commit: 4a9fa0f6f7c5f90dc16db233210cfa4758f08bfc
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Feb 10 04:23:14 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:23:42 2019 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a9fa0f6
remove gentoo chromium policy that has been upstreamed
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/contrib/chromium.fc | 31 ---
policy/modules/contrib/chromium.if | 139 --------------
policy/modules/contrib/chromium.te | 375 -------------------------------------
policy/modules/roles/staff.te | 4 -
policy/modules/roles/unprivuser.te | 4 -
5 files changed, 553 deletions(-)
diff --git a/policy/modules/contrib/chromium.fc
b/policy/modules/contrib/chromium.fc
deleted file mode 100644
index 534235dc..00000000
--- a/policy/modules/contrib/chromium.fc
+++ /dev/null
@@ -1,31 +0,0 @@
-/opt/google/chrome/chrome --
gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome/chrome_sandbox --
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome/chrome-sandbox --
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome/google-chrome --
gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome/nacl_helper_bootstrap --
gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
-/opt/google/chrome/libudev.so.0
gen_context(system_u:object_r:lib_t,s0)
-
-/opt/google/chrome-beta/chrome --
gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome-beta/chrome_sandbox --
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome-beta/chrome-sandbox --
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome-beta/google-chrome --
gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome-beta/nacl_helper_bootstrap --
gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
-/opt/google/chrome-beta/libudev.so.0
gen_context(system_u:object_r:lib_t,s0)
-
-/opt/google/chrome-unstable/chrome --
gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome-unstable/chrome_sandbox --
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome-unstable/chrome-sandbox --
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/opt/google/chrome-unstable/google-chrome --
gen_context(system_u:object_r:chromium_exec_t,s0)
-/opt/google/chrome-unstable/nacl_helper_bootstrap --
gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
-/opt/google/chrome-unstable/libudev.so.0
gen_context(system_u:object_r:lib_t,s0)
-
-/usr/lib/chromium-browser/chrome --
gen_context(system_u:object_r:chromium_exec_t,s0)
-/usr/lib/chromium-browser/chrome_sandbox --
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/usr/lib/chromium-browser/chrome-sandbox --
gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
-/usr/lib/chromium-browser/chromium-launcher\.sh --
gen_context(system_u:object_r:chromium_exec_t,s0)
-/usr/lib/chromium-browser/nacl_helper_bootstrap --
gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
-
-HOME_DIR/\.cache/chromium(/.*)?
gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
-HOME_DIR/\.cache/google-chrome(/.*)?
gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
-HOME_DIR/\.config/chromium(/.*)?
gen_context(system_u:object_r:chromium_xdg_config_t,s0)
-HOME_DIR/\.config/google-chrome(/.*)?
gen_context(system_u:object_r:chromium_xdg_config_t,s0)
diff --git a/policy/modules/contrib/chromium.if
b/policy/modules/contrib/chromium.if
deleted file mode 100644
index 26eb0259..00000000
--- a/policy/modules/contrib/chromium.if
+++ /dev/null
@@ -1,139 +0,0 @@
-## <summary>
-## Chromium browser
-## </summary>
-
-#######################################
-## <summary>
-## Role access for chromium
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role
-## </summary>
-## </param>
-#
-interface(`chromium_role',`
- gen_require(`
- type chromium_t;
- type chromium_renderer_t;
- type chromium_sandbox_t;
- type chromium_naclhelper_t;
- type chromium_exec_t;
- ')
-
- role $1 types chromium_t;
- role $1 types chromium_renderer_t;
- role $1 types chromium_sandbox_t;
- role $1 types chromium_naclhelper_t;
-
- # Transition from the user domain to the derived domain
- chromium_domtrans($2)
-
- # Allow ps to show chromium processes and allow the user to signal it
- ps_process_pattern($2, chromium_t)
- ps_process_pattern($2, chromium_renderer_t)
-
- allow $2 chromium_t:process signal_perms;
- allow $2 chromium_renderer_t:process signal_perms;
- allow $2 chromium_naclhelper_t:process signal_perms;
-
- allow chromium_sandbox_t $2:fd use;
- allow chromium_naclhelper_t $2:fd use;
-')
-
-#######################################
-## <summary>
-## Read-write access to Chromiums' temporary fifo files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access
-## </summary>
-## </param>
-#
-interface(`chromium_rw_tmp_pipes',`
- gen_require(`
- type chromium_tmp_t;
- ')
-
- rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t)
-')
-
-##############################################
-## <summary>
-## Automatically use the specified type for resources created in chromium's
-## temporary locations
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain that creates the resource(s)
-## </summary>
-## </param>
-## <param name="class">
-## <summary>
-## Type of the resource created
-## </summary>
-## </param>
-## <param name="filename" optional="true">
-## <summary>
-## The name of the resource being created
-## </summary>
-## </param>
-#
-interface(`chromium_tmp_filetrans',`
- gen_require(`
- type chromium_tmp_t;
- ')
-
- search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t)
- filetrans_pattern($1, chromium_tmp_t, $2, $3, $4)
-')
-
-#######################################
-## <summary>
-## Execute a domain transition to the chromium domain (chromium_t)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access
-## </summary>
-## </param>
-#
-interface(`chromium_domtrans',`
- gen_require(`
- type chromium_t;
- type chromium_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, chromium_exec_t, chromium_t)
-')
-
-#######################################
-## <summary>
-## Execute chromium in the chromium domain and allow the specified role to
access the chromium domain
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access
-## </summary>
-## </param>
-#
-interface(`chromium_run',`
- gen_require(`
- type chromium_t;
- ')
-
- chromium_domtrans($1)
- role $2 types chromium_t;
-')
diff --git a/policy/modules/contrib/chromium.te
b/policy/modules/contrib/chromium.te
deleted file mode 100644
index 7e7f4490..00000000
--- a/policy/modules/contrib/chromium.te
+++ /dev/null
@@ -1,375 +0,0 @@
-policy_module(chromium, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-## <p>
-## Allow the use of java plugins
-## </p>
-## <p>
-## Some of these plugins require the use of named pipes (fifo files) that are
-## created within the temporary directory of the first browser that
instantiated
-## the plugin. Hence, if other browsers need access to java plugins, they will
-## get search rights in chromium's tmp locations
-## </p>
-## </desc>
-gen_tunable(chromium_use_java, false)
-
-## <desc>
-## <p>
-## Allow chromium to read system information
-## </p>
-## <p>
-## Although not needed for regular browsing, this will allow chromium to update
-## its own memory consumption based on system state, support additional
-## debugging, detect specific devices, etc.
-## </p>
-## </desc>
-gen_tunable(chromium_read_system_info, false)
-
-## <desc>
-## <p>
-## Allow chromium to bind to tcp ports
-## </p>
-## <p>
-## Although not needed for regular browsing, some chrome extensions need to
-## bind to tcp ports and accept connections.
-## </p>
-## </desc>
-gen_tunable(chromium_bind_tcp_unreserved_ports, false)
-
-## <desc>
-## <p>
-## Allow chromium to read/write USB devices
-## </p>
-## <p>
-## Although not needed for regular browsing, used for debugging over usb
-## or using FIDO U2F tokens.
-## </p>
-## </desc>
-gen_tunable(chromium_rw_usb_dev, false)
-
-type chromium_t;
-domain_dyntrans_type(chromium_t)
-
-type chromium_exec_t;
-application_domain(chromium_t, chromium_exec_t)
-
-type chromium_naclhelper_t;
-type chromium_naclhelper_exec_t;
-application_domain(chromium_naclhelper_t, chromium_naclhelper_exec_t)
-
-type chromium_sandbox_t;
-type chromium_sandbox_exec_t;
-application_domain(chromium_sandbox_t, chromium_sandbox_exec_t)
-
-type chromium_renderer_t;
-domain_base_type(chromium_renderer_t)
-
-type chromium_tmp_t;
-userdom_user_tmp_file(chromium_tmp_t)
-
-type chromium_tmpfs_t;
-userdom_user_tmpfs_file(chromium_tmpfs_t)
-optional_policy(`
- pulseaudio_tmpfs_content(chromium_tmpfs_t)
-')
-
-type chromium_xdg_config_t;
-xdg_config_home_content(chromium_xdg_config_t)
-
-type chromium_xdg_cache_t;
-xdg_cache_home_content(chromium_xdg_cache_t)
-
-
-
-########################################
-#
-# chromium local policy
-#
-
-# execmem for load in plugins
-allow chromium_t self:process { execmem getsched getcap setcap setrlimit
setsched sigkill signal };
-allow chromium_t self:fifo_file rw_fifo_file_perms;
-allow chromium_t self:sem create_sem_perms;
-allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
-# cap_userns sys_admin for the sandbox
-allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace };
-
-allow chromium_t chromium_exec_t:file execute_no_trans;
-
-allow chromium_t chromium_renderer_t:dir list_dir_perms;
-allow chromium_t chromium_renderer_t:file rw_file_perms;
-allow chromium_t chromium_renderer_t:fd use;
-allow chromium_t chromium_renderer_t:process signal_perms;
-allow chromium_t chromium_renderer_t:shm rw_shm_perms;
-allow chromium_t chromium_renderer_t:unix_dgram_socket { read write };
-allow chromium_t chromium_renderer_t:unix_stream_socket { read write };
-
-allow chromium_t chromium_sandbox_t:unix_dgram_socket { read write };
-allow chromium_t chromium_sandbox_t:unix_stream_socket { read write };
-
-allow chromium_t chromium_naclhelper_t:process { share };
-
-# tmp has a wide class access (used for plugins)
-manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
-allow chromium_t chromium_tmp_t:file map;
-manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
-manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
-manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
-manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
-files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
-
-manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
-allow chromium_t chromium_tmpfs_t:file map;
-fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
-fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)
-
-manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
-allow chromium_t chromium_xdg_config_t:file map;
-manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t,
chromium_xdg_config_t)
-manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
-xdg_config_home_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")
-
-manage_files_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
-allow chromium_t chromium_xdg_cache_t:file map;
-manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
-xdg_cache_home_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")
-
-dyntrans_pattern(chromium_t, chromium_renderer_t)
-domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
-domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
-
-kernel_list_proc(chromium_t)
-kernel_read_net_sysctls(chromium_t)
-
-corecmd_exec_bin(chromium_t)
-# Look for /etc/gentoo-release through a shell invocation running find
-corecmd_exec_shell(chromium_t)
-
-corenet_tcp_connect_all_unreserved_ports(chromium_t)
-corenet_tcp_connect_ftp_port(chromium_t)
-corenet_tcp_connect_http_port(chromium_t)
-corenet_udp_bind_generic_node(chromium_t)
-corenet_udp_bind_all_unreserved_ports(chromium_t)
-
-dev_read_sound(chromium_t)
-dev_write_sound(chromium_t)
-dev_read_urand(chromium_t)
-dev_read_rand(chromium_t)
-dev_rw_xserver_misc(chromium_t)
-dev_map_xserver_misc(chromium_t)
-
-domain_dontaudit_search_all_domains_state(chromium_t)
-
-files_list_home(chromium_t)
-files_search_home(chromium_t)
-files_read_usr_files(chromium_t)
-files_map_usr_files(chromium_t)
-files_read_etc_files(chromium_t)
-# During find for /etc/whatever-release we get lots of output otherwise
-files_dontaudit_getattr_all_dirs(chromium_t)
-
-fs_dontaudit_getattr_xattr_fs(chromium_t)
-
-getty_dontaudit_use_fds(chromium_t)
-
-miscfiles_read_all_certs(chromium_t)
-miscfiles_read_localization(chromium_t)
-
-sysnet_dns_name_resolve(chromium_t)
-
-userdom_user_content_access_template(chromium, chromium_t)
-userdom_dontaudit_list_user_home_dirs(chromium_t)
-# Debugging. Also on user_tty_device_t if X is started through "startx" for
instance
-userdom_use_user_terminals(chromium_t)
-userdom_manage_user_certs(chromium_t)
-userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
-
-xdg_create_cache_home_dirs(chromium_t)
-xdg_create_config_home_dirs(chromium_t)
-xdg_create_data_home_dirs(chromium_t)
-xdg_manage_downloads_home(chromium_t)
-xdg_read_config_home_files(chromium_t)
-xdg_read_data_home_files(chromium_t)
-
-xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
-
-tunable_policy(`chromium_bind_tcp_unreserved_ports',`
- corenet_tcp_bind_generic_node(chromium_t)
- corenet_tcp_bind_all_unreserved_ports(chromium_t)
- allow chromium_t self:tcp_socket { listen accept };
-')
-
-tunable_policy(`chromium_rw_usb_dev',`
- dev_rw_generic_usb_dev(chromium_t)
- udev_read_db(chromium_t)
-')
-
-tunable_policy(`chromium_read_system_info',`
- kernel_read_kernel_sysctls(chromium_t)
- # Memory optimizations & optimizations based on OS/version
- kernel_read_system_state(chromium_t)
-
- # Debugging (sys/kernel/debug) and device information (sys/bus and
sys/devices).
- dev_read_sysfs(chromium_t)
-
- storage_getattr_fixed_disk_dev(chromium_t)
-
- files_read_etc_runtime_files(chromium_t)
-
- dev_dontaudit_getattr_all_chr_files(chromium_t)
- init_dontaudit_getattr_initctl(chromium_t)
-',`
- kernel_dontaudit_read_kernel_sysctls(chromium_t)
- kernel_dontaudit_read_system_state(chromium_t)
-
- dev_dontaudit_read_sysfs(chromium_t)
-
- files_dontaudit_read_etc_runtime(chromium_t)
-')
-
-optional_policy(`
- cups_read_config(chromium_t)
- cups_stream_connect(chromium_t)
-')
-
-optional_policy(`
- dbus_all_session_bus_client(chromium_t)
- dbus_system_bus_client(chromium_t)
-
- optional_policy(`
- unconfined_dbus_chat(chromium_t)
- ')
- optional_policy(`
- gnome_dbus_chat_all_gkeyringd(chromium_t)
- ')
- optional_policy(`
- devicekit_dbus_chat_power(chromium_t)
- ')
-')
-
-optional_policy(`
- flash_manage_home(chromium_t)
-')
-
-optional_policy(`
- # Java (iced-tea) plugin .so creates /tmp/icedteaplugin-<name> directory
- # and fifo files within. These are then used by the renderer and a
- # freshly forked java process to communicate between each other.
- tunable_policy(`chromium_use_java',`
- java_noatsecure_domtrans(chromium_t)
- ')
-')
-
-optional_policy(`
- # Chromium reads in .mozilla for user plugins
- mozilla_read_user_home(chromium_t)
-')
-
-ifdef(`use_alsa',`
- optional_policy(`
- alsa_domain(chromium_t, chromium_tmpfs_t)
- ')
-
- optional_policy(`
- pulseaudio_domtrans(chromium_t)
- ')
-')
-
-########################################
-#
-# chromium_renderer local policy
-#
-
-allow chromium_renderer_t self:process execmem;
-
-allow chromium_renderer_t self:fifo_file rw_fifo_file_perms;
-allow chromium_renderer_t self:shm create_shm_perms;
-allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
-allow chromium_renderer_t self:unix_stream_socket { create getattr read write
};
-
-allow chromium_renderer_t chromium_t:fd use;
-allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms;
-allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;
-
-dontaudit chromium_renderer_t chromium_t:dir search; # /proc/... access
-dontaudit chromium_renderer_t self:process getsched;
-
-read_files_pattern(chromium_renderer_t, chromium_xdg_config_t,
chromium_xdg_config_t)
-
-rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t)
-
-dev_read_urand(chromium_renderer_t)
-
-files_dontaudit_list_tmp(chromium_renderer_t)
-files_dontaudit_read_etc_files(chromium_renderer_t)
-files_search_var(chromium_renderer_t)
-
-init_sigchld(chromium_renderer_t)
-
-miscfiles_read_localization(chromium_renderer_t)
-
-userdom_dontaudit_use_all_users_fds(chromium_renderer_t)
-userdom_use_user_terminals(chromium_renderer_t)
-
-xdg_read_config_home_files(chromium_renderer_t)
-
-xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t,
chromium_tmpfs_t)
-
-tunable_policy(`chromium_read_system_info',`
- kernel_read_kernel_sysctls(chromium_renderer_t)
- kernel_read_system_state(chromium_renderer_t)
-',`
- kernel_dontaudit_read_kernel_sysctls(chromium_renderer_t)
- kernel_dontaudit_read_system_state(chromium_renderer_t)
-')
-
-#########################################
-#
-# Chromium sandbox local policy
-#
-
-allow chromium_sandbox_t self:capability { dac_read_search setgid setuid
sys_admin sys_chroot sys_ptrace };
-allow chromium_sandbox_t self:process { setrlimit };
-allow chromium_sandbox_t self:unix_stream_socket create_stream_socket_perms;
-
-allow chromium_sandbox_t chromium_t:process { share };
-# /proc access
-allow chromium_sandbox_t chromium_t:dir list_dir_perms;
-allow chromium_sandbox_t chromium_t:lnk_file read_lnk_file_perms;
-allow chromium_sandbox_t chromium_t:file rw_file_perms;
-
-allow chromium_sandbox_t chromium_t:unix_stream_socket { read write };
-allow chromium_sandbox_t chromium_t:unix_dgram_socket { read write };
-
-kernel_list_proc(chromium_sandbox_t)
-
-domain_dontaudit_read_all_domains_state(chromium_sandbox_t)
-
-userdom_use_user_ptys(chromium_sandbox_t)
-
-chromium_domtrans(chromium_sandbox_t)
-
-##########################################
-#
-# Chromium nacl helper local policy
-#
-
-allow chromium_naclhelper_t chromium_t:unix_stream_socket { read write };
-
-domain_mmap_low_uncond(chromium_naclhelper_t)
-
-userdom_use_user_ptys(chromium_naclhelper_t)
-
-tunable_policy(`chromium_read_system_info',`
- kernel_read_kernel_sysctls(chromium_naclhelper_t)
- kernel_read_system_state(chromium_naclhelper_t)
-',`
- kernel_dontaudit_read_kernel_sysctls(chromium_naclhelper_t)
- kernel_dontaudit_read_system_state(chromium_naclhelper_t)
-')
-
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 7379868a..fbe1829b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -228,10 +228,6 @@ ifdef(`distro_gentoo',`
at_role(staff_r, staff_t)
')
- optional_policy(`
- chromium_role(staff_r, staff_t)
- ')
-
optional_policy(`
# bug 531784
devicekit_dbus_chat_disk(staff_t)
diff --git a/policy/modules/roles/unprivuser.te
b/policy/modules/roles/unprivuser.te
index aa0c518f..e71c17e9 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -216,10 +216,6 @@ ifdef(`distro_gentoo',`
at_role(user_r, user_t)
')
- optional_policy(`
- chromium_role(user_r, user_t)
- ')
-
optional_policy(`
devicekit_dbus_chat_disk(user_t)
devicekit_dbus_chat_power(user_t)
