author | Jason Zaman <jason@perfinion.com> | 2017-09-15 10:45:27 +0800 |
---|---|---|
committer | Jason Zaman <jason@perfinion.com> | 2017-09-15 13:33:37 +0800 |
commit | e544807b2603f481a895a630a28e25fe4f350b38 (patch) | |
tree | 5274637f2d31f474dae0d6bbfd5e84f55b480fd7 | |
parent | Merge upstream (diff) | |
chromium: allow mapping own types
-rw-r--r-- | policy/modules/contrib/chromium.if | 4 | ||||
-rw-r--r-- | policy/modules/contrib/chromium.te | 3 |
2 files changed, 7 insertions, 0 deletions
diff --git a/policy/modules/contrib/chromium.if b/policy/modules/contrib/chromium.if
index 3f9301b79..26eb02591 100644
--- a/policy/modules/contrib/chromium.if
+++ b/policy/modules/contrib/chromium.if
@@ -45,6 +45,7 @@ interface(`chromium_role',`
 allow chromium_sandbox_t $2:fd use;
 allow chromium_naclhelper_t $2:fd use;
 ')
+
 #######################################
 ## <summary>
 ## Read-write access to Chromiums' temporary fifo files
@@ -62,6 +63,7 @@ interface(`chromium_rw_tmp_pipes',`
 rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t)
 ')
+
 ##############################################
 ## <summary>
 ## Automatically use the specified type for resources created in chromium's
@@ -91,6 +93,7 @@ interface(`chromium_tmp_filetrans',`
 search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t)
 filetrans_pattern($1, chromium_tmp_t, $2, $3, $4)
 ')
+
 #######################################
 ## <summary>
 ## Execute a domain transition to the chromium domain (chromium_t)
@@ -110,6 +113,7 @@ interface(`chromium_domtrans',`
 corecmd_search_bin($1)
 domtrans_pattern($1, chromium_exec_t, chromium_t)
 ')
+
 #######################################
 ## <summary>
 ## Execute chromium in the chromium domain and allow the specified role to access the chromium domain
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index a4fba97c0..76f2583af 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -113,6 +113,7 @@ allow chromium_t chromium_naclhelper_t:process { share };
 # tmp has a wide class access (used for plugins)
 manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+allow chromium_t chromium_tmp_t:file map;
 manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
 manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
 manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
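Review bot: The new `allow chromium_t chromium_tmp_t:file map;` is a bare rule with no comment saying which access needs it, and the same holds for the `chromium_tmpfs_t` and `chromium_xdg_config_t` map rules in the next hunk. The comment just above already notes that tmp has wide class access for plugins, so anyone auditing the domain will want to see that mapping these writable files is intended and that it adds no execute access. I would put `# chromium mmap()s files it manages itself; map alone grants no execute access` above the first rule. If this tree already carries `mmap_manage_files_pattern`, each manage/map pair could instead become one macro call, which keeps the two permissions from drifting apart.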
@@ -120,10 +121,12 @@ manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
 files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
 manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
+allow chromium_t chromium_tmpfs_t:file map;
 fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
 fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)
 manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
+allow chromium_t chromium_xdg_config_t:file map;
 manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
 manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
 xdg_config_home_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium") |
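Review bot: The map permission on `chromium_tmpfs_t` is granted to `chromium_t` only, although `fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)` two lines below shows that the renderer domain also creates files of that type. Files on tmpfs are usually shared memory that both sides mmap, so the renderer may still be denied `map` unless a rule outside this hunk covers it. If audit logs confirm that denial, `allow chromium_renderer_t chromium_tmpfs_t:file map;` next to the renderer's existing tmpfs rules would be the narrow fix. Without such a denial the renderer is better left without the permission.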