[people/stevee/selinux-policy.git] / policy / modules / apps / chrome.te

policy_module(chrome,1.0.0)

########################################
#
# Declarations
#

type chrome_sandbox_t;
type chrome_sandbox_exec_t;
application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
role system_r types chrome_sandbox_t;

type chrome_sandbox_tmp_t;
files_tmp_file(chrome_sandbox_tmp_t)

type chrome_sandbox_tmpfs_t;
files_tmpfs_file(chrome_sandbox_tmpfs_t)
ubac_constrained(chrome_sandbox_tmpfs_t)

type chrome_sandbox_nacl_t;
type chrome_sandbox_nacl_exec_t;
application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
role system_r types chrome_sandbox_nacl_t;

########################################
#
# chrome_sandbox local policy
#
allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
tunable_policy(`deny_ptrace',`',`
	allow chrome_sandbox_t self:capability sys_ptrace;
')

allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
allow chrome_sandbox_t self:process setsched;
allow chrome_sandbox_t self:fifo_file manage_file_perms;
allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
allow chrome_sandbox_t self:shm create_shm_perms;
allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit chrome_sandbox_t self:memprotect mmap_zero;

manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })

manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)

kernel_read_system_state(chrome_sandbox_t)
kernel_read_kernel_sysctls(chrome_sandbox_t)

fs_manage_cgroup_dirs(chrome_sandbox_t)
fs_manage_cgroup_files(chrome_sandbox_t)

corecmd_exec_bin(chrome_sandbox_t)

corenet_all_recvfrom_unlabeled(chrome_sandbox_t)
corenet_all_recvfrom_netlabel(chrome_sandbox_t)
corenet_tcp_connect_flash_port(chrome_sandbox_t)
corenet_tcp_connect_streaming_port(chrome_sandbox_t)
corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
corenet_tcp_connect_http_port(chrome_sandbox_t)
corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
corenet_tcp_connect_squid_port(chrome_sandbox_t)
corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
corenet_tcp_connect_ipp_port(chrome_sandbox_t)
corenet_tcp_connect_speech_port(chrome_sandbox_t)

domain_dontaudit_read_all_domains_state(chrome_sandbox_t)

dev_read_urand(chrome_sandbox_t)
dev_read_sysfs(chrome_sandbox_t)
dev_rwx_zero(chrome_sandbox_t)

files_read_etc_files(chrome_sandbox_t)
files_read_usr_files(chrome_sandbox_t)

fs_dontaudit_getattr_all_fs(chrome_sandbox_t)

userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
userdom_execute_user_tmpfs_files(chrome_sandbox_t)

userdom_use_user_ptys(chrome_sandbox_t)
userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
userdom_search_user_home_content(chrome_sandbox_t)
# This one we should figure a way to make it more secure
userdom_manage_home_certs(chrome_sandbox_t)

miscfiles_read_localization(chrome_sandbox_t)
miscfiles_read_fonts(chrome_sandbox_t)

sysnet_dns_name_resolve(chrome_sandbox_t)

optional_policy(`
	gnome_rw_inherited_config(chrome_sandbox_t)
	gnome_read_home_config(chrome_sandbox_t)
')

optional_policy(`
	xserver_use_user_fonts(chrome_sandbox_t)
	xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_search_nfs(chrome_sandbox_t)
	fs_exec_nfs_files(chrome_sandbox_t)
	fs_read_nfs_files(chrome_sandbox_t)
	fs_rw_inherited_nfs_files(chrome_sandbox_t)
	fs_read_nfs_symlinks(chrome_sandbox_t)
	fs_dontaudit_append_nfs_files(chrome_sandbox_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_search_cifs(chrome_sandbox_t)
	fs_exec_cifs_files(chrome_sandbox_t)
	fs_rw_inherited_cifs_files(chrome_sandbox_t)
	fs_read_cifs_files(chrome_sandbox_t)
	fs_read_cifs_symlinks(chrome_sandbox_t)
	fs_dontaudit_append_cifs_files(chrome_sandbox_t)
')

tunable_policy(`use_fusefs_home_dirs',`
    fs_search_fusefs(chrome_sandbox_t)
    fs_read_fusefs_files(chrome_sandbox_t)
    fs_exec_fusefs_files(chrome_sandbox_t)
	fs_read_fusefs_symlinks(chrome_sandbox_t)
')

optional_policy(`
	sandbox_use_ptys(chrome_sandbox_t)
')


########################################
#
# chrome_sandbox_nacl local policy
#

allow chrome_sandbox_nacl_t self:process execmem;
allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
allow chrome_sandbox_nacl_t self:shm create_shm_perms;
allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };

allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
allow chrome_sandbox_t chrome_sandbox_nacl_t:process share;

manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)

domain_use_interactive_fds(chrome_sandbox_nacl_t)

dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;

domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)

kernel_read_system_state(chrome_sandbox_nacl_t)

dev_read_urand(chrome_sandbox_nacl_t)
dev_read_sysfs(chrome_sandbox_nacl_t)

files_read_etc_files(chrome_sandbox_nacl_t)

miscfiles_read_localization(chrome_sandbox_nacl_t)

corecmd_sbin_entry_type(chrome_sandbox_nacl_t)

userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)

optional_policy(`
	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
')
Commit	Line	Data
3eaa9939 DW	1	policy_module(chrome,1.0.0)
	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	type chrome_sandbox_t;
	9	type chrome_sandbox_exec_t;
	10	application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
	11	role system_r types chrome_sandbox_t;
	12
	13	type chrome_sandbox_tmp_t;
	14	files_tmp_file(chrome_sandbox_tmp_t)
	15
	16	type chrome_sandbox_tmpfs_t;
	17	files_tmpfs_file(chrome_sandbox_tmpfs_t)
	18	ubac_constrained(chrome_sandbox_tmpfs_t)
	19
69ffb0a2 DW	20	type chrome_sandbox_nacl_t;
	21	type chrome_sandbox_nacl_exec_t;
	22	application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
	23	role system_r types chrome_sandbox_nacl_t;
480f1aae	24
3eaa9939 DW	25	########################################
	26	#
	27	# chrome_sandbox local policy
	28	#
995bdbb1	29	allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
2361af56 DW	30	tunable_policy(`deny_ptrace',`',`
	31	allow chrome_sandbox_t self:capability sys_ptrace;
	32	')
	33
3eaa9939	34	allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
a768052f	35	allow chrome_sandbox_t self:process setsched;
3eaa9939 DW	36	allow chrome_sandbox_t self:fifo_file manage_file_perms;
	37	allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
	38	allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
	39	allow chrome_sandbox_t self:shm create_shm_perms;
fd541edd	40	allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
480f1aae	41	dontaudit chrome_sandbox_t self:memprotect mmap_zero;
3eaa9939 DW	42
	43	manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
	44	manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
	45	files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
	46
	47	manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
	48	fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
	49
	50	kernel_read_system_state(chrome_sandbox_t)
	51	kernel_read_kernel_sysctls(chrome_sandbox_t)
	52
3034a8d9 DW	53	fs_manage_cgroup_dirs(chrome_sandbox_t)
	54	fs_manage_cgroup_files(chrome_sandbox_t)
	55
3eaa9939 DW	56	corecmd_exec_bin(chrome_sandbox_t)
3eaa9939 DW	57
12a6885c DW	58	corenet_all_recvfrom_unlabeled(chrome_sandbox_t)
	59	corenet_all_recvfrom_netlabel(chrome_sandbox_t)
	60	corenet_tcp_connect_flash_port(chrome_sandbox_t)
	61	corenet_tcp_connect_streaming_port(chrome_sandbox_t)
	62	corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
	63	corenet_tcp_connect_http_port(chrome_sandbox_t)
	64	corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
	65	corenet_tcp_connect_squid_port(chrome_sandbox_t)
	66	corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
	67	corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
	68	corenet_tcp_connect_ipp_port(chrome_sandbox_t)
	69	corenet_tcp_connect_speech_port(chrome_sandbox_t)
	70
3eaa9939 DW	71	domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
	72
	73	dev_read_urand(chrome_sandbox_t)
	74	dev_read_sysfs(chrome_sandbox_t)
	75	dev_rwx_zero(chrome_sandbox_t)
	76
	77	files_read_etc_files(chrome_sandbox_t)
	78	files_read_usr_files(chrome_sandbox_t)
	79
	80	fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
	81
c14aaaac	82	userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
fd455670	83	userdom_execute_user_tmpfs_files(chrome_sandbox_t)
c14aaaac	84
3eaa9939 DW	85	userdom_use_user_ptys(chrome_sandbox_t)
	86	userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
	87	userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
	88	userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
96c8cff6	89	userdom_search_user_home_content(chrome_sandbox_t)
55a7fd92	90	# This one we should figure a way to make it more secure
55a7fd92	91	userdom_manage_home_certs(chrome_sandbox_t)
3eaa9939 DW	92
	93	miscfiles_read_localization(chrome_sandbox_t)
	94	miscfiles_read_fonts(chrome_sandbox_t)
	95
12a6885c	96	sysnet_dns_name_resolve(chrome_sandbox_t)
0b8f4cfe	97
3eaa9939 DW	98	optional_policy(`
3eaa9939 DW	99	gnome_rw_inherited_config(chrome_sandbox_t)
82afdf6f	100	gnome_read_home_config(chrome_sandbox_t)
3eaa9939 DW	101	')
	102
	103	optional_policy(`
	104	xserver_use_user_fonts(chrome_sandbox_t)
	105	xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
	106	')
	107
	108	tunable_policy(`use_nfs_home_dirs',`
0a394bf0	109	fs_search_nfs(chrome_sandbox_t)
d9be6113	110	fs_exec_nfs_files(chrome_sandbox_t)
f9cebd7b	111	fs_read_nfs_files(chrome_sandbox_t)
53e1f718	112	fs_rw_inherited_nfs_files(chrome_sandbox_t)
0a394bf0	113	fs_read_nfs_symlinks(chrome_sandbox_t)
f9cebd7b	114	fs_dontaudit_append_nfs_files(chrome_sandbox_t)
3eaa9939 DW	115	')
	116
	117	tunable_policy(`use_samba_home_dirs',`
0a394bf0	118	fs_search_cifs(chrome_sandbox_t)
d9be6113	119	fs_exec_cifs_files(chrome_sandbox_t)
53e1f718	120	fs_rw_inherited_cifs_files(chrome_sandbox_t)
f9cebd7b DG	121	fs_read_cifs_files(chrome_sandbox_t)
f9cebd7b DG	122	fs_read_cifs_symlinks(chrome_sandbox_t)
3eaa9939	123	fs_dontaudit_append_cifs_files(chrome_sandbox_t)
3eaa9939	124	')
d93ac322	125
3ac2b789 MG	126	tunable_policy(`use_fusefs_home_dirs',`
	127	fs_search_fusefs(chrome_sandbox_t)
	128	fs_read_fusefs_files(chrome_sandbox_t)
	129	fs_exec_fusefs_files(chrome_sandbox_t)
	130	fs_read_fusefs_symlinks(chrome_sandbox_t)
	131	')
	132
d93ac322 DW	133	optional_policy(`
	134	sandbox_use_ptys(chrome_sandbox_t)
	135	')
480f1aae DW	136
	137
	138	########################################
	139	#
69ffb0a2	140	# chrome_sandbox_nacl local policy
480f1aae DW	141	#
480f1aae DW	142
c14aaaac	143	allow chrome_sandbox_nacl_t self:process execmem;
69ffb0a2 DW	144	allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
69ffb0a2 DW	145	allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
c14aaaac	146	allow chrome_sandbox_nacl_t self:shm create_shm_perms;
fd455670	147	allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
00b55b06 DW	148	allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
00b55b06 DW	149	allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
c14aaaac DW	150
	151	allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
	152	allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
69ffb0a2	153	allow chrome_sandbox_t chrome_sandbox_nacl_t:process share;
480f1aae	154
c14aaaac DW	155	manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
	156	fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
	157
	158	domain_use_interactive_fds(chrome_sandbox_nacl_t)
	159
69ffb0a2	160	dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
480f1aae	161
69ffb0a2	162	domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
3087e2a6	163	ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
480f1aae	164
c14aaaac DW	165	kernel_read_system_state(chrome_sandbox_nacl_t)
	166
	167	dev_read_urand(chrome_sandbox_nacl_t)
b257b2a9	168	dev_read_sysfs(chrome_sandbox_nacl_t)
c14aaaac	169
69ffb0a2	170	files_read_etc_files(chrome_sandbox_nacl_t)
480f1aae	171
69ffb0a2	172	miscfiles_read_localization(chrome_sandbox_nacl_t)
c14aaaac DW	173
	174	corecmd_sbin_entry_type(chrome_sandbox_nacl_t)
	175
	176	userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
	177	userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
	178	userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
fd455670	179	userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)
ad141192 DW	180
	181	optional_policy(`
	182	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
	183	')
	184