| type cros_cryptohomed, chromeos_domain, domain; |
| |
| permissive cros_cryptohomed; |
| |
| domain_auto_trans(cros_init_scripts, cros_cryptohomed_exec, cros_cryptohomed); |
| domain_auto_trans(cros_cryptohomed, cros_unconfined_exec, chromeos); |
| |
| allow domain cros_cryptohomed:key search; |
| |
| allow cros_cryptohomed cros_coreutils_exec:file x_file_perms; |
| allow cros_cryptohomed cros_cryptohome_namespace_mounter:process signal; |
| |
| # Access rules for user cryptohome directories/files .shadow/, chronos/, root/, user/ |
| # TODO(betuls): Reevaluate after OOP flags are removed from the cryptohome code. |
| allow cros_cryptohomed cros_cryptohomed:fifo_file w_file_perms; |
| |
| allow cros_cryptohomed { |
| cros_downloads_file |
| cros_home_chronos |
| cros_home_root |
| cros_home_user |
| cros_home_shadow_uid_user |
| }:dir mounton; |
| |
| allow cros_cryptohomed cros_home_shadow_uid_root:dir relabelfrom; |
| create_dir_file(cros_cryptohomed, { |
| cros_downloads_file |
| cros_home |
| cros_home_chronos |
| cros_home_root |
| cros_home_shadow |
| cros_home_shadow_low_entropy_creds |
| cros_home_shadow_uid |
| cros_home_shadow_uid_root |
| cros_home_shadow_uid_user |
| cros_home_user |
| cros_run |
| cros_run_daemon_store |
| cros_run_dbus |
| cros_run_arcvm |
| testharness_file |
| system_data_root_file |
| }); |
| create_relabelto_dir_file(cros_cryptohomed, cros_home_shadow_uid); |
| |
| allow cros_cryptohomed { |
| cros_stateful_partition |
| cros_run_daemon_store |
| cros_var_db |
| unlabeled |
| }:dir r_dir_perms; |
| |
| # ioctl is restricted for Chrome OS domains, see chrome_os.te. Give required |
| # permissions to cros_cryptohomed. |
| allowxperm cros_cryptohomed { |
| cros_home_shadow |
| cros_home_shadow_uid |
| cros_home_shadow_uid_user |
| cros_stateful_partition |
| unlabeled |
| }:dir ioctl cryptohome_fscrypt_ioctls; |
| |
| # cryptohomed creates and relabelto dirs/files in |
| # daemon-store directories. |
| cros_daemon_store_create(cros_cryptohomed, authpolicyd); |
| cros_daemon_store_perms(cros_cryptohomed, authpolicyd, relabelto); |
| cros_daemon_store_create(cros_cryptohomed, cdm-oemcrypto); |
| cros_daemon_store_perms(cros_cryptohomed, cdm-oemcrypto, relabelto); |
| cros_daemon_store_create(cros_cryptohomed, chaps); |
| cros_daemon_store_perms(cros_cryptohomed, chaps, relabelto); |
| cros_daemon_store_create(cros_cryptohomed, crash); |
| cros_daemon_store_perms(cros_cryptohomed, crash, relabelto); |
| cros_daemon_store_create(cros_cryptohomed, crosvm); |
| cros_daemon_store_perms(cros_cryptohomed, crosvm, relabelto); |
| cros_daemon_store_create(cros_cryptohomed, debugd); |
| cros_daemon_store_perms(cros_cryptohomed, debugd, relabelto); |
| cros_daemon_store_create(cros_cryptohomed, kerberosd); |
| cros_daemon_store_perms(cros_cryptohomed, kerberosd, relabelto); |
| cros_daemon_store_create(cros_cryptohomed, pvm); |
| cros_daemon_store_perms(cros_cryptohomed, pvm, relabelto); |
| cros_daemon_store_create(cros_cryptohomed, pvm-dispatcher); |
| cros_daemon_store_perms(cros_cryptohomed, pvm-dispatcher, relabelto); |
| cros_daemon_store_create(cros_cryptohomed, session_manager); |
| cros_daemon_store_perms(cros_cryptohomed, session_manager, relabelto); |
| cros_daemon_store_create(cros_cryptohomed, shill); |
| cros_daemon_store_perms(cros_cryptohomed, shill, relabelto); |
| cros_daemon_store_create(cros_cryptohomed, smbfs); |
| cros_daemon_store_perms(cros_cryptohomed, smbfs, relabelto); |
| cros_daemon_store_create(cros_cryptohomed, smbproviderd); |
| cros_daemon_store_perms(cros_cryptohomed, smbproviderd, relabelto); |
| cros_daemon_store_create(cros_cryptohomed, usb_bouncer); |
| cros_daemon_store_perms(cros_cryptohomed, usb_bouncer, relabelto); |
| |
| |
| allow cros_cryptohomed chromeos_startup_tmp_file:file mounton; |
| allow cros_cryptohomed cros_init_scripts:fd use; |
| allow cros_cryptohomed cros_init:key { |
| link |
| write |
| }; |
| allow cros_cryptohomed kernel:key { |
| link |
| search |
| write |
| }; |
| allow cros_cryptohomed kernel:system module_request; |
| allow cros_cryptohomed cros_passwd_file:file r_file_perms; |
| |
| allow cros_cryptohomed { |
| cros_init |
| cros_dbus_daemon |
| }:unix_stream_socket connectto; |
| |
| allow cros_cryptohomed { |
| cros_run |
| cros_run_cryptohome |
| proc_drop_caches |
| }:file create_file_perms; |
| allow cros_cryptohomed cros_system_bus_socket:sock_file write; |
| |
| create_dir_file( cros_cryptohomed cros_var_lib_whitelist ); |
| |
| has_arc(` |
| create_dir_file(cros_cryptohomed media_rw_data_file); |
| allowxperm cros_cryptohomed media_rw_data_file:{ file dir } ioctl { |
| FS_IOC_FSGETXATTR |
| FS_IOC_FSSETXATTR |
| }; |
| ') |
| |
| r_dir_file(cros_cryptohomed { |
| sysfs_dm |
| sysfs_loop |
| sysfs_zram |
| rootfs |
| }); |
| allow cros_cryptohomed tmpfs:file create_file_perms; |
| r_dir_file( cros_cryptohomed sysfs ); |
| |
| # cryptohomed capabilities |
| allow cros_cryptohomed self:capability { |
| chown |
| fowner |
| ipc_lock |
| sys_admin |
| }; |
| allow cros_cryptohomed self:key { |
| setattr |
| write |
| }; |
| |
| allow cros_cryptohomed { |
| cros_stateful_partition |
| cgroup |
| }:dir r_dir_perms; |
| |
| # TODO(b/178237710) Label the directories and files with specific contexts. |
| allow cros_cryptohomed cros_run_namespaces:dir search; |
| allow cros_cryptohomed labeledfs:filesystem { |
| quotaget |
| unmount |
| }; |
| |
| # TODO(b/178237004) Label the processes with specific contexts. |
| allow cros_cryptohomed cros_unconfined_exec:file x_file_perms; |
| |
| # Chrome OS with ARCVM doesn't undergo CTS tests. Thus remove the |
| # arc_cts_fails_release macro for ARCVM devices so that cros_cryptohomed is not |
| # converted into a permissive domain after being flipped to enforcing. |
| is_arc_vm(` |
| allow cros_cryptohomed self:capability { |
| dac_override |
| dac_read_search |
| }; |
| allow cros_cryptohomed unlabeled:filesystem { |
| mount |
| remount |
| unmount |
| }; |
| ',` |
| arc_cts_fails_release(` |
| allow cros_cryptohomed self:capability { |
| dac_override |
| dac_read_search |
| }; |
| allow cros_cryptohomed unlabeled:filesystem { |
| mount |
| remount |
| unmount |
| }; |
| ', (`cros_cryptohomed')); |
| ') |
| |
| log_writer(cros_cryptohomed); |
| uma_writer(cros_cryptohomed); |
| allow cros_cryptohomed debugfs:dir r_dir_perms; |
| |
| filetrans_pattern(cros_cryptohomed, cros_home, cros_home_shadow, dir, ".shadow"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow, cros_home_shadow_low_entropy_creds, dir, "low_entropy_creds"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow, cros_home_shadow_uid, dir); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid, cros_home_shadow_uid_root, dir, "root"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid, cros_home_shadow_uid_user, dir, "user"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_user, cros_downloads_file, dir, "Downloads"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_user, cros_downloads_file, dir, "MyFiles"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_authpolicyd, dir, "authpolicyd"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_cdm-oemcrypto, dir, "cdm-oemcrypto"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_chaps, dir, "chaps"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_crash, dir, "crash"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_crosvm, dir, "crosvm"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_debugd, dir, "debugd"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_kerberosd, dir, "kerberosd"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_pvm, dir, "pvm"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_pvm-dispatcher, dir, "pvm-dispatcher"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_smbfs, dir, "smbfs"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_smbproviderd, dir, "smbproviderd"); |
| filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_usb_bouncer, dir, "usb_bouncer"); |
| |
| # Ephemeral mount should have the same treatment as normal mount. |
| filetrans_pattern({cros_init_scripts cros_cryptohomed}, cros_run, cros_run_cryptohome, dir, "cryptohome"); |
| filetrans_pattern({cros_init_scripts cros_cryptohomed}, cros_run_cryptohome, cros_ephemeral_mount, dir, "ephemeral_mount"); |
| |
| # Note that this transition is currently ineffective as the ephemeral mount is a new filesystem. |
| # Setting the new ephemeral mount to cros_home_shadow_uid is done by cryptohome at the moment. |
| filetrans_pattern({cros_init_scripts cros_cryptohomed}, cros_ephemeral_mount, cros_home_shadow_uid, dir); |
| |
| dev_only( |
| auditallow domain cros_home_shadow_uid_root:dir create; |
| auditallow domain cros_home_shadow_uid_user:dir create; |
| ) |