From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] base chrome/chromium patch fixed
Date: Fri, 15 Jan 2021 10:32:06 +1100 [thread overview]
Message-ID: <YADUdqCHQxMPCiZ+@xev> (raw)
This patch is the one I described as "another chromium patch" on the 10th of
April last year, but with the issues addressed, and the
chromium_t:file manage_file_perms removed as requested.
I believe it's ready for inclusion.
Signed-off-by: Russell Coker <russell@coker.com.au>
Index: refpolicy-2.20210115/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20210115/policy/modules/apps/chromium.te
@@ -7,6 +7,16 @@ policy_module(chromium, 1.3.1)
## <desc>
## <p>
+## Allow chromium to access direct rendering interface
+## </p>
+## <p>
+## Needed for good performance on complex sites
+## </p>
+## </desc>
+gen_tunable(chromium_dri, true)
+
+## <desc>
+## <p>
## Allow chromium to read system information
## </p>
## <p>
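Review bot: `gen_tunable(chromium_dri, true)` switches the new tunable on by default, whereas the parallel `gen_tunable(xserver_allow_dri, false)` added in xserver.te is off, and refpolicy generally leaves new tunables that widen device access disabled until an administrator opts in. The tunable gates `dev_rw_dri(chromium_t)` in the later chromium.te hunk, so the true default gives every chromium_t process read/write access to the DRI device nodes out of the box. Suggest `gen_tunable(chromium_dri, false)` to match xserver_allow_dri, or, if the performance argument in the description is meant to justify an on-by-default, saying so explicitly in the description so the divergence is deliberate rather than accidental.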
@@ -63,6 +73,9 @@ type chromium_tmpfs_t;
userdom_user_tmpfs_file(chromium_tmpfs_t)
optional_policy(`
pulseaudio_tmpfs_content(chromium_tmpfs_t)
+ pulseaudio_rw_tmpfs_files(chromium_t)
+ pulseaudio_stream_connect(chromium_t)
+ pulseaudio_use_fds(chromium_t)
')
type chromium_xdg_config_t;
@@ -96,6 +109,7 @@ allow chromium_t chromium_renderer_t:uni
allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write };
allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write };
+allow chromium_t chromium_sandbox_t:file read_file_perms;
allow chromium_t chromium_naclhelper_t:process { share };
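Review bot: `allow chromium_t chromium_sandbox_t:file read_file_perms;` carries no comment saying which files have the sandbox domain's type; chromium_sandbox_t is a process domain, so this is presumably the sandbox helper's /proc/PID entries, but the rule does not say so and a later reader cannot tell whether it is still needed. Suggest a one-line comment above it naming the object that produced the denial, e.g. `# read /proc/PID/* of the sandbox helper` if that is what it was, so the rule can be re-checked against the actual access.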
@@ -108,6 +122,9 @@ manage_sock_files_pattern(chromium_t, ch
manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
+# for /run/user/$UID
+userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file })
+
manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
allow chromium_t chromium_tmpfs_t:file map;
fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
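Review bot: `userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file })` is an unnamed transition, so every file or socket chromium_t creates directly under the user runtime directory becomes chromium_tmp_t, and the comment `# for /run/user/$UID` does not record what chromium creates there. If the object is a known name, passing it as the optional object-name argument (if this interface accepts one like the other *_filetrans interfaces) keeps the transition from catching unrelated files, and the comment should name it, e.g. `# for /run/user/$UID/<object chromium creates>`. Reusing the /tmp type for runtime-directory content also means anything that reads chromium_tmp_t can read these objects; a separate runtime type may be warranted if they are sockets other user processes connect to.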
@@ -129,6 +146,8 @@ domtrans_pattern(chromium_t, chromium_sa
domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
kernel_list_proc(chromium_t)
+kernel_read_fs_sysctls(chromium_t)
+kernel_read_kernel_sysctls(chromium_t)
kernel_read_net_sysctls(chromium_t)
corecmd_exec_bin(chromium_t)
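Review bot: `kernel_read_kernel_sysctls(chromium_t)` grants read access to the whole /proc/sys/kernel tree and comes with no comment naming the entry the browser actually reads; `kernel_read_fs_sysctls` beside it is likewise unexplained. Refpolicy usually takes the narrowest sysctl interface that satisfies the observed denial, so either the specific need should be recorded, e.g. `# reads /proc/sys/kernel/<entry>` with the real path, or a narrower kernel_* interface should be used where one covers that entry.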
@@ -187,6 +206,9 @@ xdg_read_config_files(chromium_t)
xdg_read_data_files(chromium_t)
xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
+xserver_stream_connect_xdm(chromium_t)
+
+xserver_manage_mesa_shader_cache(chromium_t)
tunable_policy(`chromium_bind_tcp_unreserved_ports',`
corenet_tcp_bind_generic_node(chromium_t)
@@ -194,6 +216,10 @@ tunable_policy(`chromium_bind_tcp_unrese
allow chromium_t self:tcp_socket { listen accept };
')
+tunable_policy(`chromium_dri', `
+ dev_rw_dri(chromium_t)
+')
+
tunable_policy(`chromium_rw_usb_dev',`
dev_rw_generic_usb_dev(chromium_t)
')
@@ -240,8 +266,13 @@ optional_policy(`
')
optional_policy(`
+ devicekit_dbus_chat_disk(chromium_t)
devicekit_dbus_chat_power(chromium_t)
')
+
+ optional_policy(`
+ systemd_dbus_chat_hostnamed(chromium_t)
+ ')
')
optional_policy(`
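Review bot: `devicekit_dbus_chat_disk(chromium_t)` lets the browser exchange D-Bus messages with the disk management daemon, a wider capability than the power-daemon chat next to it, and nothing in the hunk says which browser feature needs it; the nested `systemd_dbus_chat_hostnamed(chromium_t)` is uncommented as well. Suggest a comment above each naming the feature or denial that motivated it, e.g. `# <feature> queries udisks over D-Bus`, so these can be revisited. The enclosing optional_policy block begins outside the hunk.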
@@ -251,6 +282,14 @@ optional_policy(`
dpkg_read_db(chromium_t)
')
+optional_policy(`
+ networkmanager_dbus_chat(chromium_t)
+')
+
+optional_policy(`
+ ssh_dontaudit_agent_tmp(chromium_t)
+')
+
########################################
#
# chromium_renderer local policy
@@ -349,3 +388,6 @@ tunable_policy(`chromium_read_system_inf
dev_read_sysfs(chromium_naclhelper_t)
dev_read_urand(chromium_naclhelper_t)
+kernel_list_proc(chromium_naclhelper_t)
+
+miscfiles_read_localization(chromium_naclhelper_t)
Index: refpolicy-2.20210115/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20210115/policy/modules/services/xserver.te
@@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false)
## </desc>
gen_tunable(xserver_object_manager, false)
+## <desc>
+## <p>
+## Allow DRI access
+## </p>
+## </desc>
+gen_tunable(xserver_allow_dri, false)
+
attribute x_domain;
# X Events
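Review bot: The description for `xserver_allow_dri` says only `Allow DRI access` and does not state which domains it affects; the tunable is applied inside xserver_restricted_role in the xserver.if hunk, so it is the user domains given that role (and presumably xserver_role through it) that gain `dev_rw_dri`. Suggest `## Allow user domains that have an X client role to read and write direct rendering interface (DRI) devices.`, expanding the acronym as the chromium_dri description does.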
Index: refpolicy-2.20210115/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20210115/policy/modules/services/xserver.if
@@ -48,8 +48,9 @@ interface(`xserver_restricted_role',`
files_search_tmp($2)
# Communicate via System V shared memory.
+ allow $2 xserver_t:fd use;
allow $2 xserver_t:shm r_shm_perms;
- allow $2 xserver_tmpfs_t:file read_file_perms;
+ allow $2 xserver_tmpfs_t:file { map read_file_perms };
# allow ps to show iceauth
ps_process_pattern($2, iceauth_t)
@@ -75,10 +76,6 @@ interface(`xserver_restricted_role',`
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
- # Client read xserver shm
- allow $2 xserver_t:fd use;
- allow $2 xserver_tmpfs_t:file read_file_perms;
-
# Read /tmp/.X0-lock
allow $2 xserver_tmp_t:file read_inherited_file_perms;
@@ -119,6 +116,9 @@ interface(`xserver_restricted_role',`
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
+ tunable_policy(`xserver_allow_dri',`
+ dev_rw_dri($2)
+ ')
')
########################################
@@ -1658,6 +1658,26 @@ interface(`xserver_rw_mesa_shader_cache'
rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+ xdg_search_cache_dirs($1)
+')
+
+########################################
+## <summary>
+## Manage the mesa shader cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_mesa_shader_cache',`
+ gen_require(`
+ type mesa_shader_cache_t;
+ ')
+
+ manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+ manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
allow $1 mesa_shader_cache_t:file map;
xdg_search_cache_dirs($1)
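Review bot: The split drops `allow $1 mesa_shader_cache_t:file map;` from `xserver_rw_mesa_shader_cache`: the added `xdg_search_cache_dirs($1)` and `')` close that interface right after `rw_files_pattern`, and the original `allow ... map;` / `xdg_search_cache_dirs($1)` tail now terminates the new `xserver_manage_mesa_shader_cache` instead. Any existing caller of the rw interface that mmaps shader cache files loses that permission as an unintended side effect of this patch. Suggest inserting `allow $1 mesa_shader_cache_t:file map;` before the added `')` so the rw interface keeps its previous rules.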
Index: refpolicy-2.20210115/policy/modules/apps/chromium.if
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/apps/chromium.if
+++ refpolicy-2.20210115/policy/modules/apps/chromium.if
@@ -38,7 +38,14 @@ interface(`chromium_role',`
allow $2 chromium_t:process signal_perms;
allow $2 chromium_renderer_t:process signal_perms;
+ allow $2 chromium_sandbox_t:process signal_perms;
allow $2 chromium_naclhelper_t:process signal_perms;
+ allow chromium_t $2:process { signull signal };
+
+ allow $2 chromium_t:unix_stream_socket connectto;
+
+ # for /tmp/.ICE-unix/* sockets
+ allow chromium_t $2:unix_stream_socket connectto;
allow chromium_sandbox_t $2:fd use;
allow chromium_naclhelper_t $2:fd use;
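Review bot: `allow chromium_t $2:process { signull signal };` lets the confined browser domain deliver any signal to processes in the caller's user domain, and unlike the ICE socket rule below it has no comment saying why. If the browser only needs to test whether a user process exists, `signull` alone suffices; otherwise a comment naming the case, e.g. `# chromium signals <user process> on <event>`, should accompany the rule. `allow $2 chromium_t:unix_stream_socket connectto;` is likewise uncommented. The interface body continues outside the hunk.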
@@ -109,6 +116,7 @@ interface(`chromium_domtrans',`
gen_require(`
type chromium_t;
type chromium_exec_t;
+ class dbus send_msg;
')
corecmd_search_bin($1)
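Review bot: The added `class dbus send_msg;` in chromium_domtrans's gen_require has no rule in this hunk that uses it, and the hunk adds only that line. The rest of the interface lies outside the hunk, so if no `dbus send_msg` rule exists there the requirement is unused and should be dropped, and if one was intended it is missing from the patch; gen_require blocks conventionally list only what the interface body references.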
Index: refpolicy-2.20210115/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20210115/policy/modules/services/ssh.if
@@ -774,3 +774,21 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
+
+#######################################
+## <summary>
+## dontaudit access to ssh agent tmp dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain not to audit.
+## </summary>
+## </param>
+#
+interface(`ssh_dontaudit_agent_tmp',`
+ gen_require(`
+ type ssh_agent_tmp_t;
+ ')
+
+ dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms;
+')
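Review bot: The summary `dontaudit access to ssh agent tmp dirs` should be a sentence in the style of the neighbouring interfaces and should say what is suppressed, since the body covers only `dir list_dir_perms`: suggest `## Do not audit attempts to list ssh agent temporary directories.` A matching one-line comment in the chromium.te caller saying what prompts the listing would help future readers decide whether the dontaudit is still appropriate.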