# This file is based on original code from secureblue, licensed under Apache 2.0
# Modified by oneflux - see LICENSE for details
# SELinux type-enforcement module for the Brave browser.  Two process domains
# are declared here: brave_t (the browser itself) and brave_script_t (the
# launcher script, which the rules further down allow to transition into
# brave_t).
policy_module(brave, 1.0.0)


########################################
#
# Declarations
#

## <desc>
## <p>
## Allow brave to read/write/map v4l devices
## </p>
## <p>
## Needed for camera access
## </p>
## </desc>
# Defaults to true: camera device access is granted until an administrator
# turns the boolean off.  The rules it gates live in the tunable_policy block
# further down.
gen_tunable(brave_rwmap_video_dev, true)


# brave executable
attribute_role brave_roles;
roleattribute object_r brave_roles;

type brave_t;
type brave_home_t;
type brave_exec_t;
domain_type(brave_t, brave_exec_t)
application_domain(brave_t, brave_exec_t)

# NOTE(review): brave_home_t is declared as user home content below, i.e. a
# file type rather than a process domain; listing it in a role types statement
# is unusual - confirm it is intentional.
role brave_roles types { brave_t brave_home_t };

userdom_user_home_content(brave_home_t)

# brave script
attribute_role brave_script_roles;
roleattribute object_r brave_script_roles;

type brave_script_t;
type brave_script_exec_t;
domain_type(brave_script_t, brave_script_exec_t)
application_domain(brave_script_t, brave_script_exec_t)

role brave_script_roles types brave_script_t;
# External types and classes this module references directly in its own
# allow rules.  Anything used directly but not listed here has to be brought
# into scope by one of the interface calls below.
gen_require(`
class dbus acquire_svc;
type audio_home_t;
type chrome_sandbox_home_t;
type device_t;
type dosfs_t;
type fs_t;
type unconfined_t;
type http_port_t;
type http_cache_port_t;
type howl_port_t;
type ld_so_cache_t;
type null_device_t;
type root_t;
type pki_ca_port_t;
type nsfs_t;
type tmp_t;
type tmpfs_t;
type unconfined_dbusd_t;
type user_home_t;
type xserver_misc_device_t;
')
# NOTE(review): data_home_t (used in "allow brave_t data_home_t:file ...")
# and user_tmpfs_t (passed to xserver_user_x_domain_template) are referenced
# directly but are not required here; presumably the gnome_*/userdom_*
# interface calls pull them in.  Listing them explicitly would make the
# dependency visible rather than incidental.
# internal
# Process self-permissions.  execmem (anonymous executable memory, presumably
# for the JavaScript JIT), ptrace and dyntransition are the notable ones: a
# compromised process in brave_t is not prevented by policy from inspecting
# or dynamically re-domaining its own sibling processes.
allow brave_t self:process { dyntransition transition execmem getcap getsched ptrace setcap setrlimit setsched sigkill signal signull };
allow brave_t self:dir { manage_dir_perms };
allow brave_t self:file { manage_file_perms execute map };
allow brave_t self:lnk_file { manage_lnk_file_perms };
# Subset of the self:fifo_file manage/relabel rule further down; the two
# could be merged.
allow brave_t self:fifo_file rw_fifo_file_perms;
allow brave_t self:sem create_sem_perms;
allow brave_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
# Needed for the browser's own namespace-based sandbox.
allow brave_t self:user_namespace create;
allow brave_t self:unix_stream_socket { connectto rw_socket_perms };
# Capabilities: cap_userns covers the sandbox helpers inside a user namespace.
# The self:capability line below grants the same bits plus dac_read_search in
# the initial namespace, which is considerably broader.  NOTE(review): worth
# confirming from AVC audit records which of sys_admin/sys_ptrace are actually
# exercised outside a user namespace.
allow brave_t self:cap_userns { sys_admin sys_chroot sys_ptrace };
allow brave_t self:capability { dac_read_search sys_admin sys_chroot sys_ptrace };
allow brave_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
# Redundant with the self:dir manage_dir_perms rule above (rw_dir_perms is a
# subset); harmless.
allow brave_t self:dir rw_dir_perms;
allow brave_t self:socket_class_set create_socket_perms;
# Listening TCP socket: brave_t may accept inbound connections; which ports it
# can bind is governed by the corenet_*_bind_* calls further down.
allow brave_t self:tcp_socket { accept listen };
# Re-executes its own binary without a domain transition (presumably for
# helper processes).
allow brave_t brave_exec_t:file execute_no_trans;
# Full management, including execute and map, of the sandbox and profile
# directories labeled chrome_sandbox_home_t / brave_home_t.
allow brave_t chrome_sandbox_home_t:dir { manage_dir_perms };
allow brave_t chrome_sandbox_home_t:file { manage_file_perms execute map };
allow brave_t chrome_sandbox_home_t:lnk_file { manage_lnk_file_perms };
allow brave_t brave_home_t:dir { manage_dir_perms };
allow brave_t brave_home_t:file { manage_file_perms execute map };
allow brave_t brave_home_t:lnk_file { manage_lnk_file_perms };
# Read-only routing/interface enumeration over netlink.
allow brave_t self:netlink_route_socket nlmsg_read;
# not covered by interfaces
# Outbound: name_connect to pki_ca_port_t, http_port_t and http_cache_port_t.
# Inbound: binds a UDP socket on howl_port_t (the mDNS port in refpolicy).
allow brave_t pki_ca_port_t:tcp_socket name_connect;
allow brave_t howl_port_t:udp_socket name_bind;
allow brave_t http_port_t:tcp_socket { name_connect };
allow brave_t http_cache_port_t:tcp_socket { name_connect };
# Generic /tmp: create/remove symlinks and sockets only; file and directory
# management comes from the files_*_generic_tmp_* interfaces below.
allow brave_t tmp_t:lnk_file { create unlink };
allow brave_t tmp_t:sock_file { create unlink };

# required for brave to be able to detect whether it's the default browser
# Runs the launcher script without a domain transition (execute_no_trans), so
# this invocation stays in brave_t instead of entering brave_script_t.
allow brave_t brave_script_exec_t:file { execute getattr read execute_no_trans ioctl open };

# homedir access
# NOTE(review): manage_* on user_home_t is the broadest rule in this module -
# it lets the browser create, modify and delete any generic home-directory
# content (everything not carrying a more specific label).  If the intent is
# downloads/profile access only, a dedicated home type (this module already
# provides brave_home_t and a brave_filetrans_home_content interface) would
# confine the write surface.
allow brave_t user_home_t:dir { manage_dir_perms };
allow brave_t user_home_t:file { manage_file_perms };
allow brave_t user_home_t:lnk_file { manage_lnk_file_perms };
allow brave_t audio_home_t:dir { manage_dir_perms };
allow brave_t audio_home_t:file { manage_file_perms };
allow brave_t audio_home_t:lnk_file { manage_lnk_file_perms };

# screenshare access
# connectto on stream sockets owned by unconfined_t processes (presumably the
# portal/media daemon side runs unconfined).
allow brave_t unconfined_t:unix_stream_socket { connectto rw_socket_perms };

# allow brave to interface with flatpaks (necessary for keepassxc extension, for example)
# data_home_t is not listed in the gen_require block above; it is brought in by
# the gnome_* interface calls below.  Execute (without transition) on data-home
# files is presumably what lets native-messaging hosts under the user's data
# directory be launched, running in brave_t.
allow brave_t data_home_t:file { execute execute_no_trans };

# allow brave to own its mpris daemon
# Lets brave_t acquire a well-known name on the (unconfined) session bus.
allow brave_t unconfined_dbusd_t:dbus acquire_svc;
# xwayland/nvidia
xserver_exec(brave_t)
dev_rw_xserver_misc(brave_t)
dev_map_xserver_misc(brave_t)
# Direct read/write/map of xserver_misc_device_t character devices on top of
# the dev_* interfaces above (per the section comment, this is the label the
# nvidia device nodes carry).
allow brave_t xserver_misc_device_t:chr_file { getattr ioctl map open read write };
xserver_stream_connect_xdm(brave_t)
xserver_stream_connect(brave_t)
# NOTE(review): user_tmpfs_t is passed here without appearing in the
# gen_require block; the template presumably requires it itself.
xserver_user_x_domain_template(brave, brave_t, user_tmpfs_t)
# Filesystem: read-only on /usr, /etc and /var/lib; full management of generic
# /tmp content.  files_rw_tmp_file_leaks covers tmp descriptors inherited
# (leaked) from the caller rather than opened by brave_t itself.
files_list_home(brave_t)
files_search_home(brave_t)
files_read_usr_files(brave_t)
files_read_etc_files(brave_t)
files_read_etc_runtime_files(brave_t)
files_watch_etc_dirs(brave_t)
files_getattr_all_dirs(brave_t)
files_watch_root_dirs(brave_t)
files_read_var_lib_files(brave_t)
files_rw_generic_tmp_dir(brave_t)
files_manage_generic_tmp_files(brave_t)
files_manage_generic_tmp_dirs(brave_t)
files_rw_generic_tmp_sockets(brave_t)
files_rw_tmp_file_leaks(brave_t)
files_map_generic_tmp_files(brave_t)

# Read-only kernel state (/proc system state, kernel and fs sysctls).
kernel_read_system_state(brave_t)
kernel_read_kernel_sysctls(brave_t)
kernel_read_fs_sysctls(brave_t)

# required to connect to wayland
unconfined_stream_connect(brave_t)
# D-Bus: client on both buses; chat with udisks/upower (devicekit_*) and
# hostnamed.
dbus_system_bus_client(brave_t)
dbus_session_bus_client(brave_t)

dbus_write_session_tmp_sock_files(brave_t)
devicekit_dbus_chat_disk(brave_t)
devicekit_dbus_chat_power(brave_t)
systemd_dbus_chat_hostnamed(brave_t)

# tmpfs (shared memory) management and mapping; cgroup directory search;
# association with proc.
fs_rw_inherited_tmpfs_files(brave_t)
fs_getattr_xattr_fs(brave_t)
fs_getattr_tmpfs(brave_t)
fs_manage_tmpfs_files(brave_t)
fs_map_tmpfs_files(brave_t)
fs_search_cgroup_dirs(brave_t)
fs_associate_proc(brave_t)

# System CA store (read/map), locale data and hwdata.
miscfiles_read_all_certs(brave_t)
miscfiles_map_generic_certs(brave_t)
miscfiles_read_localization(brave_t)
miscfiles_watch_localization_dirs(brave_t)
miscfiles_read_hwdata(brave_t)

# Audio (ALSA config, PulseAudio socket/tmpfs/home files) and printing (CUPS).
alsa_read_rw_config(brave_t)
pulseaudio_tmpfs_content(brave_t)
pulseaudio_stream_connect(brave_t)
pulseaudio_read_home_files(brave_t)
cups_read_config(brave_t)
cups_stream_connect(brave_t)

# Devices: sysfs read, DMA and DRI (GPU) read/write, generic USB devices
# read/write (presumably WebUSB; this is broad - every USB device node not
# given a more specific label), sound, and the random devices.
dev_read_sysfs(brave_t)
dev_rw_dma_dev(brave_t)
dev_rw_dri(brave_t)
dev_rw_generic_usb_dev(brave_t)
dev_read_sound(brave_t)
dev_write_sound(brave_t)
dev_read_urand(brave_t)
dev_read_rand(brave_t)

# Camera (v4l) access, gated by the brave_rwmap_video_dev boolean declared at
# the top of the module.
tunable_policy(`brave_rwmap_video_dev', `
dev_read_video_dev(brave_t)
dev_write_video_dev(brave_t)
dev_map_video_dev(brave_t)
')

udev_read_pid_files(brave_t)

# GNOME/XDG user directories: management of cache, config and data content
# under the home directory, plus D-Bus chat with gconf defaults and the
# keyring daemon.  NOTE(review): the gkeyringd chat is what lets the browser
# store and retrieve its own secrets, but it equally lets anything running in
# brave_t talk to the user's keyring - keep that in mind when weighing the
# other broad grants in this domain.
gnome_search_gconf_data_dir(brave_t)
gnome_manage_cache_home_dir(brave_t)
gnome_manage_generic_cache_files(brave_t)
gnome_manage_generic_cache_sockets(brave_t)
gnome_map_generic_cache_files(brave_t)
gnome_manage_home_config(brave_t)
gnome_exec_config_home_files(brave_t)
gnome_manage_home_config_dirs(brave_t)
gnome_manage_data(brave_t)
gnome_manage_generic_home_files(brave_t)
gnome_manage_generic_home_dirs(brave_t)
gnome_map_generic_data_home_files(brave_t)
gnome_manage_gstreamer_home_files(brave_t)
gnome_dbus_chat_gconfdefault(brave_t)
gnome_dbus_chat_gkeyringd(brave_t)

# User tmp/tmpfs content, terminals, home listing.  NOTE(review):
# userdom_manage_home_certs is write access (not just read) to the user's home
# certificate store; a browser updating its NSS database needs it, but it also
# means brave_t can alter the trust material that store holds - confirm the
# write side is required.
userdom_manage_user_tmp_sockets(brave_t)
userdom_manage_user_tmp_files(brave_t)
userdom_map_tmp_files(brave_t)
userdom_manage_tmpfs_files(brave_t)
userdom_read_inherited_user_tmp_files(brave_t)
userdom_manage_home_certs(brave_t)
userdom_use_user_terminals(brave_t)
userdom_list_user_home_dirs(brave_t)

# Logging: journal files and the syslog socket.
logging_write_journal_files(brave_t)
logging_write_syslog_pid_socket(brave_t)

auth_read_passwd_file(brave_t)

# needed to be able to xdg-open, which is bin_t
# Executes bin_t without a domain transition, so whatever xdg-open launches
# this way inherits brave_t.
corecmd_exec_bin(brave_t)

# Smart-card daemon socket and user fonts.
pcscd_stream_connect(brave_t)
xserver_use_user_fonts(brave_t)
xserver_map_user_fonts(brave_t)

# NOTE(review): systemd_dbus_chat_hostnamed(brave_t) is already called in the
# D-Bus group above; this second call is a harmless duplicate and can be
# dropped.
systemd_dbus_chat_hostnamed(brave_t)
systemd_resolved_watch_pid_dirs(brave_t)
init_search_pid_dirs(brave_t)
init_read_state(brave_t)

# Network: outbound to all unreserved TCP ports plus the generic/ftp/http/ipp
# ports; binds generic nodes and all unreserved UDP ports.  "all unreserved"
# is the broad end of what corenet offers, but arbitrary-port web content
# (WebRTC, non-standard HTTP ports) is what a browser is expected to reach.
corenet_tcp_connect_all_unreserved_ports(brave_t)
corenet_tcp_connect_generic_port(brave_t)
corenet_tcp_connect_ftp_port(brave_t)
corenet_tcp_connect_http_port(brave_t)
corenet_tcp_connect_ipp_port(brave_t)
corenet_tcp_bind_generic_node(brave_t)
corenet_udp_bind_generic_node(brave_t)
corenet_udp_bind_all_unreserved_ports(brave_t)
sysnet_read_config(brave_t)
sysnet_dns_name_resolve(brave_t)
networkmanager_dbus_chat(brave_t)

# getattr only on fixed-disk device nodes (no read/write).
storage_getattr_fixed_disk_dev(brave_t)
# Entry path for an unconfined user session.  Reading the interface names:
# unconfined_t runs the launcher (brave_script_run -> brave_script_t), the
# launcher runs the browser (brave_run -> brave_t), and home content created by
# unconfined_t gets this module's home label via brave_filetrans_home_content.
# The three interfaces are defined in the module's .if file (not shown here);
# confirm the description against it.
optional_policy(`
gen_require(`
type unconfined_t;
role unconfined_r;
')

brave_run(brave_script_t, unconfined_r)
brave_script_run(unconfined_t, unconfined_r)
brave_filetrans_home_content(unconfined_t)
')
# Launcher-script domain rules.  The mounton/mount/unmount/remount set on
# root_t, tmp_t, tmpfs_t, ld_so_cache_t, null_device_t, device_t, dosfs_t and
# fs_t, together with user_namespace create and cap_userns sys_admin, is
# consistent with the script assembling a mount-namespace sandbox before
# executing the browser (confirm against the launcher script itself).
# NOTE(review): combined with the corecmd_exec_shell/bin grants below this is
# a powerful domain for a launcher; the integrity of the script file
# (brave_script_exec_t in the .fc file) is what keeps it honest, so its
# location should be one only root can write.
# getattr on brave_t:dir is the /proc/<pid> directory of brave_t processes.
allow brave_script_t brave_t:dir { getattr };
allow brave_script_t self:dir { add_entry_dir_perms };
allow brave_script_t self:file { create };
allow brave_script_t self:user_namespace create;
allow brave_script_t self:cap_userns { sys_ptrace sys_admin setpcap };
allow brave_script_t self:process { ptrace setcap setsched };
allow brave_script_t user_home_t:dir { search };
# Profile/sandbox directories: full management, plus map on brave_home_t files.
allow brave_script_t chrome_sandbox_home_t:dir { manage_dir_perms };
allow brave_script_t chrome_sandbox_home_t:file { manage_file_perms };
allow brave_script_t chrome_sandbox_home_t:lnk_file read;
allow brave_script_t brave_home_t:dir { manage_dir_perms };
allow brave_script_t brave_home_t:file { manage_file_perms map };
allow brave_script_t brave_home_t:lnk_file { manage_lnk_file_perms };
allow brave_script_t nsfs_t:file getattr;
# Mount targets and filesystem operations used by the sandbox setup.
allow brave_script_t ld_so_cache_t:file mounton;
allow brave_script_t root_t:dir mounton;
allow brave_script_t tmp_t:dir mounton;
allow brave_script_t tmpfs_t:dir { mounton create };
allow brave_script_t tmpfs_t:filesystem { unmount mount };
allow brave_script_t device_t:filesystem remount;
allow brave_script_t dosfs_t:filesystem remount;
allow brave_script_t fs_t:filesystem { remount unmount };
allow brave_script_t null_device_t:chr_file mounton;
allow brave_script_t tmp_t:sock_file getattr;
# Permits the brave_script_t -> brave_t transition even when the script runs
# with no_new_privs set or from a nosuid mount; without this the kernel
# refuses the domain change in those cases.
allow brave_script_t brave_t:process2 { nosuid_transition nnp_transition };
# xwayland/nvidia
# Same direct device access as granted to brave_t above.
xserver_exec(brave_script_t)
dev_rw_xserver_misc(brave_script_t)
dev_map_xserver_misc(brave_script_t)
allow brave_script_t xserver_misc_device_t:chr_file { getattr ioctl map open read write };

# GNOME/XDG data, config and cache management under the home directory.
gnome_manage_data(brave_script_t)
gnome_manage_home_config(brave_script_t)
gnome_manage_home_config_dirs(brave_script_t)
gnome_manage_cache_home_dir(brave_script_t)
gnome_manage_generic_cache_files(brave_script_t)
gnome_manage_generic_cache_sockets(brave_script_t)
gnome_map_generic_cache_files(brave_script_t)
# Shell and bin_t execution without a domain transition - helpers the script
# spawns keep running as brave_script_t.
corecmd_exec_shell(brave_script_t)
corecmd_exec_bin(brave_script_t)
files_getattr_all_dirs(brave_script_t)
userdom_list_user_home_dirs(brave_script_t)
# Read-only /proc access.
kernel_list_proc(brave_script_t)
kernel_read_proc_files(brave_script_t)
kernel_getattr_proc_files(brave_script_t)
kernel_getattr_proc(brave_script_t)
# NOTE(review): seutil_manage_file_contexts gives the launcher write access to
# the file-contexts configuration files, and seutil_exec_setfiles lets it run
# setfiles.  Relabeling the profile directory would ordinarily need only read
# access to the contexts plus relabel permission on the target; write access
# to the contexts themselves is a policy-integrity-sensitive grant for a
# user-launched script, so confirm it is actually required.
seutil_exec_setfiles(brave_script_t)
seutil_manage_file_contexts(brave_script_t)
userdom_use_inherited_user_terminals(brave_script_t)