From: jason@perfinion.com (Jason Zaman)
Date: Sun, 17 Sep 2017 12:18:12 +0800
Subject: [refpolicy] Chrome patch for discussion
In-Reply-To: <20170917032811.b2eyftg5j2wois4n@athena.coker.com.au>
References: <20170917032811.b2eyftg5j2wois4n@athena.coker.com.au>
Message-ID: <20170917041812.GA29152@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Sep 17, 2017 at 01:28:11PM +1000, Russell Coker via refpolicy wrote:
> This patch has been hanging around in my collection for years. I am NOT
> suggesting including it as-is. I am sending it for discussion.
>
> One thing to discuss is whether we use mozilla_t for all browsers (maybe add
> a typealias to browser_t or something) or whether we have a chrome_t. I
> think that having a single mozilla_t or browser_t is the better option but I'm
> not stuck on it. I can rewrite it for a separate chrome_t if that is the
> consensus.

We've had a chromium_t in gentoo for quite a while
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.te
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.if
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib/chromium.fc

I kinda like firefox and chromium separate cuz chrome has a bunch of booleans
for chromecast and fido u2f and stuff so then fewer perms can be given to FF.
Also other stuff is that FF can work without execmem if you build with JIT
disabled but chrome won't.

If we're separating the domains then we can just use the gentoo one instead
of having to re-write. I can send it upstream if it's good.

Any comments on it?

>
> Index: refpolicy-2.20170917/policy/modules/contrib/mozilla.fc
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/contrib/mozilla.fc
> +++ refpolicy-2.20170917/policy/modules/contrib/mozilla.fc
> @@ -1,5 +1,8 @@
> HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> +HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> +HOME_DIR/\.config/google-chrome(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> +HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
> HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
> @@ -14,6 +17,7 @@ HOME_DIR/\.spicec(/.*)? gen_context(syst
> HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
> HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
>
> +/usr/bin/chromium -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> /usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> /usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
> /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
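Review bot: The three new HOME_DIR patterns label `~/.config/chromium`, `~/.config/google-chrome` and `~/.cache/chromium` as mozilla_home_t, but no `.cache` entry is added for google-chrome, so the Chrome build gets a config label and no cache label while Chromium gets both. If Chrome keeps its cache under `~/.cache/google-chrome` on the target systems, that tree stays at the generic user home label and none of the mozilla_home_t rules in mozilla.te apply to it; add `HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)` beside the chromium line, or state in the commit message why it is left out. No matching filetrans for these new subdirectories appears in the mozilla.te hunks either, so a freshly created profile or cache directory would presumably only pick up this label after a relabel — worth confirming against the rest of the .te.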
> @@ -39,3 +43,10 @@ HOME_DIR/zimbrauserdata(/.*)? gen_contex
> /usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
> /usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
> /usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
> +/usr/lib/chromium/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
> +/usr/lib/chromium/chromium -- gen_context(system_u:object_r:chrome_browser_exec_t,s0)
> +/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
> +/opt/google/chrome/chrome -- gen_context(system_u:object_r:chrome_browser_exec_t,s0)
> +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:chrome_browser_exec_t,s0)
> +/opt/google/chrome/nacl_helper -- gen_context(system_u:object_r:chrome_browser_exec_t,s0)
> +
> Index: refpolicy-2.20170917/policy/modules/contrib/mozilla.if
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/contrib/mozilla.if
> +++ refpolicy-2.20170917/policy/modules/contrib/mozilla.if
> @@ -14,12 +14,18 @@
> ## User domain for the role.
> ##
> ##
> +##
> +##
> +## Type of the user tty
> +##
> +##
> #
> interface(`mozilla_role',`
> gen_require(`
> type mozilla_t, mozilla_exec_t, mozilla_home_t;
> type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
> type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t;
> + type chrome_sandbox_t, chrome_browser_exec_t;
> attribute_role mozilla_roles;
> ')
>
> @@ -36,6 +42,7 @@ interface(`mozilla_role',`
> #
>
> domtrans_pattern($2, mozilla_exec_t, mozilla_t)
> + domtrans_pattern($2, chrome_browser_exec_t, mozilla_t)
>
> allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
> ps_process_pattern($2, mozilla_t)
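Review bot: The hunk ends with an added empty line (`+` with nothing after it) below the nacl_helper entry, which leaves mozilla.fc with a trailing blank line at EOF; drop it. The exec labels are also split inconsistently between this file's hunks: `/usr/bin/chromium` becomes mozilla_exec_t in the previous hunk, while `/usr/lib/chromium/chromium`, `/opt/google/chrome/chrome` and `google-chrome` become chrome_browser_exec_t here, even though all of them enter mozilla_t. As far as the mozilla.te hunks show, chrome_browser_exec_t exists so that chrome_sandbox_t can transition back into mozilla_t when it re-executes the browser (`domain_auto_transition_pattern(chrome_sandbox_t, chrome_browser_exec_t, mozilla_t)`), which only works if the re-executed binary carries that label; a one-line comment above these entries stating that purpose would explain why the wrapper at /usr/bin/chromium may keep the generic label.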
> @@ -45,6 +52,9 @@ interface(`mozilla_role',`
>
> allow $2 mozilla_t:fd use;
> allow $2 mozilla_t:shm rw_shm_perms;
> + allow chrome_sandbox_t $2:fd use;
> + allow chrome_sandbox_t $2:fifo_file write;
> + allow chrome_sandbox_t $3:chr_file { read write };
>
> stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
>
> @@ -288,10 +298,12 @@ interface(`mozilla_read_tmp_files',`
> interface(`mozilla_domtrans',`
> gen_require(`
> type mozilla_t, mozilla_exec_t;
> + type chrome_browser_exec_t;
> ')
>
> corecmd_search_bin($1)
> domtrans_pattern($1, mozilla_exec_t, mozilla_t)
> + domtrans_pattern($1, chrome_browser_exec_t, mozilla_t)
> ')
>
> ########################################
> Index: refpolicy-2.20170917/policy/modules/contrib/mozilla.te
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/contrib/mozilla.te
> +++ refpolicy-2.20170917/policy/modules/contrib/mozilla.te
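Review bot: `allow chrome_sandbox_t $3:chr_file { read write };` is the only use of the new third parameter, and it turns mozilla_role() into a three-argument interface, which is why every in-tree caller in xguest.te, staff.te, sysadm.te and unprivuser.te has to change in the same patch and why any out-of-tree caller of the two-argument form breaks at build time. Since every caller passes user_devpts_t, the same access can be granted once in mozilla.te with `userdom_use_user_terminals(chrome_sandbox_t)`, keeping the interface signature unchanged and the rule next to the rest of the chrome_sandbox_t policy. If the parameter is kept, the summary added in the earlier hunk should say it is the caller's pty type (user_devpts_t in all callers) and that only the sandbox helper uses it, presumably to write diagnostics to the terminal. The two `allow chrome_sandbox_t $2:...` rules also give a privileged helper access to the user domain's inherited fds and pipes; a why-comment naming what fails without them would help later reviewers.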
> @@ -47,6 +47,45 @@ userdom_user_tmp_file(mozilla_plugin_tmp
> type mozilla_plugin_tmpfs_t;
> userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
>
> +type chrome_sandbox_t;
> +type chrome_sandbox_exec_t;
> +type chrome_browser_exec_t;
> +application_domain(mozilla_t, chrome_browser_exec_t)
> +userdom_user_application_domain(mozilla_t, chrome_browser_exec_t )
> +role mozilla_plugin_roles types chrome_sandbox_t;
> +domain_auto_transition_pattern(chrome_sandbox_t, chrome_browser_exec_t, mozilla_t)
> +allow mozilla_t chrome_sandbox_t:process sigchld;
> +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
> +ubac_constrained(chrome_sandbox_t)
> +fs_getattr_xattr_fs(chrome_sandbox_t)
> +
> +allow chrome_sandbox_t mozilla_t:dir list_dir_perms;
> +allow chrome_sandbox_t mozilla_t:fifo_file rw_file_perms;
> +allow chrome_sandbox_t mozilla_t:file read_file_perms;
> +allow chrome_sandbox_t mozilla_t:lnk_file read_lnk_file_perms;
> +allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write };
> +allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write };
> +allow chrome_sandbox_t mozilla_t:fd use;
> +allow chrome_sandbox_t mozilla_t:file write;
> +allow chrome_sandbox_t proc_t:dir read;
> +allow chrome_sandbox_t self:process setrlimit;
> +type chrome_sandbox_tmp_t;
> +
> +# this is needed for Chrome (not Chromium) startup
> +allow chrome_sandbox_t mozilla_t:process { siginh rlimitinh noatsecure };
> +
> +files_tmp_file(chrome_sandbox_tmp_t)
> +ubac_constrained(chrome_sandbox_tmp_t)
> +files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { file dir })
> +allow chrome_sandbox_t chrome_sandbox_tmp_t:dir manage_dir_perms;
> +allow mozilla_t self:unix_dgram_socket sendto;
> +allow mozilla_t chrome_browser_exec_t:file execute_no_trans;
> +# for V8
> +allow mozilla_t self:process execmem;
> +
> +allow mozilla_t chrome_sandbox_t:shm { write unix_read getattr unix_write associate read };
> +allow mozilla_t chrome_sandbox_t:unix_dgram_socket { read write };
+
> optional_policy(`
> pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)
> ')
> @@ -76,8 +115,22 @@ optional_policy(`
> # Local policy
> #
>
> +dontaudit chrome_sandbox_t domain:dir getattr;
> +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
> +domain_auto_transition_pattern(mozilla_t, chrome_sandbox_exec_t, chrome_sandbox_t)
> +allow mozilla_t mozilla_home_t:sock_file manage_sock_file_perms;
> +allow chrome_sandbox_t self:fifo_file rw_file_perms;
> +allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write };
> +allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write };
> +allow chrome_sandbox_t self:capability { chown dac_override fsetid net_raw setgid setuid sys_admin sys_chroot sys_ptrace };
> +allow chrome_sandbox_t mozilla_t:process { share sigchld };
> +allow mozilla_t chrome_sandbox_t:fd use;
> +allow mozilla_t chrome_sandbox_t:unix_stream_socket { read write };
> +dev_read_sysfs(mozilla_t)
> +domain_dontaudit_search_all_domains_state(chrome_sandbox_t)
> +
> allow mozilla_t self:capability { setgid setuid sys_nice };
> -allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
> +allow mozilla_t self:process { sigkill signal setsched getsched setrlimit setcap };
> allow mozilla_t self:fifo_file rw_fifo_file_perms;
> allow mozilla_t self:shm create_shm_perms;
> allow mozilla_t self:sem create_sem_perms;
> @@ -90,6 +143,10 @@ allow mozilla_t mozilla_plugin_t:fd use;
> allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
> allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map };
> allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
> +
> +# for plugins
> +can_exec(mozilla_t, mozilla_home_t)
> +
> userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
> userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
> userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape")
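Review bot: `files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { file dir })` labels both files and directories the helper creates in /tmp as chrome_sandbox_tmp_t, but the only access granted on that type is `allow chrome_sandbox_t chrome_sandbox_tmp_t:dir manage_dir_perms;`, so a file created that way can afterwards be neither read nor removed by the helper; add `manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)` or restrict the filetrans to `dir`. `type chrome_sandbox_tmp_t;` is declared between allow rules, and `application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)` is repeated verbatim in the next hunk (@@ -76,8 +115,22); move the declaration up with the other `type` lines and keep a single application_domain call. `allow chrome_sandbox_t proc_t:dir read;` names the kernel module's type directly, which a contrib module must not do; use `kernel_list_proc(chrome_sandbox_t)`. `allow mozilla_t chrome_sandbox_t:shm { write unix_read getattr unix_write associate read };` spells out what the `rw_shm_perms` macro provides. The `{ siginh rlimitinh noatsecure }` rule on the transition from the setuid helper back into mozilla_t switches off the secure-exec environment cleansing and the signal/rlimit resets for that exec; the comment above it only says Chrome needs it, so state which of the three is actually required and why, since noatsecure is normally granted only to transitions from a trusted caller.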
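Review bot: `allow chrome_sandbox_t self:capability { chown dac_override fsetid net_raw setgid setuid sys_admin sys_chroot sys_ptrace };` is a broad set for a setuid-root helper whose job, as the rest of the hunk shows, is to set up the sandbox and re-execute the browser: setuid, setgid, sys_chroot and sys_admin are the ones a namespace/chroot sandbox plausibly needs, while chown, dac_override, fsetid, net_raw and sys_ptrace have no matching file, network or ptrace rule in this patch that would explain them. Each of those five should either get a why-comment or become a dontaudit if it only showed up in audit logs; dac_override and sys_ptrace in particular let the helper bypass file permissions and inspect other processes, which is exactly what the sandbox is meant to prevent. `dontaudit chrome_sandbox_t domain:dir getattr;` references the `domain` attribute directly, and if `domain_dontaudit_search_all_domains_state(chrome_sandbox_t)` a few lines below expands to search_dir_perms as in current refpolicy it already covers getattr, so the raw rule looks redundant as well as non-idiomatic. `allow chrome_sandbox_t mozilla_t:process { share sigchld };` deserves a comment too, since `share` is rarely needed and nothing here says which clone flags the helper uses.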
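Review bot: `can_exec(mozilla_t, mozilla_home_t)` lets the browser execute any file under its own writable profile and cache directories (everything labelled mozilla_home_t by the .fc hunks, including `~/.cache/chromium`), which removes the file-level write-xor-execute separation the policy otherwise keeps for content the browser writes itself. The comment says it is for plugins, but the existing `can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })` rule visible in a later hunk already covers the plugin directories via mozilla_plugin_home_t. If a specific file under the profile really must be executed, label that path mozilla_plugin_home_t in mozilla.fc instead, or at least gate this rule behind a tunable with a comment naming the file that needs it.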
> @@ -100,6 +157,7 @@ filetrans_pattern(mozilla_t, mozilla_hom
> manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> manage_lnk_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> +manage_sock_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
> allow mozilla_t mozilla_tmp_t:file map;
> files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
>
> @@ -107,7 +165,10 @@ manage_files_pattern(mozilla_t, mozilla_
> manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
> manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
> manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
> -fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
> +fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { dir file lnk_file sock_file fifo_file })
> +
> +# so mozilla can create /var/run/user/PID/pulse
> +auth_read_var_auth(mozilla_t)
>
> allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
> allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
> @@ -117,11 +178,16 @@ stream_connect_pattern(mozilla_t, mozill
>
> can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
>
> +allow mozilla_t self:netlink_kobject_uevent_socket create_socket_perms;
> +
> kernel_read_kernel_sysctls(mozilla_t)
> kernel_read_network_state(mozilla_t)
> kernel_read_system_state(mozilla_t)
> kernel_read_net_sysctls(mozilla_t)
>
> +# for overcommit_memory
> +kernel_read_vm_overcommit_sysctl(mozilla_t)
> +
> corecmd_list_bin(mozilla_t)
> corecmd_exec_shell(mozilla_t)
> corecmd_exec_bin(mozilla_t)
> @@ -166,6 +232,8 @@ dev_read_rand(mozilla_t)
> dev_read_urand(mozilla_t)
> dev_rw_dri(mozilla_t)
> dev_write_sound(mozilla_t)
> +dev_dontaudit_getattr_all_chr_files(mozilla_t)
> +dev_dontaudit_getattr_all_blk_files(mozilla_t)
>
> domain_dontaudit_read_all_domains_state(mozilla_t)
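Review bot: The comment `# so mozilla can create /var/run/user/PID/pulse` does not match the rule beneath it: `auth_read_var_auth(mozilla_t)` is, by its name, a read interface, and creating a directory also needs add_name/write on the parent. Either only search/read of that tree is actually required (then reword the comment, e.g. `# read /var/run/user/PID for the pulseaudio socket dir`), or the create really is needed and this interface will not be sufficient on its own — worth re-checking the AVC that motivated it. The same hunk also adds `dir` to `fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, ...)` while the visible context only shows file, lnk_file, fifo_file and sock_file manage patterns for mozilla_tmpfs_t; if a `manage_dirs_pattern` for that type is not already present above the hunk, directories created through this transition will not be manageable.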
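Review bot: `allow mozilla_t self:netlink_kobject_uevent_socket create_socket_perms;` in the @@ -117,11 hunk is added without a comment, while the neighbouring `kernel_read_vm_overcommit_sysctl(mozilla_t)` gets one; a uevent socket lets the browser receive kernel device hotplug notifications, which is not an obvious browser need, so name the feature that wants it, e.g. `# uevent netlink socket: device hotplug notifications (TODO: name the feature that needs this)`. If only one of the browsers sharing mozilla_t needs it, the rule is a candidate for a tunable rather than an unconditional grant.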
>
> @@ -207,6 +275,7 @@ mozilla_run_plugin(mozilla_t, mozilla_ro
> mozilla_run_plugin_config(mozilla_t, mozilla_roles)
>
> xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
> +corenet_tcp_connect_xserver_port(mozilla_t)
> xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
> xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
>
> Index: refpolicy-2.20170917/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20170917/policy/modules/kernel/corecommands.fc
> @@ -120,6 +120,7 @@ ifdef(`distro_debian',`
> /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
>
> /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
> +/opt/google/chrome/cron/google-chrome -- gen_context(system_u:object_r:bin_t,s0)
>
> /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
>
> Index: refpolicy-2.20170917/policy/modules/contrib/xguest.te
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/contrib/xguest.te
> +++ refpolicy-2.20170917/policy/modules/contrib/xguest.te
> @@ -103,7 +103,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - mozilla_role(xguest_r, xguest_t)
> + mozilla_role(xguest_r, xguest_t, user_devpts_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170917/policy/modules/roles/staff.te
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/roles/staff.te
> +++ refpolicy-2.20170917/policy/modules/roles/staff.te
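Review bot: `corenet_tcp_connect_xserver_port(mozilla_t)` in the @@ -207,6 hunk permits TCP connections to the X server port from the browser domain, whereas `xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)` directly above already provides the local socket access a display connection normally uses. X over TCP is rarely enabled and the rule widens the browser's network reach to that port on any reachable host, so it should carry a comment saying which setup needs it (a forwarded or remote DISPLAY, presumably) and sit inside a `tunable_policy` block rather than being unconditional.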
> @@ -142,7 +142,7 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> - mozilla_role(staff_r, staff_t)
> + mozilla_role(staff_r, staff_t, user_devpts_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170917/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20170917/policy/modules/roles/sysadm.te
> @@ -648,7 +648,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - mozilla_role(sysadm_r, sysadm_t)
> + mozilla_role(sysadm_r, sysadm_t, user_devpts_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170917/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20170917.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20170917/policy/modules/roles/unprivuser.te
> @@ -114,7 +114,7 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> - mozilla_role(user_r, user_t)
> + mozilla_role(user_r, user_t, user_devpts_t)
> ')
>
> optional_policy(`
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy