This is some of the other things needed by Chrome/Chromium. Some is obvious
(like IPP). The file creation thing under /proc is something Chrome does, I
still don't know why.
I'll submit a patch without that if you like, but I think the rest should
be acceptable without debate.
Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
Index: refpolicy-2.20201205/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20201205.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20201205/policy/modules/apps/chromium.te
@@ -90,7 +97,9 @@ xdg_cache_content(chromium_xdg_cache_t)
#
# execmem for load in plugins
-allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
+allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal signull };
+allow chromium_t self:dir { write add_name };
+allow chromium_t self:file create;
allow chromium_t self:fifo_file rw_fifo_file_perms;
allow chromium_t self:sem create_sem_perms;
allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
@@ -145,7 +154,12 @@ dyntrans_pattern(chromium_t, chromium_re
domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
+# for self:file create
+kernel_associate_proc(chromium_t)
+
+kernel_get_sysvipc_info(chromium_t)
kernel_list_proc(chromium_t)
+kernel_read_crypto_sysctls(chromium_t)
kernel_read_fs_sysctls(chromium_t)
kernel_read_kernel_sysctls(chromium_t)
kernel_read_net_sysctls(chromium_t)
@@ -157,6 +171,7 @@ corecmd_exec_shell(chromium_t)
corenet_tcp_connect_all_unreserved_ports(chromium_t)
corenet_tcp_connect_ftp_port(chromium_t)
corenet_tcp_connect_http_port(chromium_t)
+corenet_tcp_connect_ipp_port(chromium_t)
corenet_udp_bind_generic_node(chromium_t)
corenet_udp_bind_all_unreserved_ports(chromium_t)
@@ -328,6 +348,9 @@ userdom_use_user_terminals(chromium_rend
xdg_read_config_files(chromium_renderer_t)
+# should we have a tunable for this?
+xdg_read_pictures(chromium_t)
+
xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)
tunable_policy(`chromium_read_system_info',`
Index: refpolicy-2.20201205/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy-2.20201205.orig/policy/modules/kernel/kernel.if
+++ refpolicy-2.20201205/policy/modules/kernel/kernel.if
@@ -2442,6 +2442,24 @@ interface(`kernel_rw_all_sysctls',`
########################################
## <summary>
+## Associate a file to proc_t (/proc)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_associate_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+ allow $1 proc_t:filesystem associate;
+')
+
+########################################
+## <summary>
## Send a kill signal to unlabeled processes.
## </summary>
## <param name="domain">
