_read_xdm_tmp_files(mozilla_t) > xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) > > Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc > +++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc > @@ -121,6 +121,7 @@ ifdef(`distro_debian',` > /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) > > /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) > +/opt/google/chrome/cron/google-chrome -- gen_context(system_u:object_r:bin_t,s0) > > /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) > > Index: refpolicy-2.20180701/policy/modules/roles/xguest.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/roles/xguest.te > +++ refpolicy-2.20180701/policy/modules/roles/xguest.te > @@ -103,7 +103,7 @@ optional_policy(` > ') > > optional_policy(` > - mozilla_role(xguest_r, xguest_t) > + mozilla_role(xguest_r, xguest_t, user_devpts_t) > ') > > optional_policy(` > Index: refpolicy-2.20180701/policy/modules/roles/staff.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/roles/staff.te > +++ refpolicy-2.20180701/policy/modules/roles/staff.te 
> @@ -142,7 +142,7 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > - mozilla_role(staff_r, staff_t) > + mozilla_role(staff_r, staff_t, user_devpts_t) > ') > > optional_policy(` > Index: refpolicy-2.20180701/policy/modules/roles/sysadm.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/roles/sysadm.te > +++ refpolicy-2.20180701/policy/modules/roles/sysadm.te > @@ -652,7 +652,7 @@ optional_policy(` > ') > > optional_policy(` > - mozilla_role(sysadm_r, sysadm_t) > + mozilla_role(sysadm_r, sysadm_t, user_devpts_t) > ') > > optional_policy(` > Index: refpolicy-2.20180701/policy/modules/roles/unprivuser.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/roles/unprivuser.te > +++ refpolicy-2.20180701/policy/modules/roles/unprivuser.te > @@ -114,7 +114,7 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > - mozilla_role(user_r, user_t) > + mozilla_role(user_r, user_t, user_devpts_t) > ') > > optional_policy(` >
-- 
Chris PeBenito
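Review bot: in the mozilla.fc hunk at @@ -1,6 +1,9 @@, `HOME_DIR/\.cache/chromium(/.*)?` is labeled mozilla_home_t while the neighbouring `HOME_DIR/\.cache/mozilla(/.*)?` uses mozilla_xdg_cache_t; the Chromium cache should get the same cache type so that disposable cache content is not treated as persistent profile data. The mozilla.fc hunk at @@ -40,3 +44,10 @@ also ends with a bare `+` line that only adds trailing whitespace to the file; drop it.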
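Review bot: the mozilla.if hunk at @@ -45,6 +52,9 @@ adds a third interface parameter, `$3`, used for exactly one rule, `allow chrome_sandbox_t $3:chr_file { read write };`, and all four callers in the xguest.te, staff.te, sysadm.te and unprivuser.te hunks pass the same fixed type, user_devpts_t. Changing the signature of a widely used interface for one constant type is not worth it; a single `userdom_use_user_terminals(chrome_sandbox_t)` or a dontaudit in mozilla.te covers it without touching the role files, and the `gen_require` in the same interface should then drop `chrome_sandbox_t` from its added `type` line since nothing else in the interface references it.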
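Review bot: the mozilla.te hunk at @@ -47,6 +47,45 @@ duplicates rules that reappear in the @@ -79,8 +118,22 @@ hunk: `application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)`, `allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write };` and `allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write };` each occur in both. Keep one copy, and move `type chrome_sandbox_tmp_t;` (currently between two allow rules) up to the declarations with the other new types. `allow chrome_sandbox_t proc_t:dir read;` references another module's type directly instead of going through a kernel_ interface, `userdom_user_application_domain(mozilla_t, chrome_browser_exec_t )` has a stray space before the closing paren, and `role mozilla_plugin_roles types chrome_sandbox_t;` uses the plugin role attribute while the interface hunk only requires `attribute_role mozilla_roles;`, so please confirm the calling roles are in mozilla_plugin_roles or the mozilla_t to chrome_sandbox_t transition will fail the role check.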
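Review bot: `allow mozilla_t self:process execmem;` (`# for V8`) in the @@ -47,6 +47,45 @@ hunk and `can_exec(mozilla_t, mozilla_home_t)` (`# for plugins`) in the @@ -93,6 +146,10 @@ hunk both widen the existing mozilla_t domain, so they also apply to Firefox installs that never see Chrome. execmem removes the W^X restriction for the whole browser domain and belongs behind a tunable rather than being unconditional; can_exec on mozilla_home_t lets the browser execute any file written into its own profile directory, while the context line in the @@ -125,11 +187,16 @@ hunk shows plugins are already executable through `can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })`, so please state which denial the new rule fixes.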
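Review bot: in the mozilla.te hunk at @@ -79,8 +118,22 @@, `allow chrome_sandbox_t self:capability { chown dac_override fsetid net_raw setgid setuid sys_admin sys_chroot sys_ptrace };` grants nine capabilities in one uncommented rule; setuid, setgid, sys_admin and sys_chroot are plausible for a setuid sandbox helper that sets up namespaces and a chroot, but chown, fsetid, net_raw and dac_override need a quoted denial or a dontaudit instead. In the same hunk `dontaudit chrome_sandbox_t domain:dir getattr;` uses the domain attribute directly and overlaps with the `domain_dontaudit_search_all_domains_state(chrome_sandbox_t)` call added a few lines later; keep only the interface call.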
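Review bot: in the mozilla.te hunk at @@ -110,7 +168,11 @@ the comment `# so mozilla can create /var/run/user/PID/pulse` does not match the call `auth_read_var_auth(mozilla_t)`, which grants read access to the authentication data directory and nothing under /var/run/user; either the comment or the interface is wrong, so please include the denial it addresses. Likewise `corenet_tcp_connect_xserver_port(mozilla_t)` in the @@ -222,6 +291,7 @@ hunk lets the browser domain open TCP connections to the X server port even though the adjacent `xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)` already provides local X access; if this is only needed for a particular setup it should be conditional.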