commit: e2d6b5b1a6c86a1f55eccb417d99ac34324ae740 Author: Jason Zaman <jason <AT> perfinion <DOT> com> AuthorDate: Tue Mar 24 15:53:44 2015 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Tue Mar 24 15:53:44 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e2d6b5b1
introduce chromium_rw_usb_dev allows chromium to use USB devices for android debugging or to use a FIDO U2F token. policy/modules/contrib/chromium.te | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index e5aa5aa..b2c9ccc 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -41,6 +41,17 @@ gen_tunable(chromium_read_system_info, false)
 ## </desc>
 gen_tunable(chromium_bind_tcp_unreserved_ports, false)
+## <desc>
+## <p>
+## Allow chromium to read/write USB devices
+## </p>
+## <p>
+## Although not needed for regular browsing, used for debugging over usb
+## or using FIDO U2F tokens.
+## </p>
+## </desc>
+gen_tunable(chromium_rw_usb_dev, false)
+
 type chromium_t;
 domain_dyntrans_type(chromium_t)
@@ -181,6 +192,10 @@ tunable_policy(`chromium_bind_tcp_unreserved_ports',`
 allow chromium_t self:tcp_socket { listen accept };
 ')
+tunable_policy(`chromium_rw_usb_dev',`
+ dev_rw_generic_usb_dev(chromium_t)
+')
+
 tunable_policy(`chromium_read_system_info',`
 kernel_read_kernel_sysctls(chromium_t)
 # Memory optimizations & optimizations based on OS/version
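Review bot: The grant in the second hunk, `dev_rw_generic_usb_dev(chromium_t)`, looks considerably wider than the two use cases the description names. Judging by the interface name, it covers every device node carrying the generic USB device label, so with the boolean on the browser domain can read and write any such device, not only an attached Android handset or a U2F token. The `<desc>` added in the first hunk should say this, so an administrator enabling it understands the exposure, for example `## Enabling this gives chromium read/write access to all generic USB device nodes.` Keeping the default at `false` is the right call; only chromium_t is visible here, so whether any other chromium domains are affected cannot be told from these hunks.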