From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1342946226.1d887ec84d39722f7ef8929bb2b3f925f5043f00.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/contrib/chromium/, ... X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/chromium.autogen policy/modules/contrib/chromium.fc policy/modules/contrib/chromium.if policy/modules/contrib/chromium.te policy/modules/contrib/chromium/chromium_domtrans.autogen.iface policy/modules/contrib/chromium/chromium_role.part policy/modules/contrib/chromium/chromium_run.autogen.iface policy/modules/roles/staff.te policy/modules/roles/unprivuser.te policy/modules/system/unconfined.te X-VCS-Directories: policy/modules/contrib/ policy/modules/contrib/chromium/ policy/modules/system/ policy/modules/roles/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 1d887ec84d39722f7ef8929bb2b3f925f5043f00 X-VCS-Branch: master Date: Mon, 23 Jul 2012 20:27:29 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: dad557ac-2baf-4dd4-9c1e-e8961bc23d7b X-Archives-Hash: 5e9764d49378d7bc398df9955c23d83d commit: 1d887ec84d39722f7ef8929bb2b3f925f5043f00 Author: Sven Vermeulen siphos be> AuthorDate: Sun Jul 22 08:37:06 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sun Jul 22 08:37:06 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1d887ec8 Adding in SELinux policy for chromium --- policy/modules/contrib/chromium.autogen | 9 ++ policy/modules/contrib/chromium.fc | 6 + policy/modules/contrib/chromium.if | 78 +++++++++++ policy/modules/contrib/chromium.te | 142 ++++++++++++++++++++ 
.../chromium/chromium_domtrans.autogen.iface | 19 +++ policy/modules/contrib/chromium/chromium_role.part | 32 +++++ .../contrib/chromium/chromium_run.autogen.iface | 23 +++ policy/modules/roles/staff.te | 4 + policy/modules/roles/unprivuser.te | 4 + policy/modules/system/unconfined.te | 4 + 10 files changed, 321 insertions(+), 0 deletions(-) diff --git a/policy/modules/contrib/chromium.autogen b/policy/modules/contrib/chromium.autogen new file mode 100644 index 0000000..aeac21e --- /dev/null +++ b/policy/modules/contrib/chromium.autogen @@ -0,0 +1,9 @@ +MODULE=chromium +SUBDOMAINS= +DESCRIPTION=Chromium browser + +chromium.DOMAIN=chromium_t +chromium.EXEC=chromium_exec_t + +chromium.GENTYPES= +chromium.METHODS=domtrans diff --git a/policy/modules/contrib/chromium.fc b/policy/modules/contrib/chromium.fc new file mode 100644 index 0000000..9ec35a2 --- /dev/null +++ b/policy/modules/contrib/chromium.fc @@ -0,0 +1,6 @@ +/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) + +# Although this should be in the core definitions, it makes more sense to +# logically keep it close to the module(s) that use it. + +/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/contrib/chromium.if b/policy/modules/contrib/chromium.if new file mode 100644 index 0000000..d082b5c --- /dev/null +++ b/policy/modules/contrib/chromium.if 
@@ -0,0 +1,78 @@ +## +## Chromium browser +## + +####################################### +## +## Role access for chromium +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`chromium_role',` + gen_require(` + type chromium_t; + type chromium_renderer_t; + type chromium_exec_t; + ') + + role $1 types chromium_t; + role $1 types chromium_renderer_t; + + # Transition from the user domain to the derived domain + chromium_domtrans($2) + + # Allow ps to show chromium processes and allow the user to signal it + ps_process_pattern($2, chromium_t) + allow $2 chromium_t:process signal_perms; +') +####################################### +## +## Execute a domain transition to the chromium domain (chromium_t) +## +## +## +## Domain allowed access +## +## +# +interface(`chromium_domtrans',` + gen_require(` + type chromium_t; + type chromium_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, chromium_exec_t, chromium_t) +') +####################################### +## +## Execute chromium in the chromium domain and allow the specified role to access the chromium domain +## +## +## +## Domain allowed access +## +## +## +## +## Role allowed access +## +## +# +interface(`chromium_run',` + gen_require(` + type chromium_t; + ') + + chromium_domtrans($1) + role $2 types chromium_t; +') diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te new file mode 100644 index 0000000..1e51d7d --- /dev/null +++ b/policy/modules/contrib/chromium.te 
@@ -0,0 +1,142 @@ +policy_module(chromium-browser, 1.0.0) + +######################################## +# +# Declarations +# + +type chromium_t; +domain_dyntrans_type(chromium_t); + +type chromium_exec_t; +application_domain(chromium_t, chromium_exec_t); + +type chromium_renderer_t; +domain_base_type(chromium_renderer_t); + +type chromium_tmp_t; +userdom_user_tmp_file(chromium_tmp_t); + +type chromium_tmpfs_t; +userdom_user_tmpfs_file(chromium_tmpfs_t); + +######################################## +# +# chromium local policy +# + +allow chromium_t self:fifo_file rw_fifo_file_perms;; +allow chromium_t self:process { getsched setsched signal }; + +allow chromium_t chromium_exec_t:file execute_no_trans; +allow chromium_t chromium_renderer_t:dir list_dir_perms; +allow chromium_t chromium_renderer_t:file read_file_perms; +allow chromium_t chromium_renderer_t:fd use; +allow chromium_t chromium_renderer_t:process signal_perms; +allow chromium_t chromium_renderer_t:shm rw_shm_perms; +allow chromium_t chromium_renderer_t:unix_dgram_socket { read write }; +allow chromium_t chromium_renderer_t:unix_stream_socket { read write }; + +dontaudit chromium_t self:process execmem; + +manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t); +manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t); +manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t); +manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t); +files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir }); + +manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t); +fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, notdevfile_class_set); +fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, notdevfile_class_set); + +dyntrans_pattern(chromium_t, chromium_renderer_t); + +kernel_read_kernel_sysctls(chromium_t); + +corecmd_exec_bin(chromium_t); +corecmd_exec_shell(chromium_t); + +corenet_tcp_connect_all_unreserved_ports(chromium_t); 
+corenet_tcp_connect_ftp_port(chromium_t); +corenet_tcp_connect_http_port(chromium_t); + +dev_read_sysfs(chromium_t); +dev_read_urand(chromium_t); + +files_list_home(chromium_t); +files_read_etc_files(chromium_t); +files_read_etc_runtime_files(chromium_t); +files_read_usr_files(chromium_t); + +fs_dontaudit_getattr_xattr_fs(chromium_t); + +miscfiles_read_localization(chromium_t); + +seutil_libselinux_linked(chromium_t); + +sysnet_dns_name_resolve(chromium_t); +sysnet_read_config(chromium_t); + +userdom_manage_user_home_content_dirs(chromium_t); +userdom_manage_user_home_content_files(chromium_t); +userdom_use_user_ptys(chromium_t); + +xdg_manage_generic_cache_home_content(chromium_t); +xdg_manage_generic_config_home_content(chromium_t); +xdg_manage_generic_data_home_content(chromium_t); + +xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t); +xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t); + +optional_policy(` + cups_read_config(chromium_t); + cups_stream_connect(chromium_t); +') + +optional_policy(` + dbus_session_bus_client(chromium_t); + dbus_system_bus_client(chromium_t); + + optional_policy(` + unconfined_dbus_chat(chromium_t); + ') +') + + +######################################## +# +# chromium_renderer local policy +# + +allow chromium_renderer_t self:process execmem; + +allow chromium_renderer_t self:fifo_file rw_fifo_file_perms; +allow chromium_renderer_t self:shm create_shm_perms; +allow chromium_renderer_t self:unix_dgram_socket { create read sendto }; +allow chromium_renderer_t self:unix_stream_socket { create getattr read write }; + +allow chromium_renderer_t chromium_t:fd use; +allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms; +allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms; + +dontaudit chromium_renderer_t chromium_t:dir search; +dontaudit chromium_renderer_t self:process getsched; + +kernel_dontaudit_read_system_state(chromium_renderer_t); 
+kernel_dontaudit_search_sysctl(chromium_renderer_t); + +dev_read_urand(chromium_renderer_t); + +files_list_tmp(chromium_renderer_t); + +files_dontaudit_read_all_symlinks(chromium_renderer_t); +files_dontaudit_search_var(chromium_renderer_t); + +init_sigchld(chromium_renderer_t); + +miscfiles_read_fonts(chromium_renderer_t); +miscfiles_read_localization(chromium_renderer_t); + +userdom_dontaudit_use_user_ptys(chromium_renderer_t); + +xdg_read_generic_config_home_files(chromium_renderer_t); diff --git a/policy/modules/contrib/chromium/chromium_domtrans.autogen.iface b/policy/modules/contrib/chromium/chromium_domtrans.autogen.iface new file mode 100644 index 0000000..8652e30 --- /dev/null +++ b/policy/modules/contrib/chromium/chromium_domtrans.autogen.iface @@ -0,0 +1,19 @@ +####################################### +## +## Execute a domain transition to the chromium domain (chromium_t) +## +## +## +## Domain allowed access +## +## +# +interface(`chromium_domtrans',` + gen_require(` + type chromium_t; + type chromium_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, chromium_exec_t, chromium_t) +') diff --git a/policy/modules/contrib/chromium/chromium_role.part b/policy/modules/contrib/chromium/chromium_role.part new file mode 100644 index 0000000..8d679f1 --- /dev/null +++ b/policy/modules/contrib/chromium/chromium_role.part @@ -0,0 +1,32 @@ +####################################### +## +## Role access for chromium +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`chromium_role',` + gen_require(` + type chromium_t; + type chromium_renderer_t; + type chromium_exec_t; + ') + + role $1 types chromium_t; + role $1 types chromium_renderer_t; + + # Transition from the user domain to the derived domain + chromium_domtrans($2) + + # Allow ps to show chromium processes and allow the user to signal it + ps_process_pattern($2, chromium_t) + allow $2 chromium_t:process signal_perms; +') 
diff --git a/policy/modules/contrib/chromium/chromium_run.autogen.iface b/policy/modules/contrib/chromium/chromium_run.autogen.iface new file mode 100644 index 0000000..c737b3f --- /dev/null +++ b/policy/modules/contrib/chromium/chromium_run.autogen.iface @@ -0,0 +1,23 @@ +####################################### +## +## Execute chromium in the chromium domain and allow the specified role to access the chromium domain +## +## +## +## Domain allowed access +## +## +## +## +## Role allowed access +## +## +# +interface(`chromium_run',` + gen_require(` + type chromium_t; + ') + + chromium_domtrans($1) + role $2 types chromium_t; +') diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index b625c18..25807b6 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -23,6 +23,10 @@ optional_policy(` ') optional_policy(` + chromium_role(staff_r, staff_t) +') + +optional_policy(` dbadm_role_change(staff_r) ') diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index 59428ec..8029449 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -17,6 +17,10 @@ optional_policy(` ') optional_policy(` + chromium_role(user_r, user_t) +') + +optional_policy(` git_role(user_r, user_t) ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 70ac50b..1167b73 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -72,6 +72,10 @@ optional_policy(` ') optional_policy(` + chromium_role(unconfined_r, unconfined_t) +') + +optional_policy(` cron_unconfined_role(unconfined_r, unconfined_t) ')
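Review bot: chromium_run in chromium.if authorises the role only for chromium_t (`role $2 types chromium_t;`), while chromium_role authorises both chromium_t and chromium_renderer_t; because chromium_t switches into chromium_renderer_t via dyntrans_pattern, a role that was only granted access through chromium_run is not authorised for the renderer type and that dynamic transition yields an invalid context and fails. Add `role $2 types chromium_renderer_t;` (and chromium_renderer_t to the gen_require) to chromium_run, and since chromium.if is generated from chromium/chromium_run.autogen.iface, which carries the same body, make the change in that source as well.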
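Review bot: `allow chromium_t self:fifo_file rw_fifo_file_perms;;` in chromium.te has a stray second semicolon; the policy compiler has no empty statement, so drop it before this is built. Two smaller points in the same hunk: the module is declared as `policy_module(chromium-browser, 1.0.0)` although the file is chromium.te and chromium.autogen says `MODULE=chromium`, so the name should be `chromium` to match the module it produces; and `fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, notdevfile_class_set);` sits in the chromium_t section while the renderer section only grants `rw_file_perms` on chromium_tmpfs_t, which does not include create, so move the line under the chromium_renderer local policy and either grant manage permissions there or confirm that xserver_user_x_domain_template already covers the tmpfs create. Finally, userdom_manage_user_home_content_dirs/files hands the browser domain write access to everything under the user's home; if the intent is downloads and profile data only, consider narrowing that, given that the xdg_* interfaces already cover the profile directories.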
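Review bot: chromium_role in chromium/chromium_role.part (and its copy in chromium.if) lists `type chromium_exec_t;` in gen_require, but the body never references it; drop it from the require block, since it only adds a needless requirement on every module that calls the interface.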