Date: Thu, 10 Jan 2019 09:11:46 +0800
From: Jason Zaman
To: Chris PeBenito
Cc: Russell Coker, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] chrome/chromium
Message-ID: <20190110011146.GA6715@baraddur.perfinion.com>
References: <20190108084939.GA28652@xev>

On Wed, Jan 09, 2019 at 07:06:23PM -0500, Chris PeBenito wrote:
> On 1/8/19 3:49 AM, Russell Coker wrote:
> > Here's a policy patch for chrome/chromium. I don't expect this to be accepted
> > as-is, Chris tell me what you would like in a patch for inclusion.
> >
> > Last time I posted this someone else said they had a good patch that they were
> > going to submit but that never happened.

This reminds me that I was supposed to upstream the chromium policy from
Gentoo. I think I didn't before because the XDG types were not up, but they
are now.

-- 
Jason

> > Index: refpolicy-2.20180701/policy/modules/apps/mozilla.fc
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/apps/mozilla.fc
> > +++ refpolicy-2.20180701/policy/modules/apps/mozilla.fc
> > @@ -1,6 +1,9 @@ > > HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_xdg_cache_t,s0) > > HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > > HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > > +HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > > +HOME_DIR/\.config/google-chrome(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > > +HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > > HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) > > HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > > HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) > > @@ -15,6 +18,7 @@ HOME_DIR/\.spicec(/.*)? gen_context(syst > > HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) > > HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) > > > > +/usr/bin/chromium -- gen_context(system_u:object_r:mozilla_exec_t,s0) > > /usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) > > /usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) > > /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) 
> > @@ -40,3 +44,10 @@ HOME_DIR/zimbrauserdata(/.*)? gen_contex > > /usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) > > /usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) > > /usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) > > +/usr/lib/chromium/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) > > +/usr/lib/chromium/chromium -- gen_context(system_u:object_r:chrome_browser_exec_t,s0) > > +/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) > > +/opt/google/chrome/chrome -- gen_context(system_u:object_r:chrome_browser_exec_t,s0) > > +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:chrome_browser_exec_t,s0) > > +/opt/google/chrome/nacl_helper -- gen_context(system_u:object_r:chrome_browser_exec_t,s0) > > + > > Index: refpolicy-2.20180701/policy/modules/apps/mozilla.if > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/apps/mozilla.if > > +++ refpolicy-2.20180701/policy/modules/apps/mozilla.if > > @@ -14,12 +14,18 @@ > > ## User domain for the role. > > ## > > ## > > +## > > +## > > +## Type of the user tty > > +## > > +## > > # > > interface(`mozilla_role',` > > gen_require(` > > type mozilla_t, mozilla_exec_t, mozilla_home_t; > > type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t; > > type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t; > > + type chrome_sandbox_t, chrome_browser_exec_t; > > attribute_role mozilla_roles; > > ') > > > > @@ -36,6 +42,7 @@ interface(`mozilla_role',` > > # > > > > domtrans_pattern($2, mozilla_exec_t, mozilla_t) > > + domtrans_pattern($2, chrome_browser_exec_t, mozilla_t) > > > > allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; > > ps_process_pattern($2, mozilla_t) 
> > @@ -45,6 +52,9 @@ interface(`mozilla_role',` > > > > allow $2 mozilla_t:fd use; > > allow $2 mozilla_t:shm rw_shm_perms; > > + allow chrome_sandbox_t $2:fd use; > > + allow chrome_sandbox_t $2:fifo_file write; > > + allow chrome_sandbox_t $3:chr_file { read write };

> I didn't really look much farther than here. It seems like this
> terminal access is more of a potential to dontaudit, since it is a
> sandbox. I'm not clear why we can't simply have
> userdom_use_user_terminals(chrome_sandbox_t) in the TE rules, rather
> than passing the same type all around.
>
> Beyond that, this simply won't fly because of all the seemingly conflicting
> types. A user might think, "what does mozilla have to do with chrome? I
> don't even have mozilla installed!" For this to work, we'd have to go
> down a generic browser policy, with correspondingly generic type names.
> I'm not opposed to this, but that'd be the first step.

> > > > stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t) > > > > @@ -288,10 +298,12 @@ interface(`mozilla_read_tmp_files',` > > interface(`mozilla_domtrans',` > > gen_require(` > > type mozilla_t, mozilla_exec_t; > > + type chrome_browser_exec_t; > > ') > > > > corecmd_search_bin($1) > > domtrans_pattern($1, mozilla_exec_t, mozilla_t) > > + domtrans_pattern($1, chrome_browser_exec_t, mozilla_t) > > ') > > > > ######################################## > > Index: refpolicy-2.20180701/policy/modules/apps/mozilla.te > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/apps/mozilla.te > > +++ refpolicy-2.20180701/policy/modules/apps/mozilla.te
> > @@ -47,6 +47,45 @@ userdom_user_tmp_file(mozilla_plugin_tmp > > type mozilla_plugin_tmpfs_t; > > userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t) > > > > +type chrome_sandbox_t; > > +type chrome_sandbox_exec_t; > > +type chrome_browser_exec_t; > > +application_domain(mozilla_t, chrome_browser_exec_t) > > +userdom_user_application_domain(mozilla_t, chrome_browser_exec_t ) > > +role mozilla_plugin_roles types chrome_sandbox_t; > > +domain_auto_transition_pattern(chrome_sandbox_t, chrome_browser_exec_t, mozilla_t) > > +allow mozilla_t chrome_sandbox_t:process sigchld; > > +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) > > +ubac_constrained(chrome_sandbox_t) > > +fs_getattr_xattr_fs(chrome_sandbox_t) > > + > > +allow chrome_sandbox_t mozilla_t:dir list_dir_perms; > > +allow chrome_sandbox_t mozilla_t:fifo_file rw_file_perms; > > +allow chrome_sandbox_t mozilla_t:file read_file_perms; > > +allow chrome_sandbox_t mozilla_t:lnk_file read_lnk_file_perms; > > +allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write }; > > +allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write }; > > +allow chrome_sandbox_t mozilla_t:fd use; > > +allow chrome_sandbox_t mozilla_t:file write; > > +allow chrome_sandbox_t proc_t:dir read; > > +allow chrome_sandbox_t self:process setrlimit; > > +type chrome_sandbox_tmp_t; > > + > > +# this is needed for Chrome (not Chromium) startup > > +allow chrome_sandbox_t mozilla_t:process { siginh rlimitinh noatsecure }; > > + > > +files_tmp_file(chrome_sandbox_tmp_t) > > +ubac_constrained(chrome_sandbox_tmp_t) > > +files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { file dir }) > > +allow chrome_sandbox_t chrome_sandbox_tmp_t:dir manage_dir_perms; > > +allow mozilla_t self:unix_dgram_socket sendto; > > +allow mozilla_t chrome_browser_exec_t:file execute_no_trans; > > +# for V8 > > +allow mozilla_t self:process execmem; > > + > > +allow mozilla_t chrome_sandbox_t:shm { write unix_read getattr unix_write 
associate read }; > > +allow mozilla_t chrome_sandbox_t:unix_dgram_socket { read write }; > > + > > optional_policy(` > > pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t) > > ') > > @@ -79,8 +118,22 @@ xdg_cache_content(mozilla_xdg_cache_t) > > # Local policy > > # > > > > +dontaudit chrome_sandbox_t domain:dir getattr; > > +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) > > +domain_auto_transition_pattern(mozilla_t, chrome_sandbox_exec_t, chrome_sandbox_t) > > +allow mozilla_t mozilla_home_t:sock_file manage_sock_file_perms; > > +allow chrome_sandbox_t self:fifo_file rw_file_perms; > > +allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write }; > > +allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write }; > > +allow chrome_sandbox_t self:capability { chown dac_override fsetid net_raw setgid setuid sys_admin sys_chroot sys_ptrace }; > > +allow chrome_sandbox_t mozilla_t:process { share sigchld }; > > +allow mozilla_t chrome_sandbox_t:fd use; > > +allow mozilla_t chrome_sandbox_t:unix_stream_socket { read write }; > > +dev_read_sysfs(mozilla_t) > > +domain_dontaudit_search_all_domains_state(chrome_sandbox_t) > > + > > allow mozilla_t self:capability { setgid setuid sys_nice }; > > -allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; > > +allow mozilla_t self:process { sigkill signal setsched getsched setrlimit setcap }; > > allow mozilla_t self:fifo_file rw_fifo_file_perms; > > allow mozilla_t self:shm create_shm_perms; > > allow mozilla_t self:sem create_sem_perms; 
> > @@ -93,6 +146,10 @@ allow mozilla_t mozilla_plugin_t:fd use; > > allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms; > > allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map }; > > allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms; > > + > > +# for plugins > > +can_exec(mozilla_t, mozilla_home_t) > > + > > userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon") > > userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla") > > userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape") > > @@ -103,6 +160,7 @@ filetrans_pattern(mozilla_t, mozilla_hom > > manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) > > manage_lnk_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) > > manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) > > +manage_sock_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) > > allow mozilla_t mozilla_tmp_t:file map; > > files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir }) > > > > @@ -110,7 +168,11 @@ manage_files_pattern(mozilla_t, mozilla_ > > manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) > > manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) > > manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) > > -fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) > > +fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { dir file lnk_file sock_file fifo_file }) > > + > > +# so mozilla can create /var/run/user/PID/pulse > > +auth_read_var_auth(mozilla_t) > > + > > allow mozilla_t mozilla_plugin_tmpfs_t:file map; > > > > allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms; 
> > @@ -125,11 +187,16 @@ xdg_cache_filetrans(mozilla_t, mozilla_x > > > > can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t }) > > > > +allow mozilla_t self:netlink_kobject_uevent_socket create_socket_perms; > > + > > kernel_read_kernel_sysctls(mozilla_t) > > kernel_read_network_state(mozilla_t) > > kernel_read_system_state(mozilla_t) > > kernel_read_net_sysctls(mozilla_t) > > > > +# for overcommit_memory > > +kernel_read_vm_overcommit_sysctl(mozilla_t) > > + > > corecmd_list_bin(mozilla_t) > > corecmd_exec_shell(mozilla_t) > > corecmd_exec_bin(mozilla_t) > > @@ -174,6 +241,8 @@ dev_read_rand(mozilla_t) > > dev_read_urand(mozilla_t) > > dev_rw_dri(mozilla_t) > > dev_write_sound(mozilla_t) > > +dev_dontaudit_getattr_all_chr_files(mozilla_t) > > +dev_dontaudit_getattr_all_blk_files(mozilla_t) > > > > domain_dontaudit_read_all_domains_state(mozilla_t) > > > > @@ -222,6 +291,7 @@ xdg_manage_downloads(mozilla_t) > > > > xserver_rw_mesa_shader_cache(mozilla_t) > > xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) > > +corenet_tcp_connect_xserver_port(mozilla_t) > > xserver_dontaudit_read_xdm_tmp_files(mozilla_t) > > xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) > > > > Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc > > +++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc 
> > @@ -121,6 +121,7 @@ ifdef(`distro_debian',` > > /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) > > > > /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) > > +/opt/google/chrome/cron/google-chrome -- gen_context(system_u:object_r:bin_t,s0) > > > > /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) > > > > Index: refpolicy-2.20180701/policy/modules/roles/xguest.te > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/roles/xguest.te > > +++ refpolicy-2.20180701/policy/modules/roles/xguest.te > > @@ -103,7 +103,7 @@ optional_policy(` > > ') > > > > optional_policy(` > > - mozilla_role(xguest_r, xguest_t) > > + mozilla_role(xguest_r, xguest_t, user_devpts_t) > > ') > > > > optional_policy(` > > Index: refpolicy-2.20180701/policy/modules/roles/staff.te > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/roles/staff.te > > +++ refpolicy-2.20180701/policy/modules/roles/staff.te > > @@ -142,7 +142,7 @@ ifndef(`distro_redhat',` > > ') > > > > optional_policy(` > > - mozilla_role(staff_r, staff_t) > > + mozilla_role(staff_r, staff_t, user_devpts_t) > > ') > > > > optional_policy(` > > Index: refpolicy-2.20180701/policy/modules/roles/sysadm.te > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/roles/sysadm.te > > +++ refpolicy-2.20180701/policy/modules/roles/sysadm.te 
> > @@ -652,7 +652,7 @@ optional_policy(` > > ') > > > > optional_policy(` > > - mozilla_role(sysadm_r, sysadm_t) > > + mozilla_role(sysadm_r, sysadm_t, user_devpts_t) > > ') > > > > optional_policy(` > > Index: refpolicy-2.20180701/policy/modules/roles/unprivuser.te > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/roles/unprivuser.te > > +++ refpolicy-2.20180701/policy/modules/roles/unprivuser.te > > @@ -114,7 +114,7 @@ ifndef(`distro_redhat',` > > ') > > > > optional_policy(` > > - mozilla_role(user_r, user_t) > > + mozilla_role(user_r, user_t, user_devpts_t) > > ') > > > > optional_policy(` > > > > > -- > Chris PeBenito
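Review bot: in the first mozilla.fc hunk, `HOME_DIR/\.cache/chromium(/.*)?` is labelled mozilla_home_t while the existing `HOME_DIR/\.cache/mozilla(/.*)?` line two above it uses mozilla_xdg_cache_t; give the chromium cache the same mozilla_xdg_cache_t label so the xdg_cache_content() handling and the cache/profile separation already in the module apply to it. The two `.config` entries should likewise be checked against the XDG config type now that those types exist (as the reply says), rather than being folded into mozilla_home_t.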
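Review bot: the third mozilla.fc hunk ends with a bare `+` line, which adds an empty line at end of file; drop it. In the same file, `/usr/bin/chromium` (second hunk) is labelled mozilla_exec_t while `/usr/lib/chromium/chromium` and `nacl_helper` get chrome_browser_exec_t; both entry types transition to mozilla_t via the .if changes, so this works, but a one-line comment above the block saying the wrapper and the real binaries are deliberately different would save the next reader a trip through mozilla.if.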
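Review bot: the new `$3` parameter of mozilla_role() is passed as the literal user_devpts_t by every caller in the xguest.te, staff.te, sysadm.te and unprivuser.te hunks, so it carries no information and only breaks out-of-tree callers of the old two-argument interface. As the reply suggests, userdom_use_user_terminals(chrome_sandbox_t) in mozilla.te (or a dontaudit, if the sandbox only probes its tty) replaces `allow chrome_sandbox_t $3:chr_file { read write };` and all four role changes. The `allow chrome_sandbox_t $2:fd use;` / `$2:fifo_file write;` pair in the same hunk should carry a comment saying these are the inherited stdio descriptors, since fd inheritance from the user domain is normally handled by the userdom interfaces too.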
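Review bot: in the mozilla.te hunk at @@ -47, `allow chrome_sandbox_t mozilla_t:fifo_file rw_file_perms;` applies the file permission set to a fifo_file; the module's own `allow mozilla_t self:fifo_file rw_fifo_file_perms;` (context in the @@ -79 hunk) is the intended macro. `allow chrome_sandbox_t proc_t:dir read;` names a kernel-module type directly; use a kernel_* interface such as kernel_list_proc() as the rest of the module does. `type chrome_sandbox_tmp_t;` is declared in the middle of the rules and `files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { file dir })` transitions files as well as directories, but the only rule on that type is `dir manage_dir_perms`, so a created file would be unreadable by its creator; move the declaration up and use manage_files_pattern()/manage_dirs_pattern() like mozilla_tmp_t. `application_domain(mozilla_t, chrome_browser_exec_t)` plus `userdom_user_application_domain(mozilla_t, chrome_browser_exec_t )` (stray space) re-declare an existing domain just to add an entry point; domain_entry_file(mozilla_t, chrome_browser_exec_t) is enough. Finally, `allow mozilla_t self:process execmem;` (`# for V8`) removes W^X for the whole mozilla_t domain, including Firefox users who never run Chrome; put it behind a tunable, and give the `siginh rlimitinh noatsecure` rule a comment explaining why secure-exec may be switched off on a transition out of a capability-holding sandbox domain.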
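Review bot: the @@ -79 hunk repeats rules already added at @@ -47: `application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)` and the `allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write };` / `unix_stream_socket { read write };` pair appear in both; keep one copy of each (declaration in the declarations block, allow rules in local policy). `allow chrome_sandbox_t self:fifo_file rw_file_perms;` has the same wrong macro as above, and `dontaudit chrome_sandbox_t domain:dir getattr;` uses the raw `domain` attribute where `domain_dontaudit_search_all_domains_state(chrome_sandbox_t)`, added a few lines later, already covers the case. `allow chrome_sandbox_t self:capability { chown dac_override fsetid net_raw setgid setuid sys_admin sys_chroot sys_ptrace };` is a very wide set for a helper whose job is to set up namespaces and drop privilege: sys_admin, sys_chroot, setuid and setgid are expected, but chown, fsetid, net_raw, dac_override and sys_ptrace each need a comment with the operation that requires them, and any that only appear as probes in the audit log should be dontaudit rather than allow.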
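Review bot: `can_exec(mozilla_t, mozilla_home_t)` (`# for plugins`, @@ -93) lets the browser execute anything under every mozilla_home_t path, which after the .fc changes includes the whole `~/.config/chromium`, `~/.config/google-chrome` and `~/.mozilla` trees; that undoes the separation the module builds with mozilla_plugin_home_t and the existing `can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })`. Label the specific directory Chrome executes from with mozilla_plugin_home_t (or a new type) instead of opening the profile directory.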
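Review bot: at @@ -110, the comment `# so mozilla can create /var/run/user/PID/pulse` does not describe `auth_read_var_auth(mozilla_t)`, which grants read access to authlogin's state under /var and nothing under /run/user; either the comment is stale or the wrong interface was picked from the denial. Re-check the AVC that prompted it and use the pulseaudio or user-runtime interface that actually creates that directory.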
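Review bot: `corenet_tcp_connect_xserver_port(mozilla_t)` at @@ -222 sits in the xserver block but opens a TCP connection to the X server port, which is only needed when DISPLAY names a TCP display; xserver_user_x_domain_template() on the line above already covers the local Unix-socket path. If a real denial motivated it, say so in a comment and consider a tunable; otherwise drop it. `allow mozilla_t self:netlink_kobject_uevent_socket create_socket_perms;` at @@ -125 also needs a comment naming the feature (device hotplug notifications) that uses it.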