Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp3028817pxb;
        Tue, 12 Jan 2021 04:44:52 -0800 (PST)
X-Google-Smtp-Source: ABdhPJx6t5doL83EFwVWmDrC7sTEeWe1wGv+9g/RYWyCtB0WDVwKwqa1RLx8Sw+1Oko9chBpizEJ
X-Received: by 2002:a05:6402:2694:: with SMTP id w20mr610464edd.200.1610455492807;
        Tue, 12 Jan 2021 04:44:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1610455492; cv=none;
        d=google.com; s=arc-20160816;
        b=P/rtnktWkZoyuuSJICLzxb0IChY7ok2QPuF6JQZSMdYccZYWFF4YHQ5cEk+Hcosovf
         3awv7KVAfQAtbpngSLIVDNVJdusYbmsNhJnQnRQitQymd0txDJAqevczNi34fmFsKkXB
         mD5jk0b0OTFje2CpXdrf3Nw4XxRlxv/wUwC5FL7NFFTqsMAd6fcquEKCFD5xsd5iR9JW
         ZFgKAQfJI0HwAgYKmyO0i4s5yV0JeaGxeeAeiGLQprOG+Q4ry5Nn+q7ITnolwZk6ot4g
         ZSu0UgqG2LNpKKbYXnE+99H6qm/33BnB8QtWEPnpmMjGQNB3yRqsG+VJnEbPFyiwtfmC
         p2Kw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:to:from:date:dkim-signature;
        bh=J24bm9xEsH5uzMcm8kKPL3v//gkVp99Cyky/dujkLE0=;
        b=fpLoZJ4fU+4PGu5ZFUaw13HicalIoJ/JyHXukKAkKa/oAp9H9V1A92086cJLXC5Tq6
         PxRQsit3LCmqKhV2rIFtIZ05OM9cQqh2gNGn2xeX32h9wYVceOxeEhWfjB31rYp+8nFV
         PuuZeTUi/VYgc42VV2Xt4wl3B+Z+OAgmxXmfuVypSgai19XhQFBP922c8Yp1mhi1TFHe
         Aleod+0e/hUNUFlzLLHMNKt7Klj4fF/zEoMSNjJcK9ZA8M9eD2XR3oThHeqymaLc+5mK
         Odc66SG3vcTrTCx5mKdXqO1nq5Ak0oefzmsYNFGQSzCd6MRPKlAOvCebNIoZfd7Ci/Sc
         N9VQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=gJJvIOvd;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id t23si968492ejs.321.2021.01.12.04.44.47;
        Tue, 12 Jan 2021 04:44:52 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=gJJvIOvd;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2389019AbhALKMf (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 18 others); Tue, 12 Jan 2021 05:12:35 -0500
Received: from smtp.sws.net.au ([46.4.88.250]:40430 "EHLO smtp.sws.net.au"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2387616AbhALKMe (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Tue, 12 Jan 2021 05:12:34 -0500
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id 27C9B16B68
        for <selinux-refpolicy@vger.kernel.org>; Tue, 12 Jan 2021 21:11:51 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1610446311;
        bh=J24bm9xEsH5uzMcm8kKPL3v//gkVp99Cyky/dujkLE0=; l=8044;
        h=Date:From:To:Subject:From;
        b=gJJvIOvdmPJU7C/K5gorOQGSMAHQkhv/750oh7rGXlT8mj1Avq8TBeDU7XTnxEdM2
         0XYmlWohTMFbNiz32IvXbJtTfO7ksSm9Gft4U0t60ETXqRAkd0taU3rbQF7WCH803N
         H2+zm81w2ZICBUMvRYMYS6+HzR4H0DuB4Bon6wuc=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id 5F40312ECF62; Tue, 12 Jan 2021 21:11:46 +1100 (AEDT)
Date:   Tue, 12 Jan 2021 21:11:46 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] base chrome/chromium patch
Message-ID: <X/114hdXlO+f4u3Q@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

This patch is the one I described as "another chromium patch" on the 10th of
April last year, but with the issues addressed.

I believe it's ready for inclusion.


Signed-off-by: Russell Coker <russell@coker.com.au>

Chromium policy tweaks and DRI policy

Index: refpolicy-2.20201210/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20201210/policy/modules/apps/chromium.te
@@ -7,6 +7,16 @@ policy_module(chromium, 1.3.0)
 
 ## <desc>
 ## <p>
+## Allow chromium to access direct rendering interface
+## </p>
+## <p>
+## Needed for good performance on complex sites
+## </p>
+## </desc>
+gen_tunable(chromium_dri, true)
+
+## <desc>
+## <p>
 ## Allow chromium to read system information
 ## </p>
 ## <p>
@@ -63,6 +73,9 @@ type chromium_tmpfs_t;
 userdom_user_tmpfs_file(chromium_tmpfs_t)
 optional_policy(`
 	pulseaudio_tmpfs_content(chromium_tmpfs_t)
+	pulseaudio_rw_tmpfs_files(chromium_t)
+	pulseaudio_stream_connect(chromium_t)
+	pulseaudio_use_fds(chromium_t)
 ')
 
 type chromium_xdg_config_t;
@@ -96,6 +109,7 @@ allow chromium_t chromium_renderer_t:uni
 
 allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write };
 allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write };
+allow chromium_t chromium_sandbox_t:file read_file_perms;
 
 allow chromium_t chromium_naclhelper_t:process { share };
 
@@ -108,6 +122,9 @@ manage_sock_files_pattern(chromium_t, ch
 manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
 files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
 
+# for /run/user/$UID
+userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file })
+
 manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
 allow chromium_t chromium_tmpfs_t:file map;
 fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
@@ -129,6 +146,8 @@ domtrans_pattern(chromium_t, chromium_sa
 domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
 
 kernel_list_proc(chromium_t)
+kernel_read_fs_sysctls(chromium_t)
+kernel_read_kernel_sysctls(chromium_t)
 kernel_read_net_sysctls(chromium_t)
 
 corecmd_exec_bin(chromium_t)
@@ -187,6 +206,9 @@ xdg_read_config_files(chromium_t)
 xdg_read_data_files(chromium_t)
 
 xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
+xserver_stream_connect_xdm(chromium_t)
+
+xserver_manage_mesa_shader_cache(chromium_t)
 
 tunable_policy(`chromium_bind_tcp_unreserved_ports',`
 	corenet_tcp_bind_generic_node(chromium_t)
@@ -194,6 +216,10 @@ tunable_policy(`chromium_bind_tcp_unrese
 	allow chromium_t self:tcp_socket { listen accept };
 ')
 
+tunable_policy(`chromium_dri', `
+	dev_rw_dri(chromium_t)
+')
+
 tunable_policy(`chromium_rw_usb_dev',`
 	dev_rw_generic_usb_dev(chromium_t)
 	udev_read_db(chromium_t)
@@ -241,8 +267,13 @@ optional_policy(`
 	')
 
 	optional_policy(`
+		devicekit_dbus_chat_disk(chromium_t)
 		devicekit_dbus_chat_power(chromium_t)
 	')
+
+	optional_policy(`
+		systemd_dbus_chat_hostnamed(chromium_t)
+	')
 ')
 
 optional_policy(`
@@ -252,6 +283,14 @@ optional_policy(`
 	dpkg_read_db(chromium_t)
 ')
 
+optional_policy(`
+	networkmanager_dbus_chat(chromium_t)
+')
+
+optional_policy(`
+	ssh_dontaudit_agent_tmp(chromium_t)
+')
+
 ########################################
 #
 # chromium_renderer local policy
@@ -350,3 +389,6 @@ tunable_policy(`chromium_read_system_inf
 
 dev_read_sysfs(chromium_naclhelper_t)
 dev_read_urand(chromium_naclhelper_t)
+kernel_list_proc(chromium_naclhelper_t)
+
+miscfiles_read_localization(chromium_naclhelper_t)
Index: refpolicy-2.20201210/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20201210/policy/modules/services/xserver.te
@@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false)
 ## </desc>
 gen_tunable(xserver_object_manager, false)
 
+## <desc>
+## <p>
+## Allow DRI access
+## </p>
+## </desc>
+gen_tunable(xserver_allow_dri, false)
+
 attribute x_domain;
 
 # X Events
Index: refpolicy-2.20201210/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20201210/policy/modules/services/xserver.if
@@ -48,8 +48,9 @@ interface(`xserver_restricted_role',`
 	files_search_tmp($2)
 
 	# Communicate via System V shared memory.
+	allow $2 xserver_t:fd use;
 	allow $2 xserver_t:shm r_shm_perms;
-	allow $2 xserver_tmpfs_t:file read_file_perms;
+	allow $2 xserver_tmpfs_t:file { map read_file_perms };
 
 	# allow ps to show iceauth
 	ps_process_pattern($2, iceauth_t)
@@ -75,10 +76,6 @@ interface(`xserver_restricted_role',`
 	allow $2 xdm_tmp_t:sock_file { read write };
 	dontaudit $2 xdm_t:tcp_socket { read write };
 
-	# Client read xserver shm
-	allow $2 xserver_t:fd use;
-	allow $2 xserver_tmpfs_t:file read_file_perms;
-
 	# Read /tmp/.X0-lock
 	allow $2 xserver_tmp_t:file read_inherited_file_perms;
 
@@ -119,6 +116,9 @@ interface(`xserver_restricted_role',`
 		allow $2 xserver_t:shm rw_shm_perms;
 		allow $2 xserver_tmpfs_t:file rw_file_perms;
 	')
+	tunable_policy(`xserver_allow_dri',`
+		dev_rw_dri($2)
+	')
 ')
 
 ########################################
@@ -1658,6 +1658,26 @@ interface(`xserver_rw_mesa_shader_cache'
 
 	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
 	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	xdg_search_cache_dirs($1)
+')
+
+########################################
+## <summary>
+##	Manage the mesa shader cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_mesa_shader_cache',`
+	gen_require(`
+		type mesa_shader_cache_t;
+	')
+
+	manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
 	allow $1 mesa_shader_cache_t:file map;
 
 	xdg_search_cache_dirs($1)
Index: refpolicy-2.20201210/policy/modules/apps/chromium.if
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/apps/chromium.if
+++ refpolicy-2.20201210/policy/modules/apps/chromium.if
@@ -38,7 +38,15 @@ interface(`chromium_role',`
 
 	allow $2 chromium_t:process signal_perms;
 	allow $2 chromium_renderer_t:process signal_perms;
+	allow $2 chromium_sandbox_t:process signal_perms;
 	allow $2 chromium_naclhelper_t:process signal_perms;
+	allow chromium_t $2:process { signull signal };
+	allow $2 chromium_t:file manage_file_perms;
+
+	allow $2 chromium_t:unix_stream_socket connectto;
+
+	# for /tmp/.ICE-unix/* sockets
+	allow chromium_t $2:unix_stream_socket connectto;
 
 	allow chromium_sandbox_t $2:fd use;
 	allow chromium_naclhelper_t $2:fd use;
@@ -109,6 +117,7 @@ interface(`chromium_domtrans',`
 	gen_require(`
 		type chromium_t;
 		type chromium_exec_t;
+		class dbus send_msg;
 	')
 
 	corecmd_search_bin($1)
Index: refpolicy-2.20201210/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20201210/policy/modules/services/ssh.if
@@ -774,3 +774,21 @@ interface(`ssh_delete_tmp',`
 	files_search_tmp($1)
 	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
 ')
+
+#######################################
+## <summary>
+##	dontaudit access to ssh agent tmp dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+#
+interface(`ssh_dontaudit_agent_tmp',`
+	gen_require(`
+		type ssh_agent_tmp_t;
+	')
+
+	dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms;
+')