Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp3028817pxb; Tue, 12 Jan 2021 04:44:52 -0800 (PST) X-Google-Smtp-Source: ABdhPJx6t5doL83EFwVWmDrC7sTEeWe1wGv+9g/RYWyCtB0WDVwKwqa1RLx8Sw+1Oko9chBpizEJ X-Received: by 2002:a05:6402:2694:: with SMTP id w20mr610464edd.200.1610455492807; Tue, 12 Jan 2021 04:44:52 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610455492; cv=none; d=google.com; s=arc-20160816; b=P/rtnktWkZoyuuSJICLzxb0IChY7ok2QPuF6JQZSMdYccZYWFF4YHQ5cEk+Hcosovf 3awv7KVAfQAtbpngSLIVDNVJdusYbmsNhJnQnRQitQymd0txDJAqevczNi34fmFsKkXB mD5jk0b0OTFje2CpXdrf3Nw4XxRlxv/wUwC5FL7NFFTqsMAd6fcquEKCFD5xsd5iR9JW ZFgKAQfJI0HwAgYKmyO0i4s5yV0JeaGxeeAeiGLQprOG+Q4ry5Nn+q7ITnolwZk6ot4g ZSu0UgqG2LNpKKbYXnE+99H6qm/33BnB8QtWEPnpmMjGQNB3yRqsG+VJnEbPFyiwtfmC p2Kw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:to:from:date:dkim-signature; bh=J24bm9xEsH5uzMcm8kKPL3v//gkVp99Cyky/dujkLE0=; b=fpLoZJ4fU+4PGu5ZFUaw13HicalIoJ/JyHXukKAkKa/oAp9H9V1A92086cJLXC5Tq6 PxRQsit3LCmqKhV2rIFtIZ05OM9cQqh2gNGn2xeX32h9wYVceOxeEhWfjB31rYp+8nFV PuuZeTUi/VYgc42VV2Xt4wl3B+Z+OAgmxXmfuVypSgai19XhQFBP922c8Yp1mhi1TFHe Aleod+0e/hUNUFlzLLHMNKt7Klj4fF/zEoMSNjJcK9ZA8M9eD2XR3oThHeqymaLc+5mK Odc66SG3vcTrTCx5mKdXqO1nq5Ak0oefzmsYNFGQSzCd6MRPKlAOvCebNIoZfd7Ci/Sc N9VQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=gJJvIOvd; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t23si968492ejs.321.2021.01.12.04.44.47; Tue, 12 Jan 2021 04:44:52 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=gJJvIOvd; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389019AbhALKMf (ORCPT + 18 others); Tue, 12 Jan 2021 05:12:35 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:40430 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387616AbhALKMe (ORCPT ); Tue, 12 Jan 2021 05:12:34 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 27C9B16B68 for ; Tue, 12 Jan 2021 21:11:51 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1610446311; bh=J24bm9xEsH5uzMcm8kKPL3v//gkVp99Cyky/dujkLE0=; l=8044; h=Date:From:To:Subject:From; b=gJJvIOvdmPJU7C/K5gorOQGSMAHQkhv/750oh7rGXlT8mj1Avq8TBeDU7XTnxEdM2 0XYmlWohTMFbNiz32IvXbJtTfO7ksSm9Gft4U0t60ETXqRAkd0taU3rbQF7WCH803N H2+zm81w2ZICBUMvRYMYS6+HzR4H0DuB4Bon6wuc= Received: by xev.coker.com.au (Postfix, from userid 1001) id 5F40312ECF62; Tue, 12 Jan 2021 21:11:46 +1100 (AEDT) Date: Tue, 12 Jan 2021 21:11:46 +1100 From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] base chrome/chromium patch Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org This patch is the one I described as "another chromium patch" on the 10th of April last year, but with the issues addressed. I believe it's ready for inclusion. Signed-off-by: Russell Coker Chromium policy tweaks and DRI policy Index: refpolicy-2.20201210/policy/modules/apps/chromium.te =================================================================== --- refpolicy-2.20201210.orig/policy/modules/apps/chromium.te +++ refpolicy-2.20201210/policy/modules/apps/chromium.te @@ -7,6 +7,16 @@ policy_module(chromium, 1.3.0) ## ##

+## Allow chromium to access direct rendering interface +##

+##

+## Needed for good performance on complex sites +##

+##
+gen_tunable(chromium_dri, true) + +## +##

## Allow chromium to read system information ##

##

@@ -63,6 +73,9 @@ type chromium_tmpfs_t; userdom_user_tmpfs_file(chromium_tmpfs_t) optional_policy(` pulseaudio_tmpfs_content(chromium_tmpfs_t) + pulseaudio_rw_tmpfs_files(chromium_t) + pulseaudio_stream_connect(chromium_t) + pulseaudio_use_fds(chromium_t) ') type chromium_xdg_config_t; @@ -96,6 +109,7 @@ allow chromium_t chromium_renderer_t:uni allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write }; allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write }; +allow chromium_t chromium_sandbox_t:file read_file_perms; allow chromium_t chromium_naclhelper_t:process { share }; @@ -108,6 +122,9 @@ manage_sock_files_pattern(chromium_t, ch manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file }) +# for /run/user/$UID +userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file }) + manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t) allow chromium_t chromium_tmpfs_t:file map; fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file) @@ -129,6 +146,8 @@ domtrans_pattern(chromium_t, chromium_sa domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) kernel_list_proc(chromium_t) +kernel_read_fs_sysctls(chromium_t) +kernel_read_kernel_sysctls(chromium_t) kernel_read_net_sysctls(chromium_t) corecmd_exec_bin(chromium_t) @@ -187,6 +206,9 @@ xdg_read_config_files(chromium_t) xdg_read_data_files(chromium_t) xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t) +xserver_stream_connect_xdm(chromium_t) + +xserver_manage_mesa_shader_cache(chromium_t) tunable_policy(`chromium_bind_tcp_unreserved_ports',` corenet_tcp_bind_generic_node(chromium_t) @@ -194,6 +216,10 @@ tunable_policy(`chromium_bind_tcp_unrese allow chromium_t self:tcp_socket { listen accept }; ') +tunable_policy(`chromium_dri', ` + dev_rw_dri(chromium_t) +') + tunable_policy(`chromium_rw_usb_dev',` dev_rw_generic_usb_dev(chromium_t) udev_read_db(chromium_t) @@ -241,8 +267,13 @@ optional_policy(` ') optional_policy(` + devicekit_dbus_chat_disk(chromium_t) devicekit_dbus_chat_power(chromium_t) ') + + optional_policy(` + systemd_dbus_chat_hostnamed(chromium_t) + ') ') optional_policy(` @@ -252,6 +283,14 @@ optional_policy(` dpkg_read_db(chromium_t) ') +optional_policy(` + networkmanager_dbus_chat(chromium_t) +') + +optional_policy(` + ssh_dontaudit_agent_tmp(chromium_t) +') + ######################################## # # chromium_renderer local policy @@ -350,3 +389,6 @@ tunable_policy(`chromium_read_system_inf dev_read_sysfs(chromium_naclhelper_t) dev_read_urand(chromium_naclhelper_t) +kernel_list_proc(chromium_naclhelper_t) + +miscfiles_read_localization(chromium_naclhelper_t) Index: refpolicy-2.20201210/policy/modules/services/xserver.te =================================================================== --- refpolicy-2.20201210.orig/policy/modules/services/xserver.te +++ refpolicy-2.20201210/policy/modules/services/xserver.te @@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false) ## gen_tunable(xserver_object_manager, false) +## +##

+## Allow DRI access +##

+##
+gen_tunable(xserver_allow_dri, false) + attribute x_domain; # X Events Index: refpolicy-2.20201210/policy/modules/services/xserver.if =================================================================== --- refpolicy-2.20201210.orig/policy/modules/services/xserver.if +++ refpolicy-2.20201210/policy/modules/services/xserver.if @@ -48,8 +48,9 @@ interface(`xserver_restricted_role',` files_search_tmp($2) # Communicate via System V shared memory. + allow $2 xserver_t:fd use; allow $2 xserver_t:shm r_shm_perms; - allow $2 xserver_tmpfs_t:file read_file_perms; + allow $2 xserver_tmpfs_t:file { map read_file_perms }; # allow ps to show iceauth ps_process_pattern($2, iceauth_t) @@ -75,10 +76,6 @@ interface(`xserver_restricted_role',` allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; - # Client read xserver shm - allow $2 xserver_t:fd use; - allow $2 xserver_tmpfs_t:file read_file_perms; - # Read /tmp/.X0-lock allow $2 xserver_tmp_t:file read_inherited_file_perms; @@ -119,6 +116,9 @@ interface(`xserver_restricted_role',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') + tunable_policy(`xserver_allow_dri',` + dev_rw_dri($2) + ') ') ######################################## @@ -1658,6 +1658,26 @@ interface(`xserver_rw_mesa_shader_cache' rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) + xdg_search_cache_dirs($1) +') + +######################################## +## +## Manage the mesa shader cache. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_mesa_shader_cache',` + gen_require(` + type mesa_shader_cache_t; + ') + + manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) + manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) allow $1 mesa_shader_cache_t:file map; xdg_search_cache_dirs($1) Index: refpolicy-2.20201210/policy/modules/apps/chromium.if =================================================================== --- refpolicy-2.20201210.orig/policy/modules/apps/chromium.if +++ refpolicy-2.20201210/policy/modules/apps/chromium.if @@ -38,7 +38,15 @@ interface(`chromium_role',` allow $2 chromium_t:process signal_perms; allow $2 chromium_renderer_t:process signal_perms; + allow $2 chromium_sandbox_t:process signal_perms; allow $2 chromium_naclhelper_t:process signal_perms; + allow chromium_t $2:process { signull signal }; + allow $2 chromium_t:file manage_file_perms; + + allow $2 chromium_t:unix_stream_socket connectto; + + # for /tmp/.ICE-unix/* sockets + allow chromium_t $2:unix_stream_socket connectto; allow chromium_sandbox_t $2:fd use; allow chromium_naclhelper_t $2:fd use; @@ -109,6 +117,7 @@ interface(`chromium_domtrans',` gen_require(` type chromium_t; type chromium_exec_t; + class dbus send_msg; ') corecmd_search_bin($1) Index: refpolicy-2.20201210/policy/modules/services/ssh.if =================================================================== --- refpolicy-2.20201210.orig/policy/modules/services/ssh.if +++ refpolicy-2.20201210/policy/modules/services/ssh.if @@ -774,3 +774,21 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') + +####################################### +## +## dontaudit access to ssh agent tmp dirs +## +## +## +## Domain not to audit. +## +## +# +interface(`ssh_dontaudit_agent_tmp',` + gen_require(` + type ssh_agent_tmp_t; + ') + + dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms; +')