This patch is the one I described as "another chromium patch" on the 10th of April last year, but with the issues addressed, and the chromium_t:file manage_file_perms removed as requested. I believe it's ready for inclusion. Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx> Index: refpolicy-2.20210115/policy/modules/apps/chromium.te =================================================================== --- refpolicy-2.20210115.orig/policy/modules/apps/chromium.te +++ refpolicy-2.20210115/policy/modules/apps/chromium.te @@ -7,6 +7,16 @@ policy_module(chromium, 1.3.1) ## <desc> ## <p> +## Allow chromium to access direct rendering interface +## </p> +## <p> +## Needed for good performance on complex sites +## </p> +## </desc> +gen_tunable(chromium_dri, true) + +## <desc> +## <p> ## Allow chromium to read system information ## </p> ## <p> @@ -63,6 +73,9 @@ type chromium_tmpfs_t; userdom_user_tmpfs_file(chromium_tmpfs_t) optional_policy(` pulseaudio_tmpfs_content(chromium_tmpfs_t) + pulseaudio_rw_tmpfs_files(chromium_t) + pulseaudio_stream_connect(chromium_t) + pulseaudio_use_fds(chromium_t) ') type chromium_xdg_config_t; @@ -96,6 +109,7 @@ allow chromium_t chromium_renderer_t:uni allow chromium_t chromium_sandbox_t:unix_dgram_socket { getattr read write }; allow chromium_t chromium_sandbox_t:unix_stream_socket { getattr read write }; +allow chromium_t chromium_sandbox_t:file read_file_perms; allow chromium_t chromium_naclhelper_t:process { share }; @@ -108,6 +122,9 @@ manage_sock_files_pattern(chromium_t, ch manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t) files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file }) +# for /run/user/$UID +userdom_user_runtime_filetrans(chromium_t, chromium_tmp_t, { file sock_file }) + manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t) allow chromium_t chromium_tmpfs_t:file map; fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file) @@ -129,6 +146,8 @@ domtrans_pattern(chromium_t, chromium_sa domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t) kernel_list_proc(chromium_t) +kernel_read_fs_sysctls(chromium_t) +kernel_read_kernel_sysctls(chromium_t) kernel_read_net_sysctls(chromium_t) corecmd_exec_bin(chromium_t) @@ -187,6 +206,9 @@ xdg_read_config_files(chromium_t) xdg_read_data_files(chromium_t) xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t) +xserver_stream_connect_xdm(chromium_t) + +xserver_manage_mesa_shader_cache(chromium_t) tunable_policy(`chromium_bind_tcp_unreserved_ports',` corenet_tcp_bind_generic_node(chromium_t) @@ -194,6 +216,10 @@ tunable_policy(`chromium_bind_tcp_unrese allow chromium_t self:tcp_socket { listen accept }; ') +tunable_policy(`chromium_dri', ` + dev_rw_dri(chromium_t) +') + tunable_policy(`chromium_rw_usb_dev',` dev_rw_generic_usb_dev(chromium_t) ') @@ -240,8 +266,13 @@ optional_policy(` ') optional_policy(` + devicekit_dbus_chat_disk(chromium_t) devicekit_dbus_chat_power(chromium_t) ') + + optional_policy(` + systemd_dbus_chat_hostnamed(chromium_t) + ') ') optional_policy(` @@ -251,6 +282,14 @@ optional_policy(` dpkg_read_db(chromium_t) ') +optional_policy(` + networkmanager_dbus_chat(chromium_t) +') + +optional_policy(` + ssh_dontaudit_agent_tmp(chromium_t) +') + ######################################## # # chromium_renderer local policy @@ -349,3 +388,6 @@ tunable_policy(`chromium_read_system_inf dev_read_sysfs(chromium_naclhelper_t) dev_read_urand(chromium_naclhelper_t) +kernel_list_proc(chromium_naclhelper_t) + +miscfiles_read_localization(chromium_naclhelper_t) Index: refpolicy-2.20210115/policy/modules/services/xserver.te =================================================================== --- refpolicy-2.20210115.orig/policy/modules/services/xserver.te +++ refpolicy-2.20210115/policy/modules/services/xserver.te @@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false) ## </desc> gen_tunable(xserver_object_manager, false) +## <desc> +## <p> +## Allow DRI access +## </p> +## </desc> +gen_tunable(xserver_allow_dri, false) + attribute x_domain; # X Events Index: refpolicy-2.20210115/policy/modules/services/xserver.if =================================================================== --- refpolicy-2.20210115.orig/policy/modules/services/xserver.if +++ refpolicy-2.20210115/policy/modules/services/xserver.if @@ -48,8 +48,9 @@ interface(`xserver_restricted_role',` files_search_tmp($2) # Communicate via System V shared memory. + allow $2 xserver_t:fd use; allow $2 xserver_t:shm r_shm_perms; - allow $2 xserver_tmpfs_t:file read_file_perms; + allow $2 xserver_tmpfs_t:file { map read_file_perms }; # allow ps to show iceauth ps_process_pattern($2, iceauth_t) @@ -75,10 +76,6 @@ interface(`xserver_restricted_role',` allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; - # Client read xserver shm - allow $2 xserver_t:fd use; - allow $2 xserver_tmpfs_t:file read_file_perms; - # Read /tmp/.X0-lock allow $2 xserver_tmp_t:file read_inherited_file_perms; @@ -119,6 +116,9 @@ interface(`xserver_restricted_role',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') + tunable_policy(`xserver_allow_dri',` + dev_rw_dri($2) + ') ') ######################################## @@ -1658,6 +1658,26 @@ interface(`xserver_rw_mesa_shader_cache' rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) + xdg_search_cache_dirs($1) +') + +######################################## +## <summary> +## Manage the mesa shader cache. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_manage_mesa_shader_cache',` + gen_require(` + type mesa_shader_cache_t; + ') + + manage_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) + manage_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) allow $1 mesa_shader_cache_t:file map; xdg_search_cache_dirs($1) Index: refpolicy-2.20210115/policy/modules/apps/chromium.if =================================================================== --- refpolicy-2.20210115.orig/policy/modules/apps/chromium.if +++ refpolicy-2.20210115/policy/modules/apps/chromium.if @@ -38,7 +38,14 @@ interface(`chromium_role',` allow $2 chromium_t:process signal_perms; allow $2 chromium_renderer_t:process signal_perms; + allow $2 chromium_sandbox_t:process signal_perms; allow $2 chromium_naclhelper_t:process signal_perms; + allow chromium_t $2:process { signull signal }; + + allow $2 chromium_t:unix_stream_socket connectto; + + # for /tmp/.ICE-unix/* sockets + allow chromium_t $2:unix_stream_socket connectto; allow chromium_sandbox_t $2:fd use; allow chromium_naclhelper_t $2:fd use; @@ -109,6 +116,7 @@ interface(`chromium_domtrans',` gen_require(` type chromium_t; type chromium_exec_t; + class dbus send_msg; ') corecmd_search_bin($1) Index: refpolicy-2.20210115/policy/modules/services/ssh.if =================================================================== --- refpolicy-2.20210115.orig/policy/modules/services/ssh.if +++ refpolicy-2.20210115/policy/modules/services/ssh.if @@ -774,3 +774,21 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') + +####################################### +## <summary> +## dontaudit access to ssh agent tmp dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain not to audit. +## </summary> +## </param> +# +interface(`ssh_dontaudit_agent_tmp',` + gen_require(` + type ssh_agent_tmp_t; + ') + + dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms; +')