* [PATCH] chrome/chromium stranger things
@ 2021-01-12 10:16 Russell Coker
0 siblings, 0 replies; only message in thread
From: Russell Coker @ 2021-01-12 10:16 UTC (permalink / raw)
To: selinux-refpolicy
These are some of the other things needed by Chrome/Chromium. Some are obvious
(like IPP). The file creation thing under /proc is something Chrome does; I
still don't know why.
I'll submit a patch without that if you like, but I think the rest should
be acceptable without debate.
Signed-off-by: Russell Coker <russell@coker.com.au>
Index: refpolicy-2.20201205/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20201205.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20201205/policy/modules/apps/chromium.te
@@ -90,7 +97,9 @@ xdg_cache_content(chromium_xdg_cache_t)
#
# execmem for load in plugins
-allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
+allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal signull };
+allow chromium_t self:dir { write add_name };
+allow chromium_t self:file create;
allow chromium_t self:fifo_file rw_fifo_file_perms;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
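Review bot: `allow chromium_t self:dir { write add_name };` and `allow chromium_t self:file create;` grant file creation in any chromium_t-labelled directory, which is broader than the single case under /proc the cover letter describes and whose cause the author says is unknown; since the cover letter offers to drop it, either leave it out of this patch or record the observed path in the comment so the rule can be scoped. The comment `# execmem for load in plugins` above the block also no longer describes the added dir/file rules or the new `signull`. The hunk headers (`-90,7 +97,9`, `-145,7 +154,12`, `-157,6 +171,7`, `-328,6 +348,9`) show the local tree already carries other additions, so the patch should be rebased on upstream before it is applied.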
@@ -145,7 +154,12 @@ dyntrans_pattern(chromium_t, chromium_re
domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
+# for self:file create
+kernel_associate_proc(chromium_t)
+
+kernel_get_sysvipc_info(chromium_t)
kernel_list_proc(chromium_t)
+kernel_read_crypto_sysctls(chromium_t)
kernel_read_fs_sysctls(chromium_t)
kernel_read_kernel_sysctls(chromium_t)
kernel_read_net_sysctls(chromium_t)
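Review bot: the comment `# for self:file create` above `kernel_associate_proc(chromium_t)` should name what Chromium was observed creating under /proc, because this call is what ties the self:file create rule to the proc filesystem, and without the path a reviewer cannot judge whether `associate` on proc_t is the right fix or whether a dontaudit would do. `kernel_get_sysvipc_info(chromium_t)` and `kernel_read_crypto_sysctls(chromium_t)` are added with no indication of what triggered them; a one-line comment on each would help.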
@@ -157,6 +171,7 @@ corecmd_exec_shell(chromium_t)
corenet_tcp_connect_all_unreserved_ports(chromium_t)
corenet_tcp_connect_ftp_port(chromium_t)
corenet_tcp_connect_http_port(chromium_t)
+corenet_tcp_connect_ipp_port(chromium_t)
corenet_udp_bind_generic_node(chromium_t)
corenet_udp_bind_all_unreserved_ports(chromium_t)
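Review bot: `corenet_tcp_connect_ipp_port(chromium_t)` sits in the right alphabetical position, but a short comment such as `# printing (IPP)` would record why a browser needs it, and it is worth stating in the cover letter whether this should stay unconditional or go behind a tunable, since not every deployment prints from the browser.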
@@ -328,6 +348,9 @@ userdom_use_user_terminals(chromium_rend
xdg_read_config_files(chromium_renderer_t)
+# should we have a tunable for this?
+xdg_read_pictures(chromium_t)
+
xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)
tunable_policy(`chromium_read_system_info',`
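Review bot: `xdg_read_pictures(chromium_t)` is inserted among the chromium_renderer_t rules (between `xdg_read_config_files(chromium_renderer_t)` and `xserver_user_x_domain_template(chromium_renderer, ...)`), so either the domain is wrong or the placement is; move it next to the other chromium_t xdg_ calls. The question `# should we have a tunable for this?` should be settled before merging rather than committed as a comment; the `chromium_read_system_info` tunable_policy just below shows the existing pattern, and wrapping picture access in a similar tunable is the natural answer.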
Index: refpolicy-2.20201205/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy-2.20201205.orig/policy/modules/kernel/kernel.if
+++ refpolicy-2.20201205/policy/modules/kernel/kernel.if
@@ -2442,6 +2442,24 @@ interface(`kernel_rw_all_sysctls',`
########################################
## <summary>
+## Associate a file to proc_t (/proc)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_associate_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+ allow $1 proc_t:filesystem associate;
+')
+
+########################################
+## <summary>
## Send a kill signal to unlabeled processes.
## </summary>
## <param name="domain">