Subject: Re: [PATCH 5/5] Add chromium policy upstreamed from Gentoo
To: Jason Zaman, selinux-refpolicy@vger.kernel.org
References: <20190112080344.10031-1-jason@perfinion.com> <20190112080344.10031-5-jason@perfinion.com>
From: Chris PeBenito
Date: Wed, 23 Jan 2019 18:49:16 -0500
In-Reply-To: <20190112080344.10031-5-jason@perfinion.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/12/19 3:03 AM, Jason Zaman wrote:
> Signed-off-by: Jason Zaman > --- > policy/modules/apps/chromium.fc | 31 +++ > policy/modules/apps/chromium.if | 139 +++++++++++++ > policy/modules/apps/chromium.te | 342 ++++++++++++++++++++++++++++++++ > 3 files changed, 512 insertions(+) > create mode 100644 policy/modules/apps/chromium.fc > create mode 100644 policy/modules/apps/chromium.if > create mode 100644 policy/modules/apps/chromium.te > > diff --git a/policy/modules/apps/chromium.fc b/policy/modules/apps/chromium.fc > new file mode 100644 > index 00000000..534235dc > --- /dev/null > +++ b/policy/modules/apps/chromium.fc 
> @@ -0,0 +1,31 @@ > +/opt/google/chrome/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) > +/opt/google/chrome/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) > +/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) > +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) > +/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) > +/opt/google/chrome/libudev.so.0 gen_context(system_u:object_r:lib_t,s0) > + > +/opt/google/chrome-beta/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) > +/opt/google/chrome-beta/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) > +/opt/google/chrome-beta/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) > +/opt/google/chrome-beta/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) > +/opt/google/chrome-beta/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) > +/opt/google/chrome-beta/libudev.so.0 gen_context(system_u:object_r:lib_t,s0) > + > +/opt/google/chrome-unstable/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) > +/opt/google/chrome-unstable/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) > +/opt/google/chrome-unstable/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) > +/opt/google/chrome-unstable/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) > +/opt/google/chrome-unstable/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) > +/opt/google/chrome-unstable/libudev.so.0 gen_context(system_u:object_r:lib_t,s0) > + > +/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) > +/usr/lib/chromium-browser/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) > 
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) > +/usr/lib/chromium-browser/chromium-launcher\.sh -- gen_context(system_u:object_r:chromium_exec_t,s0) > +/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) > + > +HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0) > +HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0) > +HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_config_t,s0) > +HOME_DIR/\.config/google-chrome(/.*)? gen_context(system_u:object_r:chromium_xdg_config_t,s0) > diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if > new file mode 100644 > index 00000000..26eb0259 > --- /dev/null > +++ b/policy/modules/apps/chromium.if 
> @@ -0,0 +1,139 @@ > +## > +## Chromium browser > +## > + > +####################################### > +## > +## Role access for chromium > +## > +## > +## > +## Role allowed access > +## > +## > +## > +## > +## User domain for the role > +## > +## > +# > +interface(`chromium_role',` > + gen_require(` > + type chromium_t; > + type chromium_renderer_t; > + type chromium_sandbox_t; > + type chromium_naclhelper_t; > + type chromium_exec_t; > + ') > + > + role $1 types chromium_t; > + role $1 types chromium_renderer_t; > + role $1 types chromium_sandbox_t; > + role $1 types chromium_naclhelper_t; > + > + # Transition from the user domain to the derived domain > + chromium_domtrans($2) > + > + # Allow ps to show chromium processes and allow the user to signal it > + ps_process_pattern($2, chromium_t) > + ps_process_pattern($2, chromium_renderer_t) > + > + allow $2 chromium_t:process signal_perms; > + allow $2 chromium_renderer_t:process signal_perms; > + allow $2 chromium_naclhelper_t:process signal_perms; > + > + allow chromium_sandbox_t $2:fd use; > + allow chromium_naclhelper_t $2:fd use; > +') > + > +####################################### > +## > +## Read-write access to Chromiums' temporary fifo files > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`chromium_rw_tmp_pipes',` > + gen_require(` > + type chromium_tmp_t; > + ') > + > + rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t) > +') > + > +############################################## > +## > +## Automatically use the specified type for resources created in chromium's > +## temporary locations > +## > +## > +## > +## Domain that creates the resource(s) > +## > +## > +## > +## > +## Type of the resource created > +## > +## > +## > +## > +## The name of the resource being created > +## > +## > +# > +interface(`chromium_tmp_filetrans',` > + gen_require(` > + type chromium_tmp_t; > + ') > + > + search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t) > + filetrans_pattern($1, 
chromium_tmp_t, $2, $3, $4) > +') > + > +####################################### > +## > +## Execute a domain transition to the chromium domain (chromium_t) > +## > +## > +## > +## Domain allowed access > +## > +## > +# > +interface(`chromium_domtrans',` > + gen_require(` > + type chromium_t; > + type chromium_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, chromium_exec_t, chromium_t) > +') > + > +####################################### > +## > +## Execute chromium in the chromium domain and allow the specified role to access the chromium domain > +## > +## > +## > +## Domain allowed access > +## > +## > +## > +## > +## Role allowed access > +## > +## > +# > +interface(`chromium_run',` > + gen_require(` > + type chromium_t; > + ') > + > + chromium_domtrans($1) > + role $2 types chromium_t; > +') > diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te > new file mode 100644 > index 00000000..5219cb87 > --- /dev/null > +++ b/policy/modules/apps/chromium.te > @@ -0,0 +1,342 @@ > +policy_module(chromium, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +## > +##

> +## Allow chromium to read system information > +##

> +##

> +## Although not needed for regular browsing, this will allow chromium to update > +## its own memory consumption based on system state, support additional > +## debugging, detect specific devices, etc. > +##

> +##
> +gen_tunable(chromium_read_system_info, false) > + > +## > +##

> +## Allow chromium to bind to tcp ports > +##

> +##

> +## Although not needed for regular browsing, some chrome extensions need to > +## bind to tcp ports and accept connections. > +##

> +##
> +gen_tunable(chromium_bind_tcp_unreserved_ports, false) > + > +## > +##

> +## Allow chromium to read/write USB devices > +##

> +##

> +## Although not needed for regular browsing, used for debugging over usb > +## or using FIDO U2F tokens. > +##

> +##
> +gen_tunable(chromium_rw_usb_dev, false) > + > +type chromium_t; > +domain_dyntrans_type(chromium_t) > + > +type chromium_exec_t; > +application_domain(chromium_t, chromium_exec_t) > + > +type chromium_naclhelper_t; > +type chromium_naclhelper_exec_t; > +application_domain(chromium_naclhelper_t, chromium_naclhelper_exec_t) > + > +type chromium_sandbox_t; > +type chromium_sandbox_exec_t; > +application_domain(chromium_sandbox_t, chromium_sandbox_exec_t) > + > +type chromium_renderer_t; > +domain_base_type(chromium_renderer_t) > + > +type chromium_tmp_t; > +userdom_user_tmp_file(chromium_tmp_t) > + > +type chromium_tmpfs_t; > +userdom_user_tmpfs_file(chromium_tmpfs_t) > +optional_policy(` > + pulseaudio_tmpfs_content(chromium_tmpfs_t) > +') > + > +type chromium_xdg_config_t; > +xdg_config_content(chromium_xdg_config_t) > + > +type chromium_xdg_cache_t; > +xdg_cache_content(chromium_xdg_cache_t) > + > + > + > +######################################## > +# > +# chromium local policy > +# > + > +# execmem for load in plugins > +allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal }; > +allow chromium_t self:fifo_file rw_fifo_file_perms; > +allow chromium_t self:sem create_sem_perms; > +allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms; > +# cap_userns sys_admin for the sandbox > +allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace }; > + > +allow chromium_t chromium_exec_t:file execute_no_trans; > + > +allow chromium_t chromium_renderer_t:dir list_dir_perms; > +allow chromium_t chromium_renderer_t:file rw_file_perms; > +allow chromium_t chromium_renderer_t:fd use; > +allow chromium_t chromium_renderer_t:process signal_perms; > +allow chromium_t chromium_renderer_t:shm rw_shm_perms; > +allow chromium_t chromium_renderer_t:unix_dgram_socket { read write }; > +allow chromium_t chromium_renderer_t:unix_stream_socket { read write }; > + > +allow chromium_t 
chromium_sandbox_t:unix_dgram_socket { read write }; > +allow chromium_t chromium_sandbox_t:unix_stream_socket { read write }; > + > +allow chromium_t chromium_naclhelper_t:process { share }; > + > +# tmp has a wide class access (used for plugins) > +manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) > +allow chromium_t chromium_tmp_t:file map; > +manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) > +manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) > +manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) > +manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) > +files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file }) > + > +manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t) > +allow chromium_t chromium_tmpfs_t:file map; > +fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file) > +fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file) > + > +manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t) > +allow chromium_t chromium_xdg_config_t:file map; > +manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t) > +manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t) > +xdg_config_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium") > + > +manage_files_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t) > +allow chromium_t chromium_xdg_cache_t:file map; > +manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t) > +xdg_cache_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium") > + > +dyntrans_pattern(chromium_t, chromium_renderer_t) > +domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t) > +domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) > + > +kernel_list_proc(chromium_t) > +kernel_read_net_sysctls(chromium_t) > + > +corecmd_exec_bin(chromium_t) > +# Look for /etc/gentoo-release 
through a shell invocation running find > +corecmd_exec_shell(chromium_t) > + > +corenet_tcp_connect_all_unreserved_ports(chromium_t) > +corenet_tcp_connect_ftp_port(chromium_t) > +corenet_tcp_connect_http_port(chromium_t) > +corenet_udp_bind_generic_node(chromium_t) > +corenet_udp_bind_all_unreserved_ports(chromium_t) > + > +dev_read_sound(chromium_t) > +dev_write_sound(chromium_t) > +dev_read_urand(chromium_t) > +dev_read_rand(chromium_t) > +dev_rw_xserver_misc(chromium_t) > +dev_map_xserver_misc(chromium_t) > + > +domain_dontaudit_search_all_domains_state(chromium_t) > + > +files_list_home(chromium_t) > +files_search_home(chromium_t) > +files_read_usr_files(chromium_t) > +files_map_usr_files(chromium_t) > +files_read_etc_files(chromium_t) > +# During find for /etc/whatever-release we get lots of output otherwise > +files_dontaudit_getattr_all_dirs(chromium_t) > + > +fs_dontaudit_getattr_xattr_fs(chromium_t) > + > +miscfiles_read_all_certs(chromium_t) > +miscfiles_read_localization(chromium_t) > + > +sysnet_dns_name_resolve(chromium_t) > + > +userdom_user_content_access_template(chromium, chromium_t) > +userdom_dontaudit_list_user_home_dirs(chromium_t) > +# Debugging. 
Also on user_tty_device_t if X is started through "startx" for instance > +userdom_use_user_terminals(chromium_t) > +userdom_manage_user_certs(chromium_t) > +userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki") > + > +xdg_create_cache_dirs(chromium_t) > +xdg_create_config_dirs(chromium_t) > +xdg_create_data_dirs(chromium_t) > +xdg_manage_downloads(chromium_t) > +xdg_read_config_files(chromium_t) > +xdg_read_data_files(chromium_t) > + > +xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t) > + > +tunable_policy(`chromium_bind_tcp_unreserved_ports',` > + corenet_tcp_bind_generic_node(chromium_t) > + corenet_tcp_bind_all_unreserved_ports(chromium_t) > + allow chromium_t self:tcp_socket { listen accept }; > +') > + > +tunable_policy(`chromium_rw_usb_dev',` > + dev_rw_generic_usb_dev(chromium_t) > + udev_read_db(chromium_t) > +') > + > +tunable_policy(`chromium_read_system_info',` > + kernel_read_kernel_sysctls(chromium_t) > + # Memory optimizations & optimizations based on OS/version > + kernel_read_system_state(chromium_t) > + > + # Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices). 
> + dev_read_sysfs(chromium_t) > + > + storage_getattr_fixed_disk_dev(chromium_t) > + > + files_read_etc_runtime_files(chromium_t) > + > + dev_dontaudit_getattr_all_chr_files(chromium_t) > + init_dontaudit_getattr_initctl(chromium_t) > +',` > + kernel_dontaudit_read_kernel_sysctl(chromium_t) > + kernel_dontaudit_read_system_state(chromium_t) > + > + dev_dontaudit_read_sysfs(chromium_t) > + > + files_dontaudit_read_etc_runtime_files(chromium_t) > +') > + > +optional_policy(` > + cups_read_config(chromium_t) > + cups_stream_connect(chromium_t) > +') > + > +optional_policy(` > + dbus_all_session_bus_client(chromium_t) > + dbus_system_bus_client(chromium_t) > + > + optional_policy(` > + unconfined_dbus_chat(chromium_t) > + ') > + optional_policy(` > + gnome_dbus_chat_all_gkeyringd(chromium_t) > + ') > + optional_policy(` > + devicekit_dbus_chat_power(chromium_t) > + ') > +') > + > +ifdef(`use_alsa',` > + optional_policy(` > + alsa_domain(chromium_t, chromium_tmpfs_t) > + ') > + > + optional_policy(` > + pulseaudio_domtrans(chromium_t) > + ') > +') > + > +######################################## > +# > +# chromium_renderer local policy > +# > + > +allow chromium_renderer_t self:process execmem; > + > +allow chromium_renderer_t self:fifo_file rw_fifo_file_perms; > +allow chromium_renderer_t self:shm create_shm_perms; > +allow chromium_renderer_t self:unix_dgram_socket { create read sendto }; > +allow chromium_renderer_t self:unix_stream_socket { create getattr read write }; > + > +allow chromium_renderer_t chromium_t:fd use; > +allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms; > +allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms; > + > +dontaudit chromium_renderer_t chromium_t:dir search; # /proc/... 
access > +dontaudit chromium_renderer_t self:process getsched; > + > +read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, chromium_xdg_config_t) > + > +rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t) > + > +dev_read_urand(chromium_renderer_t) > + > +files_dontaudit_list_tmp(chromium_renderer_t) > +files_dontaudit_read_etc_files(chromium_renderer_t) > +files_search_var(chromium_renderer_t) > + > +init_sigchld(chromium_renderer_t) > + > +miscfiles_read_localization(chromium_renderer_t) > + > +userdom_dontaudit_use_all_users_fds(chromium_renderer_t) > +userdom_use_user_terminals(chromium_renderer_t) > + > +xdg_read_config_files(chromium_renderer_t) > + > +xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t) > + > +tunable_policy(`chromium_read_system_info',` > + kernel_read_kernel_sysctls(chromium_renderer_t) > + kernel_read_system_state(chromium_renderer_t) > +',` > + kernel_dontaudit_read_kernel_sysctl(chromium_renderer_t) > + kernel_dontaudit_read_system_state(chromium_renderer_t) > +') > + > +######################################### > +# > +# Chromium sandbox local policy > +# > + > +allow chromium_sandbox_t self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace }; > +allow chromium_sandbox_t self:process { setrlimit }; > +allow chromium_sandbox_t self:unix_stream_socket create_stream_socket_perms; > + > +allow chromium_sandbox_t chromium_t:process { share }; > +# /proc access > +allow chromium_sandbox_t chromium_t:dir list_dir_perms; > +allow chromium_sandbox_t chromium_t:lnk_file read_lnk_file_perms; > +allow chromium_sandbox_t chromium_t:file rw_file_perms; > + > +allow chromium_sandbox_t chromium_t:unix_stream_socket { read write }; > +allow chromium_sandbox_t chromium_t:unix_dgram_socket { read write }; > + > +kernel_list_proc(chromium_sandbox_t) > + > +domain_dontaudit_read_all_domains_state(chromium_sandbox_t) > + > +userdom_use_user_ptys(chromium_sandbox_t) 
> + > +chromium_domtrans(chromium_sandbox_t) > + > +########################################## > +# > +# Chromium nacl helper local policy > +# > + > +allow chromium_naclhelper_t chromium_t:unix_stream_socket { read write }; > + > +domain_mmap_low_uncond(chromium_naclhelper_t) > + > +userdom_use_user_ptys(chromium_naclhelper_t) > + > +tunable_policy(`chromium_read_system_info',` > + kernel_read_kernel_sysctls(chromium_naclhelper_t) > + kernel_read_system_state(chromium_naclhelper_t) > +',` > + kernel_dontaudit_read_kernel_sysctl(chromium_naclhelper_t) > + kernel_dontaudit_read_system_state(chromium_naclhelper_t) > +') > + This set is merged. -- Chris PeBenito
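Review bot: In the chromium.fc hunk, the three `libudev.so.0` entries (`/opt/google/chrome/libudev.so.0` and the `chrome-beta` and `chrome-unstable` copies) leave their dots unescaped, while `chromium-launcher\.sh` in the same file escapes its dot; file context paths are regexes, so write `libudev\.so\.0` so the entry matches only that file name and stays consistent with the rest of the file.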
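Review bot: In the chromium.if hunk, chromium_role treats the four domains it assigns to the role inconsistently: `ps_process_pattern($2, …)` is given for chromium_t and chromium_renderer_t only, and `signal_perms` for chromium_t, chromium_renderer_t and chromium_naclhelper_t but not chromium_sandbox_t, so the user can list and signal a renderer but not see or kill a stuck sandbox or nacl helper. Either add `ps_process_pattern($2, chromium_sandbox_t)`, `ps_process_pattern($2, chromium_naclhelper_t)` and `allow $2 chromium_sandbox_t:process signal_perms;`, or leave a comment saying why those two are excluded. Separately, chromium_run only does `chromium_domtrans($1)` and `role $2 types chromium_t;`, yet chromium.te dyntrans-es chromium_t into chromium_renderer_t and domtrans-es it into chromium_sandbox_t and chromium_naclhelper_t, all of which need the same role authorized for the target type for the resulting context to be valid; a caller that uses chromium_run instead of chromium_role gets a chromium_t whose child-domain transitions fail. Either add the three missing `role $2 types …` lines to chromium_run or document that chromium_role is the only supported entry point.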
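Review bot: In the chromium.te hunk, `fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)` is placed in the chromium_t local policy section and cannot take effect as written: the only rule the renderer section gives on that type is `allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;`, which lacks `create`, so no file the renderer creates on tmpfs can receive the transition. Either move the line into the chromium_renderer section and grant create there (for example `manage_files_pattern(chromium_renderer_t, chromium_tmpfs_t, chromium_tmpfs_t)` if it really creates shared-memory files itself), or drop it if the browser process creates the segments and passes descriptors. Two smaller points in the same hunk: the name transitions `xdg_config_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")` and `xdg_cache_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")` only cover the "chromium" directory name, while chromium.fc labels `HOME_DIR/\.config/google-chrome(/.*)?` and `HOME_DIR/\.cache/google-chrome(/.*)?` with the same types, so a first run of Google Chrome creates those directories with the generic xdg types until a relabel; adding a second filetrans for "google-chrome" closes that gap. And `corenet_udp_bind_generic_node(chromium_t)` plus `corenet_udp_bind_all_unreserved_ports(chromium_t)` are unconditional, whereas the equivalent TCP bind is behind `chromium_bind_tcp_unreserved_ports`; if the UDP bind is needed for normal browsing, say so in a comment next to it, otherwise gate it behind a tunable the same way.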