393 lines
12 KiB
Plaintext
393 lines
12 KiB
Plaintext
policy_module(chromium, 1.3.2)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow chromium to access direct rendering interface
|
|
## </p>
|
|
## <p>
|
|
## Needed for good performance on complex sites
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(chromium_dri, true)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow chromium to read system information
|
|
## </p>
|
|
## <p>
|
|
## Although not needed for regular browsing, this will allow chromium to update
|
|
## its own memory consumption based on system state, support additional
|
|
## debugging, detect specific devices, etc.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(chromium_read_system_info, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow chromium to bind to tcp ports
|
|
## </p>
|
|
## <p>
|
|
## Although not needed for regular browsing, some chrome extensions need to
|
|
## bind to tcp ports and accept connections.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(chromium_bind_tcp_unreserved_ports, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow chromium to read/write USB devices
|
|
## </p>
|
|
## <p>
|
|
## Although not needed for regular browsing, used for debugging over usb
|
|
## or using FIDO U2F tokens.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(chromium_rw_usb_dev, false)
|
|
|
|
type chromium_t;
|
|
domain_dyntrans_type(chromium_t)
|
|
|
|
type chromium_exec_t;
|
|
application_domain(chromium_t, chromium_exec_t)
|
|
|
|
type chromium_naclhelper_t;
|
|
type chromium_naclhelper_exec_t;
|
|
application_domain(chromium_naclhelper_t, chromium_naclhelper_exec_t)
|
|
|
|
type chromium_sandbox_t;
|
|
type chromium_sandbox_exec_t;
|
|
application_domain(chromium_sandbox_t, chromium_sandbox_exec_t)
|
|
|
|
type chromium_renderer_t;
|
|
domain_base_type(chromium_renderer_t)
|
|
|
|
type chromium_tmp_t;
|
|
userdom_user_tmp_file(chromium_tmp_t)
|
|
|
|
type chromium_tmpfs_t;
|
|
userdom_user_tmpfs_file(chromium_tmpfs_t)
|
|
optional_policy(`
|
|
pulseaudio_tmpfs_content(chromium_tmpfs_t)
|
|
pulseaudio_rw_tmpfs_files(chromium_t)
|
|
pulseaudio_stream_connect(chromium_t)
|
|
pulseaudio_use_fds(chromium_t)
|
|
')
|
|
|
|
type chromium_xdg_config_t;
|
|
xdg_config_content(chromium_xdg_config_t)
|
|
|
|
type chromium_xdg_cache_t;
|
|
xdg_cache_content(chromium_xdg_cache_t)
|
|
|
|
########################################
|
|
#
|
|
# chromium local policy
|
|
#
|
|
|
|
# execmem for load in plugins
|
|
allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
|
|
allow chromium_t self:fifo_file rw_fifo_file_perms;
|
|
allow chromium_t self:sem create_sem_perms;
|
|
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
|
|
# cap_userns sys_admin for the sandbox
|
|
allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace };
|
|
|
|
allow chromium_t chromium_exec_t:file execute_no_trans;
|
|
|
|
allow chromium_t chromium_renderer_t:dir list_dir_perms;
|
|
allow chromium_t chromium_renderer_t:file rw_file_perms;
|
|
allow chromium_t chromium_renderer_t:fd use;
|
|
allow chromium_t chromium_renderer_t:process signal_perms;
|
|
allow chromium_t chromium_renderer_t:shm rw_shm_perms;
|
|
allow chromium_t chromium_renderer_t:unix_dgram_socket { read write };
|
|
allow chromium_t chromium_renderer_t:unix_stream_socket { read write };
|
|
|
|
allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write };
|
|
allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write };
|
|
allow chromium_t chromium_sandbox_t:file read_file_perms;
|
|
|
|
allow chromium_t chromium_naclhelper_t:process { share };
|
|
|
|
# tmp has a wide class access (used for plugins)
|
|
manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
|
|
allow chromium_t chromium_tmp_t:file map;
|
|
manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
|
|
manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
|
|
manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
|
|
manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
|
|
files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
|
|
# for /run/user/$UID
|
|
userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file })
|
|
|
|
manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
|
|
allow chromium_t chromium_tmpfs_t:file map;
|
|
fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
|
|
fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)
|
|
|
|
manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
|
|
allow chromium_t chromium_xdg_config_t:file map;
|
|
manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
|
|
manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
|
|
xdg_config_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")
|
|
|
|
manage_files_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
|
|
allow chromium_t chromium_xdg_cache_t:file map;
|
|
manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
|
|
xdg_cache_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")
|
|
|
|
dyntrans_pattern(chromium_t, chromium_renderer_t)
|
|
domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
|
|
domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
|
|
|
|
kernel_list_proc(chromium_t)
|
|
kernel_read_fs_sysctls(chromium_t)
|
|
kernel_read_kernel_sysctls(chromium_t)
|
|
kernel_read_net_sysctls(chromium_t)
|
|
|
|
corecmd_exec_bin(chromium_t)
|
|
# Look for /etc/gentoo-release through a shell invocation running find
|
|
corecmd_exec_shell(chromium_t)
|
|
|
|
corenet_tcp_connect_all_unreserved_ports(chromium_t)
|
|
corenet_tcp_connect_ftp_port(chromium_t)
|
|
corenet_tcp_connect_http_port(chromium_t)
|
|
corenet_udp_bind_generic_node(chromium_t)
|
|
corenet_udp_bind_all_unreserved_ports(chromium_t)
|
|
|
|
dev_read_sound(chromium_t)
|
|
dev_write_sound(chromium_t)
|
|
dev_read_urand(chromium_t)
|
|
dev_read_rand(chromium_t)
|
|
dev_rw_xserver_misc(chromium_t)
|
|
dev_map_xserver_misc(chromium_t)
|
|
|
|
domain_dontaudit_search_all_domains_state(chromium_t)
|
|
domain_use_interactive_fds(chromium_t)
|
|
|
|
files_list_home(chromium_t)
|
|
files_search_home(chromium_t)
|
|
files_read_usr_files(chromium_t)
|
|
files_map_usr_files(chromium_t)
|
|
files_read_etc_files(chromium_t)
|
|
files_watch_etc_dirs(chromium_t)
|
|
# During find for /etc/whatever-release we get lots of output otherwise
|
|
files_dontaudit_getattr_all_dirs(chromium_t)
|
|
|
|
fs_dontaudit_getattr_xattr_fs(chromium_t)
|
|
fs_getattr_tmpfs(chromium_t)
|
|
fs_search_cgroup_dirs(chromium_t)
|
|
|
|
miscfiles_read_all_certs(chromium_t)
|
|
miscfiles_read_localization(chromium_t)
|
|
|
|
sysnet_dns_name_resolve(chromium_t)
|
|
|
|
# for /run/udev/data/*
|
|
udev_read_runtime_files(chromium_t)
|
|
|
|
userdom_user_content_access_template(chromium, chromium_t)
|
|
userdom_dontaudit_list_user_home_dirs(chromium_t)
|
|
# Debugging. Also on user_tty_device_t if X is started through "startx" for instance
|
|
userdom_use_user_terminals(chromium_t)
|
|
userdom_manage_user_certs(chromium_t)
|
|
userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
|
|
|
|
xdg_create_cache_dirs(chromium_t)
|
|
xdg_create_config_dirs(chromium_t)
|
|
xdg_create_data_dirs(chromium_t)
|
|
xdg_manage_downloads(chromium_t)
|
|
xdg_read_config_files(chromium_t)
|
|
xdg_read_data_files(chromium_t)
|
|
|
|
xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
|
|
xserver_stream_connect_xdm(chromium_t)
|
|
xserver_manage_mesa_shader_cache(chromium_t)
|
|
|
|
tunable_policy(`chromium_bind_tcp_unreserved_ports',`
|
|
corenet_tcp_bind_generic_node(chromium_t)
|
|
corenet_tcp_bind_all_unreserved_ports(chromium_t)
|
|
allow chromium_t self:tcp_socket { listen accept };
|
|
')
|
|
|
|
tunable_policy(`chromium_dri', `
|
|
dev_rw_dri(chromium_t)
|
|
')
|
|
|
|
tunable_policy(`chromium_rw_usb_dev',`
|
|
dev_rw_generic_usb_dev(chromium_t)
|
|
')
|
|
|
|
tunable_policy(`chromium_read_system_info',`
|
|
kernel_read_kernel_sysctls(chromium_t)
|
|
# Memory optimizations & optimizations based on OS/version
|
|
kernel_read_crypto_sysctls(chromium_t)
|
|
kernel_read_system_state(chromium_t)
|
|
|
|
# Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices).
|
|
dev_read_sysfs(chromium_t)
|
|
|
|
storage_getattr_fixed_disk_dev(chromium_t)
|
|
|
|
files_read_etc_runtime_files(chromium_t)
|
|
|
|
dev_dontaudit_getattr_all_chr_files(chromium_t)
|
|
init_dontaudit_getattr_initctl(chromium_t)
|
|
',`
|
|
kernel_dontaudit_read_kernel_sysctl(chromium_t)
|
|
kernel_dontaudit_read_system_state(chromium_t)
|
|
|
|
dev_dontaudit_read_sysfs(chromium_t)
|
|
|
|
files_dontaudit_read_etc_runtime_files(chromium_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cups_read_config(chromium_t)
|
|
cups_stream_connect(chromium_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_all_session_bus_client(chromium_t)
|
|
dbus_system_bus_client(chromium_t)
|
|
|
|
optional_policy(`
|
|
unconfined_dbus_chat(chromium_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gnome_dbus_chat_all_gkeyringd(chromium_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
devicekit_dbus_chat_disk(chromium_t)
|
|
devicekit_dbus_chat_power(chromium_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
systemd_dbus_chat_hostnamed(chromium_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
apt_read_cache(chromium_t)
|
|
apt_read_db(chromium_t)
|
|
dpkg_exec(chromium_t)
|
|
dpkg_read_db(chromium_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
networkmanager_dbus_chat(chromium_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ssh_dontaudit_agent_tmp(chromium_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# chromium_renderer local policy
|
|
#
|
|
|
|
allow chromium_renderer_t self:process execmem;
|
|
dontaudit chromium_renderer_t self:process getsched;
|
|
allow chromium_renderer_t self:fifo_file rw_fifo_file_perms;
|
|
allow chromium_renderer_t self:shm create_shm_perms;
|
|
allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
|
|
allow chromium_renderer_t self:unix_stream_socket { create getattr read write };
|
|
|
|
allow chromium_renderer_t chromium_t:fd use;
|
|
allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms;
|
|
allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;
|
|
|
|
dontaudit chromium_renderer_t chromium_t:dir search; # /proc/... access
|
|
|
|
read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, chromium_xdg_config_t)
|
|
|
|
rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t)
|
|
|
|
dev_read_urand(chromium_renderer_t)
|
|
|
|
files_dontaudit_list_tmp(chromium_renderer_t)
|
|
files_dontaudit_read_etc_files(chromium_renderer_t)
|
|
files_search_var(chromium_renderer_t)
|
|
|
|
init_sigchld(chromium_renderer_t)
|
|
|
|
miscfiles_read_localization(chromium_renderer_t)
|
|
|
|
userdom_dontaudit_use_all_users_fds(chromium_renderer_t)
|
|
userdom_use_user_terminals(chromium_renderer_t)
|
|
|
|
xdg_read_config_files(chromium_renderer_t)
|
|
|
|
xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)
|
|
|
|
tunable_policy(`chromium_read_system_info',`
|
|
kernel_read_kernel_sysctls(chromium_renderer_t)
|
|
kernel_read_system_state(chromium_renderer_t)
|
|
',`
|
|
kernel_dontaudit_read_kernel_sysctl(chromium_renderer_t)
|
|
kernel_dontaudit_read_system_state(chromium_renderer_t)
|
|
')
|
|
|
|
#########################################
|
|
#
|
|
# Chromium sandbox local policy
|
|
#
|
|
|
|
allow chromium_sandbox_t self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace };
|
|
allow chromium_sandbox_t self:process { setrlimit };
|
|
allow chromium_sandbox_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow chromium_sandbox_t chromium_t:process { share };
|
|
# /proc access
|
|
allow chromium_sandbox_t chromium_t:dir list_dir_perms;
|
|
allow chromium_sandbox_t chromium_t:lnk_file read_lnk_file_perms;
|
|
allow chromium_sandbox_t chromium_t:file rw_file_perms;
|
|
|
|
allow chromium_sandbox_t chromium_t:unix_stream_socket { getattr read write };
|
|
allow chromium_sandbox_t chromium_t:unix_dgram_socket { getattr read write };
|
|
|
|
kernel_list_proc(chromium_sandbox_t)
|
|
|
|
domain_dontaudit_read_all_domains_state(chromium_sandbox_t)
|
|
domain_use_interactive_fds(chromium_sandbox_t)
|
|
|
|
userdom_use_user_ptys(chromium_sandbox_t)
|
|
|
|
chromium_domtrans(chromium_sandbox_t)
|
|
domtrans_pattern(chromium_sandbox_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
|
|
allow chromium_sandbox_t chromium_naclhelper_t:process share;
|
|
|
|
##########################################
|
|
#
|
|
# Chromium nacl helper local policy
|
|
#
|
|
|
|
allow chromium_naclhelper_t chromium_t:unix_stream_socket { getattr read write };
|
|
allow chromium_naclhelper_t chromium_sandbox_t:unix_stream_socket { getattr read write };
|
|
|
|
dev_read_sysfs(chromium_naclhelper_t)
|
|
dev_read_urand(chromium_naclhelper_t)
|
|
|
|
domain_mmap_low_uncond(chromium_naclhelper_t)
|
|
|
|
kernel_list_proc(chromium_naclhelper_t)
|
|
|
|
miscfiles_read_localization(chromium_naclhelper_t)
|
|
|
|
userdom_use_user_ptys(chromium_naclhelper_t)
|
|
|
|
tunable_policy(`chromium_read_system_info',`
|
|
kernel_read_kernel_sysctls(chromium_naclhelper_t)
|
|
kernel_read_system_state(chromium_naclhelper_t)
|
|
',`
|
|
kernel_dontaudit_read_kernel_sysctl(chromium_naclhelper_t)
|
|
kernel_dontaudit_read_system_state(chromium_naclhelper_t)
|
|
')
|