commit: e272f69ec718dcd0f6e0df8ade02e722df918440 Author: Jason Zaman <jason <AT> perfinion <DOT> com> AuthorDate: Sat Jul 5 16:19:08 2014 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Sun Jul 6 09:48:19 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e272f69e
Create chromium_bind_tcp_unreserved_ports boolean

Some extensions for chromium need to be able to listen on tcp ports. This adds a boolean (default off) to allow binding to unreserved tcp ports.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
---
 policy/modules/contrib/chromium.te | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index b460904..878d8c9 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -30,6 +30,17 @@ gen_tunable(chromium_use_java, false)
 ## </desc>
 gen_tunable(chromium_read_system_info, false)
 
+## <desc>
+## <p>
+## Allow chromium to bind to tcp ports
+## </p>
+## <p>
+## Although not needed for regular browsing, some chrome extensions need to
+## bind to tcp ports and accept connections.
+## </p>
+## </desc>
+gen_tunable(chromium_bind_tcp_unreserved_ports, false)
+
 type chromium_t;
 domain_dyntrans_type(chromium_t)
 
@@ -163,6 +174,12 @@ xdg_read_data_home_files(chromium_t)
 xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
 
+tunable_policy(`chromium_bind_tcp_unreserved_ports',`
+	corenet_tcp_bind_generic_node(chromium_t)
+	corenet_tcp_bind_all_unreserved_ports(chromium_t)
+	allow chromium_t self:tcp_socket { listen accept };
+')
+
 tunable_policy(`chromium_read_system_info',`
 	kernel_read_kernel_sysctls(chromium_t)
 	# Memory optimizations & optimizations based on OS/version
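Review bot: The tunable description in the first hunk reads `## Allow chromium to bind to tcp ports`, which is broader than both the boolean's name and what the matching tunable_policy block grants (binding to unreserved ports only, plus listen/accept on its own tcp sockets); an administrator reading the booleans list would not see that reserved ports remain off-limits. Suggest `## Allow chromium to bind to unreserved tcp ports` for the first paragraph and `## bind to unreserved tcp ports and accept connections.` in the second, so the description matches the name and the policy it toggles. It would also help to state in the description that enabling this lets the browser domain act as a network listener, since that is the risk the boolean trades against. The second hunk's tunable_policy block continues past the end of the visible diff.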