+++ /dev/null
-
-## <summary>policy for chrome</summary>
-
-########################################
-## <summary>
-## Execute a domain transition to run chrome_sandbox.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`chrome_domtrans_sandbox',`
- gen_require(`
- type chrome_sandbox_t, chrome_sandbox_exec_t;
- ')
-
- domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
- ps_process_pattern(chrome_sandbox_t, $1)
-
- allow $1 chrome_sandbox_t:fd use;
-
- ifdef(`hide_broken_symptoms',`
- fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
- ')
-')
-
-
-########################################
-## <summary>
-## Execute chrome_sandbox in the chrome_sandbox domain, and
-## allow the specified role the chrome_sandbox domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to be allowed the chrome_sandbox domain.
-## </summary>
-## </param>
-#
-interface(`chrome_run_sandbox',`
- gen_require(`
- type chrome_sandbox_t;
- type chrome_sandbox_nacl_t;
- ')
-
- chrome_domtrans_sandbox($1)
- role $2 types chrome_sandbox_t;
- role $2 types chrome_sandbox_nacl_t;
-')
-
-########################################
-## <summary>
-## Role access for chrome sandbox
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role
-## </summary>
-## </param>
-#
-interface(`chrome_role_notrans',`
- gen_require(`
- type chrome_sandbox_t;
- type chrome_sandbox_tmpfs_t;
- type chrome_sandbox_nacl_t;
- ')
-
- role $1 types chrome_sandbox_t;
- role $1 types chrome_sandbox_nacl_t;
-
- ps_process_pattern($2, chrome_sandbox_t)
- allow $2 chrome_sandbox_t:process signal_perms;
-
- allow chrome_sandbox_t $2:unix_dgram_socket { read write };
- allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
- allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
- allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
- allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
- allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
-
- allow $2 chrome_sandbox_t:shm rw_shm_perms;
-
- allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-## Role access for chrome sandbox
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role
-## </summary>
-## </param>
-#
-interface(`chrome_role',`
- chrome_role_notrans($1, $2)
- chrome_domtrans_sandbox($2)
-')
-
-########################################
-## <summary>
-## Dontaudit read/write to a chrome_sandbox leaks
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`chrome_dontaudit_sandbox_leaks',`
- gen_require(`
- type chrome_sandbox_t;
- ')
-
- dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
-')
+++ /dev/null
-policy_module(chrome,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type chrome_sandbox_t;
-type chrome_sandbox_exec_t;
-application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
-role system_r types chrome_sandbox_t;
-
-type chrome_sandbox_tmp_t;
-files_tmp_file(chrome_sandbox_tmp_t)
-
-type chrome_sandbox_tmpfs_t;
-files_tmpfs_file(chrome_sandbox_tmpfs_t)
-ubac_constrained(chrome_sandbox_tmpfs_t)
-
-type chrome_sandbox_nacl_t;
-type chrome_sandbox_nacl_exec_t;
-application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
-role system_r types chrome_sandbox_nacl_t;
-
-########################################
-#
-# chrome_sandbox local policy
-#
-allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
-tunable_policy(`deny_ptrace',`',`
- allow chrome_sandbox_t self:capability sys_ptrace;
-')
-
-allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
-allow chrome_sandbox_t self:process setsched;
-allow chrome_sandbox_t self:fifo_file manage_file_perms;
-allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
-allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
-allow chrome_sandbox_t self:shm create_shm_perms;
-allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
-dontaudit chrome_sandbox_t self:memprotect mmap_zero;
-
-manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
-manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
-files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
-
-manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
-fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
-
-kernel_read_system_state(chrome_sandbox_t)
-kernel_read_kernel_sysctls(chrome_sandbox_t)
-
-fs_manage_cgroup_dirs(chrome_sandbox_t)
-fs_manage_cgroup_files(chrome_sandbox_t)
-
-corecmd_exec_bin(chrome_sandbox_t)
-
-corenet_all_recvfrom_unlabeled(chrome_sandbox_t)
-corenet_all_recvfrom_netlabel(chrome_sandbox_t)
-corenet_tcp_connect_flash_port(chrome_sandbox_t)
-corenet_tcp_connect_streaming_port(chrome_sandbox_t)
-corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
-corenet_tcp_connect_http_port(chrome_sandbox_t)
-corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
-corenet_tcp_connect_squid_port(chrome_sandbox_t)
-corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
-corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
-corenet_tcp_connect_ipp_port(chrome_sandbox_t)
-corenet_tcp_connect_speech_port(chrome_sandbox_t)
-
-domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
-
-dev_read_urand(chrome_sandbox_t)
-dev_read_sysfs(chrome_sandbox_t)
-dev_rwx_zero(chrome_sandbox_t)
-
-files_read_etc_files(chrome_sandbox_t)
-files_read_usr_files(chrome_sandbox_t)
-
-fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
-
-userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
-userdom_execute_user_tmpfs_files(chrome_sandbox_t)
-
-userdom_use_user_ptys(chrome_sandbox_t)
-userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
-userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
-userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
-userdom_search_user_home_content(chrome_sandbox_t)
-# This one we should figure a way to make it more secure
-userdom_manage_home_certs(chrome_sandbox_t)
-
-miscfiles_read_localization(chrome_sandbox_t)
-miscfiles_read_fonts(chrome_sandbox_t)
-
-sysnet_dns_name_resolve(chrome_sandbox_t)
-
-optional_policy(`
- gnome_rw_inherited_config(chrome_sandbox_t)
- gnome_read_home_config(chrome_sandbox_t)
-')
-
-optional_policy(`
- xserver_use_user_fonts(chrome_sandbox_t)
- xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_search_nfs(chrome_sandbox_t)
- fs_exec_nfs_files(chrome_sandbox_t)
- fs_read_nfs_files(chrome_sandbox_t)
- fs_rw_inherited_nfs_files(chrome_sandbox_t)
- fs_read_nfs_symlinks(chrome_sandbox_t)
- fs_dontaudit_append_nfs_files(chrome_sandbox_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_search_cifs(chrome_sandbox_t)
- fs_exec_cifs_files(chrome_sandbox_t)
- fs_rw_inherited_cifs_files(chrome_sandbox_t)
- fs_read_cifs_files(chrome_sandbox_t)
- fs_read_cifs_symlinks(chrome_sandbox_t)
- fs_dontaudit_append_cifs_files(chrome_sandbox_t)
-')
-
-tunable_policy(`use_fusefs_home_dirs',`
- fs_search_fusefs(chrome_sandbox_t)
- fs_read_fusefs_files(chrome_sandbox_t)
- fs_exec_fusefs_files(chrome_sandbox_t)
- fs_read_fusefs_symlinks(chrome_sandbox_t)
-')
-
-optional_policy(`
- sandbox_use_ptys(chrome_sandbox_t)
-')
-
-
-########################################
-#
-# chrome_sandbox_nacl local policy
-#
-
-allow chrome_sandbox_nacl_t self:process execmem;
-allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
-allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
-allow chrome_sandbox_nacl_t self:shm create_shm_perms;
-allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
-allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
-allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
-
-allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
-allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
-allow chrome_sandbox_t chrome_sandbox_nacl_t:process share;
-
-manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
-fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
-
-domain_use_interactive_fds(chrome_sandbox_nacl_t)
-
-dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
-
-domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
-ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
-
-kernel_read_system_state(chrome_sandbox_nacl_t)
-
-dev_read_urand(chrome_sandbox_nacl_t)
-dev_read_sysfs(chrome_sandbox_nacl_t)
-
-files_read_etc_files(chrome_sandbox_nacl_t)
-
-miscfiles_read_localization(chrome_sandbox_nacl_t)
-
-corecmd_sbin_entry_type(chrome_sandbox_nacl_t)
-
-userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
-userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
-userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
-userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)
-
-optional_policy(`
- gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
-')
-