Remove module for ada.
policy_module(chrome,1.0.0)

########################################
#
# Declarations
#

# Two confined domains are declared here: the sandbox and the nacl helper
# (presumably Native Client - confirm against the file contexts).  Each
# domain is paired with the executable type registered as its entrypoint.
type chrome_sandbox_t;
type chrome_sandbox_exec_t;
application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)

type chrome_sandbox_nacl_t;
type chrome_sandbox_nacl_exec_t;
application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)

# Authorise both domains for the system_r role.
role system_r types { chrome_sandbox_t chrome_sandbox_nacl_t };

# Private labels for files the sandbox creates in the tmp directories and on
# tmpfs.  Only the tmpfs type is marked ubac_constrained; the tmp type is not.
type chrome_sandbox_tmp_t;
files_tmp_file(chrome_sandbox_tmp_t)

type chrome_sandbox_tmpfs_t;
files_tmpfs_file(chrome_sandbox_tmpfs_t)
ubac_constrained(chrome_sandbox_tmpfs_t)
24
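########################################
#
# chrome_sandbox local policy
#

# Capabilities the sandbox domain may exercise.  The set is broad for a
# confinement helper: sys_admin and dac_override in particular should be
# re-justified whenever this module is reviewed, since a compromise of this
# domain inherits them.
allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };

# The rule sits in the else-branch of the tunable, so sys_ptrace is granted
# only while the deny_ptrace boolean is off.
tunable_policy(`deny_ptrace',`',`
	allow chrome_sandbox_t self:capability sys_ptrace;
')

# Process permissions on itself.  execmem and execstack allow executable
# anonymous memory and an executable stack, which removes a W^X barrier for
# anything running in this domain.
allow chrome_sandbox_t self:process { signal_perms setrlimit setsched execmem execstack };

# Local IPC objects owned by the domain.  The fifo_file rule uses the
# fifo-specific permission set, the same set name the nacl domain uses for
# its own fifo_file rule in this module.
allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
allow chrome_sandbox_t self:shm create_shm_perms;
allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;

# dontaudit grants nothing: low-address mmap attempts stay denied but leave
# no AVC record.  When investigating this domain, rebuild the policy with
# dontaudit rules disabled (semodule -DB) so these denials become visible.
dontaudit chrome_sandbox_t self:memprotect mmap_zero;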
42
# Objects the sandbox creates in the tmp directories (dirs and files) are
# transitioned to its private tmp type, which it then fully manages.
files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)

# Same arrangement for tmpfs, restricted to regular files.
fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
49
# Kernel state and sysctls (read only).
kernel_read_kernel_sysctls(chrome_sandbox_t)
kernel_read_system_state(chrome_sandbox_t)

# Devices.  dev_rwx_zero adds execute on top of read/write for the zero
# device, which goes together with the execmem grant on this domain.
dev_read_sysfs(chrome_sandbox_t)
dev_read_urand(chrome_sandbox_t)
dev_rwx_zero(chrome_sandbox_t)

# cgroup directories and files are fully managed by the sandbox.
fs_manage_cgroup_files(chrome_sandbox_t)
fs_manage_cgroup_dirs(chrome_sandbox_t)
fs_dontaudit_getattr_all_fs(chrome_sandbox_t)

# May execute generic bin-labelled programs.
corecmd_exec_bin(chrome_sandbox_t)

# Read-only access to system configuration, /usr content, locale and fonts.
files_read_usr_files(chrome_sandbox_t)
files_read_etc_files(chrome_sandbox_t)
miscfiles_read_fonts(chrome_sandbox_t)
miscfiles_read_localization(chrome_sandbox_t)

# Reads of other domains state are denied silently (no audit record).
domain_dontaudit_read_all_domains_state(chrome_sandbox_t)

# Network: generic interface/node send and receive, unlabeled and netlabel
# receive, DNS resolution, and outbound TCP connect limited to the port
# types listed below.
corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
corenet_all_recvfrom_netlabel(chrome_sandbox_t)
corenet_all_recvfrom_unlabeled(chrome_sandbox_t)
sysnet_dns_name_resolve(chrome_sandbox_t)

corenet_tcp_connect_http_port(chrome_sandbox_t)
corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
corenet_tcp_connect_squid_port(chrome_sandbox_t)
corenet_tcp_connect_flash_port(chrome_sandbox_t)
corenet_tcp_connect_streaming_port(chrome_sandbox_t)
corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
corenet_tcp_connect_speech_port(chrome_sandbox_t)
corenet_tcp_connect_ipp_port(chrome_sandbox_t)

# Terminals inherited from or owned by the user.
userdom_use_user_ptys(chrome_sandbox_t)
userdom_dontaudit_use_user_terminals(chrome_sandbox_t)

# User data reachable through inherited descriptors.  Note that user tmpfs
# files are both writable and executable from this domain.
userdom_execute_user_tmpfs_files(chrome_sandbox_t)
userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
userdom_search_user_home_content(chrome_sandbox_t)

# Flagged by the original author as needing a tighter rule: by its name this
# interface lets the sandbox manage (not merely read) the certificate files
# in the user home directory.
userdom_manage_home_certs(chrome_sandbox_t)
97
# Optional integrations: each block is compiled in only when the module
# providing the interface is present.

# GNOME configuration: inherited config descriptors and home config reads.
optional_policy(`
	gnome_read_home_config(chrome_sandbox_t)
	gnome_rw_inherited_config(chrome_sandbox_t)
')

# Terminals handed over by the sandbox module.
optional_policy(`
	sandbox_use_ptys(chrome_sandbox_t)
')

# X server client access, using the private tmpfs type for X shared memory.
optional_policy(`
	xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
	xserver_use_user_fonts(chrome_sandbox_t)
')

# Home directories on network or FUSE filesystems.  Every branch includes an
# exec interface, so enabling the boolean lets the sandbox execute files from
# that filesystem type.

# NFS
tunable_policy(`use_nfs_home_dirs',`
	fs_search_nfs(chrome_sandbox_t)
	fs_read_nfs_files(chrome_sandbox_t)
	fs_read_nfs_symlinks(chrome_sandbox_t)
	fs_rw_inherited_nfs_files(chrome_sandbox_t)
	fs_exec_nfs_files(chrome_sandbox_t)
	fs_dontaudit_append_nfs_files(chrome_sandbox_t)
')

# CIFS / Samba
tunable_policy(`use_samba_home_dirs',`
	fs_search_cifs(chrome_sandbox_t)
	fs_read_cifs_files(chrome_sandbox_t)
	fs_read_cifs_symlinks(chrome_sandbox_t)
	fs_rw_inherited_cifs_files(chrome_sandbox_t)
	fs_exec_cifs_files(chrome_sandbox_t)
	fs_dontaudit_append_cifs_files(chrome_sandbox_t)
')

# FUSE.  NOTE(review): unlike the NFS and CIFS branches there is no inherited
# read/write rule and no dontaudit-append rule here - confirm this asymmetry
# is intended.
tunable_policy(`use_fusefs_home_dirs',`
	fs_search_fusefs(chrome_sandbox_t)
	fs_read_fusefs_files(chrome_sandbox_t)
	fs_read_fusefs_symlinks(chrome_sandbox_t)
	fs_exec_fusefs_files(chrome_sandbox_t)
')
136
137
########################################
#
# chrome_sandbox_nacl local policy
#

# Entry into the nacl domain: the sandbox transitions on executing the nacl
# entrypoint type and may inspect the resulting processes.
domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)

# NOTE(review): by its name this registers sbin-labelled executables as an
# additional entrypoint for the nacl domain - confirm it is still required,
# since it widens what can start in this domain.
corecmd_sbin_entry_type(chrome_sandbox_nacl_t)

# Permissions over itself.  execmem is granted, execstack is not (the parent
# sandbox domain has both).
allow chrome_sandbox_nacl_t self:process execmem;
allow chrome_sandbox_nacl_t self:shm create_shm_perms;
allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;

# dontaudit grants nothing: low-address mmap attempts stay denied but are
# not logged.
dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;

# Channel between the two domains: stream sockets in both directions, the
# sandbox shared memory, and process state sharing from sandbox to nacl.
allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr read write };
allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
allow chrome_sandbox_t chrome_sandbox_nacl_t:process share;

# Sandbox tmpfs files: read/write on inherited descriptors, plus full
# management and a type transition for files nacl creates on tmpfs itself.
allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)

# Read-only system access.
kernel_read_system_state(chrome_sandbox_nacl_t)
dev_read_sysfs(chrome_sandbox_nacl_t)
dev_read_urand(chrome_sandbox_nacl_t)
files_read_etc_files(chrome_sandbox_nacl_t)
miscfiles_read_localization(chrome_sandbox_nacl_t)

# Descriptors and user files passed in from the caller.  As in the parent
# domain, user tmpfs files are both writable and executable here.
domain_use_interactive_fds(chrome_sandbox_nacl_t)
userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)
userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)

# Writes to GNOME config files are denied without an audit record.
optional_policy(`
	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
')
184