author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-19 14:51:13 +0000 |
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-19 14:51:13 +0000 |
commit | a89a55dd2a5fc953a936dbbbf0e5f00db0adf550 (patch) | |
tree | 60beab9c2a7dde200b9fb02ccc7fdd7328d168d9 | |
parent | 521d76f78a831a4465e25649f39b1315726b28df (diff) | |
SELinux: add basic policy.
This patch removes the chromium_zygote_t type and adds a
chromium_renderer_t type. Also, a basic policy for chromium_renderer_t
is included.
I decided not to try to have a different policy for the zygote since
it just makes things more complex for little reason.
BUG=none
TEST=none
http://codereview.chromium.org/1104002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@44908 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/browser/zygote_main_linux.cc | 44 | ||||
-rw-r--r-- | ipc/ipc_channel_posix.cc | 5 | ||||
-rw-r--r-- | sandbox/linux/selinux/README | 12 | ||||
-rw-r--r-- | sandbox/linux/selinux/chromium-browser.if | 1 | ||||
-rw-r--r-- | sandbox/linux/selinux/chromium-browser.te | 40 |
5 files changed, 82 insertions, 20 deletions
diff --git a/chrome/browser/zygote_main_linux.cc b/chrome/browser/zygote_main_linux.cc
index a7cfb76..8071f0f 100644
--- a/chrome/browser/zygote_main_linux.cc
+++ b/chrome/browser/zygote_main_linux.cc
@@ -64,6 +64,26 @@ static bool g_suid_sandbox_active = false;
 static int g_proc_fd = -1;
 #endif
 
+#if defined(CHROMIUM_SELINUX)
+static void SELinuxTransitionToTypeOrDie(const char* type) {
+  security_context_t security_context;
+  if (getcon(&security_context))
+    LOG(FATAL) << "Cannot get SELinux context";
+
+  context_t context = context_new(security_context);
+  context_type_set(context, type);
+  const int r = setcon(context_str(context));
+  context_free(context);
+  freecon(security_context);
+
+  if (r) {
+    LOG(FATAL) << "dynamic transition to type '" << type << "' failed. "
+                  "(this binary has been built with SELinux support, but maybe "
+                  "the policies haven't been loaded into the kernel?)";
+  }
+}
+#endif  // CHROMIUM_SELINUX
+
 // This is the object which implements the zygote. The ZygoteMain function,
 // which is called from ChromeMain, at the the bottom and simple constructs one
 // of these objects and runs it.
@@ -265,6 +285,10 @@ class Zygote {
     close(kZygoteIdDescriptor);  // another socket from the browser
     Singleton<base::GlobalDescriptors>()->Reset(mapping);
 
+#if defined(CHROMIUM_SELINUX)
+    SELinuxTransitionToTypeOrDie("chromium_renderer_t");
+#endif
+
     // Reset the process-wide command line to our new command line.
     CommandLine::Reset();
     CommandLine::Init(0, NULL);
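Review bot: The return values of `context_new()` and `context_type_set()` in SELinuxTransitionToTypeOrDie are ignored, and a failed `context_type_set()` leaves the type untouched, so the following `setcon()` re-applies the context the process already has, succeeds, and the child carries on as unconfined_t with no error at all; a NULL `context` would presumably be dereferenced inside libselinux instead. Both cases should be fatal, in keeping with the function's name, by inserting before the `setcon()` call: `if (!context || context_type_set(context, type))` and `LOG(FATAL) << "Cannot build SELinux context for type '" << type << "'";`. Since the property callers rely on is the type actually in effect rather than `setcon()`'s return value, it would also be reasonable to re-read the context with `getcon()` afterwards and fail if its type is not `type`.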
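Review bot: Nothing at the call site records that this dyntransition is the renderer's only confinement on a selinux=1 build (the README in this change says the seccomp sandbox is disabled) or that the zygote itself remains unconfined_t, which the policy's `allow unconfined_t chromium_renderer_t:process { dyntransition }` rule depends on now that the chromium_zygote_t transition is gone. A one-line comment would save the next reader from looking for a zygote domain: `// Confine this child now; the zygote itself stays unconfined_t (see sandbox/linux/selinux).` Whether the kernel accepts a dyntransition from a multi-threaded process depends on policy bounds, so if any thread could exist in the child at this point that deserves a comment or a check too. The enclosing method starts and ends outside the hunk.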
@@ -585,26 +609,6 @@ static bool EnterSandbox() {
 static bool EnterSandbox() {
   PreSandboxInit();
   SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor);
-
-  security_context_t security_context;
-  if (getcon(&security_context)) {
-    LOG(ERROR) << "Cannot get SELinux context";
-    return false;
-  }
-
-  context_t context = context_new(security_context);
-  context_type_set(context, "chromium_zygote_t");
-  const int r = setcon(context_str(context));
-  context_free(context);
-  freecon(security_context);
-
-  if (r) {
-    LOG(ERROR) << "dynamic transition to type 'chromium_zygote_t' failed. "
-                  "(this binary has been built with SELinux support, but maybe "
-                  "the policies haven't been loaded into the kernel?)";
-    return false;
-  }
-
   return true;
 }
 
diff --git a/ipc/ipc_channel_posix.cc b/ipc/ipc_channel_posix.cc
index f6b19f7..a2fdf38 100644
--- a/ipc/ipc_channel_posix.cc
+++ b/ipc/ipc_channel_posix.cc
@@ -653,6 +653,11 @@ bool Channel::ChannelImpl::ProcessIncomingMessages() {
                    << " header()->num_fds:" << m.header()->num_fds
                    << " num_fds:" << num_fds
                    << " fds_i:" << fds_i;
+#if defined(CHROMIUM_SELINUX)
+        LOG(WARNING) << "In the case of SELinux this can be caused when "
+                        "using a --user-data-dir to which the default "
+                        "policy doesn't give the renderer access to. ";
+#endif
         // close the existing file descriptors so that we don't leak them
         for (unsigned i = fds_i; i < num_fds; ++i)
           HANDLE_EINTR(close(fds[i]));
diff --git a/sandbox/linux/selinux/README b/sandbox/linux/selinux/README
new file mode 100644
index 0000000..f5428a3
--- /dev/null
+++ b/sandbox/linux/selinux/README
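Review bot: The new warning text in the ipc_channel_posix.cc hunk reads "a --user-data-dir to which the default policy doesn't give the renderer access to", which doubles the preposition, and it is emitted on every descriptor-count mismatch in a build with SELinux support although that mismatch has other causes, so it should be worded as one possibility rather than a diagnosis: `"With SELinux this can happen when --user-data-dir points somewhere the default policy does not let the renderer read."`. The enclosing ProcessIncomingMessages() starts and ends outside the hunk.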
@@ -0,0 +1,12 @@
+This contains a basic and seemingly functional policy for Chromium. This policy
+was written on FC12 and might not function on other distributions depending on
+the version of the refpolicy installed.
+
+When building Chromium with the GYP define selinux=1, the seccomp sandbox is
+disabled and the zygote will perform a dynamic transition to chromium_renderer_t
+after forking a renderer. The policy in this directory defines access vectors
+for chromium_renderer_t.
+
+To install:
+  % make -f /usr/share/selinux/devel/Makefile
+  % sudo /usr/sbin/semodule -i chromium-browser.pp
diff --git a/sandbox/linux/selinux/chromium-browser.if b/sandbox/linux/selinux/chromium-browser.if
new file mode 100644
index 0000000..3eb6a30
--- /dev/null
+++ b/sandbox/linux/selinux/chromium-browser.if
@@ -0,0 +1 @@
+## <summary></summary>
diff --git a/sandbox/linux/selinux/chromium-browser.te b/sandbox/linux/selinux/chromium-browser.te
new file mode 100644
index 0000000..ae2f8b7
--- /dev/null
+++ b/sandbox/linux/selinux/chromium-browser.te
@@ -0,0 +1,40 @@
+policy_module(chromium-browser,1.0.0)
+
+gen_require(`
+	type gnome_home_t;
+	type proc_t;
+	type tmpfs_t;
+	type unconfined_t;
+	type urandom_device_t;
+	type user_devpts_t;
+	type user_tmpfs_t;
+')
+
+type chromium_renderer_t;
+domain_base_type(chromium_renderer_t)
+role unconfined_r types chromium_renderer_t;
+
+allow unconfined_t chromium_renderer_t:process { dyntransition };
+
+allow chromium_renderer_t unconfined_t:unix_stream_socket { read write send_msg recv_msg };
+allow unconfined_t chromium_renderer_t:unix_stream_socket { read write send_msg recv_msg };
+
+allow chromium_renderer_t urandom_device_t:chr_file { read };
+allow chromium_renderer_t user_devpts_t:chr_file { write };
+allow chromium_renderer_t self:process { execmem };
+allow chromium_renderer_t self:fifo_file { read write };
+allow chromium_renderer_t self:unix_dgram_socket { read write create send_msg recv_msg sendto };
+allow chromium_renderer_t unconfined_t:unix_dgram_socket { read write send_msg recv_msg };
+allow unconfined_t chromium_renderer_t:unix_dgram_socket { read write send_msg recv_msg };
+allow chromium_renderer_t user_tmpfs_t:file { read write append open getattr };
+allow chromium_renderer_t tmpfs_t:file { read write };
+allow chromium_renderer_t self:shm { create destroy getattr setattr read write associate unix_read unix_write };
+
+# For reading dictionaries out of the user-data-dir
+allow chromium_renderer_t gnome_home_t:file { read getattr };
+
+miscfiles_read_localization(chromium_renderer_t);
+miscfiles_read_fonts(chromium_renderer_t);
+
+# The renderer will attempt to read meminfo
+dontaudit chromium_renderer_t proc_t:file { read };
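Review bot: The `gnome_home_t:file { read getattr }` rule grants no `open` (and no `dir search`), so assuming the policy enables open_perms as Fedora's does, the renderer gets no by-name access to the user's home and can only read dictionary descriptors the browser hands it; the comment above the rule says what it is for but not that this narrowness is deliberate, so the first AVC denial on a path open is likely to be "fixed" by adding `open` and `search`, exposing everything labelled gnome_home_t, user-data-dir included. Suggested comment in place of the existing one: `# Dictionaries arrive as fds from the browser; deliberately no open/search, never widen this to by-name access.` The `user_tmpfs_t` rule does include `open`; if it likewise only serves descriptors inherited or received from the browser, dropping `open` there keeps the two rules consistent. I also see no `allow chromium_renderer_t unconfined_t:fd use;`, which the kernel's fd:use check normally requires before one domain may use a descriptor opened by another, so unless a rule outside this module covers it, this is worth confirming under enforcing mode with `ausearch -m AVC`.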