## <summary>Chromium browser</summary>

#######################################
## <summary>
## 	Role access for chromium
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
## <param name="user_exec_domain">
##	<summary>
##	User exec domain for execute and transition access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
#
template(`chromium_role',`
	# Grants a user role access to the chromium domains: role-type
	# association, entry transition, process visibility and signalling,
	# plus socket, fd and D-Bus rules between the user exec domain and chromium.
	# NOTE(review): the second argument (user_domain) is documented in the
	# header but is not referenced in this body; every user-side rule here is
	# keyed on the third argument (user_exec_domain) - confirm this is intended.

	# External types and the dbus class permission used by the rules below
	gen_require(`
		type chromium_t;
		type chromium_renderer_t;
		type chromium_sandbox_t;
		type chromium_naclhelper_t;
		class dbus send_msg;
	')

	# Authorise the role for all four chromium process types
	role $4 types chromium_t;
	role $4 types chromium_renderer_t;
	role $4 types chromium_sandbox_t;
	role $4 types chromium_naclhelper_t;

	# Transition from the user domain to the derived domain
	chromium_domtrans($3)

	# Allow ps to show chromium processes and allow the user to signal it
	# (process visibility is granted for chromium_t and chromium_renderer_t only;
	# the sandbox and naclhelper types get signal access but no ps pattern)
	ps_process_pattern($3, chromium_t)
	ps_process_pattern($3, chromium_renderer_t)

	allow $3 chromium_t:process signal_perms;
	allow $3 chromium_renderer_t:process signal_perms;
	allow $3 chromium_sandbox_t:process signal_perms;
	allow $3 chromium_naclhelper_t:process signal_perms;
	# Reverse direction: only the main browser type may send signull and signal
	# to processes in the user exec domain; the renderer, sandbox and naclhelper
	# types receive no signal rule in this template
	allow chromium_t $3:process { signull signal };

	# The user exec domain may connect to unix stream sockets of chromium_t
	allow $3 chromium_t:unix_stream_socket connectto;

	# for /tmp/.ICE-unix/* sockets
	# NOTE(review): the rule names no socket path; it allows connectto on any
	# unix stream socket labelled with the user exec domain, which is broader
	# than the ICE use case named above - confirm that scope is acceptable
	allow chromium_t $3:unix_stream_socket connectto;

	# The sandbox and NaCl helper may use file descriptors belonging to the
	# user exec domain (presumably inherited at launch - confirm)
	allow chromium_sandbox_t $3:fd use;
	allow chromium_naclhelper_t $3:fd use;

	# D-Bus messages are allowed in both directions between the user exec
	# domain and chromium_t
	allow $3 chromium_t:dbus send_msg;
	allow chromium_t $3:dbus send_msg;

	# Optional block: takes the role prefix (first argument) and chromium_t;
	# skipped when the systemd interface is not available in the policy
	optional_policy(`
		systemd_user_app_status($1, chromium_t)
	')
')

#######################################
## <summary>
##	Read-write access to Chromium's temporary fifo files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`chromium_rw_tmp_pipes',`
	# The chromium temporary file type must be declared by the chromium module
	gen_require(`
		type chromium_tmp_t;
	')

	# Read and write fifo files typed chromium_tmp_t that sit in directories
	# typed chromium_tmp_t. Only the fifo_file pattern is granted here; no
	# other object class of chromium_tmp_t is covered by this interface.
	rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t)
')

##############################################
## <summary>
##	Automatically use the specified type for resources created in chromium's
##	temporary locations
## </summary>
## <param name="domain">
##	<summary>
##	Domain that creates the resource(s)
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	Private file type.
##	</summary>
## </param>
## <param name="class">
##	<summary>
##	Type of the resource created
##	</summary>
## </param>
## <param name="filename" optional="true">
##	<summary>
##	The name of the resource being created
##	</summary>
## </param>
#
interface(`chromium_tmp_filetrans',`
	# The chromium temporary file type must be declared by the chromium module
	gen_require(`
		type chromium_tmp_t;
	')

	# Let the caller domain search chromium_tmp_t directories
	search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t)
	# Objects of the given class (and name, when the optional fourth argument
	# is supplied) created by the caller in a chromium_tmp_t directory are
	# labelled with the private type instead of inheriting chromium_tmp_t.
	# NOTE(review): the private type is taken as given; this interface places
	# no constraint on which type a caller passes - review call sites.
	filetrans_pattern($1, chromium_tmp_t, $2, $3, $4)
')

#######################################
## <summary>
## 	Execute a domain transition to the chromium domain (chromium_t)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`chromium_domtrans',`
	# Target domain and its entrypoint file type, declared by the chromium module
	gen_require(`
		type chromium_t;
		type chromium_exec_t;
	')

	# Let the caller search the bin directories
	# (presumably where the chromium_exec_t entrypoint is installed - confirm)
	corecmd_search_bin($1)
	# Executing a chromium_exec_t file from the caller domain transitions the
	# new process into chromium_t. No role is authorised for chromium_t here;
	# chromium_run and chromium_role add the role-type association.
	domtrans_pattern($1, chromium_exec_t, chromium_t)
')

#######################################
## <summary>
## 	Execute chromium in the chromium domain and allow the specified role to access the chromium domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
#
interface(`chromium_run',`
	# Target domain, declared by the chromium module
	gen_require(`
		type chromium_t;
	')

	# Domain transition from the caller into chromium_t
	chromium_domtrans($1)
	# Authorise the role for chromium_t only. Unlike chromium_role, this does
	# not associate the renderer, sandbox or naclhelper types with the role
	# and adds none of the signal, socket, fd or D-Bus rules.
	# NOTE(review): whether chromium can start its helper domains under a role
	# granted only through this interface depends on rules outside this file.
	role $2 types chromium_t;
')