## Chromium browser ####################################### ## ## Role access for chromium ## ## ## ## Role allowed access ## ## ## ## ## User domain for the role ## ## # interface(`chromium_role',` gen_require(` type chromium_t; type chromium_renderer_t; type chromium_sandbox_t; type chromium_naclhelper_t; class dbus send_msg; ') role $1 types chromium_t; role $1 types chromium_renderer_t; role $1 types chromium_sandbox_t; role $1 types chromium_naclhelper_t; # Transition from the user domain to the derived domain chromium_domtrans($2) # Allow ps to show chromium processes and allow the user to signal it ps_process_pattern($2, chromium_t) ps_process_pattern($2, chromium_renderer_t) allow $2 chromium_t:process signal_perms; allow $2 chromium_renderer_t:process signal_perms; allow $2 chromium_sandbox_t:process signal_perms; allow $2 chromium_naclhelper_t:process signal_perms; allow chromium_t $2:process { signull signal }; allow $2 chromium_t:unix_stream_socket connectto; # for /tmp/.ICE-unix/* sockets allow chromium_t $2:unix_stream_socket connectto; allow chromium_sandbox_t $2:fd use; allow chromium_naclhelper_t $2:fd use; allow $2 chromium_t:dbus send_msg; allow chromium_t $2:dbus send_msg; ') ####################################### ## ## Read-write access to Chromiums' temporary fifo files ## ## ## ## Domain allowed access ## ## # interface(`chromium_rw_tmp_pipes',` gen_require(` type chromium_tmp_t; ') rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t) ') ############################################## ## ## Automatically use the specified type for resources created in chromium's ## temporary locations ## ## ## ## Domain that creates the resource(s) ## ## ## ## ## Private file type. ## ## ## ## ## Type of the resource created ## ## ## ## ## The name of the resource being created ## ## # interface(`chromium_tmp_filetrans',` gen_require(` type chromium_tmp_t; ') search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t) filetrans_pattern($1, chromium_tmp_t, $2, $3, $4) ') ####################################### ## ## Execute a domain transition to the chromium domain (chromium_t) ## ## ## ## Domain allowed access ## ## # interface(`chromium_domtrans',` gen_require(` type chromium_t; type chromium_exec_t; class dbus send_msg; ') corecmd_search_bin($1) domtrans_pattern($1, chromium_exec_t, chromium_t) ') ####################################### ## ## Execute chromium in the chromium domain and allow the specified role to access the chromium domain ## ## ## ## Domain allowed access ## ## ## ## ## Role allowed access ## ## # interface(`chromium_run',` gen_require(` type chromium_t; ') chromium_domtrans($1) role $2 types chromium_t; ')