#
# sandbox xserver policy
#
-allow sandbox_xserver_t self:process { execmem execstack };
+allow sandbox_xserver_t self:process execstack;
+
+tunable_policy(`deny_execmem',`',`
+ allow sandbox_xserver_t self:process execmem;
+')
+
allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
allow sandbox_xserver_t self:shm create_shm_perms;
allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
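Review bot: `execstack` stays unconditional in the new `allow sandbox_xserver_t self:process execstack;` rule, so enabling `deny_execmem` removes only `execmem` and leaves the domain allowed to make its stack executable. The same split appears in the `sandbox_domain` and `sandbox_x_domain` rules further down. If the boolean is meant to take writable-and-executable memory away from sandboxed processes, consider putting both permissions in the false branch, e.g. `allow sandbox_xserver_t self:process { execmem execstack };`, or dropping `execstack` if nothing in the sandbox needs it. Whether this policy tree has a separate control for executable stacks is not visible from this diff, so confirm before changing it.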
# sandbox local policy
#
-allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
+tunable_policy(`deny_execmem',`',`
+ allow sandbox_domain self:process execmem;
+')
+
allow sandbox_domain self:fifo_file manage_file_perms;
allow sandbox_domain self:sem create_sem_perms;
allow sandbox_domain self:shm create_shm_perms;
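Review bot: The `tunable_policy` call on `deny_execmem` has an empty true branch and puts the `allow` in the false branch, which is easy to misread as granting `execmem` when the boolean is on. A one-line comment above it would make the inversion explicit: `# execmem is allowed only while the deny_execmem boolean is off`. The same comment fits the identical blocks for `sandbox_xserver_t` and `sandbox_x_domain`. As a style point, the xserver block puts a blank line between the `allow` rule and the tunable, while this block and the `sandbox_x_domain` one do not.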
#
# sandbox_x_domain local policy
#
-allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
+tunable_policy(`deny_execmem',`',`
+ allow sandbox_x_domain self:process execmem;
+')
+
allow sandbox_x_domain self:fifo_file manage_file_perms;
allow sandbox_x_domain self:sem create_sem_perms;
allow sandbox_x_domain self:shm create_shm_perms;
hal_dbus_chat(sandbox_x_client_t)
')
-optional_policy(`
- nsplugin_read_rw_files(sandbox_x_client_t)
-')
-
########################################
#
# sandbox_web_client_t local policy
hal_dbus_chat(sandbox_web_type)
')
-optional_policy(`
- chrome_domtrans_sandbox(sandbox_web_type)
-')
-
-optional_policy(`
- nsplugin_manage_rw(sandbox_web_type)
- nsplugin_read_rw_files(sandbox_web_type)
- nsplugin_rw_exec(sandbox_web_type)
-')
-
optional_policy(`
pulseaudio_stream_connect(sandbox_web_type)
allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
corenet_sendrecv_all_client_packets(sandbox_net_client_t)
auth_use_nsswitch(sandbox_net_client_t)
-
-optional_policy(`
- mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
- mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
- mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
- mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
-')