#
# sandbox xserver policy
#
-allow sandbox_xserver_t self:process { execmem execstack };
+allow sandbox_xserver_t self:process execstack;
+
+tunable_policy(`deny_execmem',`',`
+ allow sandbox_xserver_t self:process execmem;
+')
+
allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
allow sandbox_xserver_t self:shm create_shm_perms;
allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
corenet_sendrecv_all_client_packets(sandbox_xserver_t)
-dev_search_sysfs(sandbox_xserver_t)
+dev_read_sysfs(sandbox_xserver_t)
dev_rwx_zero(sandbox_xserver_t)
dev_read_urand(sandbox_xserver_t)
# sandbox local policy
#
-allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
+tunable_policy(`deny_execmem',`',`
+ allow sandbox_domain self:process execmem;
+')
+
allow sandbox_domain self:fifo_file manage_file_perms;
allow sandbox_domain self:sem create_sem_perms;
allow sandbox_domain self:shm create_shm_perms;
#
# sandbox_x_domain local policy
#
+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
+tunable_policy(`deny_execmem',`',`
+ allow sandbox_x_domain self:process execmem;
+')
+
allow sandbox_x_domain self:fifo_file manage_file_perms;
allow sandbox_x_domain self:sem create_sem_perms;
allow sandbox_x_domain self:shm create_shm_perms;
allow sandbox_x_domain self:msgq create_msgq_perms;
-allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_x_domain self:netlink_selinux_socket create_socket_perms;
allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
-allow sandbox_x_domain self:netlink_selinux_socket { create_socket_perms };
-
-allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
-allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
dontaudit sandbox_x_domain sandbox_x_domain:process signal;
dontaudit sandbox_x_domain sandbox_xserver_t:process signal;
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow sandbox_x_domain self:shm create_shm_perms;
-allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
-allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
-dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
term_create_pty(sandbox_x_domain,sandbox_devpts_t)
auth_dontaudit_read_login_records(sandbox_x_domain)
auth_dontaudit_write_login_records(sandbox_x_domain)
-auth_use_nsswitch(sandbox_x_domain)
auth_search_pam_console_data(sandbox_x_domain)
init_read_utmp(sandbox_x_domain)
allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
allow sandbox_x_client_t self:udp_socket create_socket_perms;
allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
-allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
dev_read_rand(sandbox_x_client_t)
hal_dbus_chat(sandbox_x_client_t)
')
-optional_policy(`
- nsplugin_read_rw_files(sandbox_x_client_t)
-')
-
########################################
#
# sandbox_web_client_t local policy
#
typeattribute sandbox_web_client_t sandbox_web_type;
+auth_use_nsswitch(sandbox_web_client_t)
+
allow sandbox_web_type self:capability { setuid setgid };
allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
dontaudit sandbox_web_type self:process setrlimit;
allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
allow sandbox_web_type self:udp_socket create_socket_perms;
allow sandbox_web_type self:dbus { acquire_svc send_msg };
-allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
kernel_request_load_module(sandbox_web_type)
corenet_tcp_connect_squid_port(sandbox_web_type)
corenet_tcp_connect_flash_port(sandbox_web_type)
corenet_tcp_connect_ftp_port(sandbox_web_type)
+corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)
corenet_tcp_connect_ipp_port(sandbox_web_type)
corenet_tcp_connect_streaming_port(sandbox_web_type)
corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
-auth_use_nsswitch(sandbox_web_type)
-
dbus_system_bus_client(sandbox_web_type)
dbus_read_config(sandbox_web_type)
selinux_get_fs_mount(sandbox_web_type)
hal_dbus_chat(sandbox_web_type)
')
-optional_policy(`
- chrome_domtrans_sandbox(sandbox_web_type)
-')
-
-optional_policy(`
- nsplugin_manage_rw(sandbox_web_type)
- nsplugin_read_rw_files(sandbox_web_type)
- nsplugin_rw_exec(sandbox_web_type)
-')
-
optional_policy(`
pulseaudio_stream_connect(sandbox_web_type)
allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
corenet_tcp_connect_all_ports(sandbox_net_client_t)
corenet_sendrecv_all_client_packets(sandbox_net_client_t)
-optional_policy(`
- mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
- mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
- mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
- mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
-')
+auth_use_nsswitch(sandbox_net_client_t)
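Review bot: The added `corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)` widens the web sandbox's permitted egress from the handful of named service ports around it (squid, flash, ftp, ipp, streaming, pulseaudio) to the whole ephemeral range, and the hunk gives no reason for it; unlike the execmem changes above, it is not behind a tunable either. I would either put a one-line justification above it, e.g. `# <why sandbox_web_type must reach arbitrary ephemeral ports>`, or wrap it in a tunable so administrators can keep the narrower port list, as the three `deny_execmem` blocks already do for execmem. On those blocks, the empty second argument is the "unless deny_execmem" form; a short comment on the first one, `# execmem is granted only when deny_execmem is off`, would save readers a lookup, and the same pattern is repeated for sandbox_domain and sandbox_x_domain. Hunk headers are not visible in this excerpt and the `')` lines close optional_policy blocks that begin outside it, so the surrounding context could not be checked here.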