another chromium patch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I removed all the controversion stuff so I think this is ready for inclusion.

Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>

Chromium policy tweaks and DRI policy

Index: refpolicy-2.20200410/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20200410/policy/modules/apps/chromium.te
@@ -63,6 +63,9 @@ type chromium_tmpfs_t;
 userdom_user_tmpfs_file(chromium_tmpfs_t)
 optional_policy(`
 	pulseaudio_tmpfs_content(chromium_tmpfs_t)
+	pulseaudio_rw_tmpfs_files(chromium_t)
+	pulseaudio_stream_connect(chromium_t)
+	pulseaudio_use_fds(chromium_t)
 ')
 
 type chromium_xdg_config_t;
@@ -96,6 +99,7 @@ allow chromium_t chromium_renderer_t:uni
 
 allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write };
 allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write };
+allow chromium_t chromium_sandbox_t:file read_file_perms;
 
 allow chromium_t chromium_naclhelper_t:process { share };
 
@@ -108,6 +112,9 @@ manage_sock_files_pattern(chromium_t, ch
 manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
 files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
 
+# for /run/user/$UID
+userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file })
+
 manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
 allow chromium_t chromium_tmpfs_t:file map;
 fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
@@ -129,6 +136,8 @@ domtrans_pattern(chromium_t, chromium_sa
 domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
 
 kernel_list_proc(chromium_t)
+kernel_read_fs_sysctls(chromium_t)
+kernel_read_kernel_sysctls(chromium_t)
 kernel_read_net_sysctls(chromium_t)
 
 corecmd_exec_bin(chromium_t)
@@ -145,6 +154,9 @@ dev_read_sound(chromium_t)
 dev_write_sound(chromium_t)
 dev_read_urand(chromium_t)
 dev_read_rand(chromium_t)
+tunable_policy(`xserver_allow_dri', `
+	dev_rw_dri(chromium_t)
+')
 dev_rw_xserver_misc(chromium_t)
 dev_map_xserver_misc(chromium_t)
 
@@ -187,6 +199,9 @@ xdg_read_config_files(chromium_t)
 xdg_read_data_files(chromium_t)
 
 xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
+xserver_stream_connect_xdm(chromium_t)
+
+xserver_manage_mesa_shader_cache(chromium_t)
 
 tunable_policy(`chromium_bind_tcp_unreserved_ports',`
 	corenet_tcp_bind_generic_node(chromium_t)
@@ -230,6 +245,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	networkmanager_dbus_chat(chromium_t)
+')
+
+optional_policy(`
 	dbus_all_session_bus_client(chromium_t)
 	dbus_system_bus_client(chromium_t)
 
@@ -242,8 +261,13 @@ optional_policy(`
 	')
 
 	optional_policy(`
+		devicekit_dbus_chat_disk(chromium_t)
 		devicekit_dbus_chat_power(chromium_t)
 	')
+
+	optional_policy(`
+		systemd_dbus_chat_hostnamed(chromium_t)
+	')
 ')
 
 optional_policy(`
@@ -253,6 +277,10 @@ optional_policy(`
 	dpkg_read_db(chromium_t)
 ')
 
+optional_policy(`
+	ssh_dontaudit_agent_tmp(chromium_t)
+')
+
 ifdef(`use_alsa',`
 	optional_policy(`
 		alsa_domain(chromium_t, chromium_tmpfs_t)
@@ -260,6 +288,7 @@ ifdef(`use_alsa',`
 
 	optional_policy(`
 		pulseaudio_domtrans(chromium_t)
+		pulseaudio_read_home(chromium_t)
 	')
 ')
 
@@ -361,3 +390,6 @@ tunable_policy(`chromium_read_system_inf
 
 dev_read_sysfs(chromium_naclhelper_t)
 dev_read_urand(chromium_naclhelper_t)
+kernel_list_proc(chromium_naclhelper_t)
+
+miscfiles_read_localization(chromium_naclhelper_t)
Index: refpolicy-2.20200410/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20200410/policy/modules/services/xserver.te
@@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false)
 ## </desc>
 gen_tunable(xserver_object_manager, false)
 
+## <desc>
+## <p>
+## Allow DRI access
+## </p>
+## </desc>
+gen_tunable(xserver_allow_dri, false)
+
 attribute x_domain;
 
 # X Events
Index: refpolicy-2.20200410/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20200410/policy/modules/services/xserver.if
@@ -48,8 +48,9 @@ interface(`xserver_restricted_role',`
 	files_search_tmp($2)
 
 	# Communicate via System V shared memory.
+	allow $2 xserver_t:fd use;
 	allow $2 xserver_t:shm r_shm_perms;
-	allow $2 xserver_tmpfs_t:file read_file_perms;
+	allow $2 xserver_tmpfs_t:file { map read_file_perms };
 
 	# allow ps to show iceauth
 	ps_process_pattern($2, iceauth_t)
@@ -75,10 +76,6 @@ interface(`xserver_restricted_role',`
 	allow $2 xdm_tmp_t:sock_file { read write };
 	dontaudit $2 xdm_t:tcp_socket { read write };
 
-	# Client read xserver shm
-	allow $2 xserver_t:fd use;
-	allow $2 xserver_tmpfs_t:file read_file_perms;
-
 	# Read /tmp/.X0-lock
 	allow $2 xserver_tmp_t:file { getattr read };
 
@@ -91,6 +88,9 @@ interface(`xserver_restricted_role',`
 	# open office is looking for the following
 	dev_getattr_agp_dev($2)
 	dev_dontaudit_rw_dri($2)
+	tunable_policy(`xserver_allow_dri',`
+		dev_rw_dri($2)
+	')
 	# GNOME checks for usb and other devices:
 	dev_rw_usbfs($2)
 
@@ -1670,6 +1670,26 @@ interface(`xserver_rw_mesa_shader_cache'
 
 	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
 	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	xdg_search_cache_dirs($1)
+')
+
+########################################
+## <summary>
+##	Manage the mesa shader cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_mesa_shader_cache',`
+	gen_require(`
+		type mesa_shader_cache_t;
+	')
+
+	manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
 	allow $1 mesa_shader_cache_t:file map;
 
 	xdg_search_cache_dirs($1)
Index: refpolicy-2.20200410/policy/modules/apps/chromium.if
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/apps/chromium.if
+++ refpolicy-2.20200410/policy/modules/apps/chromium.if
@@ -38,7 +38,15 @@ interface(`chromium_role',`
 
 	allow $2 chromium_t:process signal_perms;
 	allow $2 chromium_renderer_t:process signal_perms;
+	allow $2 chromium_sandbox_t:process signal_perms;
 	allow $2 chromium_naclhelper_t:process signal_perms;
+	allow chromium_t $2:process { signull signal };
+	allow $2 chromium_t:file manage_file_perms;
+
+	allow $2 chromium_t:unix_stream_socket connectto;
+
+	# for /tmp/.ICE-unix/* sockets
+	allow chromium_t $2:unix_stream_socket connectto;
 
 	allow chromium_sandbox_t $2:fd use;
 	allow chromium_naclhelper_t $2:fd use;
@@ -109,6 +117,7 @@ interface(`chromium_domtrans',`
 	gen_require(`
 		type chromium_t;
 		type chromium_exec_t;
+		class dbus send_msg;
 	')
 
 	corecmd_search_bin($1)
Index: refpolicy-2.20200410/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20200410/policy/modules/services/ssh.if
@@ -772,3 +772,21 @@ interface(`ssh_delete_tmp',`
 	files_search_tmp($1)
 	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
 ')
+
+#######################################
+## <summary>
+##	dontaudit access to ssh agent tmp dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+#
+interface(`ssh_dontaudit_agent_tmp',`
+	gen_require(`
+		type ssh_agent_tmp_t;
+	')
+
+	dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms;
+')



[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux