From 482db96eda5501b7f662a83410e3cb222a0e9c3c Mon Sep 17 00:00:00 2001
From: Stefan Schantl <stefan.schantl@ipfire.org>
Date: Fri, 6 Jan 2012 20:43:41 +0100
Subject: [PATCH]  Remove module for chrome.

---
 policy/modules/apps/chrome.fc          |   6 -
 policy/modules/apps/chrome.if          | 133 ------------------
 policy/modules/apps/chrome.te          | 184 -------------------------
 policy/modules/apps/sandbox.te         |   4 -
 policy/modules/kernel/corecommands.fc  |   3 -
 policy/modules/roles/staff.te          |   4 -
 policy/modules/roles/unconfineduser.te |  15 --
 policy/modules/roles/unprivuser.te     |   4 -
 policy/modules/roles/xguest.te         |   5 -
 policy/modules/system/libraries.fc     |   1 -
 policy/modules/system/userdomain.if    |   4 -
 11 files changed, 363 deletions(-)
 delete mode 100644 policy/modules/apps/chrome.fc
 delete mode 100644 policy/modules/apps/chrome.if
 delete mode 100644 policy/modules/apps/chrome.te

diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc
deleted file mode 100644
index 5901e21d..00000000
--- a/policy/modules/apps/chrome.fc
+++ /dev/null
@@ -1,6 +0,0 @@
- /opt/google/chrome/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
-
-/usr/lib/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
-
-/opt/google/chrome/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
-/usr/lib/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
deleted file mode 100644
index 15533561..00000000
--- a/policy/modules/apps/chrome.if
+++ /dev/null
@@ -1,133 +0,0 @@
-
-## <summary>policy for chrome</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run chrome_sandbox.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`chrome_domtrans_sandbox',`
-	gen_require(`
-		type chrome_sandbox_t, chrome_sandbox_exec_t;
-	')
-
-	domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
-	ps_process_pattern(chrome_sandbox_t, $1)
-
-	allow $1 chrome_sandbox_t:fd use;
-
-	ifdef(`hide_broken_symptoms',`
-		fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
-	')
-')
-
-
-########################################
-## <summary>
-##	Execute chrome_sandbox in the chrome_sandbox domain, and
-##	allow the specified role the chrome_sandbox domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the chrome_sandbox domain.
-##	</summary>
-## </param>
-#
-interface(`chrome_run_sandbox',`
-	gen_require(`
-		type chrome_sandbox_t;
-		type chrome_sandbox_nacl_t;
-	')
-
-	chrome_domtrans_sandbox($1)
-	role $2 types chrome_sandbox_t;
-	role $2 types chrome_sandbox_nacl_t;
-')
-
-########################################
-## <summary>
-##	Role access for chrome sandbox
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role
-##	</summary>
-## </param>
-#
-interface(`chrome_role_notrans',`
-	gen_require(`
-		type chrome_sandbox_t;
-		type chrome_sandbox_tmpfs_t;
-		type chrome_sandbox_nacl_t;
-	')
-
-	role $1 types chrome_sandbox_t;
-	role $1 types chrome_sandbox_nacl_t;
-
-	ps_process_pattern($2, chrome_sandbox_t)
-	allow $2 chrome_sandbox_t:process signal_perms;
-
-	allow chrome_sandbox_t $2:unix_dgram_socket { read write };
-	allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
-	allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
-	allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
-	allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
-	allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
-
-	allow $2 chrome_sandbox_t:shm rw_shm_perms;
-
-	allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Role access for chrome sandbox
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role
-##	</summary>
-## </param>
-#
-interface(`chrome_role',`
-	chrome_role_notrans($1, $2)
-	chrome_domtrans_sandbox($2)
-')
-
-########################################
-## <summary>
-##	Dontaudit read/write to a chrome_sandbox leaks
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`chrome_dontaudit_sandbox_leaks',`
-	gen_require(`
-		type chrome_sandbox_t;
-	')
-
-	dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
-')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
deleted file mode 100644
index aff461c9..00000000
--- a/policy/modules/apps/chrome.te
+++ /dev/null
@@ -1,184 +0,0 @@
-policy_module(chrome,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type chrome_sandbox_t;
-type chrome_sandbox_exec_t;
-application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
-role system_r types chrome_sandbox_t;
-
-type chrome_sandbox_tmp_t;
-files_tmp_file(chrome_sandbox_tmp_t)
-
-type chrome_sandbox_tmpfs_t;
-files_tmpfs_file(chrome_sandbox_tmpfs_t)
-ubac_constrained(chrome_sandbox_tmpfs_t)
-
-type chrome_sandbox_nacl_t;
-type chrome_sandbox_nacl_exec_t;
-application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
-role system_r types chrome_sandbox_nacl_t;
-
-########################################
-#
-# chrome_sandbox local policy
-#
-allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
-tunable_policy(`deny_ptrace',`',`
-	allow chrome_sandbox_t self:capability sys_ptrace;
-')
-
-allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
-allow chrome_sandbox_t self:process setsched;
-allow chrome_sandbox_t self:fifo_file manage_file_perms;
-allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
-allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
-allow chrome_sandbox_t self:shm create_shm_perms;
-allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
-dontaudit chrome_sandbox_t self:memprotect mmap_zero;
-
-manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
-manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
-files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
-
-manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
-fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
-
-kernel_read_system_state(chrome_sandbox_t)
-kernel_read_kernel_sysctls(chrome_sandbox_t)
-
-fs_manage_cgroup_dirs(chrome_sandbox_t)
-fs_manage_cgroup_files(chrome_sandbox_t)
-
-corecmd_exec_bin(chrome_sandbox_t)
-
-corenet_all_recvfrom_unlabeled(chrome_sandbox_t)
-corenet_all_recvfrom_netlabel(chrome_sandbox_t)
-corenet_tcp_connect_flash_port(chrome_sandbox_t)
-corenet_tcp_connect_streaming_port(chrome_sandbox_t)
-corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
-corenet_tcp_connect_http_port(chrome_sandbox_t)
-corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
-corenet_tcp_connect_squid_port(chrome_sandbox_t)
-corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
-corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
-corenet_tcp_connect_ipp_port(chrome_sandbox_t)
-corenet_tcp_connect_speech_port(chrome_sandbox_t)
-
-domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
-
-dev_read_urand(chrome_sandbox_t)
-dev_read_sysfs(chrome_sandbox_t)
-dev_rwx_zero(chrome_sandbox_t)
-
-files_read_etc_files(chrome_sandbox_t)
-files_read_usr_files(chrome_sandbox_t)
-
-fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
-
-userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
-userdom_execute_user_tmpfs_files(chrome_sandbox_t)
-
-userdom_use_user_ptys(chrome_sandbox_t)
-userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
-userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
-userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
-userdom_search_user_home_content(chrome_sandbox_t)
-# This one we should figure a way to make it more secure
-userdom_manage_home_certs(chrome_sandbox_t)
-
-miscfiles_read_localization(chrome_sandbox_t)
-miscfiles_read_fonts(chrome_sandbox_t)
-
-sysnet_dns_name_resolve(chrome_sandbox_t)
-
-optional_policy(`
-	gnome_rw_inherited_config(chrome_sandbox_t)
-	gnome_read_home_config(chrome_sandbox_t)
-')
-
-optional_policy(`
-	xserver_use_user_fonts(chrome_sandbox_t)
-	xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_search_nfs(chrome_sandbox_t)
-	fs_exec_nfs_files(chrome_sandbox_t)
-	fs_read_nfs_files(chrome_sandbox_t)
-	fs_rw_inherited_nfs_files(chrome_sandbox_t)
-	fs_read_nfs_symlinks(chrome_sandbox_t)
-	fs_dontaudit_append_nfs_files(chrome_sandbox_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_search_cifs(chrome_sandbox_t)
-	fs_exec_cifs_files(chrome_sandbox_t)
-	fs_rw_inherited_cifs_files(chrome_sandbox_t)
-	fs_read_cifs_files(chrome_sandbox_t)
-	fs_read_cifs_symlinks(chrome_sandbox_t)
-	fs_dontaudit_append_cifs_files(chrome_sandbox_t)
-')
-
-tunable_policy(`use_fusefs_home_dirs',`
-    fs_search_fusefs(chrome_sandbox_t)
-    fs_read_fusefs_files(chrome_sandbox_t)
-    fs_exec_fusefs_files(chrome_sandbox_t)
-	fs_read_fusefs_symlinks(chrome_sandbox_t)
-')
-
-optional_policy(`
-	sandbox_use_ptys(chrome_sandbox_t)
-')
-
-
-########################################
-#
-# chrome_sandbox_nacl local policy
-#
-
-allow chrome_sandbox_nacl_t self:process execmem;
-allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
-allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
-allow chrome_sandbox_nacl_t self:shm create_shm_perms;
-allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
-allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
-allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
-
-allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
-allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
-allow chrome_sandbox_t chrome_sandbox_nacl_t:process share;
-
-manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
-fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
-
-domain_use_interactive_fds(chrome_sandbox_nacl_t)
-
-dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
-
-domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
-ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
-
-kernel_read_system_state(chrome_sandbox_nacl_t)
-
-dev_read_urand(chrome_sandbox_nacl_t)
-dev_read_sysfs(chrome_sandbox_nacl_t)
-
-files_read_etc_files(chrome_sandbox_nacl_t)
-
-miscfiles_read_localization(chrome_sandbox_nacl_t)
-
-corecmd_sbin_entry_type(chrome_sandbox_nacl_t)
-
-userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
-userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
-userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
-userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)
-
-optional_policy(`
-	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
-')
-
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
index d8fac49d..f5cb481a 100644
--- a/policy/modules/apps/sandbox.te
+++ b/policy/modules/apps/sandbox.te
@@ -443,10 +443,6 @@ optional_policy(`
 	hal_dbus_chat(sandbox_web_type)
 ')
 
-optional_policy(`
-	chrome_domtrans_sandbox(sandbox_web_type)
-')
-
 optional_policy(`
 	pulseaudio_stream_connect(sandbox_web_type)
 	allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 66d88a40..16d0e6f9 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -161,9 +161,6 @@ ifdef(`distro_gentoo',`
 
 /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
-/opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/opt/google/chrome(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-
 /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 
 /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index fa149734..2489e789 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -78,10 +78,6 @@ optional_policy(`
 	accountsd_read_lib_files(staff_t)
 ')
 
-optional_policy(`
-	chrome_role(staff_r, staff_t)
-')
-
 optional_policy(`
 	colord_dbus_chat(staff_t)
 ')
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index 4dfd17cf..2794ccdb 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -6,13 +6,6 @@ policy_module(unconfineduser, 1.0.0)
 #
 attribute unconfined_login_domain;
 
-## <desc>
-## <p>
-## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
-## </p>
-## </desc>
-gen_tunable(unconfined_chrome_sandbox_transition, false)
-
 ## <desc>
 ## <p>
 ## Allow vidio playing tools to tun unconfined
@@ -194,14 +187,6 @@ optional_policy(`
 	bind_run_ndc(unconfined_t, unconfined_r)
 ')
 
-optional_policy(`
-	chrome_role_notrans(unconfined_r, unconfined_t)
-
-	tunable_policy(`unconfined_chrome_sandbox_transition',`
-		chrome_domtrans_sandbox(unconfined_t)
-	')
-')
-
 optional_policy(`
 	dbus_role_template(unconfined, unconfined_r, unconfined_t)
 
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 15550410..dd41b667 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -38,10 +38,6 @@ optional_policy(`
 	colord_dbus_chat(user_t)
 ')
 
-optional_policy(`
-	chrome_role(user_r, user_t)
-')
-
 optional_policy(`
 	gnome_role(user_r, user_t)
 ')
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
index c37169a3..b168c0a8 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -91,11 +91,6 @@ optional_policy(`
 	')
 ')
 
-
-optional_policy(`
-	chrome_role(xguest_r, xguest_t)
-')
-
 optional_policy(`
 	hal_dbus_chat(xguest_t)
 ')
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 3083e47d..a957a6c0 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -346,7 +346,6 @@ ifdef(`distro_suse',`
 /opt/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/google/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/google/chrome/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib/oracle/.*/lib/libnnz.*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 17cc2fc4..b523cbe0 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -687,10 +687,6 @@ template(`userdom_common_user_template',`
 		canna_stream_connect($1_usertype)
 	')
 
-	optional_policy(`
-		chrome_role($1_r, $1_usertype)
-	')
-
 	optional_policy(`
 		colord_read_lib_files($1_usertype)
 	')
-- 
2.47.3