Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp661155pxb; Thu, 14 Jan 2021 15:39:43 -0800 (PST) X-Google-Smtp-Source: ABdhPJx1YGuiASVOTBiJgNrb6NXhRa8oEXmvKidHH8yQDbTJtSsyXh8jptO0QulDlHrqgS3zDmul X-Received: by 2002:a17:906:7215:: with SMTP id m21mr6828835ejk.248.1610667583228; Thu, 14 Jan 2021 15:39:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610667583; cv=none; d=google.com; s=arc-20160816; b=ku2YLxHxMteCPDo5HHosp57OMtJGNrcluhYSRvlxi6DRhpSAO8kxG+QUx//BjNm/u3 0CW3GMzmscGvnYGme3yQiaeGvx8md4LBXzsDZcohVrsNp3JCf80P/jWYaUh5/5zbuLay 3My8zSn9hXRlIio9WNNT0jOMHk7/U4/U1hHRvK0v23V+4ke+EbDxZCqI5bQqi+YIqVyC e3QXxLfgnhad0RdMImepJcbaZ8LHGpHek5iVIDE39RxAq0sWUg5YZyFjcNJoblJwjMp6 RxZR/glvRzwkz1CEc00CxKxzB0reo4zdtSP3PIvxfRix5z5CDwysrQyVKzJ57jJ6xBpm GVjw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:to:from:date:dkim-signature; bh=L1X1AQqqNF2la5sjdJlyTqF305FB8Xr+LAXLsQlSLKI=; b=Xtr9mR8kWDoePkRQJ0Wuunkz6Bu8nG4ywT4raMTQe7TOl31hShEodciOFIJpIleQrv UrVoA5s5mFrQR7nz/Vd5xibZ5cUhcyGUAwR1mY+DX7qyCmcZ+iFlk6WaUBQS9OTbFJ4o 9LTKU/O+tBavoNOFzo9dc9GOfGImRD7sjAL8+0uMOO9G+lVFDHUnOiQyzbesChMXtkMr bZqTKAQ6oqAl8mt7VHDJ/4OoftGjkJtFuhoCgszm2VVGGAQr67jXNhYZkMZk8gORJ2ey rLxloN5Vt7Tp8FXbda2cFeyoPh0w0YQIn8SwW5YLEwB7ZF29UU1dz35+4z6PiyKk5yHZ IL2w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=vuuZI3Kk; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o17si1543395edf.247.2021.01.14.15.39.36; Thu, 14 Jan 2021 15:39:43 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=vuuZI3Kk; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731015AbhANXje (ORCPT + 18 others); Thu, 14 Jan 2021 18:39:34 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:49714 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730994AbhANXje (ORCPT ); Thu, 14 Jan 2021 18:39:34 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 10AEE16176 for ; Fri, 15 Jan 2021 10:38:51 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1610667531; bh=L1X1AQqqNF2la5sjdJlyTqF305FB8Xr+LAXLsQlSLKI=; l=7997; h=Date:From:To:Subject:From; b=vuuZI3Kk4TjLoGDjvmBIoyru2R9J292JriWjsqEbse4SkJ2+WEp6hhgCfrpq3sat8 9PtU7OW0XdNosHJrQ3KwfIJS8V8E7o42GBSHn1epiJZNiKd9VNWb+561iE1SB9P8ep LGGjSnvajzur4WS+JwQSttt/wlif8PRLd84Jf8Hs= Received: by xev.coker.com.au (Postfix, from userid 1001) id 11FC512F9776; Fri, 15 Jan 2021 10:32:06 +1100 (AEDT) Date: Fri, 15 Jan 2021 10:32:06 +1100 From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] base chrome/chromium patch fixed Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org This patch is the one I described as "another chromium patch" on the 10th of April last year, but with the issues addressed, and the chromium_t:file manage_file_perms removed as requested. I believe it's ready for inclusion. Signed-off-by: Russell Coker Index: refpolicy-2.20210115/policy/modules/apps/chromium.te =================================================================== --- refpolicy-2.20210115.orig/policy/modules/apps/chromium.te +++ refpolicy-2.20210115/policy/modules/apps/chromium.te @@ -7,6 +7,16 @@ policy_module(chromium, 1.3.1) ## ##

+## Allow chromium to access direct rendering interface +##

+##

+## Needed for good performance on complex sites +##

+##
+gen_tunable(chromium_dri, true) + +## +##

## Allow chromium to read system information ##

##

@@ -63,6 +73,9 @@ type chromium_tmpfs_t; userdom_user_tmpfs_file(chromium_tmpfs_t) optional_policy(` pulseaudio_tmpfs_content(chromium_tmpfs_t) + pulseaudio_rw_tmpfs_files(chromium_t) + pulseaudio_stream_connect(chromium_t) + pulseaudio_use_fds(chromium_t) ') type chromium_xdg_config_t; @@ -96,6 +109,7 @@ allow chromium_t chromium_renderer_t:uni allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write }; allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write }; +allow chromium_t chromium_sandbox_t:file read_file_perms; allow chromium_t chromium_naclhelper_t:process { share }; @@ -108,6 +122,9 @@ manage_sock_files_pattern(chromium_t, ch manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file }) +# for /run/user/$UID +userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file }) + manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t) allow chromium_t chromium_tmpfs_t:file map; fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file) @@ -129,6 +146,8 @@ domtrans_pattern(chromium_t, chromium_sa domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) kernel_list_proc(chromium_t) +kernel_read_fs_sysctls(chromium_t) +kernel_read_kernel_sysctls(chromium_t) kernel_read_net_sysctls(chromium_t) corecmd_exec_bin(chromium_t) @@ -187,6 +206,9 @@ xdg_read_config_files(chromium_t) xdg_read_data_files(chromium_t) xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t) +xserver_stream_connect_xdm(chromium_t) + +xserver_manage_mesa_shader_cache(chromium_t) tunable_policy(`chromium_bind_tcp_unreserved_ports',` corenet_tcp_bind_generic_node(chromium_t) @@ -194,6 +216,10 @@ tunable_policy(`chromium_bind_tcp_unrese allow chromium_t self:tcp_socket { listen accept }; ') +tunable_policy(`chromium_dri', ` + dev_rw_dri(chromium_t) +') + tunable_policy(`chromium_rw_usb_dev',` dev_rw_generic_usb_dev(chromium_t) ') @@ -240,8 +266,13 @@ optional_policy(` ') optional_policy(` + devicekit_dbus_chat_disk(chromium_t) devicekit_dbus_chat_power(chromium_t) ') + + optional_policy(` + systemd_dbus_chat_hostnamed(chromium_t) + ') ') optional_policy(` @@ -251,6 +282,14 @@ optional_policy(` dpkg_read_db(chromium_t) ') +optional_policy(` + networkmanager_dbus_chat(chromium_t) +') + +optional_policy(` + ssh_dontaudit_agent_tmp(chromium_t) +') + ######################################## # # chromium_renderer local policy @@ -349,3 +388,6 @@ tunable_policy(`chromium_read_system_inf dev_read_sysfs(chromium_naclhelper_t) dev_read_urand(chromium_naclhelper_t) +kernel_list_proc(chromium_naclhelper_t) + +miscfiles_read_localization(chromium_naclhelper_t) Index: refpolicy-2.20210115/policy/modules/services/xserver.te =================================================================== --- refpolicy-2.20210115.orig/policy/modules/services/xserver.te +++ refpolicy-2.20210115/policy/modules/services/xserver.te @@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false) ## gen_tunable(xserver_object_manager, false) +## +##

+## Allow DRI access +##

+##
+gen_tunable(xserver_allow_dri, false) + attribute x_domain; # X Events Index: refpolicy-2.20210115/policy/modules/services/xserver.if =================================================================== --- refpolicy-2.20210115.orig/policy/modules/services/xserver.if +++ refpolicy-2.20210115/policy/modules/services/xserver.if @@ -48,8 +48,9 @@ interface(`xserver_restricted_role',` files_search_tmp($2) # Communicate via System V shared memory. + allow $2 xserver_t:fd use; allow $2 xserver_t:shm r_shm_perms; - allow $2 xserver_tmpfs_t:file read_file_perms; + allow $2 xserver_tmpfs_t:file { map read_file_perms }; # allow ps to show iceauth ps_process_pattern($2, iceauth_t) @@ -75,10 +76,6 @@ interface(`xserver_restricted_role',` allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; - # Client read xserver shm - allow $2 xserver_t:fd use; - allow $2 xserver_tmpfs_t:file read_file_perms; - # Read /tmp/.X0-lock allow $2 xserver_tmp_t:file read_inherited_file_perms; @@ -119,6 +116,9 @@ interface(`xserver_restricted_role',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') + tunable_policy(`xserver_allow_dri',` + dev_rw_dri($2) + ') ') ######################################## @@ -1658,6 +1658,26 @@ interface(`xserver_rw_mesa_shader_cache' rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) + xdg_search_cache_dirs($1) +') + +######################################## +## +## Manage the mesa shader cache. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_mesa_shader_cache',` + gen_require(` + type mesa_shader_cache_t; + ') + + manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) + manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) allow $1 mesa_shader_cache_t:file map; xdg_search_cache_dirs($1) Index: refpolicy-2.20210115/policy/modules/apps/chromium.if =================================================================== --- refpolicy-2.20210115.orig/policy/modules/apps/chromium.if +++ refpolicy-2.20210115/policy/modules/apps/chromium.if @@ -38,7 +38,14 @@ interface(`chromium_role',` allow $2 chromium_t:process signal_perms; allow $2 chromium_renderer_t:process signal_perms; + allow $2 chromium_sandbox_t:process signal_perms; allow $2 chromium_naclhelper_t:process signal_perms; + allow chromium_t $2:process { signull signal }; + + allow $2 chromium_t:unix_stream_socket connectto; + + # for /tmp/.ICE-unix/* sockets + allow chromium_t $2:unix_stream_socket connectto; allow chromium_sandbox_t $2:fd use; allow chromium_naclhelper_t $2:fd use; @@ -109,6 +116,7 @@ interface(`chromium_domtrans',` gen_require(` type chromium_t; type chromium_exec_t; + class dbus send_msg; ') corecmd_search_bin($1) Index: refpolicy-2.20210115/policy/modules/services/ssh.if =================================================================== --- refpolicy-2.20210115.orig/policy/modules/services/ssh.if +++ refpolicy-2.20210115/policy/modules/services/ssh.if @@ -774,3 +774,21 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') + +####################################### +## +## dontaudit access to ssh agent tmp dirs +## +## +## +## Domain not to audit. +## +## +# +interface(`ssh_dontaudit_agent_tmp',` + gen_require(` + type ssh_agent_tmp_t; + ') + + dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms; +')