Subject: Re: another chromium patch
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
Message-ID: <8f77b264-331a-4485-3238-2f0f21fe07ec@ieee.org>
Date: Tue, 14 Apr 2020 10:40:05 -0400
In-Reply-To: <20200410062034.GA61188@xev>

On 4/10/20 2:20 AM, Russell Coker wrote: > I removed all the controversial stuff so I think this is ready for inclusion. > > Signed-off-by: Russell Coker > > Chromium policy tweaks and DRI policy > > Index: refpolicy-2.20200410/policy/modules/apps/chromium.te > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/apps/chromium.te > +++ refpolicy-2.20200410/policy/modules/apps/chromium.te
> @@ -63,6 +63,9 @@ type chromium_tmpfs_t; > userdom_user_tmpfs_file(chromium_tmpfs_t) > optional_policy(` > pulseaudio_tmpfs_content(chromium_tmpfs_t) > + pulseaudio_rw_tmpfs_files(chromium_t) > + pulseaudio_stream_connect(chromium_t) > + pulseaudio_use_fds(chromium_t) > ') > > type chromium_xdg_config_t; > @@ -96,6 +99,7 @@ allow chromium_t chromium_renderer_t:uni > > allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write }; > allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write }; > +allow chromium_t chromium_sandbox_t:file read_file_perms; > > allow chromium_t chromium_naclhelper_t:process { share }; > > @@ -108,6 +112,9 @@ manage_sock_files_pattern(chromium_t, ch > manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) > files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file }) > > +# for /run/user/$UID > +userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file }) > + > manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t) > allow chromium_t chromium_tmpfs_t:file map; > fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file) > @@ -129,6 +136,8 @@ domtrans_pattern(chromium_t, chromium_sa > domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) > > kernel_list_proc(chromium_t) > +kernel_read_fs_sysctls(chromium_t) > +kernel_read_kernel_sysctls(chromium_t) > kernel_read_net_sysctls(chromium_t) > > corecmd_exec_bin(chromium_t) > @@ -145,6 +154,9 @@ dev_read_sound(chromium_t) > dev_write_sound(chromium_t) > dev_read_urand(chromium_t) > dev_read_rand(chromium_t) > +tunable_policy(`xserver_allow_dri', ` > + dev_rw_dri(chromium_t) > +') Seems that this would be a chromium tunable. It should also move down with the other tunables, in order of the tunable name. > dev_rw_xserver_misc(chromium_t) > dev_map_xserver_misc(chromium_t) 
> > @@ -187,6 +199,9 @@ xdg_read_config_files(chromium_t) > xdg_read_data_files(chromium_t) > > xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t) > +xserver_stream_connect_xdm(chromium_t) > + > +xserver_manage_mesa_shader_cache(chromium_t) > > tunable_policy(`chromium_bind_tcp_unreserved_ports',` > corenet_tcp_bind_generic_node(chromium_t) > @@ -230,6 +245,10 @@ optional_policy(` > ') > > optional_policy(` > + networkmanager_dbus_chat(chromium_t) > +') Should move down after the dpkg optional. > +optional_policy(` > dbus_all_session_bus_client(chromium_t) > dbus_system_bus_client(chromium_t) > > @@ -242,8 +261,13 @@ optional_policy(` > ') > > optional_policy(` > + devicekit_dbus_chat_disk(chromium_t) > devicekit_dbus_chat_power(chromium_t) > ') > + > + optional_policy(` > + systemd_dbus_chat_hostnamed(chromium_t) > + ') > ') > > optional_policy(` > @@ -253,6 +277,10 @@ optional_policy(` > dpkg_read_db(chromium_t) > ') > > +optional_policy(` > + ssh_dontaudit_agent_tmp(chromium_t) > +') > + > ifdef(`use_alsa',` > optional_policy(` > alsa_domain(chromium_t, chromium_tmpfs_t) > @@ -260,6 +288,7 @@ ifdef(`use_alsa',` > > optional_policy(` > pulseaudio_domtrans(chromium_t) > + pulseaudio_read_home(chromium_t) > ') > ') > @@ -361,3 +390,6 @@ tunable_policy(`chromium_read_system_inf > > dev_read_sysfs(chromium_naclhelper_t) > dev_read_urand(chromium_naclhelper_t) > +kernel_list_proc(chromium_naclhelper_t) > + > +miscfiles_read_localization(chromium_naclhelper_t) > Index: refpolicy-2.20200410/policy/modules/services/xserver.te > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/services/xserver.te > +++ refpolicy-2.20200410/policy/modules/services/xserver.te > @@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false) > ## > gen_tunable(xserver_object_manager, false) > > +## > +##

> +## Allow DRI access > +##

> +##
> +gen_tunable(xserver_allow_dri, false) > + > attribute x_domain; > > # X Events > Index: refpolicy-2.20200410/policy/modules/services/xserver.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/services/xserver.if > +++ refpolicy-2.20200410/policy/modules/services/xserver.if > @@ -48,8 +48,9 @@ interface(`xserver_restricted_role',` > files_search_tmp($2) > > # Communicate via System V shared memory. > + allow $2 xserver_t:fd use; > allow $2 xserver_t:shm r_shm_perms; > - allow $2 xserver_tmpfs_t:file read_file_perms; > + allow $2 xserver_tmpfs_t:file { map read_file_perms }; > > # allow ps to show iceauth > ps_process_pattern($2, iceauth_t) > @@ -75,10 +76,6 @@ interface(`xserver_restricted_role',` > allow $2 xdm_tmp_t:sock_file { read write }; > dontaudit $2 xdm_t:tcp_socket { read write }; > > - # Client read xserver shm > - allow $2 xserver_t:fd use; > - allow $2 xserver_tmpfs_t:file read_file_perms; When did this need drop from xorg? > # Read /tmp/.X0-lock > allow $2 xserver_tmp_t:file { getattr read }; > > @@ -91,6 +88,9 @@ interface(`xserver_restricted_role',` > # open office is looking for the following > dev_getattr_agp_dev($2) > dev_dontaudit_rw_dri($2) > + tunable_policy(`xserver_allow_dri',` > + dev_rw_dri($2) > + ') Should go at the bottom of the interface. > # GNOME checks for usb and other devices: > dev_rw_usbfs($2) 
> > @@ -1670,6 +1670,26 @@ interface(`xserver_rw_mesa_shader_cache' > > rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > + xdg_search_cache_dirs($1) > +') > + > +######################################## > +## > +## Manage the mesa shader cache. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_manage_mesa_shader_cache',` > + gen_require(` > + type mesa_shader_cache_t; > + ') > + > + manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > + manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > allow $1 mesa_shader_cache_t:file map; > > xdg_search_cache_dirs($1) > Index: refpolicy-2.20200410/policy/modules/apps/chromium.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/apps/chromium.if > +++ refpolicy-2.20200410/policy/modules/apps/chromium.if > @@ -38,7 +38,15 @@ interface(`chromium_role',` > > allow $2 chromium_t:process signal_perms; > allow $2 chromium_renderer_t:process signal_perms; > + allow $2 chromium_sandbox_t:process signal_perms; > allow $2 chromium_naclhelper_t:process signal_perms; > + allow chromium_t $2:process { signull signal }; > + allow $2 chromium_t:file manage_file_perms; > + > + allow $2 chromium_t:unix_stream_socket connectto; > + > + # for /tmp/.ICE-unix/* sockets > + allow chromium_t $2:unix_stream_socket connectto; > > allow chromium_sandbox_t $2:fd use; > allow chromium_naclhelper_t $2:fd use; > @@ -109,6 +117,7 @@ interface(`chromium_domtrans',` > gen_require(` > type chromium_t; > type chromium_exec_t; > + class dbus send_msg; > ') > > corecmd_search_bin($1) > Index: refpolicy-2.20200410/policy/modules/services/ssh.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/services/ssh.if > +++ refpolicy-2.20200410/policy/modules/services/ssh.if 
> @@ -772,3 +772,21 @@ interface(`ssh_delete_tmp',` > files_search_tmp($1) > delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) > ') > + > +####################################### > +## > +## dontaudit access to ssh agent tmp dirs > +## > +## > +## > +## Domain not to audit. > +## > +## > +# > +interface(`ssh_dontaudit_agent_tmp',` > + gen_require(` > + type ssh_agent_tmp_t; > + ') > + > + dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms; > +') > -- Chris PeBenito
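Review bot: In the first chromium.te hunk (`@@ -63,6 +63,9 @@`), `pulseaudio_rw_tmpfs_files(chromium_t)`, `pulseaudio_stream_connect(chromium_t)` and `pulseaudio_use_fds(chromium_t)` are added to the optional_policy block that sits next to `type chromium_tmpfs_t;` in the declarations section, whose existing call `pulseaudio_tmpfs_content(chromium_tmpfs_t)` only labels a type. Rules for chromium_t belong in the policy rules section; the pulseaudio optional_policy that already holds `pulseaudio_domtrans(chromium_t)` (and now `pulseaudio_read_home`) is the natural place for them.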
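Review bot: The new `allow chromium_t chromium_sandbox_t:file read_file_perms;` in the chromium.te hunk at `@@ -96,6 +99,7 @@` carries no comment saying what is read. chromium_sandbox_t is a process domain, so the file class here means that process's /proc/<pid> entries rather than a file type on disk; please add a one-line comment naming the path behind the denial, and if /proc/<pid> is the target, `ps_process_pattern(chromium_t, chromium_sandbox_t)` (the form xserver.if uses for iceauth) states the intent more clearly.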
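Review bot: In the chromium.te hunk at `@@ -230,6 +245,10 @@`, `networkmanager_dbus_chat(chromium_t)` lands in a standalone optional_policy placed ahead of the block that calls `dbus_all_session_bus_client` and `dbus_system_bus_client`, while the other chat rules this patch adds (`devicekit_dbus_chat_disk`, `systemd_dbus_chat_hostnamed`) are nested inside that dbus block. Nesting the networkmanager call inside the dbus optional_policy, in name order with the other chat rules, keeps the module's convention and also resolves the position comment above.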
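Review bot: Across the two xserver_restricted_role hunks in xserver.if, the lines removed under `# Client read xserver shm` (`allow $2 xserver_t:fd use;` and `allow $2 xserver_tmpfs_t:file read_file_perms;`) are re-added in the earlier hunk beside the System V shm comment, with the second widened to `{ map read_file_perms }`, so the net effect is a deduplication plus a new map permission, not a dropped rule. The commit message should say so, and a comment on which client now needs map on xserver_tmpfs_t would answer the question raised above.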
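Review bot: The xserver.if hunk at `@@ -1670,6 +1670,26 @@` changes the behaviour of the existing xserver_rw_mesa_shader_cache interface: the added `+ xdg_search_cache_dirs($1)` and `+')` close it directly after `rw_files_pattern`, and the unchanged context lines `allow $1 mesa_shader_cache_t:file map;` and `xdg_search_cache_dirs($1)` now form the tail of the new xserver_manage_mesa_shader_cache interface instead. Every current caller of the rw interface therefore loses `file map` on mesa_shader_cache_t and will fail when mesa mmaps its cache files. Keep the map rule in the rw interface (or have the manage interface call the rw one) and state the split in the commit message.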
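Review bot: In the chromium_role hunk of chromium.if, `allow $2 chromium_t:file manage_file_perms;` grants create, write and unlink on chromium_t:file, which for a domain type is the process's /proc/<pid> entries, where manage permissions have no meaning; if the aim is to let the user domain inspect the browser process, `read_file_perms` is the narrower rule. The new `allow chromium_t $2:process { signull signal };` and `allow $2 chromium_t:unix_stream_socket connectto;` also need comments, since only the reverse connectto rule is explained by `# for /tmp/.ICE-unix/* sockets`.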
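Review bot: The chromium_domtrans hunk (`@@ -109,6 +117,7 @@`) adds `class dbus send_msg;` to the gen_require block, but no rule in the hunk uses the dbus class. If a send_msg rule for this interface was intended, it is missing from the diff; otherwise the require should be dropped, as an unused class require only adds a dependency.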
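Review bot: The summary of the new ssh_dontaudit_agent_tmp interface in ssh.if reads `dontaudit access to ssh agent tmp dirs`; interface summaries in refpolicy are sentences, and the rule only suppresses `ssh_agent_tmp_t:dir list_dir_perms`, so a summary such as "Do not audit attempts to list ssh agent temporary directories." matches the surrounding style and describes what is actually silenced.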