From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id B848A1381F3 for ; Thu, 11 Apr 2013 20:07:06 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 182BEE0ACF; Thu, 11 Apr 2013 20:07:05 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 8DDB9E0ACF for ; Thu, 11 Apr 2013 20:07:04 +0000 (UTC)
Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 3519133DB59 for ; Thu, 11 Apr 2013 20:07:03 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id C3187E4073 for ; Thu, 11 Apr 2013 20:07:01 +0000 (UTC)
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1365710737.750d02b5572ce4405d925763debb81bc4d09bf1f.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/chromium.fc policy/modules/contrib/chromium.if policy/modules/contrib/chromium.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 750d02b5572ce4405d925763debb81bc4d09bf1f
X-VCS-Branch: master
Date: Thu, 11 Apr 2013 20:07:01 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: f913cee6-d6f3-479f-bccf-d823a63c0269
X-Archives-Hash: 913146035a6477148279e7c498b78a56
commit: 750d02b5572ce4405d925763debb81bc4d09bf1f
Author: Sven Vermeulen siphos be>
AuthorDate: Thu Apr 11 20:05:37 2013 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Thu Apr 11 20:05:37 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=750d02b5
Fix bug 465574 Support non-SELinux enabled chromium To support the non-SELinux enabled chromium, we introduce two additional domains: chromium_sandbox_t and chromium_naclhelper_t. The chromium_sandbox_t process has the highest privileges SELinux-wise (lots of capabilities).
---
 policy/modules/contrib/chromium.fc | 7 +---
 policy/modules/contrib/chromium.if | 9 +++++
 policy/modules/contrib/chromium.te | 64 +++++++++++++++++++++++++++++++++++-
 3 files changed, 74 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/chromium.fc b/policy/modules/contrib/chromium.fc
index 2302c85..17bbafb 100644
--- a/policy/modules/contrib/chromium.fc
+++ b/policy/modules/contrib/chromium.fc
@@ -1,9 +1,6 @@
 /usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
-
-# Although this should be in the core definitions, it makes more sense to
-# logically keep it close to the module(s) that use it.
-
-/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/chromium-browser/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
 
 HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
 HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_config_t,s0)
diff --git a/policy/modules/contrib/chromium.if b/policy/modules/contrib/chromium.if
index 5e158e7..3f9301b 100644
--- a/policy/modules/contrib/chromium.if
+++ b/policy/modules/contrib/chromium.if
@@ -21,11 +21,15 @@ interface(`chromium_role',`
 	gen_require(`
 		type chromium_t;
 		type chromium_renderer_t;
+		type chromium_sandbox_t;
+		type chromium_naclhelper_t;
 		type chromium_exec_t;
 	')
 
 	role $1 types chromium_t;
 	role $1 types chromium_renderer_t;
+	role $1 types chromium_sandbox_t;
+	role $1 types chromium_naclhelper_t;
 
 	# Transition from the user domain to the derived domain
 	chromium_domtrans($2)
@@ -33,8 +37,13 @@ interface(`chromium_role',`
 	# Allow ps to show chromium processes and allow the user to signal it
 	ps_process_pattern($2, chromium_t)
 	ps_process_pattern($2, chromium_renderer_t)
+
 	allow $2 chromium_t:process signal_perms;
 	allow $2 chromium_renderer_t:process signal_perms;
+	allow $2 chromium_naclhelper_t:process signal_perms;
+
+	allow chromium_sandbox_t $2:fd use;
+	allow chromium_naclhelper_t $2:fd use;
 ')
 #######################################
 ##
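Review bot: The comment `# Allow ps to show chromium processes and allow the user to signal it` stops matching the rules beneath it once the new domains are added: `chromium_naclhelper_t` gets `signal_perms` but no `ps_process_pattern`, and `chromium_sandbox_t` gets neither, so the role's user domain can list and kill a browser or renderer process but not a sandbox or nacl helper that hangs. If that asymmetry is deliberate (the sandbox holds capabilities the user should not be able to interfere with) the comment should say so; otherwise add `ps_process_pattern($2, chromium_sandbox_t)`, `ps_process_pattern($2, chromium_naclhelper_t)` and `allow $2 chromium_sandbox_t:process signal_perms;` next to the existing lines. The new `allow chromium_sandbox_t $2:fd use;` / `allow chromium_naclhelper_t $2:fd use;` rules also want a one-line why-comment — presumably fds (terminal, pipes) inherited across the user -> chromium_t -> helper transitions — confirmed against the denials behind bug 465574 rather than guessed.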
@@ -36,6 +36,14 @@ domain_dyntrans_type(chromium_t)
 type chromium_exec_t;
 application_domain(chromium_t, chromium_exec_t)
 
+type chromium_naclhelper_t;
+type chromium_naclhelper_exec_t;
+application_domain(chromium_naclhelper_t, chromium_naclhelper_exec_t)
+
+type chromium_sandbox_t;
+type chromium_sandbox_exec_t;
+application_domain(chromium_sandbox_t, chromium_sandbox_exec_t)
+
 type chromium_renderer_t;
 domain_base_type(chromium_renderer_t)
 
@@ -58,12 +66,13 @@ xdg_cache_home_content(chromium_xdg_cache_t)
 # chromium local policy
 #
 
-allow chromium_t self:process { getsched setsched signal };
+allow chromium_t self:process { getsched setrlimit setsched signal };
 allow chromium_t self:fifo_file rw_fifo_file_perms;;
 allow chromium_t self:sem create_sem_perms;
 allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
 
 allow chromium_t chromium_exec_t:file execute_no_trans;
+
 allow chromium_t chromium_renderer_t:dir list_dir_perms;
 allow chromium_t chromium_renderer_t:file rw_file_perms;
 allow chromium_t chromium_renderer_t:fd use;
@@ -72,6 +81,11 @@ allow chromium_t chromium_renderer_t:shm rw_shm_perms;
 allow chromium_t chromium_renderer_t:unix_dgram_socket { read write };
 allow chromium_t chromium_renderer_t:unix_stream_socket { read write };
 
+allow chromium_t chromium_sandbox_t:unix_dgram_socket { read write };
+allow chromium_t chromium_sandbox_t:unix_stream_socket { read write };
+
+allow chromium_t chromium_naclhelper_t:process { share };
+
 allow chromium_t self:process execmem;
 # Load in plugins
 # tmp has a wide class access (used for plugins)
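Review bot: `allow chromium_t chromium_naclhelper_t:process { share };` braces a single permission while the same hunk writes `allow chromium_t self:process execmem;` bare; the last hunk of chromium.te repeats the pattern in `allow chromium_sandbox_t self:process { setrlimit };` and `allow chromium_sandbox_t chromium_t:process { share };`. Drop the braces so the three lines match the surrounding file. `process share` is also worth a why-comment because it is rarely needed: it is the check applied when a process that still shares state with other threads execs into a new domain, which would fit a multithreaded browser spawning the helper, but that is an inference — add something like `# browser threads still share state with the helper across the exec (process:share)` only once the AVC denial confirms it.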
@@ -96,12 +110,16 @@ manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
 xdg_cache_home_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")
 
 dyntrans_pattern(chromium_t, chromium_renderer_t)
+domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
+domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
 
 corecmd_exec_bin(chromium_t)
 
 corenet_tcp_connect_all_unreserved_ports(chromium_t)
 corenet_tcp_connect_ftp_port(chromium_t)
 corenet_tcp_connect_http_port(chromium_t)
+corenet_udp_bind_generic_node(chromium_t)
+corenet_udp_bind_all_unreserved_ports(chromium_t)
 
 dev_read_sound(chromium_t)
 dev_write_sound(chromium_t)
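Review bot: `corenet_udp_bind_all_unreserved_ports(chromium_t)` together with `corenet_udp_bind_generic_node(chromium_t)` lets the browser bind a UDP socket on any port above 1024, and unlike the outbound `corenet_tcp_connect_*` lines directly above it the hunk gives no hint which feature needs an inbound-capable socket, so the rule cannot be narrowed or revisited later. Add a comment naming the feature, e.g. `# <feature> needs to bind UDP sockets on ephemeral ports (bug 465574)` with the placeholder filled in from the denial. If the denial shows a fixed port rather than an ephemeral one, the matching per-port corenet bind interface is the better fit than the all-unreserved-ports rule.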
@@ -240,3 +258,47 @@ tunable_policy(`chromium_read_system_info',`
 	kernel_dontaudit_read_kernel_sysctls(chromium_renderer_t)
 	kernel_dontaudit_read_system_state(chromium_renderer_t)
 ')
+
+#########################################
+#
+# Chromium sandbox local policy
+#
+
+allow chromium_sandbox_t self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace };
+allow chromium_sandbox_t self:process { setrlimit };
+allow chromium_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+
+allow chromium_sandbox_t chromium_t:process { share };
+# /proc access
+allow chromium_sandbox_t chromium_t:dir list_dir_perms;
+allow chromium_sandbox_t chromium_t:lnk_file read_lnk_file_perms;
+allow chromium_sandbox_t chromium_t:file rw_file_perms;
+
+allow chromium_sandbox_t chromium_t:unix_stream_socket { read write };
+allow chromium_sandbox_t chromium_t:unix_dgram_socket { read write };
+
+domain_dontaudit_read_all_domains_state(chromium_sandbox_t)
+
+userdom_use_user_ptys(chromium_sandbox_t)
+
+chromium_domtrans(chromium_sandbox_t)
+
+##########################################
+#
+# Chromium nacl helper local policy
+#
+
+allow chromium_naclhelper_t chromium_t:unix_stream_socket { read write };
+
+domain_mmap_low_uncond(chromium_naclhelper_t)
+
+userdom_use_user_ptys(chromium_naclhelper_t)
+
+tunable_policy(`chromium_read_system_info',`
+	kernel_read_kernel_sysctls(chromium_naclhelper_t)
+	kernel_read_system_state(chromium_naclhelper_t)
+',`
+	kernel_dontaudit_read_kernel_sysctls(chromium_naclhelper_t)
+	kernel_dontaudit_read_system_state(chromium_naclhelper_t)
+')
+
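Review bot: `allow chromium_sandbox_t self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace };` grants the widest capability set in the module (the commit message says as much) with no record of which sandbox step needs which bit, so nobody can later tell whether `sys_ptrace` or `dac_read_search` is still required when Chromium changes. Put a short comment above the line mapping capabilities to operations — presumably `sys_chroot`/`sys_admin` for the chroot and namespace setup, `setuid`/`setgid` for the privilege drop, `sys_ptrace`/`dac_read_search` for reading the child's /proc — with each pairing confirmed from the denials behind bug 465574 rather than guessed. `domain_mmap_low_uncond(chromium_naclhelper_t)` bypasses the `mmap_low_allowed` boolean that the conditional `domain_mmap_low` interface honours; if that is intended, say so in place: `# NaCl needs the zero page mapped; deliberately unconditional, mmap_low_allowed does not gate it`. Finally the `# /proc access` comment sits directly under `allow chromium_sandbox_t chromium_t:process { share };`, which it does not describe — a blank line between the `share` rule and the comment keeps it attached to the `dir`/`lnk_file`/`file` rules it introduces.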