diff options
author | Jason Zaman <jason@perfinion.com> | 2019-02-10 12:23:14 +0800 |
---|---|---|
committer | Jason Zaman <jason@perfinion.com> | 2019-02-10 12:23:42 +0800 |
commit | 4a9fa0f6f7c5f90dc16db233210cfa4758f08bfc (patch) | |
tree | 2e20f37f68a6c7082ad50448df4e6bc5994c956e | |
parent | remove duplicate userdom_user_home_dir_filetrans_user_cert interface (diff) | |
download | hardened-refpolicy-4a9fa0f6.tar.gz hardened-refpolicy-4a9fa0f6.tar.bz2 hardened-refpolicy-4a9fa0f6.zip |
remove gentoo chromium policy that has been upstreamed
Signed-off-by: Jason Zaman <jason@perfinion.com>
-rw-r--r-- | policy/modules/contrib/chromium.fc | 31 | ||||
-rw-r--r-- | policy/modules/contrib/chromium.if | 139 | ||||
-rw-r--r-- | policy/modules/contrib/chromium.te | 375 | ||||
-rw-r--r-- | policy/modules/roles/staff.te | 4 | ||||
-rw-r--r-- | policy/modules/roles/unprivuser.te | 4 |
5 files changed, 0 insertions, 553 deletions
diff --git a/policy/modules/contrib/chromium.fc b/policy/modules/contrib/chromium.fc deleted file mode 100644 index 534235dc8..000000000 --- a/policy/modules/contrib/chromium.fc +++ /dev/null @@ -1,31 +0,0 @@ -/opt/google/chrome/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) -/opt/google/chrome/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) -/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) -/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) -/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) -/opt/google/chrome/libudev.so.0 gen_context(system_u:object_r:lib_t,s0) - -/opt/google/chrome-beta/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) -/opt/google/chrome-beta/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) -/opt/google/chrome-beta/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) -/opt/google/chrome-beta/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) -/opt/google/chrome-beta/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) -/opt/google/chrome-beta/libudev.so.0 gen_context(system_u:object_r:lib_t,s0) - -/opt/google/chrome-unstable/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) -/opt/google/chrome-unstable/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) -/opt/google/chrome-unstable/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) -/opt/google/chrome-unstable/google-chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) -/opt/google/chrome-unstable/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) -/opt/google/chrome-unstable/libudev.so.0 gen_context(system_u:object_r:lib_t,s0) - -/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0) -/usr/lib/chromium-browser/chrome_sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) -/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chromium_sandbox_exec_t,s0) -/usr/lib/chromium-browser/chromium-launcher\.sh -- gen_context(system_u:object_r:chromium_exec_t,s0) -/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0) - -HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0) -HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chromium_xdg_cache_t,s0) -HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:chromium_xdg_config_t,s0) -HOME_DIR/\.config/google-chrome(/.*)? gen_context(system_u:object_r:chromium_xdg_config_t,s0) diff --git a/policy/modules/contrib/chromium.if b/policy/modules/contrib/chromium.if deleted file mode 100644 index 26eb02591..000000000 --- a/policy/modules/contrib/chromium.if +++ /dev/null @@ -1,139 +0,0 @@ -## <summary> -## Chromium browser -## </summary> - -####################################### -## <summary> -## Role access for chromium -## </summary> -## <param name="role"> -## <summary> -## Role allowed access -## </summary> -## </param> -## <param name="domain"> -## <summary> -## User domain for the role -## </summary> -## </param> -# -interface(`chromium_role',` - gen_require(` - type chromium_t; - type chromium_renderer_t; - type chromium_sandbox_t; - type chromium_naclhelper_t; - type chromium_exec_t; - ') - - role $1 types chromium_t; - role $1 types chromium_renderer_t; - role $1 types chromium_sandbox_t; - role $1 types chromium_naclhelper_t; - - # Transition from the user domain to the derived domain - chromium_domtrans($2) - - # Allow ps to show chromium processes and allow the user to signal it - ps_process_pattern($2, chromium_t) - ps_process_pattern($2, chromium_renderer_t) - - allow $2 chromium_t:process signal_perms; - allow $2 chromium_renderer_t:process signal_perms; - allow $2 chromium_naclhelper_t:process signal_perms; - - allow chromium_sandbox_t $2:fd use; - allow chromium_naclhelper_t $2:fd use; -') - -####################################### -## <summary> -## Read-write access to Chromiums' temporary fifo files -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`chromium_rw_tmp_pipes',` - gen_require(` - type chromium_tmp_t; - ') - - rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t) -') - -############################################## -## <summary> -## Automatically use the specified type for resources created in chromium's -## temporary locations -## </summary> -## <param name="domain"> -## <summary> -## Domain that creates the resource(s) -## </summary> -## </param> -## <param name="class"> -## <summary> -## Type of the resource created -## </summary> -## </param> -## <param name="filename" optional="true"> -## <summary> -## The name of the resource being created -## </summary> -## </param> -# -interface(`chromium_tmp_filetrans',` - gen_require(` - type chromium_tmp_t; - ') - - search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t) - filetrans_pattern($1, chromium_tmp_t, $2, $3, $4) -') - -####################################### -## <summary> -## Execute a domain transition to the chromium domain (chromium_t) -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -# -interface(`chromium_domtrans',` - gen_require(` - type chromium_t; - type chromium_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, chromium_exec_t, chromium_t) -') - -####################################### -## <summary> -## Execute chromium in the chromium domain and allow the specified role to access the chromium domain -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access -## </summary> -## </param> -# -interface(`chromium_run',` - gen_require(` - type chromium_t; - ') - - chromium_domtrans($1) - role $2 types chromium_t; -') diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te deleted file mode 100644 index 7e7f44900..000000000 --- a/policy/modules/contrib/chromium.te +++ /dev/null @@ -1,375 +0,0 @@ -policy_module(chromium, 1.0.0) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Allow the use of java plugins -## </p> -## <p> -## Some of these plugins require the use of named pipes (fifo files) that are -## created within the temporary directory of the first browser that instantiated -## the plugin. Hence, if other browsers need access to java plugins, they will -## get search rights in chromium's tmp locations -## </p> -## </desc> -gen_tunable(chromium_use_java, false) - -## <desc> -## <p> -## Allow chromium to read system information -## </p> -## <p> -## Although not needed for regular browsing, this will allow chromium to update -## its own memory consumption based on system state, support additional -## debugging, detect specific devices, etc. -## </p> -## </desc> -gen_tunable(chromium_read_system_info, false) - -## <desc> -## <p> -## Allow chromium to bind to tcp ports -## </p> -## <p> -## Although not needed for regular browsing, some chrome extensions need to -## bind to tcp ports and accept connections. -## </p> -## </desc> -gen_tunable(chromium_bind_tcp_unreserved_ports, false) - -## <desc> -## <p> -## Allow chromium to read/write USB devices -## </p> -## <p> -## Although not needed for regular browsing, used for debugging over usb -## or using FIDO U2F tokens. -## </p> -## </desc> -gen_tunable(chromium_rw_usb_dev, false) - -type chromium_t; -domain_dyntrans_type(chromium_t) - -type chromium_exec_t; -application_domain(chromium_t, chromium_exec_t) - -type chromium_naclhelper_t; -type chromium_naclhelper_exec_t; -application_domain(chromium_naclhelper_t, chromium_naclhelper_exec_t) - -type chromium_sandbox_t; -type chromium_sandbox_exec_t; -application_domain(chromium_sandbox_t, chromium_sandbox_exec_t) - -type chromium_renderer_t; -domain_base_type(chromium_renderer_t) - -type chromium_tmp_t; -userdom_user_tmp_file(chromium_tmp_t) - -type chromium_tmpfs_t; -userdom_user_tmpfs_file(chromium_tmpfs_t) -optional_policy(` - pulseaudio_tmpfs_content(chromium_tmpfs_t) -') - -type chromium_xdg_config_t; -xdg_config_home_content(chromium_xdg_config_t) - -type chromium_xdg_cache_t; -xdg_cache_home_content(chromium_xdg_cache_t) - - - -######################################## -# -# chromium local policy -# - -# execmem for load in plugins -allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal }; -allow chromium_t self:fifo_file rw_fifo_file_perms; -allow chromium_t self:sem create_sem_perms; -allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms; -# cap_userns sys_admin for the sandbox -allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace }; - -allow chromium_t chromium_exec_t:file execute_no_trans; - -allow chromium_t chromium_renderer_t:dir list_dir_perms; -allow chromium_t chromium_renderer_t:file rw_file_perms; -allow chromium_t chromium_renderer_t:fd use; -allow chromium_t chromium_renderer_t:process signal_perms; -allow chromium_t chromium_renderer_t:shm rw_shm_perms; -allow chromium_t chromium_renderer_t:unix_dgram_socket { read write }; -allow chromium_t chromium_renderer_t:unix_stream_socket { read write }; - -allow chromium_t chromium_sandbox_t:unix_dgram_socket { read write }; -allow chromium_t chromium_sandbox_t:unix_stream_socket { read write }; - -allow chromium_t chromium_naclhelper_t:process { share }; - -# tmp has a wide class access (used for plugins) -manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) -allow chromium_t chromium_tmp_t:file map; -manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) -manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) -manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) -manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) -files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file }) - -manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t) -allow chromium_t chromium_tmpfs_t:file map; -fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file) -fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file) - -manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t) -allow chromium_t chromium_xdg_config_t:file map; -manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t) -manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t) -xdg_config_home_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium") - -manage_files_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t) -allow chromium_t chromium_xdg_cache_t:file map; -manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t) -xdg_cache_home_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium") - -dyntrans_pattern(chromium_t, chromium_renderer_t) -domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t) -domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) - -kernel_list_proc(chromium_t) -kernel_read_net_sysctls(chromium_t) - -corecmd_exec_bin(chromium_t) -# Look for /etc/gentoo-release through a shell invocation running find -corecmd_exec_shell(chromium_t) - -corenet_tcp_connect_all_unreserved_ports(chromium_t) -corenet_tcp_connect_ftp_port(chromium_t) -corenet_tcp_connect_http_port(chromium_t) -corenet_udp_bind_generic_node(chromium_t) -corenet_udp_bind_all_unreserved_ports(chromium_t) - -dev_read_sound(chromium_t) -dev_write_sound(chromium_t) -dev_read_urand(chromium_t) -dev_read_rand(chromium_t) -dev_rw_xserver_misc(chromium_t) -dev_map_xserver_misc(chromium_t) - -domain_dontaudit_search_all_domains_state(chromium_t) - -files_list_home(chromium_t) -files_search_home(chromium_t) -files_read_usr_files(chromium_t) -files_map_usr_files(chromium_t) -files_read_etc_files(chromium_t) -# During find for /etc/whatever-release we get lots of output otherwise -files_dontaudit_getattr_all_dirs(chromium_t) - -fs_dontaudit_getattr_xattr_fs(chromium_t) - -getty_dontaudit_use_fds(chromium_t) - -miscfiles_read_all_certs(chromium_t) -miscfiles_read_localization(chromium_t) - -sysnet_dns_name_resolve(chromium_t) - -userdom_user_content_access_template(chromium, chromium_t) -userdom_dontaudit_list_user_home_dirs(chromium_t) -# Debugging. Also on user_tty_device_t if X is started through "startx" for instance -userdom_use_user_terminals(chromium_t) -userdom_manage_user_certs(chromium_t) -userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki") - -xdg_create_cache_home_dirs(chromium_t) -xdg_create_config_home_dirs(chromium_t) -xdg_create_data_home_dirs(chromium_t) -xdg_manage_downloads_home(chromium_t) -xdg_read_config_home_files(chromium_t) -xdg_read_data_home_files(chromium_t) - -xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t) - -tunable_policy(`chromium_bind_tcp_unreserved_ports',` - corenet_tcp_bind_generic_node(chromium_t) - corenet_tcp_bind_all_unreserved_ports(chromium_t) - allow chromium_t self:tcp_socket { listen accept }; -') - -tunable_policy(`chromium_rw_usb_dev',` - dev_rw_generic_usb_dev(chromium_t) - udev_read_db(chromium_t) -') - -tunable_policy(`chromium_read_system_info',` - kernel_read_kernel_sysctls(chromium_t) - # Memory optimizations & optimizations based on OS/version - kernel_read_system_state(chromium_t) - - # Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices). - dev_read_sysfs(chromium_t) - - storage_getattr_fixed_disk_dev(chromium_t) - - files_read_etc_runtime_files(chromium_t) - - dev_dontaudit_getattr_all_chr_files(chromium_t) - init_dontaudit_getattr_initctl(chromium_t) -',` - kernel_dontaudit_read_kernel_sysctls(chromium_t) - kernel_dontaudit_read_system_state(chromium_t) - - dev_dontaudit_read_sysfs(chromium_t) - - files_dontaudit_read_etc_runtime(chromium_t) -') - -optional_policy(` - cups_read_config(chromium_t) - cups_stream_connect(chromium_t) -') - -optional_policy(` - dbus_all_session_bus_client(chromium_t) - dbus_system_bus_client(chromium_t) - - optional_policy(` - unconfined_dbus_chat(chromium_t) - ') - optional_policy(` - gnome_dbus_chat_all_gkeyringd(chromium_t) - ') - optional_policy(` - devicekit_dbus_chat_power(chromium_t) - ') -') - -optional_policy(` - flash_manage_home(chromium_t) -') - -optional_policy(` - # Java (iced-tea) plugin .so creates /tmp/icedteaplugin-<name> directory - # and fifo files within. These are then used by the renderer and a - # freshly forked java process to communicate between each other. - tunable_policy(`chromium_use_java',` - java_noatsecure_domtrans(chromium_t) - ') -') - -optional_policy(` - # Chromium reads in .mozilla for user plugins - mozilla_read_user_home(chromium_t) -') - -ifdef(`use_alsa',` - optional_policy(` - alsa_domain(chromium_t, chromium_tmpfs_t) - ') - - optional_policy(` - pulseaudio_domtrans(chromium_t) - ') -') - -######################################## -# -# chromium_renderer local policy -# - -allow chromium_renderer_t self:process execmem; - -allow chromium_renderer_t self:fifo_file rw_fifo_file_perms; -allow chromium_renderer_t self:shm create_shm_perms; -allow chromium_renderer_t self:unix_dgram_socket { create read sendto }; -allow chromium_renderer_t self:unix_stream_socket { create getattr read write }; - -allow chromium_renderer_t chromium_t:fd use; -allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms; -allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms; - -dontaudit chromium_renderer_t chromium_t:dir search; # /proc/... access -dontaudit chromium_renderer_t self:process getsched; - -read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, chromium_xdg_config_t) - -rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t) - -dev_read_urand(chromium_renderer_t) - -files_dontaudit_list_tmp(chromium_renderer_t) -files_dontaudit_read_etc_files(chromium_renderer_t) -files_search_var(chromium_renderer_t) - -init_sigchld(chromium_renderer_t) - -miscfiles_read_localization(chromium_renderer_t) - -userdom_dontaudit_use_all_users_fds(chromium_renderer_t) -userdom_use_user_terminals(chromium_renderer_t) - -xdg_read_config_home_files(chromium_renderer_t) - -xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t) - -tunable_policy(`chromium_read_system_info',` - kernel_read_kernel_sysctls(chromium_renderer_t) - kernel_read_system_state(chromium_renderer_t) -',` - kernel_dontaudit_read_kernel_sysctls(chromium_renderer_t) - kernel_dontaudit_read_system_state(chromium_renderer_t) -') - -######################################### -# -# Chromium sandbox local policy -# - -allow chromium_sandbox_t self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace }; -allow chromium_sandbox_t self:process { setrlimit }; -allow chromium_sandbox_t self:unix_stream_socket create_stream_socket_perms; - -allow chromium_sandbox_t chromium_t:process { share }; -# /proc access -allow chromium_sandbox_t chromium_t:dir list_dir_perms; -allow chromium_sandbox_t chromium_t:lnk_file read_lnk_file_perms; -allow chromium_sandbox_t chromium_t:file rw_file_perms; - -allow chromium_sandbox_t chromium_t:unix_stream_socket { read write }; -allow chromium_sandbox_t chromium_t:unix_dgram_socket { read write }; - -kernel_list_proc(chromium_sandbox_t) - -domain_dontaudit_read_all_domains_state(chromium_sandbox_t) - -userdom_use_user_ptys(chromium_sandbox_t) - -chromium_domtrans(chromium_sandbox_t) - -########################################## -# -# Chromium nacl helper local policy -# - -allow chromium_naclhelper_t chromium_t:unix_stream_socket { read write }; - -domain_mmap_low_uncond(chromium_naclhelper_t) - -userdom_use_user_ptys(chromium_naclhelper_t) - -tunable_policy(`chromium_read_system_info',` - kernel_read_kernel_sysctls(chromium_naclhelper_t) - kernel_read_system_state(chromium_naclhelper_t) -',` - kernel_dontaudit_read_kernel_sysctls(chromium_naclhelper_t) - kernel_dontaudit_read_system_state(chromium_naclhelper_t) -') - diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 7379868a4..fbe1829b3 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -229,10 +229,6 @@ ifdef(`distro_gentoo',` ') optional_policy(` - chromium_role(staff_r, staff_t) - ') - - optional_policy(` # bug 531784 devicekit_dbus_chat_disk(staff_t) devicekit_dbus_chat_power(staff_t) diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index aa0c518f7..e71c17e92 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -217,10 +217,6 @@ ifdef(`distro_gentoo',` ') optional_policy(` - chromium_role(user_r, user_t) - ') - - optional_policy(` devicekit_dbus_chat_disk(user_t) devicekit_dbus_chat_power(user_t) ') |