From: Jason Zaman
To: selinux-refpolicy@vger.kernel.org
Cc: Jason Zaman
Subject: [PATCH 5/5] Add chromium policy upstreamed from Gentoo
Date: Sat, 12 Jan 2019 16:03:44 +0800
Message-Id: <20190112080344.10031-5-jason@perfinion.com>
In-Reply-To: <20190112080344.10031-1-jason@perfinion.com>
References: <20190112080344.10031-1-jason@perfinion.com>
X-Mailer: git-send-email 2.19.2
X-Mailing-List: selinux-refpolicy@vger.kernel.org
Signed-off-by: Jason Zaman --- policy/modules/apps/chromium.fc | 31 +++ policy/modules/apps/chromium.if | 139 +++++++++++++ policy/modules/apps/chromium.te | 342 ++++++++++++++++++++++++++++++++ 3 files changed, 512 insertions(+) create mode 100644 policy/modules/apps/chromium.fc create mode 100644 policy/modules/apps/chromium.if create mode 100644 policy/modules/apps/chromium.te diff --git a/policy/modules/apps/chromium.fc b/policy/modules/apps/chromium.fc new file mode 100644 index 00000000..534235dc --- /dev/null +++ b/policy/modules/apps/chromium.fc 
@@ -0,0 +1,31 @@ +/opt/google/chrome/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) +/opt/google/chrome/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) +/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) +/opt/google/chrome/libudev.so.0 gen_context(system_u:object_r:lib_t,s0) + +/opt/google/chrome-beta/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) +/opt/google/chrome-beta/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/opt/google/chrome-beta/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/opt/google/chrome-beta/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) +/opt/google/chrome-beta/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) +/opt/google/chrome-beta/libudev.so.0 gen_context(system_u:object_r:lib_t,s0) + +/opt/google/chrome-unstable/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) +/opt/google/chrome-unstable/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/opt/google/chrome-unstable/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/opt/google/chrome-unstable/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) +/opt/google/chrome-unstable/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) +/opt/google/chrome-unstable/libudev.so.0 gen_context(system_u:object_r:lib_t,s0) + +/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) +/usr/lib/chromium-browser/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/usr/lib/chromium-browser/chrome-sandbox -- 
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) +/usr/lib/chromium-browser/chromium-launcher\.sh -- gen_context(system_u:object_r:chromium_exec_t,s0) +/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) + +HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0) +HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0) +HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_config_t,s0) +HOME_DIR/\.config/google-chrome(/.*)? gen_context(system_u:object_r:chromium_xdg_config_t,s0) diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if new file mode 100644 index 00000000..26eb0259 --- /dev/null +++ b/policy/modules/apps/chromium.if 
@@ -0,0 +1,139 @@ +## +## Chromium browser +## + +####################################### +## +## Role access for chromium +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`chromium_role',` + gen_require(` + type chromium_t; + type chromium_renderer_t; + type chromium_sandbox_t; + type chromium_naclhelper_t; + type chromium_exec_t; + ') + + role $1 types chromium_t; + role $1 types chromium_renderer_t; + role $1 types chromium_sandbox_t; + role $1 types chromium_naclhelper_t; + + # Transition from the user domain to the derived domain + chromium_domtrans($2) + + # Allow ps to show chromium processes and allow the user to signal it + ps_process_pattern($2, chromium_t) + ps_process_pattern($2, chromium_renderer_t) + + allow $2 chromium_t:process signal_perms; + allow $2 chromium_renderer_t:process signal_perms; + allow $2 chromium_naclhelper_t:process signal_perms; + + allow chromium_sandbox_t $2:fd use; + allow chromium_naclhelper_t $2:fd use; +') + +####################################### +## +## Read-write access to Chromiums' temporary fifo files +## +## +## +## Domain allowed access +## +## +# +interface(`chromium_rw_tmp_pipes',` + gen_require(` + type chromium_tmp_t; + ') + + rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t) +') + +############################################## +## +## Automatically use the specified type for resources created in chromium's +## temporary locations +## +## +## +## Domain that creates the resource(s) +## +## +## +## +## Type of the resource created +## +## +## +## +## The name of the resource being created +## +## +# +interface(`chromium_tmp_filetrans',` + gen_require(` + type chromium_tmp_t; + ') + + search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t) + filetrans_pattern($1, chromium_tmp_t, $2, $3, $4) +') + +####################################### +## +## Execute a domain transition to the chromium domain (chromium_t) +## +## +## +## Domain allowed access +## +## 
+# +interface(`chromium_domtrans',` + gen_require(` + type chromium_t; + type chromium_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, chromium_exec_t, chromium_t) +') + +####################################### +## +## Execute chromium in the chromium domain and allow the specified role to access the chromium domain +## +## +## +## Domain allowed access +## +## +## +## +## Role allowed access +## +## +# +interface(`chromium_run',` + gen_require(` + type chromium_t; + ') + + chromium_domtrans($1) + role $2 types chromium_t; +') diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te new file mode 100644 index 00000000..5219cb87 --- /dev/null +++ b/policy/modules/apps/chromium.te @@ -0,0 +1,342 @@ +policy_module(chromium, 1.0.0) + +######################################## +# +# Declarations +# + +## +##

+## Allow chromium to read system information +##

+##

+## Although not needed for regular browsing, this will allow chromium to update +## its own memory consumption based on system state, support additional +## debugging, detect specific devices, etc. +##

+##
+gen_tunable(chromium_read_system_info, false) + +## +##

+## Allow chromium to bind to tcp ports +##

+##

+## Although not needed for regular browsing, some chrome extensions need to +## bind to tcp ports and accept connections. +##

+##
+gen_tunable(chromium_bind_tcp_unreserved_ports, false) + +## +##

+## Allow chromium to read/write USB devices +##

+##

+## Although not needed for regular browsing, used for debugging over usb +## or using FIDO U2F tokens. +##

+##
+gen_tunable(chromium_rw_usb_dev, false) + +type chromium_t; +domain_dyntrans_type(chromium_t) + +type chromium_exec_t; +application_domain(chromium_t, chromium_exec_t) + +type chromium_naclhelper_t; +type chromium_naclhelper_exec_t; +application_domain(chromium_naclhelper_t, chromium_naclhelper_exec_t) + +type chromium_sandbox_t; +type chromium_sandbox_exec_t; +application_domain(chromium_sandbox_t, chromium_sandbox_exec_t) + +type chromium_renderer_t; +domain_base_type(chromium_renderer_t) + +type chromium_tmp_t; +userdom_user_tmp_file(chromium_tmp_t) + +type chromium_tmpfs_t; +userdom_user_tmpfs_file(chromium_tmpfs_t) +optional_policy(` + pulseaudio_tmpfs_content(chromium_tmpfs_t) +') + +type chromium_xdg_config_t; +xdg_config_content(chromium_xdg_config_t) + +type chromium_xdg_cache_t; +xdg_cache_content(chromium_xdg_cache_t) + + + +######################################## +# +# chromium local policy +# + +# execmem for load in plugins +allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal }; +allow chromium_t self:fifo_file rw_fifo_file_perms; +allow chromium_t self:sem create_sem_perms; +allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms; +# cap_userns sys_admin for the sandbox +allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace }; + +allow chromium_t chromium_exec_t:file execute_no_trans; + +allow chromium_t chromium_renderer_t:dir list_dir_perms; +allow chromium_t chromium_renderer_t:file rw_file_perms; +allow chromium_t chromium_renderer_t:fd use; +allow chromium_t chromium_renderer_t:process signal_perms; +allow chromium_t chromium_renderer_t:shm rw_shm_perms; +allow chromium_t chromium_renderer_t:unix_dgram_socket { read write }; +allow chromium_t chromium_renderer_t:unix_stream_socket { read write }; + +allow chromium_t chromium_sandbox_t:unix_dgram_socket { read write }; +allow chromium_t chromium_sandbox_t:unix_stream_socket { read write }; + +allow chromium_t 
chromium_naclhelper_t:process { share }; + +# tmp has a wide class access (used for plugins) +manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) +allow chromium_t chromium_tmp_t:file map; +manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) +manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) +manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) +manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) +files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file }) + +manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t) +allow chromium_t chromium_tmpfs_t:file map; +fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file) +fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file) + +manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t) +allow chromium_t chromium_xdg_config_t:file map; +manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t) +manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t) +xdg_config_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium") + +manage_files_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t) +allow chromium_t chromium_xdg_cache_t:file map; +manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t) +xdg_cache_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium") + +dyntrans_pattern(chromium_t, chromium_renderer_t) +domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t) +domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) + +kernel_list_proc(chromium_t) +kernel_read_net_sysctls(chromium_t) + +corecmd_exec_bin(chromium_t) +# Look for /etc/gentoo-release through a shell invocation running find +corecmd_exec_shell(chromium_t) + +corenet_tcp_connect_all_unreserved_ports(chromium_t) +corenet_tcp_connect_ftp_port(chromium_t) +corenet_tcp_connect_http_port(chromium_t) 
+corenet_udp_bind_generic_node(chromium_t) +corenet_udp_bind_all_unreserved_ports(chromium_t) + +dev_read_sound(chromium_t) +dev_write_sound(chromium_t) +dev_read_urand(chromium_t) +dev_read_rand(chromium_t) +dev_rw_xserver_misc(chromium_t) +dev_map_xserver_misc(chromium_t) + +domain_dontaudit_search_all_domains_state(chromium_t) + +files_list_home(chromium_t) +files_search_home(chromium_t) +files_read_usr_files(chromium_t) +files_map_usr_files(chromium_t) +files_read_etc_files(chromium_t) +# During find for /etc/whatever-release we get lots of output otherwise +files_dontaudit_getattr_all_dirs(chromium_t) + +fs_dontaudit_getattr_xattr_fs(chromium_t) + +miscfiles_read_all_certs(chromium_t) +miscfiles_read_localization(chromium_t) + +sysnet_dns_name_resolve(chromium_t) + +userdom_user_content_access_template(chromium, chromium_t) +userdom_dontaudit_list_user_home_dirs(chromium_t) +# Debugging. Also on user_tty_device_t if X is started through "startx" for instance +userdom_use_user_terminals(chromium_t) +userdom_manage_user_certs(chromium_t) +userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki") + +xdg_create_cache_dirs(chromium_t) +xdg_create_config_dirs(chromium_t) +xdg_create_data_dirs(chromium_t) +xdg_manage_downloads(chromium_t) +xdg_read_config_files(chromium_t) +xdg_read_data_files(chromium_t) + +xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t) + +tunable_policy(`chromium_bind_tcp_unreserved_ports',` + corenet_tcp_bind_generic_node(chromium_t) + corenet_tcp_bind_all_unreserved_ports(chromium_t) + allow chromium_t self:tcp_socket { listen accept }; +') + +tunable_policy(`chromium_rw_usb_dev',` + dev_rw_generic_usb_dev(chromium_t) + udev_read_db(chromium_t) +') + +tunable_policy(`chromium_read_system_info',` + kernel_read_kernel_sysctls(chromium_t) + # Memory optimizations & optimizations based on OS/version + kernel_read_system_state(chromium_t) + + # Debugging (sys/kernel/debug) and device information (sys/bus and 
sys/devices). + dev_read_sysfs(chromium_t) + + storage_getattr_fixed_disk_dev(chromium_t) + + files_read_etc_runtime_files(chromium_t) + + dev_dontaudit_getattr_all_chr_files(chromium_t) + init_dontaudit_getattr_initctl(chromium_t) +',` + kernel_dontaudit_read_kernel_sysctl(chromium_t) + kernel_dontaudit_read_system_state(chromium_t) + + dev_dontaudit_read_sysfs(chromium_t) + + files_dontaudit_read_etc_runtime_files(chromium_t) +') + +optional_policy(` + cups_read_config(chromium_t) + cups_stream_connect(chromium_t) +') + +optional_policy(` + dbus_all_session_bus_client(chromium_t) + dbus_system_bus_client(chromium_t) + + optional_policy(` + unconfined_dbus_chat(chromium_t) + ') + optional_policy(` + gnome_dbus_chat_all_gkeyringd(chromium_t) + ') + optional_policy(` + devicekit_dbus_chat_power(chromium_t) + ') +') + +ifdef(`use_alsa',` + optional_policy(` + alsa_domain(chromium_t, chromium_tmpfs_t) + ') + + optional_policy(` + pulseaudio_domtrans(chromium_t) + ') +') + +######################################## +# +# chromium_renderer local policy +# + +allow chromium_renderer_t self:process execmem; + +allow chromium_renderer_t self:fifo_file rw_fifo_file_perms; +allow chromium_renderer_t self:shm create_shm_perms; +allow chromium_renderer_t self:unix_dgram_socket { create read sendto }; +allow chromium_renderer_t self:unix_stream_socket { create getattr read write }; + +allow chromium_renderer_t chromium_t:fd use; +allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms; +allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms; + +dontaudit chromium_renderer_t chromium_t:dir search; # /proc/... 
access +dontaudit chromium_renderer_t self:process getsched; + +read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, chromium_xdg_config_t) + +rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t) + +dev_read_urand(chromium_renderer_t) + +files_dontaudit_list_tmp(chromium_renderer_t) +files_dontaudit_read_etc_files(chromium_renderer_t) +files_search_var(chromium_renderer_t) + +init_sigchld(chromium_renderer_t) + +miscfiles_read_localization(chromium_renderer_t) + +userdom_dontaudit_use_all_users_fds(chromium_renderer_t) +userdom_use_user_terminals(chromium_renderer_t) + +xdg_read_config_files(chromium_renderer_t) + +xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t) + +tunable_policy(`chromium_read_system_info',` + kernel_read_kernel_sysctls(chromium_renderer_t) + kernel_read_system_state(chromium_renderer_t) +',` + kernel_dontaudit_read_kernel_sysctl(chromium_renderer_t) + kernel_dontaudit_read_system_state(chromium_renderer_t) +') + +######################################### +# +# Chromium sandbox local policy +# + +allow chromium_sandbox_t self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace }; +allow chromium_sandbox_t self:process { setrlimit }; +allow chromium_sandbox_t self:unix_stream_socket create_stream_socket_perms; + +allow chromium_sandbox_t chromium_t:process { share }; +# /proc access +allow chromium_sandbox_t chromium_t:dir list_dir_perms; +allow chromium_sandbox_t chromium_t:lnk_file read_lnk_file_perms; +allow chromium_sandbox_t chromium_t:file rw_file_perms; + +allow chromium_sandbox_t chromium_t:unix_stream_socket { read write }; +allow chromium_sandbox_t chromium_t:unix_dgram_socket { read write }; + +kernel_list_proc(chromium_sandbox_t) + +domain_dontaudit_read_all_domains_state(chromium_sandbox_t) + +userdom_use_user_ptys(chromium_sandbox_t) + +chromium_domtrans(chromium_sandbox_t) + +########################################## +# +# Chromium nacl 
helper local policy +# + +allow chromium_naclhelper_t chromium_t:unix_stream_socket { read write }; + +domain_mmap_low_uncond(chromium_naclhelper_t) + +userdom_use_user_ptys(chromium_naclhelper_t) + +tunable_policy(`chromium_read_system_info',` + kernel_read_kernel_sysctls(chromium_naclhelper_t) + kernel_read_system_state(chromium_naclhelper_t) +',` + kernel_dontaudit_read_kernel_sysctl(chromium_naclhelper_t) + kernel_dontaudit_read_system_state(chromium_naclhelper_t) +') + -- 2.19.2
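Review bot: in the chromium.fc hunk, the HOME_DIR entries label both `~/.config/chromium` and `~/.config/google-chrome` (and the matching `~/.cache` paths) as chromium_xdg_config_t / chromium_xdg_cache_t, but the chromium.te hunk only carries `xdg_config_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")` and `xdg_cache_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")`. A Google Chrome build (the /opt/google/chrome* binaries labelled chromium_exec_t) that creates `google-chrome` directories on first run will therefore get the generic xdg types until a relabel; suggest adding a second pair of filetrans rules with the name "google-chrome" so the .fc and .te agree.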
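Review bot: in the chromium.if hunk, `chromium_role` lists `type chromium_exec_t;` in its gen_require but never references it (the transition comes from `chromium_domtrans($2)`), so the require can be dropped. The same interface grants `signal_perms` on chromium_t, chromium_renderer_t and chromium_naclhelper_t but not on chromium_sandbox_t, which looks like an omission given the role is also given `role $1 types chromium_sandbox_t;`. Documentation nit: the summary of `chromium_rw_tmp_pipes` reads "Chromiums' temporary fifo files"; it should be "Chromium's".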
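Review bot: in the chromium.te hunk, `files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })` omits `fifo_file` even though `manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)` is granted and the .if hunk exports `chromium_rw_tmp_pipes` for "temporary fifo files"; unless the pipes are always created inside an already-labelled chromium_tmp_t directory, a pipe created directly under /tmp will get the default tmp type and the exported interface will not cover it, so consider adding `fifo_file` to the class list. A comment would also help at `domain_dyntrans_type(chromium_t)` / `dyntrans_pattern(chromium_t, chromium_renderer_t)` explaining that renderers enter chromium_renderer_t via setcon from a forked browser process (chromium_renderer_t is a `domain_base_type` with no entrypoint), since that is the only dynamic transition in the module and a reader will otherwise wonder why no exec-based transition is used. Finally, `pulseaudio_domtrans(chromium_t)` sits inside the `ifdef(`use_alsa',` block while `pulseaudio_tmpfs_content(chromium_tmpfs_t)` in the declarations is unconditional; either both should be gated the same way or the pulseaudio optional_policy should move out of the alsa ifdef.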