The attached patch against the git refpolicy from 3 days ago makes Chrome work with Pulseaudio, DRI, Flash, and lots of little things. Adds tunables chromium_exec_plugins and xserver_allow_dri. I think this is ready to merge with the names of the tunables and interfaces being the only possible changes needed. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
Chromium and DRI policy Index: refpolicy-2.20200209/policy/modules/apps/chromium.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/apps/chromium.te +++ refpolicy-2.20200209/policy/modules/apps/chromium.te @@ -39,6 +39,13 @@ gen_tunable(chromium_bind_tcp_unreserved ## </desc> gen_tunable(chromium_rw_usb_dev, false) +## <desc> +## <p> +## Allow chromium to execute it's config (for plugins like Flash) +## </p> +## </desc> +gen_tunable(chromium_exec_plugins, false) + type chromium_t; domain_dyntrans_type(chromium_t) @@ -63,6 +70,9 @@ type chromium_tmpfs_t; userdom_user_tmpfs_file(chromium_tmpfs_t) optional_policy(` pulseaudio_tmpfs_content(chromium_tmpfs_t) + pulseaudio_rw_tmpfs_files(chromium_t) + pulseaudio_stream_connect(chromium_t) + pulseaudio_use_fds(chromium_t) ') type chromium_xdg_config_t; @@ -77,7 +87,9 @@ xdg_cache_content(chromium_xdg_cache_t) # # execmem for load in plugins -allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal }; +allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal signull }; +allow chromium_t self:dir { write add_name }; +allow chromium_t self:file create; allow chromium_t self:fifo_file rw_fifo_file_perms; allow chromium_t self:sem create_sem_perms; allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms; @@ -96,6 +108,7 @@ allow chromium_t chromium_renderer_t:uni allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write }; allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write }; +allow chromium_t chromium_sandbox_t:file read_file_perms; allow chromium_t chromium_naclhelper_t:process { share }; @@ -108,6 +121,9 @@ manage_sock_files_pattern(chromium_t, ch manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file }) +# for /run/user/$UID +userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file }) + manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t) allow chromium_t chromium_tmpfs_t:file map; fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file) @@ -128,7 +144,11 @@ dyntrans_pattern(chromium_t, chromium_re domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t) domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) +# for self:file create +kernel_associate_proc(chromium_t) + kernel_list_proc(chromium_t) +kernel_read_kernel_sysctls(chromium_t) kernel_read_net_sysctls(chromium_t) corecmd_exec_bin(chromium_t) @@ -145,6 +165,9 @@ dev_read_sound(chromium_t) dev_write_sound(chromium_t) dev_read_urand(chromium_t) dev_read_rand(chromium_t) +tunable_policy(`xserver_allow_dri', ` + dev_rw_dri(chromium_t) +') dev_rw_xserver_misc(chromium_t) dev_map_xserver_misc(chromium_t) @@ -178,14 +201,15 @@ userdom_use_user_terminals(chromium_t) userdom_manage_user_certs(chromium_t) userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki") -xdg_create_cache_dirs(chromium_t) -xdg_create_config_dirs(chromium_t) -xdg_create_data_dirs(chromium_t) +xdg_manage_cache(chromium_t) +xdg_manage_config(chromium_t) +xdg_manage_data(chromium_t) xdg_manage_downloads(chromium_t) -xdg_read_config_files(chromium_t) -xdg_read_data_files(chromium_t) xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t) +xserver_stream_connect_xdm(chromium_t) + +xserver_manage_mesa_shader_cache(chromium_t) tunable_policy(`chromium_bind_tcp_unreserved_ports',` corenet_tcp_bind_generic_node(chromium_t) @@ -198,6 +222,11 @@ tunable_policy(`chromium_rw_usb_dev',` udev_read_db(chromium_t) ') +tunable_policy(`chromium_exec_plugins',` + # sometimes .config/google-chrome/PepperFlash/32.0.0.142/libpepflashplayer.so gets chromium_tmp_t + can_exec(chromium_t, { chromium_xdg_config_t chromium_tmp_t }) +') + tunable_policy(`chromium_read_system_info',` kernel_read_kernel_sysctls(chromium_t) # Memory optimizations & optimizations based on OS/version @@ -229,6 +258,10 @@ optional_policy(` ') optional_policy(` + networkmanager_dbus_chat(chromium_t) +') + +optional_policy(` dbus_all_session_bus_client(chromium_t) dbus_system_bus_client(chromium_t) @@ -241,8 +274,13 @@ optional_policy(` ') optional_policy(` + devicekit_dbus_chat_disk(chromium_t) devicekit_dbus_chat_power(chromium_t) ') + + optional_policy(` + systemd_dbus_chat_hostnamed(chromium_t) + ') ') optional_policy(` @@ -252,6 +290,10 @@ optional_policy(` dpkg_read_db(chromium_t) ') +optional_policy(` + ssh_dontaudit_agent_tmp(chromium_t) +') + ifdef(`use_alsa',` optional_policy(` alsa_domain(chromium_t, chromium_tmpfs_t) @@ -259,6 +301,7 @@ ifdef(`use_alsa',` optional_policy(` pulseaudio_domtrans(chromium_t) + pulseaudio_read_home(chromium_t) ') ') @@ -299,6 +342,9 @@ userdom_use_user_terminals(chromium_rend xdg_read_config_files(chromium_renderer_t) +# should we have a tunable for this? +xdg_read_pictures(chromium_t) + xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t) tunable_policy(`chromium_read_system_info',` @@ -360,3 +406,6 @@ tunable_policy(`chromium_read_system_inf dev_read_sysfs(chromium_naclhelper_t) dev_read_urand(chromium_naclhelper_t) +kernel_list_proc(chromium_naclhelper_t) + +miscfiles_read_localization(chromium_naclhelper_t) Index: refpolicy-2.20200209/policy/modules/kernel/kernel.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/kernel/kernel.if +++ refpolicy-2.20200209/policy/modules/kernel/kernel.if @@ -2424,6 +2424,24 @@ interface(`kernel_rw_all_sysctls',` ######################################## ## <summary> +## Associate a file to proc_t (/proc) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_associate_proc',` + gen_require(` + type proc_t; + ') + allow $1 proc_t:filesystem associate; +') + +######################################## +## <summary> ## Send a kill signal to unlabeled processes. ## </summary> ## <param name="domain"> Index: refpolicy-2.20200209/policy/modules/services/xserver.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/xserver.te +++ refpolicy-2.20200209/policy/modules/services/xserver.te @@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false) ## </desc> gen_tunable(xserver_object_manager, false) +## <desc> +## <p> +## Allow DRI access +## </p> +## </desc> +gen_tunable(xserver_allow_dri, false) + attribute x_domain; # X Events Index: refpolicy-2.20200209/policy/modules/services/xserver.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/xserver.if +++ refpolicy-2.20200209/policy/modules/services/xserver.if @@ -48,8 +48,9 @@ interface(`xserver_restricted_role',` files_search_tmp($2) # Communicate via System V shared memory. + allow $2 xserver_t:fd use; allow $2 xserver_t:shm r_shm_perms; - allow $2 xserver_tmpfs_t:file read_file_perms; + allow $2 xserver_tmpfs_t:file { map read_file_perms }; # allow ps to show iceauth ps_process_pattern($2, iceauth_t) @@ -75,10 +76,6 @@ interface(`xserver_restricted_role',` allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; - # Client read xserver shm - allow $2 xserver_t:fd use; - allow $2 xserver_tmpfs_t:file read_file_perms; - # Read /tmp/.X0-lock allow $2 xserver_tmp_t:file { getattr read }; @@ -91,6 +88,9 @@ interface(`xserver_restricted_role',` # open office is looking for the following dev_getattr_agp_dev($2) dev_dontaudit_rw_dri($2) + tunable_policy(`xserver_allow_dri',` + dev_rw_dri($2) + ') # GNOME checks for usb and other devices: dev_rw_usbfs($2) @@ -1670,6 +1670,26 @@ interface(`xserver_rw_mesa_shader_cache' rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) + xdg_search_cache_dirs($1) +') + +######################################## +## <summary> +## Manage the mesa shader cache. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_manage_mesa_shader_cache',` + gen_require(` + type mesa_shader_cache_t; + ') + + manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) + manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) allow $1 mesa_shader_cache_t:file map; xdg_search_cache_dirs($1) Index: refpolicy-2.20200209/policy/modules/apps/chromium.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/apps/chromium.if +++ refpolicy-2.20200209/policy/modules/apps/chromium.if @@ -38,7 +38,15 @@ interface(`chromium_role',` allow $2 chromium_t:process signal_perms; allow $2 chromium_renderer_t:process signal_perms; + allow $2 chromium_sandbox_t:process signal_perms; allow $2 chromium_naclhelper_t:process signal_perms; + allow chromium_t $2:process { signull signal }; + allow $2 chromium_t:file manage_file_perms; + + allow $2 chromium_t:unix_stream_socket connectto; + + # for /tmp/.ICE-unix/* sockets + allow chromium_t $2:unix_stream_socket connectto; allow chromium_sandbox_t $2:fd use; allow chromium_naclhelper_t $2:fd use; @@ -109,6 +117,7 @@ interface(`chromium_domtrans',` gen_require(` type chromium_t; type chromium_exec_t; + class dbus send_msg; ') corecmd_search_bin($1) Index: refpolicy-2.20200209/policy/modules/services/ssh.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/ssh.if +++ refpolicy-2.20200209/policy/modules/services/ssh.if @@ -772,3 +772,21 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') + +####################################### +## <summary> +## dontaudit access to ssh agent tmp dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain not to audit. +## </summary> +## </param> +# +interface(`ssh_dontaudit_agent_tmp',` + gen_require(` + type ssh_agent_tmp_t; + ') + + dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms; +')