summaryrefslogtreecommitdiffstats
path: root/sandbox
diff options
context:
space:
mode:
Diffstat (limited to 'sandbox')
-rw-r--r--sandbox/linux/selinux/README12
-rw-r--r--sandbox/linux/selinux/chromium-browser.if1
-rw-r--r--sandbox/linux/selinux/chromium-browser.te40
3 files changed, 53 insertions, 0 deletions
diff --git a/sandbox/linux/selinux/README b/sandbox/linux/selinux/README
new file mode 100644
index 0000000..f5428a3
--- /dev/null
+++ b/sandbox/linux/selinux/README
@@ -0,0 +1,12 @@
+This contains a basic and seemingly functional policy for Chromium. This policy
+was written on FC12 and might not function on other distributions depending on
+the version of the refpolicy installed.
+
+When building Chromium with the GYP define selinux=1, the seccomp sandbox is
+disabled and the zygote will perform a dynamic transition to chromium_renderer_t
+after forking a renderer. The policy in this directory defines access vectors
+for chromium_renderer_t.
+
+To install:
+ % make -f /usr/share/selinux/devel/Makefile
+ % sudo /usr/sbin/semodule -i chromium-browser.pp
diff --git a/sandbox/linux/selinux/chromium-browser.if b/sandbox/linux/selinux/chromium-browser.if
new file mode 100644
index 0000000..3eb6a30
--- /dev/null
+++ b/sandbox/linux/selinux/chromium-browser.if
@@ -0,0 +1 @@
+## <summary></summary>
diff --git a/sandbox/linux/selinux/chromium-browser.te b/sandbox/linux/selinux/chromium-browser.te
new file mode 100644
index 0000000..ae2f8b7
--- /dev/null
+++ b/sandbox/linux/selinux/chromium-browser.te
@@ -0,0 +1,40 @@
+policy_module(chromium-browser,1.0.0)
+
+gen_require(`
+ type gnome_home_t;
+ type proc_t;
+ type tmpfs_t;
+ type unconfined_t;
+ type urandom_device_t;
+ type user_devpts_t;
+ type user_tmpfs_t;
+')
+
+type chromium_renderer_t;
+domain_base_type(chromium_renderer_t)
+role unconfined_r types chromium_renderer_t;
+
+allow unconfined_t chromium_renderer_t:process { dyntransition };
+
+allow chromium_renderer_t unconfined_t:unix_stream_socket { read write send_msg recv_msg };
+allow unconfined_t chromium_renderer_t:unix_stream_socket { read write send_msg recv_msg };
+
+allow chromium_renderer_t urandom_device_t:chr_file { read };
+allow chromium_renderer_t user_devpts_t:chr_file { write };
+allow chromium_renderer_t self:process { execmem };
+allow chromium_renderer_t self:fifo_file { read write };
+allow chromium_renderer_t self:unix_dgram_socket { read write create send_msg recv_msg sendto };
+allow chromium_renderer_t unconfined_t:unix_dgram_socket { read write send_msg recv_msg };
+allow unconfined_t chromium_renderer_t:unix_dgram_socket { read write send_msg recv_msg };
+allow chromium_renderer_t user_tmpfs_t:file { read write append open getattr };
+allow chromium_renderer_t tmpfs_t:file { read write };
+allow chromium_renderer_t self:shm { create destroy getattr setattr read write associate unix_read unix_write };
+
+# For reading dictionaries out of the user-data-dir
+allow chromium_renderer_t gnome_home_t:file { read getattr };
+
+miscfiles_read_localization(chromium_renderer_t);
+miscfiles_read_fonts(chromium_renderer_t);
+
+# The renderer will attempt to read meminfo
+dontaudit chromium_renderer_t proc_t:file { read };
generated by cgit v1.1 at 2025-02-08 13:15:32 +0000