| type cros_cryptohome_namespace_mounter, chromeos_domain, domain; |
| |
| permissive cros_cryptohome_namespace_mounter; |
| |
| domain_auto_trans(cros_cryptohomed, cros_cryptohome_namespace_mounter_exec, cros_cryptohome_namespace_mounter); |
| domain_auto_trans(cros_cryptohome_namespace_mounter, cros_unconfined_exec, chromeos); |
| |
| allow domain cros_cryptohome_namespace_mounter:key search; |
| allow cros_cryptohome_namespace_mounter cros_cryptohomed:fd use; |
| |
| # Access rules for user cryptohome directories/files .shadow/, chronos/, root/, user/ |
| # TODO(betuls): Define a cryptohome domain and add these rules to there. |
| allow cros_cryptohome_namespace_mounter cros_cryptohomed:fifo_file rw_file_perms; |
| create_dir_file(cros_cryptohome_namespace_mounter, { |
| cros_downloads_file |
| cros_home |
| cros_home_chronos |
| cros_home_root |
| cros_home_shadow |
| cros_home_shadow_low_entropy_creds |
| cros_home_shadow_uid |
| cros_home_shadow_uid_root |
| cros_home_shadow_uid_user |
| cros_home_user |
| cros_run |
| cros_run_daemon_store |
| cros_run_dbus |
| }); |
| allow cros_cryptohome_namespace_mounter { |
| cros_downloads_file |
| cros_home_user |
| cros_home_chronos |
| cros_home_root |
| cros_home_shadow_uid |
| cros_home_shadow_uid_user |
| cros_run |
| cros_run_daemon_store }:dir mounton; |
| allow cros_cryptohome_namespace_mounter cros_home_shadow_uid:dir relabelto; |
| allow cros_cryptohome_namespace_mounter cros_home_shadow_uid_root:dir relabelfrom; |
| |
| # cryptohome_namespace_mounter creates and relabelto dirs/files in |
| # daemon-store directories. |
| cros_daemon_store_create(cros_cryptohome_namespace_mounter, authpolicyd); |
| cros_daemon_store_perms(cros_cryptohome_namespace_mounter, authpolicyd, relabelto); |
| cros_daemon_store_create(cros_cryptohome_namespace_mounter, cdm-oemcrypto); |
| cros_daemon_store_perms(cros_cryptohome_namespace_mounter, cdm-oemcrypto, relabelto); |
| cros_daemon_store_create(cros_cryptohome_namespace_mounter, chaps); |
| cros_daemon_store_perms(cros_cryptohome_namespace_mounter, chaps, relabelto); |
| cros_daemon_store_create(cros_cryptohome_namespace_mounter, crash); |
| cros_daemon_store_perms(cros_cryptohome_namespace_mounter, crash, relabelto); |
| cros_daemon_store_create(cros_cryptohome_namespace_mounter, crosvm); |
| cros_daemon_store_perms(cros_cryptohome_namespace_mounter, crosvm, relabelto); |
| cros_daemon_store_create(cros_cryptohome_namespace_mounter, debugd); |
| cros_daemon_store_perms(cros_cryptohome_namespace_mounter, debugd, relabelto); |
| cros_daemon_store_create(cros_cryptohome_namespace_mounter, kerberosd); |
| cros_daemon_store_perms(cros_cryptohome_namespace_mounter, kerberosd, relabelto); |
| cros_daemon_store_create(cros_cryptohome_namespace_mounter, pvm); |
| cros_daemon_store_perms(cros_cryptohome_namespace_mounter, pvm, relabelto); |
| cros_daemon_store_create(cros_cryptohome_namespace_mounter, pvm-dispatcher); |
| cros_daemon_store_perms(cros_cryptohome_namespace_mounter, pvm-dispatcher, relabelto); |
| cros_daemon_store_create(cros_cryptohome_namespace_mounter, session_manager); |
| cros_daemon_store_perms(cros_cryptohome_namespace_mounter, session_manager, relabelto); |
| cros_daemon_store_create(cros_cryptohome_namespace_mounter, shill); |
| cros_daemon_store_perms(cros_cryptohome_namespace_mounter, shill, relabelto); |
| cros_daemon_store_create(cros_cryptohome_namespace_mounter, smbfs); |
| cros_daemon_store_perms(cros_cryptohome_namespace_mounter, smbfs, relabelto); |
| cros_daemon_store_create(cros_cryptohome_namespace_mounter, smbproviderd); |
| cros_daemon_store_perms(cros_cryptohome_namespace_mounter, smbproviderd, relabelto); |
| cros_daemon_store_create(cros_cryptohome_namespace_mounter, usb_bouncer); |
| cros_daemon_store_perms(cros_cryptohome_namespace_mounter, usb_bouncer, relabelto); |
| |
| # Kernel and key related pemrissions. |
| allow cros_cryptohome_namespace_mounter cros_init:key link; |
| allow cros_cryptohome_namespace_mounter kernel:key { |
| link |
| search |
| }; |
| allow cros_cryptohome_namespace_mounter kernel:system module_request; |
| |
| # Permissions to create and bind-mount ephemeral cryptohome directory. |
| create_mounton_dir_file(cros_cryptohome_namespace_mounter, cros_run_cryptohome); |
| |
| allow cros_cryptohome_namespace_mounter device:blk_file rw_file_perms; |
| allowxperm cros_cryptohome_namespace_mounter device:blk_file ioctl { |
| LOOP_SET_FD |
| LOOP_CLR_FD |
| }; |
| allow cros_cryptohome_namespace_mounter tpm_device:chr_file r_file_perms; |
| |
| has_arc(` |
| allow cros_cryptohome_namespace_mounter media_rw_data_file:dir { |
| create_dir_perms |
| mounton |
| }; |
| ') |
| |
| allow cros_cryptohome_namespace_mounter proc_swaps:file r_file_perms; |
| allow cros_cryptohome_namespace_mounter { |
| rootfs |
| cgroup |
| }:dir r_dir_perms; |
| |
| r_dir_file(cros_cryptohome_namespace_mounter, sysfs_fs_ext4_features); |
| |
| # TODO(b/178237710) Label the directories and files with specific contexts. |
| r_dir_file(cros_cryptohome_namespace_mounter, unlabeled); |
| allow cros_cryptohome_namespace_mounter unlabeled:dir { |
| mounton |
| relabelfrom |
| }; |
| |
| # TODO(b/178237004) Label the processes with specific contexts. |
| allow cros_cryptohome_namespace_mounter cros_unconfined_exec:file x_file_perms; |
| |
| # Cryptohome_namespace_mounter needs to enter user session mount namespace at /run/namespaces/mnt_chrome |
| allow cros_cryptohome_namespace_mounter cros_run_namespaces:dir search; |
| allow cros_cryptohome_namespace_mounter cros_run_namespaces_mnt_chrome:file { |
| r_file_perms |
| mounton |
| }; |
| |
| # cryptohome_namespace_mounter capabilities |
| allow cros_cryptohome_namespace_mounter self:capability { |
| chown |
| fowner |
| fsetid |
| sys_admin |
| sys_chroot |
| }; |
| allow cros_cryptohome_namespace_mounter self:key { |
| search |
| write |
| }; |
| |
| # Chrome OS with ARCVM doesn't undergo CTS tests. Thus remove the |
| # arc_cts_fails_release macro for ARCVM devices so that |
| # cros_cryptohome_namespace_mounter is not converted into a permissive domain |
| # after being flipped to enforcing. |
| is_arc_vm(` |
| allow cros_cryptohome_namespace_mounter self:capability { |
| dac_override |
| dac_read_search |
| }; |
| # TODO(b/178237710) Label with specific contexts. |
| allow cros_cryptohome_namespace_mounter unlabeled:filesystem { |
| mount |
| remount |
| unmount |
| }; |
| allow cros_cryptohome_namespace_mounter labeledfs:filesystem { |
| mount |
| remount |
| unmount |
| }; |
| allow cros_cryptohome_namespace_mounter device:chr_file r_file_perms; |
| create_dir_file(cros_cryptohome_namespace_mounter, unlabeled); |
| ',` |
| arc_cts_fails_release(` |
| allow cros_cryptohome_namespace_mounter self:capability { |
| dac_override |
| dac_read_search |
| }; |
| allow cros_cryptohome_namespace_mounter unlabeled:filesystem { |
| mount |
| remount |
| unmount |
| }; |
| allow cros_cryptohome_namespace_mounter labeledfs:filesystem { |
| mount |
| remount |
| unmount |
| }; |
| allow cros_cryptohome_namespace_mounter device:chr_file r_file_perms; |
| create_dir_file(cros_cryptohome_namespace_mounter, unlabeled); |
| ', (cros_cryptohome_namespace_mounter)); |
| ') |
| |
| allow kernel cros_cryptohome_namespace_mounter:fd use; |
| |
| allow cros_cryptohomed cros_var_lib:file create_file_perms; |
| |
| log_writer(cros_cryptohome_namespace_mounter); |
| uma_writer(cros_cryptohome_namespace_mounter); |
| |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home, cros_home_shadow, dir, ".shadow"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow, cros_home_shadow_low_entropy_creds, dir, "low_entropy_creds"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow, cros_home_shadow_uid, dir); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid, cros_home_shadow_uid_root, dir, "root"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid, cros_home_shadow_uid_user, dir, "user"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_user, cros_downloads_file, dir, "Downloads"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_user, cros_downloads_file, dir, "MyFiles"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_authpolicyd, dir, "authpolicyd"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_cdm-oemcrypto, dir, "cdm-oemcrypto"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_chaps, dir, "chaps"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_crash, dir, "crash"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_crosvm, dir, "crosvm"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_debugd, dir, "debugd"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_kerberosd, dir, "kerberosd"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_pvm, dir, "pvm"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_pvm-dispatcher, dir, "pvm-dispatcher"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_smbfs, dir, "smbfs"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_smbproviderd, dir, "smbproviderd"); |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_usb_bouncer, dir, "usb_bouncer"); |
| |
| # Ephemeral mount should be considered home directory as well. |
| # Note that this transition is currently ineffective as the ephemeral mount is a new filesystem. |
| # Setting the new ephemeral mount to cros_home_shadow_uid is done by cryptohome at the moment. |
| filetrans_pattern(cros_cryptohome_namespace_mounter, cros_ephemeral_mount, cros_home_shadow_uid, dir); |