diff options
| author |   Jason Zaman <jason@perfinion.com> | 2017-05-07 11:39:18 +0800 |
|---|---|---|
| committer | Jason Zaman <jason@perfinion.com> | 2017-05-08 01:40:29 +0800 |
| commit | 83244b1264056d64fe3c979671a68ec3a80cd7dd (patch) | |
| tree | 2f22c880859ebca235570dfc5bea81036c389dc3 | |
| parent | modutils: kmod_tmpfiles_conf_t create should be allowed even for openrc (diff) | |
| download | hardened-refpolicy-83244b12.tar.gz hardened-refpolicy-83244b12.tar.bz2 hardened-refpolicy-83244b12.zip | |
chromium: allow cap_userns for the sandbox
https://patchwork.kernel.org/patch/8785151/
| -rw-r--r-- | policy/modules/contrib/chromium.te | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te index cd1e1116b..a4fba97c0 100644 --- a/policy/modules/contrib/chromium.te +++ b/policy/modules/contrib/chromium.te @@ -89,10 +89,12 @@ xdg_cache_home_content(chromium_xdg_cache_t) # # execmem for load in plugins -allow chromium_t self:process { execmem getsched setcap setrlimit setsched sigkill signal }; -allow chromium_t self:fifo_file rw_fifo_file_perms;; +allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal }; +allow chromium_t self:fifo_file rw_fifo_file_perms; allow chromium_t self:sem create_sem_perms; allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms; +# cap_userns sys_admin for the sandbox +allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace }; allow chromium_t chromium_exec_t:file execute_no_trans; @@ -135,6 +137,7 @@ domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t) domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) kernel_list_proc(chromium_t) +kernel_read_net_sysctls(chromium_t) corecmd_exec_bin(chromium_t) # Look for /etc/gentoo-release through a shell invocation running find |