Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp3875025ybv; Sun, 16 Feb 2020 07:54:37 -0800 (PST) X-Google-Smtp-Source: APXvYqyw4+Ggzncs97X8AlrSa42ZIYoT6PL92AfwnkmpSbOWy36ZHTZGgQ6GpVgQGHD+uJSsdKyA X-Received: by 2002:a05:6830:1188:: with SMTP id u8mr9326788otq.274.1581868477100; Sun, 16 Feb 2020 07:54:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581868477; cv=none; d=google.com; s=arc-20160816; b=XzFyw2mKSlpnd1JxqehAJ3IDkgytnf/qfjFHn2bHzpXP9SiuFfXOw+upxNUmQkGW5D bObXZr+yMEgfYZSt62+XieALAhMZXvBFAhE+dBg3fLZDnixpoiBXPgY+2Jv4+XU460V/ BRrmqQCwtIjf7U7THv45NoEk1+3x4WgXp63LkVA+0d/nUBrYFk265XrHbmUSss3bGnkV qNUqW8ZTUKvE896HiYdVNlpJZzd4gKttXBBlFan68waJ++/EUUGPKGs/CQKc+gSI47zh nMh6MEOvOSkOTwIS0SYPJ1ha/HGjKk9oxWMy73ee6uQqFxLg7TqrIQKDjRSvKLSNh6lv 5uOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=AyXAHmFkIJo9A7yAQguXSGCxldOKf59N6egotCEfh4A=; b=fXl14eANNFnPEN3+r8Vwo6vrtNeCGMD1rkBgEa0IpZLR9MaXyfs3CxgIVbwceCXdyw Ty1Kus9/iWWzKykVqHI+bxhkdDQ9ZjE2X2YEU3aFqTVdRzvX1snajJ/6+SpYId+qe2Br IkY13AZ/zAxDHtp097/lMyQ++pjHJfif+9hjClWtrtGwcKnkIDv4iHMIgMBE+7aF5Rgb 12h7g/wuIqBB7eP4RQ/MXji4Rm+/rTETrSVkgw++yA9MkQgL0WE9JNYgLe+x3wL/LhLU DqDbwkIWAy7PD8QcDqT9tFph0rJjETcuvpS1t0orzc7Ixu80E9ePekk/WHwQBpyjlwOq ZtBQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ieee.org header.s=google header.b="RkP/Srft"; spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a143si5355830oii.179.2020.02.16.07.54.34; Sun, 16 Feb 2020 07:54:37 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@ieee.org header.s=google header.b="RkP/Srft"; spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728361AbgBPPyb (ORCPT + 13 others); Sun, 16 Feb 2020 10:54:31 -0500 Received: from mail-qt1-f195.google.com ([209.85.160.195]:33109 "EHLO mail-qt1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728335AbgBPPya (ORCPT ); Sun, 16 Feb 2020 10:54:30 -0500 Received: by mail-qt1-f195.google.com with SMTP id d5so10458852qto.0 for ; Sun, 16 Feb 2020 07:54:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=AyXAHmFkIJo9A7yAQguXSGCxldOKf59N6egotCEfh4A=; b=RkP/SrftfT+4mq3+IokxzhAcnrCwIuWILx1jkpYpX1MaGAbhZeldi1F8NMnVRJ2CCF e/Sq94aKvXW7D5idS25mar9TDvDqilUZUTTDQwB5i6Yy+u5SACy+2ttmMqphMRwhm6Cd QfIAHHqXwR+BHbRw3G+RBa4qdPJUiWJ7h3Qyg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=AyXAHmFkIJo9A7yAQguXSGCxldOKf59N6egotCEfh4A=; b=qX7A9qV1AX1ge8dacQjA0jNQm6Gqc1KxF3XNJzjdiCr2IBQXDFhv7dn344cyJs2JpS 27uhrNe5B9RAullJLnndsfqD8KFL4X2FD0HFE4frP0HCDNgpBg64BnOQbkQgfVJxmslw ajmIrMxbySzrf1CzpzJ3uMicSP+0kc02mDLe0tDitep7ANlX5g1+Bza5hl2BGh9n6CZl RBRJu8EzUZJbjxjVqTKNgdzCi/MBSc4rLv4+XGZhZl7m3tA+GuDK3zL2N88KcEQt4kyW 6hbUDecyBILDqLwQvtX7QrFGwBKsB+NOHqBDrtWJSeR4s3RsLoQZnL+Gn3snITQzU+7C 8FnA== X-Gm-Message-State: APjAAAXzrYBU+GuKyiXRjw5dC65cnjOCfYsHWiR+AGAPohAGh4uwT1+f 4YfcOWYiQEWxtiQTOpbYw9S+Xd4KWIM= X-Received: by 2002:ac8:7217:: with SMTP id a23mr10296329qtp.241.1581868468568; Sun, 16 Feb 2020 07:54:28 -0800 (PST) Received: from fedora.pebenito.net (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247]) by smtp.gmail.com with ESMTPSA id 184sm5948495qki.92.2020.02.16.07.54.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 16 Feb 2020 07:54:28 -0800 (PST) Subject: Re: Chrome/Chromium patches To: Jason Zaman , Russell Coker Cc: "selinux-refpolicy@vger.kernel.org" References: <4241549.o4G3l8VaYd@xev> <20200216100021.GA25357@baraddur.perfinion.com> From: Chris PeBenito Message-ID: <56ad4024-71c7-30cf-eba4-997a585d07b3@ieee.org> Date: Sun, 16 Feb 2020 10:54:27 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.3.1 MIME-Version: 1.0 In-Reply-To: <20200216100021.GA25357@baraddur.perfinion.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 2/16/20 5:00 AM, Jason Zaman wrote: > On Wed, Feb 12, 2020 at 01:30:39PM +1100, Russell Coker wrote: >> The attached patch against the git refpolicy from 3 days ago makes Chrome work >> with Pulseaudio, DRI, Flash, and lots of little things. > > Flash is dead. My chrome even pops up a banner every time i start it > saying flash is disabled by default and will be completely removed in a > few months. Not sure adding the flash is worth it. Agreed. If there are any flash-specific rules, please remove them. >> Adds tunables chromium_exec_plugins and xserver_allow_dri. >> >> I think this is ready to merge with the names of the tunables and interfaces >> being the only possible changes needed. >> >> -- >> My Main Blog http://etbe.coker.com.au/ >> My Documents Blog http://doc.coker.com.au/ > >> Chromium and DRI policy >> >> Index: refpolicy-2.20200209/policy/modules/apps/chromium.te >> =================================================================== >> --- refpolicy-2.20200209.orig/policy/modules/apps/chromium.te >> +++ refpolicy-2.20200209/policy/modules/apps/chromium.te >> @@ -39,6 +39,13 @@ gen_tunable(chromium_bind_tcp_unreserved >> ## >> gen_tunable(chromium_rw_usb_dev, false) >> >> +## >> +##

>> +## Allow chromium to execute it's config (for plugins like Flash) >> +##

>> +## >> +gen_tunable(chromium_exec_plugins, false) >> + >> type chromium_t; >> domain_dyntrans_type(chromium_t) >> >> @@ -63,6 +70,9 @@ type chromium_tmpfs_t; >> userdom_user_tmpfs_file(chromium_tmpfs_t) >> optional_policy(` >> pulseaudio_tmpfs_content(chromium_tmpfs_t) >> + pulseaudio_rw_tmpfs_files(chromium_t) >> + pulseaudio_stream_connect(chromium_t) >> + pulseaudio_use_fds(chromium_t) >> ') >> >> type chromium_xdg_config_t; >> @@ -77,7 +87,9 @@ xdg_cache_content(chromium_xdg_cache_t) >> # >> >> # execmem for load in plugins >> -allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal }; >> +allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal signull }; >> +allow chromium_t self:dir { write add_name }; >> +allow chromium_t self:file create; >> allow chromium_t self:fifo_file rw_fifo_file_perms; >> allow chromium_t self:sem create_sem_perms; >> allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms; >> @@ -96,6 +108,7 @@ allow chromium_t chromium_renderer_t:uni >> >> allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write }; >> allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write }; >> +allow chromium_t chromium_sandbox_t:file read_file_perms; >> >> allow chromium_t chromium_naclhelper_t:process { share }; >> >> @@ -108,6 +121,9 @@ manage_sock_files_pattern(chromium_t, ch >> manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) >> files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file }) >> >> +# for /run/user/$UID >> +userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file }) >> + >> manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t) >> allow chromium_t chromium_tmpfs_t:file map; >> fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file) >> @@ -128,7 +144,11 @@ dyntrans_pattern(chromium_t, chromium_re >> domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t) >> domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) >> >> +# for self:file create >> +kernel_associate_proc(chromium_t) Where under /proc/self does this work? >> kernel_list_proc(chromium_t) >> +kernel_read_kernel_sysctls(chromium_t) >> kernel_read_net_sysctls(chromium_t) >> >> corecmd_exec_bin(chromium_t) >> @@ -145,6 +165,9 @@ dev_read_sound(chromium_t) >> dev_write_sound(chromium_t) >> dev_read_urand(chromium_t) >> dev_read_rand(chromium_t) >> +tunable_policy(`xserver_allow_dri', ` >> + dev_rw_dri(chromium_t) >> +') >> dev_rw_xserver_misc(chromium_t) >> dev_map_xserver_misc(chromium_t) >> >> @@ -178,14 +201,15 @@ userdom_use_user_terminals(chromium_t) >> userdom_manage_user_certs(chromium_t) >> userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki") >> >> -xdg_create_cache_dirs(chromium_t) >> -xdg_create_config_dirs(chromium_t) >> -xdg_create_data_dirs(chromium_t) >> +xdg_manage_cache(chromium_t) >> +xdg_manage_config(chromium_t) >> +xdg_manage_data(chromium_t) > > NAK. Chrome should only be able to create the base ~/.config/cache dirs, > not manage other things inside them. > The template userdom_user_content_access_template is for this exact > thing. By default chrome will have no access then the template generates > booleans the user can easily toggle to enable access. That stuff was > done specifically to confine things like browsers. > >> xdg_manage_downloads(chromium_t) >> -xdg_read_config_files(chromium_t) >> -xdg_read_data_files(chromium_t) >> >> xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t) >> +xserver_stream_connect_xdm(chromium_t) >> + >> +xserver_manage_mesa_shader_cache(chromium_t) >> >> tunable_policy(`chromium_bind_tcp_unreserved_ports',` >> corenet_tcp_bind_generic_node(chromium_t) >> @@ -198,6 +222,11 @@ tunable_policy(`chromium_rw_usb_dev',` >> udev_read_db(chromium_t) >> ') >> >> +tunable_policy(`chromium_exec_plugins',` >> + # sometimes .config/google-chrome/PepperFlash/32.0.0.142/libpepflashplayer.so gets chromium_tmp_t >> + can_exec(chromium_t, { chromium_xdg_config_t chromium_tmp_t }) >> +') >> + > > Not really sure theres much point to adding this just to remove it in 6 > months. > > >> tunable_policy(`chromium_read_system_info',` >> kernel_read_kernel_sysctls(chromium_t) >> # Memory optimizations & optimizations based on OS/version >> @@ -229,6 +258,10 @@ optional_policy(` >> ') >> >> optional_policy(` >> + networkmanager_dbus_chat(chromium_t) >> +') >> + >> +optional_policy(` >> dbus_all_session_bus_client(chromium_t) >> dbus_system_bus_client(chromium_t) >> >> @@ -241,8 +274,13 @@ optional_policy(` >> ') >> >> optional_policy(` >> + devicekit_dbus_chat_disk(chromium_t) >> devicekit_dbus_chat_power(chromium_t) >> ') >> + >> + optional_policy(` >> + systemd_dbus_chat_hostnamed(chromium_t) >> + ') >> ') >> >> optional_policy(` >> @@ -252,6 +290,10 @@ optional_policy(` >> dpkg_read_db(chromium_t) >> ') >> >> +optional_policy(` >> + ssh_dontaudit_agent_tmp(chromium_t) >> +') >> + >> ifdef(`use_alsa',` >> optional_policy(` >> alsa_domain(chromium_t, chromium_tmpfs_t) >> @@ -259,6 +301,7 @@ ifdef(`use_alsa',` >> >> optional_policy(` >> pulseaudio_domtrans(chromium_t) >> + pulseaudio_read_home(chromium_t) >> ') >> ') >> >> @@ -299,6 +342,9 @@ userdom_use_user_terminals(chromium_rend >> >> xdg_read_config_files(chromium_renderer_t) >> >> +# should we have a tunable for this? >> +xdg_read_pictures(chromium_t) > > I personally don't really want my browser to be able to access my > photos. A boolean would be good yeah. Maybe name it similar to the ones > userdom_user_content_access_template makes? > >> + >> xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t) >> >> tunable_policy(`chromium_read_system_info',` >> @@ -360,3 +406,6 @@ tunable_policy(`chromium_read_system_inf >> >> dev_read_sysfs(chromium_naclhelper_t) >> dev_read_urand(chromium_naclhelper_t) >> +kernel_list_proc(chromium_naclhelper_t) >> + >> +miscfiles_read_localization(chromium_naclhelper_t) >> Index: refpolicy-2.20200209/policy/modules/kernel/kernel.if >> =================================================================== >> --- refpolicy-2.20200209.orig/policy/modules/kernel/kernel.if >> +++ refpolicy-2.20200209/policy/modules/kernel/kernel.if >> @@ -2424,6 +2424,24 @@ interface(`kernel_rw_all_sysctls',` >> >> ######################################## >> ## >> +## Associate a file to proc_t (/proc) >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +## >> +# >> +interface(`kernel_associate_proc',` >> + gen_require(` >> + type proc_t; >> + ') >> + allow $1 proc_t:filesystem associate; >> +') >> + >> +######################################## >> +## >> ## Send a kill signal to unlabeled processes. >> ## >> ## >> Index: refpolicy-2.20200209/policy/modules/services/xserver.te >> =================================================================== >> --- refpolicy-2.20200209.orig/policy/modules/services/xserver.te >> +++ refpolicy-2.20200209/policy/modules/services/xserver.te >> @@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false) >> ## >> gen_tunable(xserver_object_manager, false) >> >> +## >> +##

>> +## Allow DRI access >> +##

>> +## >> +gen_tunable(xserver_allow_dri, false) >> + >> attribute x_domain; >> >> # X Events >> Index: refpolicy-2.20200209/policy/modules/services/xserver.if >> =================================================================== >> --- refpolicy-2.20200209.orig/policy/modules/services/xserver.if >> +++ refpolicy-2.20200209/policy/modules/services/xserver.if >> @@ -48,8 +48,9 @@ interface(`xserver_restricted_role',` >> files_search_tmp($2) >> >> # Communicate via System V shared memory. >> + allow $2 xserver_t:fd use; >> allow $2 xserver_t:shm r_shm_perms; >> - allow $2 xserver_tmpfs_t:file read_file_perms; >> + allow $2 xserver_tmpfs_t:file { map read_file_perms }; >> >> # allow ps to show iceauth >> ps_process_pattern($2, iceauth_t) >> @@ -75,10 +76,6 @@ interface(`xserver_restricted_role',` >> allow $2 xdm_tmp_t:sock_file { read write }; >> dontaudit $2 xdm_t:tcp_socket { read write }; >> >> - # Client read xserver shm >> - allow $2 xserver_t:fd use; >> - allow $2 xserver_tmpfs_t:file read_file_perms; >> - >> # Read /tmp/.X0-lock >> allow $2 xserver_tmp_t:file { getattr read }; >> >> @@ -91,6 +88,9 @@ interface(`xserver_restricted_role',` >> # open office is looking for the following >> dev_getattr_agp_dev($2) >> dev_dontaudit_rw_dri($2) >> + tunable_policy(`xserver_allow_dri',` >> + dev_rw_dri($2) >> + ') > > This whole dri thing might need to be looked at separately from this > patch. It apparently depends on the graphics driver so I used to think > it should be a boolean. But other policies just add rw_dri without a > boolean so not really sure. Personally on my machine I just add > dev_rw_dri(x_domain) and be done with it. This is a good point. If we can get some clarity that would be useful, since many things are muddy with X. >> # GNOME checks for usb and other devices: >> dev_rw_usbfs($2) >> >> @@ -1670,6 +1670,26 @@ interface(`xserver_rw_mesa_shader_cache' >> >> rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) >> rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) >> + xdg_search_cache_dirs($1) >> +') >> + >> +######################################## >> +## >> +## Manage the mesa shader cache. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`xserver_manage_mesa_shader_cache',` >> + gen_require(` >> + type mesa_shader_cache_t; >> + ') >> + >> + manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) >> + manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) >> allow $1 mesa_shader_cache_t:file map; >> >> xdg_search_cache_dirs($1) >> Index: refpolicy-2.20200209/policy/modules/apps/chromium.if >> =================================================================== >> --- refpolicy-2.20200209.orig/policy/modules/apps/chromium.if >> +++ refpolicy-2.20200209/policy/modules/apps/chromium.if >> @@ -38,7 +38,15 @@ interface(`chromium_role',` >> >> allow $2 chromium_t:process signal_perms; >> allow $2 chromium_renderer_t:process signal_perms; >> + allow $2 chromium_sandbox_t:process signal_perms; >> allow $2 chromium_naclhelper_t:process signal_perms; >> + allow chromium_t $2:process { signull signal }; >> + allow $2 chromium_t:file manage_file_perms; >> + >> + allow $2 chromium_t:unix_stream_socket connectto; >> + >> + # for /tmp/.ICE-unix/* sockets >> + allow chromium_t $2:unix_stream_socket connectto; >> >> allow chromium_sandbox_t $2:fd use; >> allow chromium_naclhelper_t $2:fd use; >> @@ -109,6 +117,7 @@ interface(`chromium_domtrans',` >> gen_require(` >> type chromium_t; >> type chromium_exec_t; >> + class dbus send_msg; >> ') >> >> corecmd_search_bin($1) >> Index: refpolicy-2.20200209/policy/modules/services/ssh.if >> =================================================================== >> --- refpolicy-2.20200209.orig/policy/modules/services/ssh.if >> +++ refpolicy-2.20200209/policy/modules/services/ssh.if >> @@ -772,3 +772,21 @@ interface(`ssh_delete_tmp',` >> files_search_tmp($1) >> delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) >> ') >> + >> +####################################### >> +## >> +## dontaudit access to ssh agent tmp dirs >> +## >> +## >> +## >> +## Domain not to audit. >> +## >> +## >> +# >> +interface(`ssh_dontaudit_agent_tmp',` >> + gen_require(` >> + type ssh_agent_tmp_t; >> + ') >> + >> + dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms; >> +') > -- Chris PeBenito