policy_module(chrome,1.0.0)

########################################
#
# Declarations
#

# Main sandbox helper domain, entered by executing chrome_sandbox_exec_t.
type chrome_sandbox_t;
type chrome_sandbox_exec_t;
application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
role system_r types chrome_sandbox_t;

# Scratch files and dirs the sandbox creates under /tmp.
type chrome_sandbox_tmp_t;
files_tmp_file(chrome_sandbox_tmp_t)

# tmpfs-backed files (shared memory); ubac_constrained keeps them subject to
# user-based access control constraints.
type chrome_sandbox_tmpfs_t;
files_tmpfs_file(chrome_sandbox_tmpfs_t)
ubac_constrained(chrome_sandbox_tmpfs_t)

# Native Client helper domain, reached by domain transition from chrome_sandbox_t.
type chrome_sandbox_nacl_t;
type chrome_sandbox_nacl_exec_t;
application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
role system_r types chrome_sandbox_nacl_t;

########################################
#
# chrome_sandbox local policy
#

# Capabilities the sandbox helper holds over itself.  sys_admin and sys_chroot
# are broad; setuid/setgid/chown/dac_override/fsetid cover privilege dropping
# and ownership fixups.
# NOTE(review): sys_admin is the widest of these - confirm it is still required.
allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
# The true branch is empty, so sys_ptrace is granted only when deny_ptrace is off.
tunable_policy(`deny_ptrace',`',`
	allow chrome_sandbox_t self:capability sys_ptrace;
')

# execmem/execstack relax W^X for this domain (anonymous executable memory and
# executable stack); together with dev_rwx_zero below this is the main
# executable-memory surface of the policy.
allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
allow chrome_sandbox_t self:process setsched;
allow chrome_sandbox_t self:fifo_file manage_file_perms;
allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
allow chrome_sandbox_t self:shm create_shm_perms;
allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
# Attempts to map page zero (below vm.mmap_min_addr) are silenced, not allowed.
dontaudit chrome_sandbox_t self:memprotect mmap_zero;

# Private /tmp content: dirs and files created in /tmp are labeled chrome_sandbox_tmp_t.
manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })

# Private tmpfs files; new files on tmpfs get chrome_sandbox_tmpfs_t.
manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)

kernel_read_system_state(chrome_sandbox_t)
kernel_read_kernel_sysctls(chrome_sandbox_t)

# Full manage access to cgroup dirs and files - write access to a system-wide
# hierarchy; presumably for limiting sandboxed children, confirm it is needed.
fs_manage_cgroup_dirs(chrome_sandbox_t)
fs_manage_cgroup_files(chrome_sandbox_t)

corecmd_exec_bin(chrome_sandbox_t)

# Outbound TCP is limited to a fixed set of named ports (media, proxy/HTTP,
# printing, speech); no all-ports connect rule appears in this policy.
corenet_all_recvfrom_unlabeled(chrome_sandbox_t)
corenet_all_recvfrom_netlabel(chrome_sandbox_t)
corenet_tcp_connect_flash_port(chrome_sandbox_t)
corenet_tcp_connect_streaming_port(chrome_sandbox_t)
corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
corenet_tcp_connect_http_port(chrome_sandbox_t)
corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
corenet_tcp_connect_squid_port(chrome_sandbox_t)
corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
corenet_tcp_connect_ipp_port(chrome_sandbox_t)
corenet_tcp_connect_speech_port(chrome_sandbox_t)

# Reads of the /proc state of all other domains are silenced rather than allowed.
domain_dontaudit_read_all_domains_state(chrome_sandbox_t)

dev_read_urand(chrome_sandbox_t)
dev_read_sysfs(chrome_sandbox_t)
# rwx on /dev/zero allows executable mappings backed by /dev/zero (see execmem above).
dev_rwx_zero(chrome_sandbox_t)

files_read_etc_files(chrome_sandbox_t)
files_read_usr_files(chrome_sandbox_t)

fs_dontaudit_getattr_all_fs(chrome_sandbox_t)

# User tmpfs files may be both written (inherited fds) and executed.
userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
userdom_execute_user_tmpfs_files(chrome_sandbox_t)

userdom_use_user_ptys(chrome_sandbox_t)
userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
userdom_search_user_home_content(chrome_sandbox_t)
# This one we should figure a way to make it more secure
# (full manage access to the user certificate store in the home directory,
# not just read access).
userdom_manage_home_certs(chrome_sandbox_t)

miscfiles_read_localization(chrome_sandbox_t)
miscfiles_read_fonts(chrome_sandbox_t)

sysnet_dns_name_resolve(chrome_sandbox_t)

optional_policy(`
	gnome_rw_inherited_config(chrome_sandbox_t)
	gnome_read_home_config(chrome_sandbox_t)
')

# Makes chrome_sandbox_t an X client domain, with chrome_sandbox_tmpfs_t as its tmpfs type.
optional_policy(`
	xserver_use_user_fonts(chrome_sandbox_t)
	xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
')

# Home directories on NFS, CIFS and FUSE: search, read and exec of files;
# exec is granted on all three remote filesystem types.
tunable_policy(`use_nfs_home_dirs',`
	fs_search_nfs(chrome_sandbox_t)
	fs_exec_nfs_files(chrome_sandbox_t)
	fs_read_nfs_files(chrome_sandbox_t)
	fs_rw_inherited_nfs_files(chrome_sandbox_t)
	fs_read_nfs_symlinks(chrome_sandbox_t)
	fs_dontaudit_append_nfs_files(chrome_sandbox_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_search_cifs(chrome_sandbox_t)
	fs_exec_cifs_files(chrome_sandbox_t)
	fs_rw_inherited_cifs_files(chrome_sandbox_t)
	fs_read_cifs_files(chrome_sandbox_t)
	fs_read_cifs_symlinks(chrome_sandbox_t)
	fs_dontaudit_append_cifs_files(chrome_sandbox_t)
')

tunable_policy(`use_fusefs_home_dirs',`
	fs_search_fusefs(chrome_sandbox_t)
	fs_read_fusefs_files(chrome_sandbox_t)
	fs_exec_fusefs_files(chrome_sandbox_t)
	fs_read_fusefs_symlinks(chrome_sandbox_t)
')

optional_policy(`
	sandbox_use_ptys(chrome_sandbox_t)
')


########################################
#
# chrome_sandbox_nacl local policy
#

# Like the parent sandbox domain, the NaCl helper needs anonymous executable memory.
allow chrome_sandbox_nacl_t self:process execmem;
allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
allow chrome_sandbox_nacl_t self:shm create_shm_perms;
allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
# IPC between the two domains: unix stream sockets in both directions, plus
# read/write on the parent shm and inherited tmpfs files.
allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };

allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
# process:share - state sharing with a cloned/forked process that lands in the NaCl domain.
allow chrome_sandbox_t chrome_sandbox_nacl_t:process share;

manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)

domain_use_interactive_fds(chrome_sandbox_nacl_t)

dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;

# Entry path: chrome_sandbox_t executing chrome_sandbox_nacl_exec_t transitions
# into this domain; the parent may also read the NaCl process state (ps).
domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)

kernel_read_system_state(chrome_sandbox_nacl_t)

dev_read_urand(chrome_sandbox_nacl_t)
dev_read_sysfs(chrome_sandbox_nacl_t)

files_read_etc_files(chrome_sandbox_nacl_t)

miscfiles_read_localization(chrome_sandbox_nacl_t)

# Also makes generic sbin binaries entry points for this domain, in addition to
# chrome_sandbox_nacl_exec_t - worth confirming this is still required.
corecmd_sbin_entry_type(chrome_sandbox_nacl_t)

# Inherited user ptys and tmp files; user tmpfs files may be executed.
userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)

optional_policy(`
	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
')
