policy_module(chromium, 1.0.0)

########################################
#
# Declarations
#
# Domains declared in this module:
#   chromium_t            main browser process (entry point chromium_exec_t)
#   chromium_renderer_t   renderer, reached from chromium_t by dynamic transition
#   chromium_sandbox_t    sandbox helper (entry point chromium_sandbox_exec_t)
#   chromium_naclhelper_t NaCl helper (entry point chromium_naclhelper_exec_t)
# Every boolean below defaults to false; each one only widens access and is
# described in the desc block that precedes it.
#

## <desc>
## <p>
## Allow the use of java plugins
## </p>
## <p>
## Some of these plugins require the use of named pipes (fifo files) that are
## created within the temporary directory of the first browser that instantiated
## the plugin. Hence, if other browsers need access to java plugins, they will
## get search rights in chromium's tmp locations
## </p>
## </desc>
gen_tunable(chromium_use_java, false)

## <desc>
## <p>
## Allow chromium to read system information
## </p>
## <p>
## Although not needed for regular browsing, this will allow chromium to update
## its own memory consumption based on system state, support additional
## debugging, detect specific devices, etc.
## </p>
## </desc>
gen_tunable(chromium_read_system_info, false)

## <desc>
## <p>
## Allow chromium to bind to tcp ports
## </p>
## <p>
## Although not needed for regular browsing, some chrome extensions need to
## bind to tcp ports and accept connections.
## </p>
## </desc>
gen_tunable(chromium_bind_tcp_unreserved_ports, false)

## <desc>
## <p>
## Allow chromium to read/write USB devices
## </p>
## <p>
## Although not needed for regular browsing, used for debugging over usb
## or using FIDO U2F tokens.
## </p>
## </desc>
gen_tunable(chromium_rw_usb_dev, false)

# Browser domain. domain_dyntrans_type is needed because the renderer is
# entered with dyntransition rather than by executing a separate binary.
type chromium_t;
domain_dyntrans_type(chromium_t)

type chromium_exec_t;
application_domain(chromium_t, chromium_exec_t)

# Helper domains entered by executing their own binaries.
type chromium_naclhelper_t;
type chromium_naclhelper_exec_t;
application_domain(chromium_naclhelper_t, chromium_naclhelper_exec_t)

type chromium_sandbox_t;
type chromium_sandbox_exec_t;
application_domain(chromium_sandbox_t, chromium_sandbox_exec_t)

# Renderer domain: no entry point type, only reachable by dynamic transition.
type chromium_renderer_t;
domain_base_type(chromium_renderer_t)

# Per-user temporary content: /tmp files and tmpfs (shared memory) files.
type chromium_tmp_t;
userdom_user_tmp_file(chromium_tmp_t)

type chromium_tmpfs_t;
userdom_user_tmpfs_file(chromium_tmpfs_t)
optional_policy(`
	pulseaudio_tmpfs_content(chromium_tmpfs_t)
')

# XDG config and cache homes get their own types so that other user
# applications do not get access to the browser profile by default.
type chromium_xdg_config_t;
xdg_config_home_content(chromium_xdg_config_t)

type chromium_xdg_cache_t;
xdg_cache_home_content(chromium_xdg_cache_t)



########################################
#
# chromium local policy
#
# chromium_t is the browser process. It enters chromium_renderer_t by
# dynamic transition and the sandbox / NaCl helpers by exec (see the
# *_pattern rules below).
#

# execmem for load in plugins
# execmem = anonymous memory mapped writable and executable at the same time.
allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
allow chromium_t self:fifo_file rw_fifo_file_perms;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
# cap_userns sys_admin for the sandbox
# cap_userns covers capability checks inside non-init user namespaces only;
# the init namespace capability class is granted to chromium_sandbox_t instead.
allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace };

# Re-executing the browser binary stays in chromium_t.
allow chromium_t chromium_exec_t:file execute_no_trans;

# Browser side of the browser/renderer IPC: /proc entries, shared memory
# and socketpairs. The renderer has the matching rules in its own section.
allow chromium_t chromium_renderer_t:dir list_dir_perms;
allow chromium_t chromium_renderer_t:file rw_file_perms;
allow chromium_t chromium_renderer_t:fd use;
allow chromium_t chromium_renderer_t:process signal_perms;
allow chromium_t chromium_renderer_t:shm rw_shm_perms;
allow chromium_t chromium_renderer_t:unix_dgram_socket { read write };
allow chromium_t chromium_renderer_t:unix_stream_socket { read write };

allow chromium_t chromium_sandbox_t:unix_dgram_socket { read write };
allow chromium_t chromium_sandbox_t:unix_stream_socket { read write };

# process share: clone/fork with shared state with the nacl helper.
allow chromium_t chromium_naclhelper_t:process { share };

# tmp has a wide class access (used for plugins)
manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
allow chromium_t chromium_tmp_t:file map;
manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })

# tmpfs files are shared with the renderer, so both domains get the
# file transition here; the renderer access rules are in its own section.
manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
allow chromium_t chromium_tmpfs_t:file map;
fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)

# Profile under the XDG config home, labeled on creation of the "chromium" dir.
manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
allow chromium_t chromium_xdg_config_t:file map;
manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
xdg_config_home_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")

manage_files_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
allow chromium_t chromium_xdg_cache_t:file map;
manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
xdg_cache_home_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")

# Renderer: dynamic transition (no exec). Sandbox and NaCl helper: exec transition.
dyntrans_pattern(chromium_t, chromium_renderer_t)
domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)

kernel_list_proc(chromium_t)
kernel_read_net_sysctls(chromium_t)

corecmd_exec_bin(chromium_t)
# Look for /etc/gentoo-release through a shell invocation running find
corecmd_exec_shell(chromium_t)

# Outbound tcp only; listening on tcp is gated by the
# chromium_bind_tcp_unreserved_ports boolean below.
corenet_tcp_connect_all_unreserved_ports(chromium_t)
corenet_tcp_connect_ftp_port(chromium_t)
corenet_tcp_connect_http_port(chromium_t)
corenet_udp_bind_generic_node(chromium_t)
corenet_udp_bind_all_unreserved_ports(chromium_t)

dev_read_sound(chromium_t)
dev_write_sound(chromium_t)
dev_read_urand(chromium_t)
dev_read_rand(chromium_t)
dev_rw_xserver_misc(chromium_t)
dev_map_xserver_misc(chromium_t)

domain_dontaudit_search_all_domains_state(chromium_t)

files_list_home(chromium_t)
files_search_home(chromium_t)
files_read_usr_files(chromium_t)
files_map_usr_files(chromium_t)
files_read_etc_files(chromium_t)
# During find for /etc/whatever-release we get lots of output otherwise
files_dontaudit_getattr_all_dirs(chromium_t)

fs_dontaudit_getattr_xattr_fs(chromium_t)

getty_dontaudit_use_fds(chromium_t)

miscfiles_read_all_certs(chromium_t)
miscfiles_read_localization(chromium_t)

sysnet_dns_name_resolve(chromium_t)

userdom_user_content_access_template(chromium, chromium_t)
userdom_dontaudit_list_user_home_dirs(chromium_t)
# Debugging. Also on user_tty_device_t if X is started through "startx" for instance
userdom_use_user_terminals(chromium_t)
# User certificate store, created as ~/.pki
userdom_manage_user_certs(chromium_t)
userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")

xdg_create_cache_home_dirs(chromium_t)
xdg_create_config_home_dirs(chromium_t)
xdg_create_data_home_dirs(chromium_t)
xdg_manage_downloads_home(chromium_t)
xdg_read_config_home_files(chromium_t)
xdg_read_data_home_files(chromium_t)

xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)

# Inbound tcp (extensions that run a listener), off by default.
tunable_policy(`chromium_bind_tcp_unreserved_ports',`
	corenet_tcp_bind_generic_node(chromium_t)
	corenet_tcp_bind_all_unreserved_ports(chromium_t)
	allow chromium_t self:tcp_socket { listen accept };
')

# Generic USB device access (usb debugging, U2F tokens), off by default.
tunable_policy(`chromium_rw_usb_dev',`
	dev_rw_generic_usb_dev(chromium_t)
	udev_read_db(chromium_t)
')

# When the boolean is off the same accesses are silenced rather than
# denied-and-logged, so the browser does not flood the audit log.
tunable_policy(`chromium_read_system_info',`
	kernel_read_kernel_sysctls(chromium_t)
	# Memory optimizations & optimizations based on OS/version
	kernel_read_system_state(chromium_t)

	# Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices).
	dev_read_sysfs(chromium_t)

	storage_getattr_fixed_disk_dev(chromium_t)

	files_read_etc_runtime_files(chromium_t)

	dev_dontaudit_getattr_all_chr_files(chromium_t)
	init_dontaudit_getattr_initctl(chromium_t)
',`
	kernel_dontaudit_read_kernel_sysctls(chromium_t)
	kernel_dontaudit_read_system_state(chromium_t)

	dev_dontaudit_read_sysfs(chromium_t)

	files_dontaudit_read_etc_runtime(chromium_t)
')

optional_policy(`
	cups_read_config(chromium_t)
	cups_stream_connect(chromium_t)
')

optional_policy(`
	dbus_all_session_bus_client(chromium_t)
	dbus_system_bus_client(chromium_t)

	optional_policy(`
		unconfined_dbus_chat(chromium_t)
	')
	optional_policy(`
		gnome_dbus_chat_all_gkeyringd(chromium_t)
	')
	optional_policy(`
		devicekit_dbus_chat_power(chromium_t)
	')
')

optional_policy(`
	flash_manage_home(chromium_t)
')

optional_policy(`
	# Java (iced-tea) plugin .so creates /tmp/icedteaplugin-<name> directory
	# and fifo files within. These are then used by the renderer and a
	# freshly forked java process to communicate between each other.
	tunable_policy(`chromium_use_java',`
		java_noatsecure_domtrans(chromium_t)
	')
')

optional_policy(`
	# Chromium reads in .mozilla for user plugins
	mozilla_read_user_home(chromium_t)
')

ifdef(`use_alsa',`
	optional_policy(`
		alsa_domain(chromium_t, chromium_tmpfs_t)
	')

	optional_policy(`
		pulseaudio_domtrans(chromium_t)
	')
')

########################################
#
# chromium_renderer local policy
#
# Renderer side of the browser/renderer IPC. It talks to chromium_t over
# inherited fds and socketpairs and shares chromium_tmpfs_t files with it;
# it has no network rules of its own.
#

# JIT: writable and executable anonymous memory.
allow chromium_renderer_t self:process execmem;

allow chromium_renderer_t self:fifo_file rw_fifo_file_perms;
allow chromium_renderer_t self:shm create_shm_perms;
allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
allow chromium_renderer_t self:unix_stream_socket { create getattr read write };

# Channel back to the browser process.
allow chromium_renderer_t chromium_t:fd use;
allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms;
allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;

dontaudit chromium_renderer_t chromium_t:dir search;	# /proc/... access
dontaudit chromium_renderer_t self:process getsched;

read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, chromium_xdg_config_t)

# Plugin fifos in the browser tmp directory (see the java note in the chromium_t section).
rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t)

dev_read_urand(chromium_renderer_t)

files_dontaudit_list_tmp(chromium_renderer_t)
files_dontaudit_read_etc_files(chromium_renderer_t)
files_search_var(chromium_renderer_t)

init_sigchld(chromium_renderer_t)

miscfiles_read_localization(chromium_renderer_t)

userdom_dontaudit_use_all_users_fds(chromium_renderer_t)
userdom_use_user_terminals(chromium_renderer_t)

xdg_read_config_home_files(chromium_renderer_t)

xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)

# Same boolean as for chromium_t: read when on, silence when off.
tunable_policy(`chromium_read_system_info',`
	kernel_read_kernel_sysctls(chromium_renderer_t)
	kernel_read_system_state(chromium_renderer_t)
',`
	kernel_dontaudit_read_kernel_sysctls(chromium_renderer_t)
	kernel_dontaudit_read_system_state(chromium_renderer_t)
')

#########################################
#
# Chromium sandbox local policy
#
# The sandbox helper is the most privileged domain in this module: these are
# init namespace capabilities (class capability), unlike the cap_userns rules
# on chromium_t. Keep this list minimal when extending it.
#

allow chromium_sandbox_t self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace };
allow chromium_sandbox_t self:process { setrlimit };
allow chromium_sandbox_t self:unix_stream_socket create_stream_socket_perms;

# process share: clone/fork with shared state with the browser process.
allow chromium_sandbox_t chromium_t:process { share };
# /proc access
allow chromium_sandbox_t chromium_t:dir list_dir_perms;
allow chromium_sandbox_t chromium_t:lnk_file read_lnk_file_perms;
allow chromium_sandbox_t chromium_t:file rw_file_perms;

allow chromium_sandbox_t chromium_t:unix_stream_socket { read write };
allow chromium_sandbox_t chromium_t:unix_dgram_socket { read write };

kernel_list_proc(chromium_sandbox_t)

domain_dontaudit_read_all_domains_state(chromium_sandbox_t)

userdom_use_user_ptys(chromium_sandbox_t)

# The helper executes the browser binary again and transitions back into
# chromium_t; chromium_domtrans is defined in the accompanying interface file.
chromium_domtrans(chromium_sandbox_t)

##########################################
#
# Chromium nacl helper local policy
#

# IPC with the browser process over an inherited socketpair.
allow chromium_naclhelper_t chromium_t:unix_stream_socket { read write };

# Unconditional variant: not gated by the mmap_low_allowed boolean.
domain_mmap_low_uncond(chromium_naclhelper_t)

userdom_use_user_ptys(chromium_naclhelper_t)

# Same boolean as for chromium_t: read when on, silence when off.
tunable_policy(`chromium_read_system_info',`
	kernel_read_kernel_sysctls(chromium_naclhelper_t)
	kernel_read_system_state(chromium_naclhelper_t)
',`
	kernel_dontaudit_read_kernel_sysctls(chromium_naclhelper_t)
	kernel_dontaudit_read_system_state(chromium_naclhelper_t)
')