commit: aea06ce4e637cca4e2560b67fffbc62708752326
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Jul 14 14:30:37 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 08:04:55 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aea06ce4
chromium (#965)
* Changes needed for newer versions of chrome/chromium and path names for MS
Edge.
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/apps/chromium.fc | 10 +++++++
policy/modules/apps/chromium.if | 3 ++
policy/modules/apps/chromium.te | 48 +++++++++++++++++++++++++++++++
policy/modules/apps/gnome.if | 18 ++++++++++++
policy/modules/apps/wm.if | 19 ++++++++++++
policy/modules/services/dbus.if | 19 ++++++++++++
policy/modules/services/networkmanager.if | 18 ++++++++++++
policy/modules/system/systemd.if | 38 ++++++++++++++++++++++++
8 files changed, 173 insertions(+)
diff --git a/policy/modules/apps/chromium.fc b/policy/modules/apps/chromium.fc
index f45e35224..c20a39ed6 100644
--- a/policy/modules/apps/chromium.fc
+++ b/policy/modules/apps/chromium.fc
@@ -3,6 +3,8 @@
/opt/google/chrome/chrome-sandbox --
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
/opt/google/chrome/google-chrome --
gen_context(system_u:object_r:chromium_exec_t,s0)
/opt/google/chrome/nacl_.* --
gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/google/chrome/crashpad_handler --
gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome/chrome_crashpad_handler --
gen_context(system_u:object_r:chromium_exec_t,s0)
/opt/google/chrome-beta/chrome --
gen_context(system_u:object_r:chromium_exec_t,s0)
/opt/google/chrome-beta/chrome_sandbox --
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
@@ -16,8 +18,14 @@
/opt/google/chrome-unstable/google-chrome --
gen_context(system_u:object_r:chromium_exec_t,s0)
/opt/google/chrome-unstable/nacl_helper_bootstrap --
gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/microsoft/msedge/msedge --
gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/microsoft/msedge/microsoft-edge --
gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/microsoft/msedge/msedge-sandbox --
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/microsoft/msedge/msedge_crashpad_handler --
gen_context(system_u:object_r:chromium_exec_t,s0)
+
/usr/lib/chromium/chromium --
gen_context(system_u:object_r:chromium_exec_t,s0)
/usr/lib/chromium/chrome-sandbox --
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/usr/lib/chromium/chrome_crashpad_handler --
gen_context(system_u:object_r:chromium_exec_t,s0)
/usr/lib/chromium-browser/chrome --
gen_context(system_u:object_r:chromium_exec_t,s0)
/usr/lib/chromium-browser/chrome_sandbox --
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
/usr/lib/chromium-browser/chrome-sandbox --
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
@@ -26,5 +34,7 @@
HOME_DIR/\.cache/chromium(/.*)?
gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
HOME_DIR/\.cache/google-chrome(/.*)?
gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
+HOME_DIR/\.cache/microsoft-edge(/.*)?
gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
HOME_DIR/\.config/chromium(/.*)?
gen_context(system_u:object_r:chromium_xdg_config_t,s0)
HOME_DIR/\.config/google-chrome(/.*)?
gen_context(system_u:object_r:chromium_xdg_config_t,s0)
+HOME_DIR/\.config/microsoft-edge(/.*)?
gen_context(system_u:object_r:chromium_xdg_config_t,s0)
diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if
index e087c8ac0..ce8706442 100644
--- a/policy/modules/apps/chromium.if
+++ b/policy/modules/apps/chromium.if
@@ -52,6 +52,9 @@ template(`chromium_role',`
allow $3 chromium_sandbox_t:process signal_perms;
allow $3 chromium_naclhelper_t:process signal_perms;
allow chromium_t $3:process { signal signull };
+ allow chromium_t $3:unix_stream_socket { read write };
+
+ allow $2 chromium_t:fifo_file write;
allow $3 chromium_t:unix_stream_socket connectto;
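Review bot: The new fifo_file rule grants the write to `$2`, while every neighbouring rule in this template, including the new unix_stream_socket rule directly above it, refers to `$3`; if, as that usage suggests, the second and third parameters are two different domains, this either targets a different domain on purpose or is a typo for `$3`. If `$2` is intended, a short comment naming the domain whose inherited fifos chromium_t writes to would make that explicit; otherwise the line should read `allow $3 chromium_t:fifo_file write;`. The enclosing `chromium_role` template starts and ends outside the hunk, so the parameter documentation that would settle this is not visible here.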
diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te
index 94e53816c..0a2486373 100644
--- a/policy/modules/apps/chromium.te
+++ b/policy/modules/apps/chromium.te
@@ -15,6 +15,20 @@ policy_module(chromium)
## </desc>
gen_tunable(chromium_dri, true)
+## <desc>
+## <p>
+## Allow chromium to execute heap
+## </p>
+## </desc>
+gen_tunable(chromium_exec_heap, false)
+
+## <desc>
+## <p>
+## Allow chromium to ptrace itself
+## </p>
+## </desc>
+gen_tunable(chromium_ptrace, false)
+
## <desc>
## <p>
## Allow chromium to read system information
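Review bot: The descriptions of the two new tunables state the permission but not its effect, which is what an administrator deciding whether to flip `chromium_exec_heap` or `chromium_ptrace` needs to know. execheap lets the browser process map its heap writable and executable, relaxing the W^X protection the default policy enforces, and self-ptrace lets one chromium_t process inspect another; a description such as `## Allow chromium to make its heap executable. This weakens W^X protection for the browser process; enable only if chromium fails with execheap denials.` (and a matching one for ptrace) would make the trade-off visible in the tunable listing. Defaulting both to false is the right choice.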
@@ -115,6 +129,7 @@ allow chromium_t chromium_sandbox_t:unix_stream_socket {
getattr read write };
allow chromium_t chromium_sandbox_t:file read_file_perms;
allow chromium_t chromium_naclhelper_t:process { share };
+allow chromium_t chromium_naclhelper_t:process2 nnp_transition;
# tmp has a wide class access (used for plugins)
manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
@@ -152,9 +167,12 @@ kernel_associate_proc(chromium_t)
kernel_get_sysvipc_info(chromium_t)
kernel_list_proc(chromium_t)
+kernel_read_device_sysctls(chromium_t)
kernel_read_fs_sysctls(chromium_t)
kernel_read_kernel_sysctls(chromium_t)
kernel_read_net_sysctls(chromium_t)
+kernel_read_psi(chromium_t)
+kernel_read_vm_overcommit_sysctl(chromium_t)
corecmd_exec_bin(chromium_t)
# Look for /etc/gentoo-release through a shell invocation running find
@@ -183,6 +201,9 @@ files_read_usr_files(chromium_t)
files_map_usr_files(chromium_t)
files_read_etc_files(chromium_t)
files_watch_etc_dirs(chromium_t)
+files_watch_root_dirs(chromium_t)
+files_watch_runtime_dirs(chromium_t)
+
# During find for /etc/whatever-release we get lots of output otherwise
files_dontaudit_getattr_all_dirs(chromium_t)
@@ -193,6 +214,8 @@ fs_search_cgroup_dirs(chromium_t)
miscfiles_read_all_certs(chromium_t)
miscfiles_read_localization(chromium_t)
+mount_list_runtime(chromium_t)
+
sysnet_dns_name_resolve(chromium_t)
# for /run/udev/data/*
@@ -226,6 +249,14 @@ tunable_policy(`chromium_dri', `
dev_rw_dri(chromium_t)
')
+tunable_policy(`chromium_exec_heap',`
+ allow chromium_t self:process { execheap };
+')
+
+tunable_policy(`chromium_ptrace',`
+ allow chromium_t self:process { ptrace };
+')
+
tunable_policy(`chromium_rw_usb_dev',`
dev_rw_generic_usb_dev(chromium_t)
')
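Review bot: Both new tunable blocks wrap a single permission in braces, `allow chromium_t self:process { execheap };` and `allow chromium_t self:process { ptrace };`, whereas refpolicy convention writes a lone permission bare, as `self:user_namespace create` does later in this file. `allow chromium_t self:process execheap;` and `allow chromium_t self:process ptrace;` read as intended. Not a functional issue.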
@@ -253,6 +284,10 @@ tunable_policy(`chromium_read_system_info',`
files_dontaudit_read_etc_runtime_files(chromium_t)
')
+optional_policy(`
+ alsa_read_config(chromium_t)
+')
+
optional_policy(`
cups_read_config(chromium_t)
cups_stream_connect(chromium_t)
@@ -260,7 +295,10 @@ optional_policy(`
optional_policy(`
dbus_all_session_bus_client(chromium_t)
+ dbus_send_fifo_file_all_session_bus(chromium_t)
dbus_system_bus_client(chromium_t)
+ dbus_getattr_session_runtime_socket(chromium_t)
+ dbus_write_session_runtime_socket(chromium_t)
optional_policy(`
unconfined_dbus_chat(chromium_t)
@@ -268,6 +306,7 @@ optional_policy(`
optional_policy(`
gnome_dbus_chat_all_gkeyringd(chromium_t)
+ gnome_watch_xdg_config_dirs(chromium_t)
')
optional_policy(`
@@ -276,6 +315,7 @@ optional_policy(`
')
optional_policy(`
+ systemd_list_resolved_runtime(chromium_t)
systemd_dbus_chat_hostnamed(chromium_t)
')
')
@@ -289,12 +329,17 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(chromium_t)
+ networkmanager_watch_runtime_dirs(chromium_t)
')
optional_policy(`
ssh_dontaudit_agent_tmp(chromium_t)
')
+optional_policy(`
+ wm_mmap_rw_tmpfs_files(chromium_t)
+')
+
########################################
#
# chromium_renderer local policy
@@ -383,6 +428,9 @@ allow chromium_naclhelper_t self:user_namespace create;
allow chromium_naclhelper_t chromium_t:unix_stream_socket { getattr read write
};
allow chromium_naclhelper_t chromium_sandbox_t:unix_stream_socket { getattr
read write };
+allow chromium_naclhelper_t self:cap_userns { sys_admin sys_chroot };
+allow chromium_naclhelper_t self:process { setcap signal };
+
dev_read_sysfs(chromium_naclhelper_t)
dev_read_urand(chromium_naclhelper_t)
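Review bot: The added `self:cap_userns { sys_admin sys_chroot }` grant is the broadest permission in this commit and carries no comment saying which operation inside the helper's user namespace needs it (the `self:user_namespace create` rule above shows that the helper does create one). A why-comment on the line, e.g. `# sandbox setup inside the helper's own user namespace — TODO confirm against the helper's denials`, would keep the next reviewer from widening or trimming it blindly. The same applies to `self:process { setcap signal }`: setcap next to cap_userns suggests the helper drops capabilities after setup, but that is inferred rather than visible here.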
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 33bc699c1..59891c4ff 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -814,3 +814,21 @@ interface(`gnome_mmap_gstreamer_orcexec',`
allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms;
')
+
+########################################
+## <summary>
+## watch gnome_xdg_config_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_watch_xdg_config_dirs',`
+ gen_require(`
+ type gnome_xdg_config_t;
+ ')
+
+ allow $1 gnome_xdg_config_t:dir watch;
+')
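Review bot: The summary of `gnome_watch_xdg_config_dirs` names the type `gnome_xdg_config_t` instead of describing the access in words, which is how refpolicy interface summaries are written. `## Watch gnome XDG config directories.` matches that convention and the `dir watch` rule it documents.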
diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
index d65518218..d9db68c98 100644
--- a/policy/modules/apps/wm.if
+++ b/policy/modules/apps/wm.if
@@ -184,6 +184,25 @@ interface(`wm_dontaudit_exec_tmp_files',`
dontaudit $1 wm_tmp_t:file exec_file_perms;
')
+########################################
+## <summary>
+## mmap and read-write files in temporary filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow
+## </summary>
+## </param>
+#
+interface(`wm_mmap_rw_tmpfs_files',`
+ gen_require(`
+ type wm_tmpfs_t;
+ ')
+
+ fs_list_tmpfs($1)
+ allow $1 wm_tmpfs_t:file mmap_rw_file_perms;
+')
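Review bot: The summary of `wm_mmap_rw_tmpfs_files`, "mmap and read-write files in temporary filesystems", is broader than what the interface grants, which is `mmap_rw_file_perms` on `wm_tmpfs_t` files only (plus `fs_list_tmpfs` to reach them). `## Mmap and read-write window manager tmpfs files.` states the actual reach; someone choosing between this and a generic tmpfs interface needs that distinction.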
+
########################################
## <summary>
## Do not audit attempts to execute
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 699c78b25..332a3823c 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -202,6 +202,25 @@ interface(`dbus_connect_all_session_bus',`
allow $1 session_bus_type:dbus acquire_svc;
')
+#######################################
+## <summary>
+## send file to all session busses.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_send_fifo_file_all_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ ')
+
+ allow session_bus_type $1:fd use;
+ allow session_bus_type $1:fifo_file rw_inherited_fifo_file_perms;
+')
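Review bot: The summary "send file to all session busses." describes the opposite direction from the rules in `dbus_send_fifo_file_all_session_bus`: both allow lines grant access to `session_bus_type` with `$1` as the target, letting the bus daemons use the domain's file descriptors and read and write its inherited fifo files. A summary such as `## Allow all session busses to use file descriptors inherited from the domain and read and write its inherited fifo files.` says what is actually granted. The parameter text "Domain allowed access." is likewise misleading here, since the domain is the object of the grant, not the subject.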
+
#######################################
## <summary>
## Acquire service on specified
diff --git a/policy/modules/services/networkmanager.if
b/policy/modules/services/networkmanager.if
index 364c9a931..353f174e8 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -290,6 +290,24 @@ interface(`networkmanager_read_runtime_files',`
read_files_pattern($1, NetworkManager_runtime_t,
NetworkManager_runtime_t)
')
+########################################
+## <summary>
+## watch networkmanager runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_watch_runtime_dirs',`
+ gen_require(`
+ type NetworkManager_runtime_t;
+ ')
+
+ allow $1 NetworkManager_runtime_t:dir watch;
+')
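Review bot: The summary of `networkmanager_watch_runtime_dirs` says "watch networkmanager runtime files." but the interface grants `dir watch` on `NetworkManager_runtime_t`, not file watches, and the interface name says dirs. `## Watch networkmanager runtime directories.` matches both the name and the rule.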
+
####################################
## <summary>
## Connect to networkmanager over
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 7e58453df..feddd0ace 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2909,6 +2909,44 @@ interface(`systemd_signal_all_user_sessions',`
allow $1 systemd_user_session_type:process signal;
')
+########################################
+## <summary>
+## start all systemd --user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_start_all_user_sessions',`
+ gen_require(`
+ class system { start };
+ attribute systemd_user_session_type;
+ ')
+
+ allow $1 systemd_user_session_type:system start;
+')
+
+########################################
+## <summary>
+## get status of all systemd --user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_status_all_user_sessions',`
+ gen_require(`
+ class system { status };
+ attribute systemd_user_session_type;
+ ')
+
+ allow $1 systemd_user_session_type:system status;
+')
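Review bot: Neither `systemd_start_all_user_sessions` nor `systemd_status_all_user_sessions` is called anywhere in this commit — chromium.te only gains `systemd_list_resolved_runtime` — so the two interfaces land without the caller that would justify them, and `system start` against every `systemd_user_session_type` instance is a broad grant for whichever domain eventually receives it (the exact operations it covers come from systemd's mapping of manager calls to the `system` class, not visible here). If they are needed for a follow-up chromium change, the commit message should say so; otherwise they belong in their own commit. The summaries could also spell out the reach, e.g. `## Start units via any user's systemd --user instance.`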
+
########################################
## <summary>
## Execute systemd-sysusers in the