commit:     e2d6b5b1a6c86a1f55eccb417d99ac34324ae740
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Mar 24 15:53:44 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Mar 24 15:53:44 2015 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e2d6b5b1

introduce chromium_rw_usb_dev

allows chromium to use USB devices for android debugging or to use
a FIDO U2F token.

 policy/modules/contrib/chromium.te | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/policy/modules/contrib/chromium.te 
b/policy/modules/contrib/chromium.te
index e5aa5aa..b2c9ccc 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -41,6 +41,17 @@ gen_tunable(chromium_read_system_info, false)
 ## </desc>
 gen_tunable(chromium_bind_tcp_unreserved_ports, false)
 
+## <desc>
+## <p>
+## Allow chromium to read/write USB devices
+## </p>
+## <p>
+## Although not needed for regular browsing, used for debugging over usb
+## or using FIDO U2F tokens.
+## </p>
+## </desc>
+gen_tunable(chromium_rw_usb_dev, false)
+
 type chromium_t;
 domain_dyntrans_type(chromium_t)
 
@@ -181,6 +192,10 @@ tunable_policy(`chromium_bind_tcp_unreserved_ports',`
        allow chromium_t self:tcp_socket { listen accept };
 ')
 
+tunable_policy(`chromium_rw_usb_dev',`
+       dev_rw_generic_usb_dev(chromium_t)
+')
+
 tunable_policy(`chromium_read_system_info',`
        kernel_read_kernel_sysctls(chromium_t)
        # Memory optimizations & optimizations based on OS/version
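Review bot: The added chromium_rw_usb_dev block calls `dev_rw_generic_usb_dev(chromium_t)`, which by its name applies to the generic USB device type rather than to one debug bridge or token. Enabling the boolean therefore presumably gives the browser domain read/write access to every device node carrying that label. The `<desc>` text in the first hunk only says "read/write USB devices", so it should state the scope for an administrator weighing the boolean, for example `## This covers all generic USB device nodes, not only the debugging or U2F device.` A one-line comment above the interface call saying the same would match the commented style of the neighbouring chromium_read_system_info block, whose body continues outside this hunk.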
