From 4d7eb76fb9b153fb0e9e079f34bbf9b344310f1b Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 8 Aug 2021 11:37:02 -0400 Subject: [PATCH] chromium, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge --- policy/modules/apps/chromium.if | 63 ++++++++++++++++++------------ policy/modules/roles/staff.te | 2 +- policy/modules/roles/sysadm.te | 2 +- policy/modules/roles/unprivuser.te | 2 +- 4 files changed, 42 insertions(+), 27 deletions(-)
diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if
index ec5ffb909..216642abd 100644
--- a/policy/modules/apps/chromium.if
+++ b/policy/modules/apps/chromium.if
@@ -4,18 +4,29 @@
 ##
 ## Role access for chromium
 ##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+##
+## User domain for the role.
+##
+##
+##
+##
+## User exec domain for execute and transition access.
+##
+##
 ##
 ##
 ## Role allowed access
 ##
 ##
-##
-##
-## User domain for the role
-##
-##
 #
-interface(`chromium_role',`
+template(`chromium_role',`
 gen_require(`
 type chromium_t;
 type chromium_renderer_t;
@@ -24,34 +35,38 @@ interface(`chromium_role',`
 class dbus send_msg;
 ')
- role $1 types chromium_t;
- role $1 types chromium_renderer_t;
- role $1 types chromium_sandbox_t;
- role $1 types chromium_naclhelper_t;
+ role $4 types chromium_t;
+ role $4 types chromium_renderer_t;
+ role $4 types chromium_sandbox_t;
+ role $4 types chromium_naclhelper_t;
 # Transition from the user domain to the derived domain
- chromium_domtrans($2)
+ chromium_domtrans($3)
 # Allow ps to show chromium processes and allow the user to signal it
- ps_process_pattern($2, chromium_t)
- ps_process_pattern($2, chromium_renderer_t)
+ ps_process_pattern($3, chromium_t)
+ ps_process_pattern($3, chromium_renderer_t)
- allow $2 chromium_t:process signal_perms;
- allow $2 chromium_renderer_t:process signal_perms;
- allow $2 chromium_sandbox_t:process signal_perms;
- allow $2 chromium_naclhelper_t:process signal_perms;
- allow chromium_t $2:process { signull signal };
+ allow $3 chromium_t:process signal_perms;
+ allow $3 chromium_renderer_t:process signal_perms;
+ allow $3 chromium_sandbox_t:process signal_perms;
+ allow $3 chromium_naclhelper_t:process signal_perms;
+ allow chromium_t $3:process { signull signal };
- allow $2 chromium_t:unix_stream_socket connectto;
+ allow $3 chromium_t:unix_stream_socket connectto;
 # for /tmp/.ICE-unix/* sockets
- allow chromium_t $2:unix_stream_socket connectto;
+ allow chromium_t $3:unix_stream_socket connectto;
- allow chromium_sandbox_t $2:fd use;
- allow chromium_naclhelper_t $2:fd use;
+ allow chromium_sandbox_t $3:fd use;
+ allow chromium_naclhelper_t $3:fd use;
- allow $2 chromium_t:dbus send_msg;
- allow chromium_t $2:dbus send_msg;
+ allow $3 chromium_t:dbus send_msg;
+ allow chromium_t $3:dbus send_msg;
+
+ optional_policy(`
+ systemd_user_app_status($1, chromium_t)
+ ')
 ')
 #######################################
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 50536cb6d..fb513ee5f 100644
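Review bot: The rules with chromium_t as the source and `$3` as the target (`allow chromium_t $3:process { signull signal };`, `allow chromium_t $3:unix_stream_socket connectto;`, `allow chromium_t $3:dbus send_msg;`) now apply to every member of the exec domain attribute instead of the single user domain. The attribute's membership is defined outside this diff, so if it holds more than the user's own domain, the browser gains signal, socket-connect and D-Bus reach into each of those domains. Consider keeping the browser-to-user direction on `$2`, e.g. `allow chromium_t $2:process { signull signal };`, and moving only the execute/transition side (`chromium_domtrans($3)` and the `fd use` rules) to the attribute. `$2` is still documented as the user domain but is not referenced in any line visible in these two hunks (two lines of the template fall between them), so either use it as above or add a comment such as `# $2 is unused; kept for a uniform role template signature`.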
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -91,7 +91,7 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- chromium_role(staff_r, staff_t)
+ chromium_role(staff, staff_t, staff_application_exec_domain, staff_r)
 ')
 optional_policy(`
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7a263b57e..338bd8364 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1218,7 +1218,7 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- chromium_role(sysadm_r, sysadm_t)
+ chromium_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 ')
 optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 91fd76d50..0ec0eb7e6 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -55,7 +55,7 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- chromium_role(user_r, user_t)
+ chromium_role(user, user_t, user_application_exec_domain, user_r)
 ')
 optional_policy(`