Subject: Re: [PATCH] chrome/chromium
To: russell@coker.com.au
Cc: selinux-refpolicy@vger.kernel.org
References: <20190108084939.GA28652@xev> <11639347.phjdDo44MW@xev>
From: Chris PeBenito
Message-ID: <857d83a0-1aba-6e03-59fb-f1c6b451452c@ieee.org>
Date: Thu, 10 Jan 2019 20:17:36 -0500
In-Reply-To: <11639347.phjdDo44MW@xev>
List-ID: selinux-refpolicy@vger.kernel.org

On 1/10/19 12:17 AM, Russell Coker wrote:
> On Thursday, 10 January 2019 11:06:23 AM AEDT Chris PeBenito wrote:
>>> allow $2 mozilla_t:fd use;
>>> allow $2 mozilla_t:shm rw_shm_perms;
>>> + allow chrome_sandbox_t $2:fd use;
>>> + allow chrome_sandbox_t $2:fifo_file write;
>>> + allow chrome_sandbox_t $3:chr_file { read write };
>>
>> Beyond that, this simply won't fly because of all the seemingly conflicting
>> types. A user might think, "what does mozilla have to do with chrome? I
>> don't even have mozilla installed!" For this to work, we'd have to go
>> down a generic browser policy, with correspondingly generic type names.
>> I'm not opposed to this, but that'd be the first step.
>
> Fair point. Would you like me to submit a patch s/mozilla/webbrowser/g as the
> first step towards this?

Sure. Don't forget the compat aliases for mozilla.

-- 
Chris PeBenito
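Review bot: the three `+` lines reverse the direction of the two context lines and introduce an undocumented parameter: where `allow $2 mozilla_t:fd use;` lets the caller's domain `$2` reach the browser, `allow chrome_sandbox_t $2:fd use;`, the `$2:fifo_file write` rule and `allow chrome_sandbox_t $3:chr_file { read write };` let the sandbox domain reach back into the caller's descriptors, pipe and a `$3` type that the visible context never uses (presumably a terminal, given chr_file). The interface's parameter documentation should say what `$3` is expected to be and that chrome_sandbox_t is granted access to it; and since the shm line already uses the `rw_shm_perms` set, the chr_file rule should state whether the bare `{ read write }` (no `open`, i.e. inherited-descriptor access only) is intended or whether the matching refpolicy permission set belongs there.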
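The two-step plan agreed above (generic names first, mozilla compat aliases alongside) as an added sketch in refpolicy syntax; this is not code from the thread or from refpolicy itself, and the module name webbrowser, the types webbrowser_t/webbrowser_exec_t and the interface webbrowser_role() are assumed names following the proposed s/mozilla/webbrowser/g:

```selinux
# webbrowser.te (assumed module name after the s/mozilla/webbrowser/g rename)
policy_module(webbrowser, 1.0.0)

type webbrowser_t;
type webbrowser_exec_t;
application_domain(webbrowser_t, webbrowser_exec_t)

# Compat aliases: policy and file contexts that still name mozilla_t /
# mozilla_exec_t keep resolving to the generic types after the rename.
typealias webbrowser_t alias mozilla_t;
typealias webbrowser_exec_t alias mozilla_exec_t;

# webbrowser.if (assumed): the generic role interface, plus a deprecated
# wrapper so existing callers of mozilla_role() keep building, with a warning.
## <summary>
##	Role access to the generic web browser domain.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`webbrowser_role',`
	gen_require(`
		type webbrowser_t, webbrowser_exec_t;
	')

	role $1 types webbrowser_t;
	domtrans_pattern($2, webbrowser_exec_t, webbrowser_t)

	# same caller-to-browser rules as the mozilla_role() context lines above
	allow $2 webbrowser_t:fd use;
	allow $2 webbrowser_t:shm rw_shm_perms;
')

## <summary>
##	Deprecated: use webbrowser_role() instead.
## </summary>
#
interface(`mozilla_role',`
	refpolicywarn(`$0($*) has been deprecated, please use webbrowser_role() instead.')
	webbrowser_role($*)
')
```

The typealias lines are what keep already-labelled files and third-party modules working; the deprecated interface wrapper is the refpolicy convention for retiring an interface name without breaking callers in the same release.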