From Debian package 0.2.20100524-5 * Include Chromium policy in mozilla.pp Updated in 0.2.20100524-9 * Add new paths for chromium-browser to support the version in unstable, needed for backports. This mixes up chromium and mozilla policy pretty thoroughly. Grants execmem to mozilla_t. mozilla_tmp_t was added upstream in f28f89ac (2011-05-02) so I took out the type declaration and permissions. This similarly rendered 623_mozilla_tmp_dirs unnecessary.
Index: policy/modules/apps/mozilla.fc
===================================================================
--- policy/modules/apps/mozilla.fc.orig
+++ policy/modules/apps/mozilla.fc
@@ -3,6 +3,7 @@
 HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
 #
 # /bin
@@ -30,3 +31,5 @@
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/chromium(-browser)?/chromium(-browser)?-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+/usr/lib/chromium(-browser)?/chromium(-browser)? -- gen_context(system_u:object_r:chrome_browser_exec_t,s0)
Index: policy/modules/apps/mozilla.if
===================================================================
--- policy/modules/apps/mozilla.if.orig
+++ policy/modules/apps/mozilla.if
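Review bot: The new `HOME_DIR/\.config/chromium(/.*)?` entry in the first hunk gives the Chromium profile the same mozilla_home_t label as the Firefox profile directories above it, so the policy provides no separation between the two browsers' profile data. That is consistent with both browsers running as mozilla_t in this patch, but it is a deliberate trade-off that should be recorded next to the entry, e.g. `# Chromium profile shares mozilla_home_t with Firefox: no separation between the two browsers' data`. The sandbox and browser entries in the second hunk look fine as written; as far as I recall file_contexts expressions are anchored, so `chromium(-browser)?` should not also match the `-sandbox` helper, but it is worth confirming with `matchpathcon` after a relabel.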
@@ -17,16 +17,16 @@
 #
 interface(`mozilla_role',`
 gen_require(`
- type mozilla_t, mozilla_exec_t, mozilla_home_t;
+ type mozilla_t, chrome_sandbox_t, mozilla_exec_t, chrome_browser_exec_t, mozilla_home_t;
 ')
- role $1 types mozilla_t;
+ role $1 types { mozilla_t chrome_sandbox_t };
- domain_auto_trans($2, mozilla_exec_t, mozilla_t)
+ domain_auto_trans($2, { mozilla_exec_t chrome_browser_exec_t }, mozilla_t)
 # Unrestricted inheritance from the caller.
 allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
- allow mozilla_t $2:fd use;
- allow mozilla_t $2:process { sigchld signull };
+ allow { mozilla_t chrome_sandbox_t } $2:fd use;
+ allow { mozilla_t chrome_sandbox_t } $2:process { sigchld signull };
 allow mozilla_t $2:unix_stream_socket connectto;
 # Allow the user domain to signal/ps.
@@ -179,10 +179,10 @@
 #
 interface(`mozilla_domtrans',`
 gen_require(`
- type mozilla_t, mozilla_exec_t;
+ type mozilla_t, mozilla_exec_t, chrome_browser_exec_t;
 ')
- domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+ domtrans_pattern($1, { mozilla_exec_t chrome_browser_exec_t }, mozilla_t)
 ')
 ########################################
Index: policy/modules/apps/mozilla.te
===================================================================
--- policy/modules/apps/mozilla.te.orig
+++ policy/modules/apps/mozilla.te
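Review bot: mozilla_role now authorizes the role for chrome_sandbox_t and lets the caller's fds be used by it, but the interface's `## <summary>` and `## <param>` documentation (above this hunk, outside it) still describes a Firefox-only domain, so a policy reader cannot tell from the interface why a second domain appears. The summary should say that the role is also granted chrome_sandbox_t, that chrome_browser_exec_t enters mozilla_t rather than a separate Chromium domain, and that the sandbox helper is reached only through mozilla_t (no direct transition from $2 is added here). The same applies to the mozilla_domtrans hunk below, whose summary should mention chrome_browser_exec_t as a second entrypoint. A one-line comment next to `role $1 types { mozilla_t chrome_sandbox_t };`, e.g. `# chrome_sandbox_t is the setuid helper spawned by mozilla_t when running Chromium`, would also help.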
@@ -19,6 +19,46 @@
 application_domain(mozilla_t, mozilla_exec_t)
 ubac_constrained(mozilla_t)
+type chrome_sandbox_t;
+type chrome_sandbox_exec_t;
+type chrome_browser_exec_t;
+application_domain(mozilla_t, chrome_browser_exec_t)
+domain_auto_trans(chrome_sandbox_t, chrome_browser_exec_t, mozilla_t)
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+ubac_constrained(chrome_sandbox_t)
+fs_getattr_xattr_fs(chrome_sandbox_t)
+fs_getattr_xattr_fs(mozilla_t)
+
+allow chrome_sandbox_t mozilla_t:dir list_dir_perms;
+allow chrome_sandbox_t mozilla_t:fifo_file rw_file_perms;
+allow chrome_sandbox_t mozilla_t:file read_file_perms;
+allow chrome_sandbox_t mozilla_t:lnk_file read_lnk_file_perms;
+allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write };
+allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write };
+allow chrome_sandbox_t mozilla_t:fd use;
+allow chrome_sandbox_t mozilla_t:file write;
+allow chrome_sandbox_t proc_t:dir read;
+allow chrome_sandbox_t self:process setrlimit;
+type chrome_sandbox_tmp_t;
+files_tmp_file(chrome_sandbox_tmp_t)
+ubac_constrained(chrome_sandbox_tmp_t)
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { file dir })
+allow chrome_sandbox_t chrome_sandbox_tmp_t:dir manage_dir_perms;
+allow mozilla_t self:unix_dgram_socket sendto;
+allow mozilla_t chrome_browser_exec_t:file execute_no_trans;
+# for V8
+allow mozilla_t self:process execmem;
+
+
+allow mozilla_t chrome_sandbox_t:shm { write unix_read getattr unix_write associate read };
+allow mozilla_t chrome_sandbox_t:unix_dgram_socket { read write };
+
+
+ifdef(`distro_debian', `
+# bug in chromium
+allow mozilla_t chrome_browser_exec_t:file execmod;
+')
+
 type mozilla_conf_t;
 files_config_file(mozilla_conf_t)
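Review bot: `files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { file dir })` transitions files as well as directories into chrome_sandbox_tmp_t, but the only access granted on that type is `dir manage_dir_perms`, so a file the sandbox creates under /tmp lands in a type it cannot afterwards read or write; either drop `file` from the filetrans or add `manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)`. `allow chrome_sandbox_t proc_t:dir read;` names proc_t without a gen_require and bypasses the kernel module's interfaces, which is how refpolicy modules are expected to reach types they do not own; the same goes for the separate `allow chrome_sandbox_t mozilla_t:file write;`, which silently upgrades the read_file_perms line above it and deserves its own comment. `execmem` on mozilla_t and the distro_debian `execmod` on chrome_browser_exec_t both relax W^X for mozilla_t, which Firefox also runs in, so the "for V8" justification is wider than it reads; suggest `# for V8 JIT; note this also applies to Firefox since both browsers share mozilla_t` and, for the execmod rule, `# bug in chromium: <bug reference TODO>` so the exception can be retired when the bug is fixed.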
@@ -55,6 +100,19 @@
 # Local policy
 #
+dontaudit chrome_sandbox_t domain:dir getattr;
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+domain_auto_trans(mozilla_t, chrome_sandbox_exec_t, chrome_sandbox_t)
+allow mozilla_t mozilla_home_t:sock_file manage_sock_file_perms;
+allow chrome_sandbox_t mozilla_t:fifo_file rw_file_perms;
+allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write };
+allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write };
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid net_raw net_raw sys_chroot sys_ptrace sys_admin };
+allow chrome_sandbox_t mozilla_t:process { share sigchld };
+allow mozilla_t chrome_sandbox_t:fd use;
+allow mozilla_t chrome_sandbox_t:unix_stream_socket { read write };
+dev_read_sysfs(mozilla_t)
+
 allow mozilla_t self:capability { sys_nice setgid setuid };
 allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
 allow mozilla_t self:fifo_file rw_fifo_file_perms;
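Review bot: The capability set granted to chrome_sandbox_t lists `net_raw` twice and is very broad for a setuid helper (`chown dac_override fsetid sys_ptrace sys_admin` on top of `setuid setgid sys_chroot`); since chrome_sandbox_t is the one domain here that runs with privilege, each capability should be tied to the denial or feature it was added for in a comment, and any that cannot be justified dropped. `application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)` and the three `allow chrome_sandbox_t mozilla_t:{fifo_file,unix_dgram_socket,unix_stream_socket}` lines repeat rules already added by the preceding hunk at the top of this file, so one copy should go (the duplicates compile, but they make the real rule set hard to audit). `dontaudit chrome_sandbox_t domain:dir getattr;` reaches the `domain` attribute directly rather than through the domain module's interfaces, the same style problem as the direct `proc_t` use earlier in the file. A short header comment, e.g. `# chrome_sandbox_t: Chromium setuid sandbox helper, spawned from mozilla_t`, would make the local-policy section readable on its own.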