Subject: Re: [PATCH] base chrome/chromium patch fixed
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
Message-ID: <4dd41dd4-51a2-1452-a4ca-41c70f456aed@ieee.org>
Date: Tue, 19 Jan 2021 08:41:08 -0500
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/14/21 6:32 PM, Russell Coker wrote:
> This patch is the one I described as "another chromium patch" on the 10th of
> April last year, but with the issues addressed, and the
> chromium_t:file manage_file_perms removed as requested.
>
> I believe it's ready for inclusion.
>
> Signed-off-by: Russell Coker

Merged.

> Index: refpolicy-2.20210115/policy/modules/apps/chromium.te
> ===================================================================
> --- refpolicy-2.20210115.orig/policy/modules/apps/chromium.te
> +++ refpolicy-2.20210115/policy/modules/apps/chromium.te
> @@ -7,6 +7,16 @@ policy_module(chromium, 1.3.1) > > ## > ##

> +## Allow chromium to access direct rendering interface > +##

> +##

> +## Needed for good performance on complex sites > +##

> +##
> +gen_tunable(chromium_dri, true) > + > +## > +##

> ## Allow chromium to read system information > ##

> ##

> @@ -63,6 +73,9 @@ type chromium_tmpfs_t; > userdom_user_tmpfs_file(chromium_tmpfs_t) > optional_policy(` > pulseaudio_tmpfs_content(chromium_tmpfs_t) > + pulseaudio_rw_tmpfs_files(chromium_t) > + pulseaudio_stream_connect(chromium_t) > + pulseaudio_use_fds(chromium_t) > ') > > type chromium_xdg_config_t; > @@ -96,6 +109,7 @@ allow chromium_t chromium_renderer_t:uni > > allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write }; > allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write }; > +allow chromium_t chromium_sandbox_t:file read_file_perms; > > allow chromium_t chromium_naclhelper_t:process { share }; > > @@ -108,6 +122,9 @@ manage_sock_files_pattern(chromium_t, ch > manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) > files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file }) > > +# for /run/user/$UID > +userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file }) > + > manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t) > allow chromium_t chromium_tmpfs_t:file map; > fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file) > @@ -129,6 +146,8 @@ domtrans_pattern(chromium_t, chromium_sa > domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) > > kernel_list_proc(chromium_t) > +kernel_read_fs_sysctls(chromium_t) > +kernel_read_kernel_sysctls(chromium_t) > kernel_read_net_sysctls(chromium_t) > > corecmd_exec_bin(chromium_t) > @@ -187,6 +206,9 @@ xdg_read_config_files(chromium_t) > xdg_read_data_files(chromium_t) > > xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t) > +xserver_stream_connect_xdm(chromium_t) > + > +xserver_manage_mesa_shader_cache(chromium_t) > > tunable_policy(`chromium_bind_tcp_unreserved_ports',` > corenet_tcp_bind_generic_node(chromium_t) 
> @@ -194,6 +216,10 @@ tunable_policy(`chromium_bind_tcp_unrese > allow chromium_t self:tcp_socket { listen accept }; > ') > > +tunable_policy(`chromium_dri', ` > + dev_rw_dri(chromium_t) > +') > + > tunable_policy(`chromium_rw_usb_dev',` > dev_rw_generic_usb_dev(chromium_t) > ') > @@ -240,8 +266,13 @@ optional_policy(` > ') > > optional_policy(` > + devicekit_dbus_chat_disk(chromium_t) > devicekit_dbus_chat_power(chromium_t) > ') > + > + optional_policy(` > + systemd_dbus_chat_hostnamed(chromium_t) > + ') > ') > > optional_policy(` > @@ -251,6 +282,14 @@ optional_policy(` > dpkg_read_db(chromium_t) > ') > > +optional_policy(` > + networkmanager_dbus_chat(chromium_t) > +') > + > +optional_policy(` > + ssh_dontaudit_agent_tmp(chromium_t) > +') > + > ######################################## > # > # chromium_renderer local policy > @@ -349,3 +388,6 @@ tunable_policy(`chromium_read_system_inf > > dev_read_sysfs(chromium_naclhelper_t) > dev_read_urand(chromium_naclhelper_t) > +kernel_list_proc(chromium_naclhelper_t) > + > +miscfiles_read_localization(chromium_naclhelper_t) > Index: refpolicy-2.20210115/policy/modules/services/xserver.te > =================================================================== > --- refpolicy-2.20210115.orig/policy/modules/services/xserver.te > +++ refpolicy-2.20210115/policy/modules/services/xserver.te > @@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false) > ## > gen_tunable(xserver_object_manager, false) > > +## > +##

> +## Allow DRI access > +##

> +##
> +gen_tunable(xserver_allow_dri, false) > + > attribute x_domain; > > # X Events > Index: refpolicy-2.20210115/policy/modules/services/xserver.if > =================================================================== > --- refpolicy-2.20210115.orig/policy/modules/services/xserver.if > +++ refpolicy-2.20210115/policy/modules/services/xserver.if > @@ -48,8 +48,9 @@ interface(`xserver_restricted_role',` > files_search_tmp($2) > > # Communicate via System V shared memory. > + allow $2 xserver_t:fd use; > allow $2 xserver_t:shm r_shm_perms; > - allow $2 xserver_tmpfs_t:file read_file_perms; > + allow $2 xserver_tmpfs_t:file { map read_file_perms }; > > # allow ps to show iceauth > ps_process_pattern($2, iceauth_t) > @@ -75,10 +76,6 @@ interface(`xserver_restricted_role',` > allow $2 xdm_tmp_t:sock_file { read write }; > dontaudit $2 xdm_t:tcp_socket { read write }; > > - # Client read xserver shm > - allow $2 xserver_t:fd use; > - allow $2 xserver_tmpfs_t:file read_file_perms; > - > # Read /tmp/.X0-lock > allow $2 xserver_tmp_t:file read_inherited_file_perms; > > @@ -119,6 +116,9 @@ interface(`xserver_restricted_role',` > allow $2 xserver_t:shm rw_shm_perms; > allow $2 xserver_tmpfs_t:file rw_file_perms; > ') > + tunable_policy(`xserver_allow_dri',` > + dev_rw_dri($2) > + ') > ') > > ######################################## 
> @@ -1658,6 +1658,26 @@ interface(`xserver_rw_mesa_shader_cache' > > rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > + xdg_search_cache_dirs($1) > +') > + > +######################################## > +## > +## Manage the mesa shader cache. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_manage_mesa_shader_cache',` > + gen_require(` > + type mesa_shader_cache_t; > + ') > + > + manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > + manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > allow $1 mesa_shader_cache_t:file map; > > xdg_search_cache_dirs($1) > Index: refpolicy-2.20210115/policy/modules/apps/chromium.if > =================================================================== > --- refpolicy-2.20210115.orig/policy/modules/apps/chromium.if > +++ refpolicy-2.20210115/policy/modules/apps/chromium.if > @@ -38,7 +38,14 @@ interface(`chromium_role',` > > allow $2 chromium_t:process signal_perms; > allow $2 chromium_renderer_t:process signal_perms; > + allow $2 chromium_sandbox_t:process signal_perms; > allow $2 chromium_naclhelper_t:process signal_perms; > + allow chromium_t $2:process { signull signal }; > + > + allow $2 chromium_t:unix_stream_socket connectto; > + > + # for /tmp/.ICE-unix/* sockets > + allow chromium_t $2:unix_stream_socket connectto; > > allow chromium_sandbox_t $2:fd use; > allow chromium_naclhelper_t $2:fd use; > @@ -109,6 +116,7 @@ interface(`chromium_domtrans',` > gen_require(` > type chromium_t; > type chromium_exec_t; > + class dbus send_msg; > ') > > corecmd_search_bin($1) > Index: refpolicy-2.20210115/policy/modules/services/ssh.if > =================================================================== > --- refpolicy-2.20210115.orig/policy/modules/services/ssh.if > +++ refpolicy-2.20210115/policy/modules/services/ssh.if 
> @@ -774,3 +774,21 @@ interface(`ssh_delete_tmp',` > files_search_tmp($1) > delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) > ') > + > +####################################### > +## > +## dontaudit access to ssh agent tmp dirs > +## > +## > +## > +## Domain not to audit. > +## > +## > +# > +interface(`ssh_dontaudit_agent_tmp',` > + gen_require(` > + type ssh_agent_tmp_t; > + ') > + > + dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms; > +') > -- Chris PeBenito
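Review bot: In chromium.te hunk @@ -7,6 +7,16 @@, the new tunable is declared `gen_tunable(chromium_dri, true)` while the companion tunable added in xserver.te (`gen_tunable(xserver_allow_dri, false)`) defaults to off; both gate the same `dev_rw_dri()` access (hunk @@ -194,6 +216,10 @@ for chromium, hunk @@ -119,6 +116,9 @@ in xserver.if for the role). Read/write access to the DRI device nodes is an opt-in for most other domains in the tree, so either default chromium_dri to false for consistency or say in its description why the browser gets it by default.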
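Review bot: In chromium.te hunk @@ -63,6 +73,9 @@, the three new calls (`pulseaudio_rw_tmpfs_files(chromium_t)`, `pulseaudio_stream_connect(chromium_t)`, `pulseaudio_use_fds(chromium_t)`) grant access to chromium_t but are placed inside the optional_policy block in the declarations section, whose only existing line (`pulseaudio_tmpfs_content(chromium_tmpfs_t)`) is a type-level declaration. Move them into a pulseaudio optional_policy block in the "chromium local policy" section alongside the other chromium_t rules, so the declarations block keeps only type attributes.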
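Review bot: In chromium.te hunk @@ -96,6 +109,7 @@, `allow chromium_t chromium_sandbox_t:file read_file_perms;` targets a domain type, so the file permissions apply to the sandbox processes' /proc/<pid> entries rather than to any on-disk file. That intent is not obvious next to the socket rules it sits between; add a comment naming what is read (and if the goal is the usual process-inspection set, `ps_process_pattern(chromium_t, chromium_sandbox_t)` expresses it more clearly than a bare file rule).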
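Review bot: In chromium.te hunk @@ -108,6 +122,9 @@, `userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file })` carries no name filter, so every file and socket chromium_t creates directly in /run/user/$UID is labeled with the same type used for its /tmp content. Since the `manage_*_pattern` rules above already give chromium_t full control of chromium_tmp_t, consider a dedicated runtime type (a hypothetical chromium_runtime_t, or a named transition for the specific socket) so the two locations stay distinguishable in policy and in audit logs.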
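Review bot: In chromium.te hunk @@ -240,8 +266,13 @@, `devicekit_dbus_chat_disk(chromium_t)` adds bidirectional D-Bus chat between the browser and the disk-management daemon, which is a broader capability than the adjacent power-daemon chat, and the nested `systemd_dbus_chat_hostnamed(chromium_t)` block likewise arrives without explanation. Add a comment to each stating which browser feature needs the conversation, so a later reader can tell whether the access is still required.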
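Review bot: In xserver.te hunk @@ -55,6 +55,13 @@, the description of xserver_allow_dri reads only "Allow DRI access" and does not say which domains it affects. The corresponding xserver.if hunk applies `dev_rw_dri($2)` to the user domain passed to xserver_restricted_role, so the summary should say so, e.g. "Allow X clients in the restricted role to read and write the DRI devices", matching the more specific wording used for chromium_dri in the same patch.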
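Review bot: In chromium.if hunk @@ -38,7 +38,14 @@, `allow chromium_t $2:process { signull signal };` and `allow chromium_t $2:unix_stream_socket connectto;` let the browser act on the user's session domain, reversing the direction of the existing rules in this interface, where $2 signals the chromium domains. Only the socket line carries a comment ("for /tmp/.ICE-unix/* sockets"); document why chromium_t must signal $2 and check whether `signull` alone (existence check) covers the need before granting `signal`.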
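Review bot: In chromium.if hunk @@ -109,6 +116,7 @@, `class dbus send_msg;` is added to the gen_require of chromium_domtrans, but no rule in the hunk uses the dbus class and the rest of the interface is not changed by this patch. If nothing in chromium_domtrans references `dbus send_msg`, the require is dead and should be dropped; if a rule does use it, it belongs in the same hunk so the require is justified.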
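Review bot: In ssh.if hunk @@ -774,3 +774,21 @@, the new interface dontaudits only `ssh_agent_tmp_t:dir list_dir_perms`, so a name following the existing convention, such as ssh_dontaudit_list_agent_tmp, would describe it more accurately than ssh_dontaudit_agent_tmp, and the summary "dontaudit access to ssh agent tmp dirs" should read like the other summaries in the file, e.g. "Do not audit attempts to list the ssh agent temporary directories." The separator line above the interface also appears one `#` shorter than the one used for the other interface added in this patch (xserver.if hunk @@ -1658,6 +1658,26 @@).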