commit:     e544807b2603f481a895a630a28e25fe4f350b38
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Sep 15 02:45:27 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep 15 05:33:37 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e544807b

chromium: allow mapping own types

 policy/modules/contrib/chromium.if | 4 ++++
 policy/modules/contrib/chromium.te | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/policy/modules/contrib/chromium.if 
b/policy/modules/contrib/chromium.if
index 3f9301b7..26eb0259 100644
--- a/policy/modules/contrib/chromium.if
+++ b/policy/modules/contrib/chromium.if
@@ -45,6 +45,7 @@ interface(`chromium_role',`
        allow chromium_sandbox_t $2:fd use;
        allow chromium_naclhelper_t $2:fd use;
 ')
+
 #######################################
 ## <summary>
 ##     Read-write access to Chromiums' temporary fifo files
@@ -62,6 +63,7 @@ interface(`chromium_rw_tmp_pipes',`
 
        rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t)
 ')
+
 ##############################################
 ## <summary>
 ##     Automatically use the specified type for resources created in chromium's
@@ -91,6 +93,7 @@ interface(`chromium_tmp_filetrans',`
        search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t)
        filetrans_pattern($1, chromium_tmp_t, $2, $3, $4)
 ')
+
 #######################################
 ## <summary>
 ##     Execute a domain transition to the chromium domain (chromium_t)
@@ -110,6 +113,7 @@ interface(`chromium_domtrans',`
        corecmd_search_bin($1)
        domtrans_pattern($1, chromium_exec_t, chromium_t)
 ')
+
 #######################################
 ## <summary>
 ##     Execute chromium in the chromium domain and allow the specified role to 
access the chromium domain

diff --git a/policy/modules/contrib/chromium.te 
b/policy/modules/contrib/chromium.te
index a4fba97c..76f2583a 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -113,6 +113,7 @@ allow chromium_t chromium_naclhelper_t:process { share };
 
 # tmp has a wide class access (used for plugins)
 manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+allow chromium_t chromium_tmp_t:file map;
 manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
 manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
 manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
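Review bot: The added `allow chromium_t chromium_tmp_t:file map;` carries no comment explaining why it is needed, and it sits under a comment that already describes this type as having wide access. A one-line rationale above the rule, such as `# mmap() of chromium's own files is checked separately via the map permission`, would help the next reviewer; the same applies to the chromium_tmpfs_t and chromium_xdg_config_t rules in the following hunk. Because chromium_t can also write these files through manage_files_pattern, it is worth confirming that no rule outside this hunk grants execute on the same types, since that combination would permit mapping attacker-influenced content as code.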
@@ -120,10 +121,12 @@ manage_fifo_files_pattern(chromium_t, chromium_tmp_t, 
chromium_tmp_t)
 files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
 
 manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
+allow chromium_t chromium_tmpfs_t:file map;
 fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
 fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)
 
 manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
+allow chromium_t chromium_xdg_config_t:file map;
 manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t, 
chromium_xdg_config_t)
 manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
 xdg_config_home_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")
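Review bot: The new `allow chromium_t chromium_tmpfs_t:file map;` covers only chromium_t, while the context line `fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)` shows the renderer also creates files of this type. The renderer's access rules for chromium_tmpfs_t are outside this hunk, so this may already be handled elsewhere. If the renderer mmaps these files, it would presumably need `allow chromium_renderer_t chromium_tmpfs_t:file map;` as well. If map is deliberately withheld from the sandboxed renderer, a short comment saying so would stop it being added later by reflex when a denial shows up in the audit log.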
