Date: Sun, 16 Feb 2020 18:00:21 +0800
From: Jason Zaman
To: Russell Coker
Cc: "selinux-refpolicy@vger.kernel.org"
Subject: Re: Chrome/Chromium patches
Message-ID: <20200216100021.GA25357@baraddur.perfinion.com>
References: <4241549.o4G3l8VaYd@xev>
In-Reply-To: <4241549.o4G3l8VaYd@xev>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Wed, Feb 12, 2020 at 01:30:39PM +1100, Russell Coker wrote:
> The attached patch against the git refpolicy from 3 days ago makes Chrome work
> with Pulseaudio, DRI, Flash, and lots of little things.

Flash is dead. My chrome even pops up a banner every time I start it saying flash is disabled by default and will be completely removed in a few months. Not sure adding the flash is worth it.

> Adds tunables chromium_exec_plugins and xserver_allow_dri.
>
> I think this is ready to merge with the names of the tunables and interfaces
> being the only possible changes needed.
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
> Chromium and DRI policy
>
> Index: refpolicy-2.20200209/policy/modules/apps/chromium.te > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/apps/chromium.te > +++ refpolicy-2.20200209/policy/modules/apps/chromium.te > @@ -39,6 +39,13 @@ gen_tunable(chromium_bind_tcp_unreserved > ## > gen_tunable(chromium_rw_usb_dev, false) > > +## > +##

> +## Allow chromium to execute it's config (for plugins like Flash) > +##

> +##
> +gen_tunable(chromium_exec_plugins, false) > + > type chromium_t; > domain_dyntrans_type(chromium_t) > > @@ -63,6 +70,9 @@ type chromium_tmpfs_t; > userdom_user_tmpfs_file(chromium_tmpfs_t) > optional_policy(` > pulseaudio_tmpfs_content(chromium_tmpfs_t) > + pulseaudio_rw_tmpfs_files(chromium_t) > + pulseaudio_stream_connect(chromium_t) > + pulseaudio_use_fds(chromium_t) > ') > > type chromium_xdg_config_t; > @@ -77,7 +87,9 @@ xdg_cache_content(chromium_xdg_cache_t) > # > > # execmem for load in plugins > -allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal }; > +allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal signull }; > +allow chromium_t self:dir { write add_name }; > +allow chromium_t self:file create; > allow chromium_t self:fifo_file rw_fifo_file_perms; > allow chromium_t self:sem create_sem_perms; > allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms; > @@ -96,6 +108,7 @@ allow chromium_t chromium_renderer_t:uni > > allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write }; > allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write }; > +allow chromium_t chromium_sandbox_t:file read_file_perms; > > allow chromium_t chromium_naclhelper_t:process { share }; > > @@ -108,6 +121,9 @@ manage_sock_files_pattern(chromium_t, ch > manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) > files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file }) > > +# for /run/user/$UID > +userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file }) > + > manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t) > allow chromium_t chromium_tmpfs_t:file map; > fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file) 
> @@ -128,7 +144,11 @@ dyntrans_pattern(chromium_t, chromium_re > domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t) > domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) > > +# for self:file create > +kernel_associate_proc(chromium_t) > + > kernel_list_proc(chromium_t) > +kernel_read_kernel_sysctls(chromium_t) > kernel_read_net_sysctls(chromium_t) > > corecmd_exec_bin(chromium_t) > @@ -145,6 +165,9 @@ dev_read_sound(chromium_t) > dev_write_sound(chromium_t) > dev_read_urand(chromium_t) > dev_read_rand(chromium_t) > +tunable_policy(`xserver_allow_dri', ` > + dev_rw_dri(chromium_t) > +') > dev_rw_xserver_misc(chromium_t) > dev_map_xserver_misc(chromium_t) > > @@ -178,14 +201,15 @@ userdom_use_user_terminals(chromium_t) > userdom_manage_user_certs(chromium_t) > userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki") > > -xdg_create_cache_dirs(chromium_t) > -xdg_create_config_dirs(chromium_t) > -xdg_create_data_dirs(chromium_t) > +xdg_manage_cache(chromium_t) > +xdg_manage_config(chromium_t) > +xdg_manage_data(chromium_t)

NAK. Chrome should only be able to create the base ~/.config/cache dirs, not manage other things inside them. The template userdom_user_content_access_template is for this exact thing. By default chrome will have no access; then the template generates booleans the user can easily toggle to enable access. That stuff was done specifically to confine things like browsers.

> xdg_manage_downloads(chromium_t) > -xdg_read_config_files(chromium_t) > -xdg_read_data_files(chromium_t) > > xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t) > +xserver_stream_connect_xdm(chromium_t) > + > +xserver_manage_mesa_shader_cache(chromium_t) > > tunable_policy(`chromium_bind_tcp_unreserved_ports',` > corenet_tcp_bind_generic_node(chromium_t)
> @@ -198,6 +222,11 @@ tunable_policy(`chromium_rw_usb_dev',` > udev_read_db(chromium_t) > ') > > +tunable_policy(`chromium_exec_plugins',` > + # sometimes .config/google-chrome/PepperFlash/32.0.0.142/libpepflashplayer.so gets chromium_tmp_t > + can_exec(chromium_t, { chromium_xdg_config_t chromium_tmp_t }) > +') > +

Not really sure there's much point to adding this just to remove it in 6 months.

> tunable_policy(`chromium_read_system_info',` > kernel_read_kernel_sysctls(chromium_t) > # Memory optimizations & optimizations based on OS/version > @@ -229,6 +258,10 @@ optional_policy(` > ') > > optional_policy(` > + networkmanager_dbus_chat(chromium_t) > +') > + > +optional_policy(` > dbus_all_session_bus_client(chromium_t) > dbus_system_bus_client(chromium_t) > > @@ -241,8 +274,13 @@ optional_policy(` > ') > > optional_policy(` > + devicekit_dbus_chat_disk(chromium_t) > devicekit_dbus_chat_power(chromium_t) > ') > + > + optional_policy(` > + systemd_dbus_chat_hostnamed(chromium_t) > + ') > ') > > optional_policy(` > @@ -252,6 +290,10 @@ optional_policy(` > dpkg_read_db(chromium_t) > ') > > +optional_policy(` > + ssh_dontaudit_agent_tmp(chromium_t) > +') > + > ifdef(`use_alsa',` > optional_policy(` > alsa_domain(chromium_t, chromium_tmpfs_t) > @@ -259,6 +301,7 @@ ifdef(`use_alsa',` > > optional_policy(` > pulseaudio_domtrans(chromium_t) > + pulseaudio_read_home(chromium_t) > ') > ') > > @@ -299,6 +342,9 @@ userdom_use_user_terminals(chromium_rend > > xdg_read_config_files(chromium_renderer_t) > > +# should we have a tunable for this? > +xdg_read_pictures(chromium_t)

I personally don't really want my browser to be able to access my photos. A boolean would be good, yeah. Maybe name it similar to the ones userdom_user_content_access_template makes?

> + > xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t) > > tunable_policy(`chromium_read_system_info',`
> @@ -360,3 +406,6 @@ tunable_policy(`chromium_read_system_inf > > dev_read_sysfs(chromium_naclhelper_t) > dev_read_urand(chromium_naclhelper_t) > +kernel_list_proc(chromium_naclhelper_t) > + > +miscfiles_read_localization(chromium_naclhelper_t) > Index: refpolicy-2.20200209/policy/modules/kernel/kernel.if > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/kernel/kernel.if > +++ refpolicy-2.20200209/policy/modules/kernel/kernel.if > @@ -2424,6 +2424,24 @@ interface(`kernel_rw_all_sysctls',` > > ######################################## > ## > +## Associate a file to proc_t (/proc) > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`kernel_associate_proc',` > + gen_require(` > + type proc_t; > + ') > + allow $1 proc_t:filesystem associate; > +') > + > +######################################## > +## > ## Send a kill signal to unlabeled processes. > ## > ## > Index: refpolicy-2.20200209/policy/modules/services/xserver.te > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/services/xserver.te > +++ refpolicy-2.20200209/policy/modules/services/xserver.te > @@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false) > ## > gen_tunable(xserver_object_manager, false) > > +## > +##

> +## Allow DRI access > +##

> +##
> +gen_tunable(xserver_allow_dri, false) > + > attribute x_domain; > > # X Events > Index: refpolicy-2.20200209/policy/modules/services/xserver.if > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/services/xserver.if > +++ refpolicy-2.20200209/policy/modules/services/xserver.if > @@ -48,8 +48,9 @@ interface(`xserver_restricted_role',` > files_search_tmp($2) > > # Communicate via System V shared memory. > + allow $2 xserver_t:fd use; > allow $2 xserver_t:shm r_shm_perms; > - allow $2 xserver_tmpfs_t:file read_file_perms; > + allow $2 xserver_tmpfs_t:file { map read_file_perms }; > > # allow ps to show iceauth > ps_process_pattern($2, iceauth_t) > @@ -75,10 +76,6 @@ interface(`xserver_restricted_role',` > allow $2 xdm_tmp_t:sock_file { read write }; > dontaudit $2 xdm_t:tcp_socket { read write }; > > - # Client read xserver shm > - allow $2 xserver_t:fd use; > - allow $2 xserver_tmpfs_t:file read_file_perms; > - > # Read /tmp/.X0-lock > allow $2 xserver_tmp_t:file { getattr read }; > > @@ -91,6 +88,9 @@ interface(`xserver_restricted_role',` > # open office is looking for the following > dev_getattr_agp_dev($2) > dev_dontaudit_rw_dri($2) > + tunable_policy(`xserver_allow_dri',` > + dev_rw_dri($2) > + ')

This whole dri thing might need to be looked at separately from this patch. It apparently depends on the graphics driver so I used to think it should be a boolean. But other policies just add rw_dri without a boolean so not really sure. Personally on my machine I just add dev_rw_dri(x_domain) and be done with it.

> # GNOME checks for usb and other devices: > dev_rw_usbfs($2)
> > @@ -1670,6 +1670,26 @@ interface(`xserver_rw_mesa_shader_cache' > > rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > + xdg_search_cache_dirs($1) > +') > + > +######################################## > +## > +## Manage the mesa shader cache. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_manage_mesa_shader_cache',` > + gen_require(` > + type mesa_shader_cache_t; > + ') > + > + manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > + manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > allow $1 mesa_shader_cache_t:file map; > > xdg_search_cache_dirs($1) > Index: refpolicy-2.20200209/policy/modules/apps/chromium.if > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/apps/chromium.if > +++ refpolicy-2.20200209/policy/modules/apps/chromium.if > @@ -38,7 +38,15 @@ interface(`chromium_role',` > > allow $2 chromium_t:process signal_perms; > allow $2 chromium_renderer_t:process signal_perms; > + allow $2 chromium_sandbox_t:process signal_perms; > allow $2 chromium_naclhelper_t:process signal_perms; > + allow chromium_t $2:process { signull signal }; > + allow $2 chromium_t:file manage_file_perms; > + > + allow $2 chromium_t:unix_stream_socket connectto; > + > + # for /tmp/.ICE-unix/* sockets > + allow chromium_t $2:unix_stream_socket connectto; > > allow chromium_sandbox_t $2:fd use; > allow chromium_naclhelper_t $2:fd use; > @@ -109,6 +117,7 @@ interface(`chromium_domtrans',` > gen_require(` > type chromium_t; > type chromium_exec_t; > + class dbus send_msg; > ') > > corecmd_search_bin($1) > Index: refpolicy-2.20200209/policy/modules/services/ssh.if > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/services/ssh.if > +++ refpolicy-2.20200209/policy/modules/services/ssh.if 
> @@ -772,3 +772,21 @@ interface(`ssh_delete_tmp',` > files_search_tmp($1) > delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) > ') > + > +####################################### > +## > +## dontaudit access to ssh agent tmp dirs > +## > +## > +## > +## Domain not to audit. > +## > +## > +# > +interface(`ssh_dontaudit_agent_tmp',` > + gen_require(` > + type ssh_agent_tmp_t; > + ') > + > + dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms; > +')
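Review bot: in the chromium.te hunk @@ -39,6 +39,13, the tunable description "Allow chromium to execute it's config (for plugins like Flash)" has "it's" where "its" is meant, and it understates what the boolean grants further down (`can_exec(chromium_t, { chromium_xdg_config_t chromium_tmp_t })`); reword it as "Allow chromium to execute files in its config and tmp directories (for plugins like Flash)" so someone toggling the boolean sees that the browser's own temp files become executable.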
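Review bot: in the chromium.te hunk @@ -63,6 +70,9, the three new `pulseaudio_*(chromium_t)` calls are placed in the type-declaration block beside `pulseaudio_tmpfs_content(chromium_tmpfs_t)`, while hunk @@ -259,6 +301,7 shows the policy section already has an `optional_policy(` block for pulseaudio (`pulseaudio_domtrans`, and the new `pulseaudio_read_home`); move `pulseaudio_rw_tmpfs_files`, `pulseaudio_stream_connect` and `pulseaudio_use_fds` into that block so the declarations section keeps only type attributes, as the rest of the file does.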
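Review bot: in the chromium.te hunk @@ -77,7 +87,9, `allow chromium_t self:dir { write add_name };` and `allow chromium_t self:file create;` (paired with `kernel_associate_proc(chromium_t)` in the next hunk) let the browser create files carrying its own domain type on /proc, but the only explanation anywhere is the comment "for self:file create", which does not say which path or syscall produced the denial; put the observed AVC (the /proc path and operation) in the comment, since without it a later reader cannot judge whether this is a real requirement or a candidate for dontaudit.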
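Review bot: `allow chromium_t chromium_sandbox_t:file read_file_perms;` in the chromium.te hunk @@ -96,6 +108,7 grants read on a domain type, i.e. the sandbox process's /proc/<pid> entries; the refpolicy idiom for that is `ps_process_pattern(chromium_t, chromium_sandbox_t)` (this same patch uses it in the xserver.if context as `ps_process_pattern($2, iceauth_t)`), which also covers the dir and lnk_file permissions a /proc read needs, so the bare file rule is likely to be followed by further denials.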
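Review bot: in the chromium.te hunk @@ -128,7 +144,11, `kernel_read_kernel_sysctls(chromium_t)` is added unconditionally, but the context of hunk @@ -198,6 +222,11 shows the identical call already inside `tunable_policy(`chromium_read_system_info',`; the unconditional line makes that tunable's rule dead and silently widens the default. Drop the new line, or, if it is needed with the boolean off, say why in a comment and remove the copy from the tunable block.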
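Review bot: the chromium.te hunk @@ -178,14 +201,15 also deletes `xdg_read_config_files(chromium_t)` and `xdg_read_data_files(chromium_t)`, which only became redundant because of the new `xdg_manage_*` calls; if the manage calls are replaced by the create-dirs interfaces plus `userdom_user_content_access_template` as the reply asks, those two read lines must come back, otherwise chromium loses read access to its own XDG config and data.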
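Review bot: in the chromium.te hunk @@ -198,6 +222,11, `can_exec(chromium_t, { chromium_xdg_config_t chromium_tmp_t })` makes the browser's own writable temp type executable, which gives up the write-versus-execute separation the policy otherwise keeps for chromium_t; the comment itself says the Flash library "sometimes ... gets chromium_tmp_t", i.e. the real problem is how that file ends up labelled, so the fix belongs in the file context or type transition for that path, not in an exec grant on chromium_tmp_t.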
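Review bot: in the kernel.if hunk @@ -2424,6 +2424,24, `kernel_associate_proc` is missing the blank line between the `gen_require(` block and the `allow $1 proc_t:filesystem associate;` rule that the other new interfaces in this patch (`xserver_manage_mesa_shader_cache`, `ssh_dontaudit_agent_tmp`) have; also worth a sentence in the summary that `$1` is a domain type here, because `filesystem associate` on proc_t for a domain only makes sense for files labelled with that domain under /proc.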
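Review bot: in the xserver.if hunk @@ -1670,6 +1670,26, the new `xserver_manage_mesa_shader_cache` interface is inserted before the existing `allow $1 mesa_shader_cache_t:file map;` and `xdg_search_cache_dirs($1)` context lines, so those two lines now belong to the new interface and `xserver_rw_mesa_shader_cache` is closed right after its new `xdg_search_cache_dirs($1)` without the `map` rule; every existing caller of the rw interface loses `map` on the shader cache. Add `allow $1 mesa_shader_cache_t:file map;` back before the `')` that closes `xserver_rw_mesa_shader_cache`.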
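Review bot: in the chromium.if hunk @@ -38,7 +38,15, `allow $2 chromium_t:file manage_file_perms;` lets the user domain create, write and unlink files labelled chromium_t, which for a domain type means the browser's /proc/<pid> entries; reading them is what a user normally needs (`ps_process_pattern($2, chromium_t)`), and anything beyond read deserves a comment naming the operation. The reverse rules `allow chromium_t $2:process { signull signal };` and `allow chromium_t $2:unix_stream_socket connectto;` let the browser signal and connect to the user's other processes; only the second has a comment (`# for /tmp/.ICE-unix/* sockets`), so either explain why the browser must signal the user domain or drop that line.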
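Review bot: in the chromium.if hunk @@ -109,6 +117,7, the `gen_require` of `chromium_domtrans` gains `class dbus send_msg;` but no rule in the hunk uses it; if a dbus rule was added beyond the context it should sit in an `optional_policy(` block that requires the dbus module, and if not, the require is dead and should be removed.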
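Review bot: in the ssh.if hunk @@ -772,3 +772,21, the summary "dontaudit access to ssh agent tmp dirs" promises more than the body, which only suppresses `list_dir_perms` on `ssh_agent_tmp_t` directories; say "directory listing" in the summary so callers in chromium.te know that reads of the agent socket itself are still audited, and check the `#` separator line above it, which appears one character shorter than the other interface headers in this patch.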