2012-01-06 17:25:56

by Daniel Walsh

[permalink] [raw]
Subject: [refpolicy] Contribute chrome (sandbox) policy from Fedora to Refpolicy.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please review and Ack.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8HLqQACgkQrlYvE4MpobMYowCcDioOr28h1epiimg9H3vuW05x
zaoAn3tP+GODXl//G92H0mcwsGOH9QJN
=67PF
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: chrome.patch
Type: text/x-patch
Size: 9727 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120106/08c5a223/attachment.bin


2012-01-09 20:52:20

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] Contribute chrome (sandbox) policy from Fedora to Refpolicy.

On Fri, Jan 06, 2012 at 12:25:56PM -0500, Daniel J Walsh wrote:
> Please review and Ack.
[...]
> +########################################
> +## <summary>
> +## Role access for chrome sandbox
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role
> +## </summary>
> +## </param>
> +#
> +interface(`chrome_role_notrans',`

Since the module will be called chrome, I can imagine it wouldn't take long
before chrome is put in its own domain. For this reason, I'd try to keep the
_sandbox suffix wherever possible.

Perhaps chrome_role_notrans_sandbox ?

> +########################################
> +## <summary>
> +## Role access for chrome sandbox
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role
> +## </summary>
> +## </param>
> +#
> +interface(`chrome_role',`

chrome_role_sandbox

> +########################################
> +## <summary>
> +## Dontaudit read/write to a chrome_sandbox leaks
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> + gen_require(`
> + type chrome_sandbox_t;
> + ')
> +
> + dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
> +')

I'm missing the interface call here.

chrome_dontaudit_rw_unix_stream_sockets_sandbox?

> +ubac_constrained(chrome_sandbox_tmpfs_t)

I'm not certain, but if you mark this resource as ubac-constrained, doesn't
chrome_sandbox_t need to be marked as such as well? Same for
chrome_sandbox_nacl_t?

Wkr,
Sven Vermeulen