Date: Mon, 22 Jan 2007 19:48:41 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 113381 for review Message-ID: <200701221948.l0MJmfGt081540@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=113381

Change 113381 by millert@millert_macbook on 2007/01/22 19:48:33

Handle set_special_port in a generic manner.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#10 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/mach.te#2 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#7 (text+ko) ====

@@ -67,7 +67,6 @@
 allow DirectoryService_t sbin_t:dir { getattr search read };
 allow DirectoryService_t port_t:tcp_socket name_connect;
 allow DirectoryService_t self:fifo_file { getattr ioctl };
-allow DirectoryService_t self:mach_task set_special_port;
 allow DirectoryService_t self:process signal;
 allow DirectoryService_t self:socket create;
 allow DirectoryService_t bin_t:dir search;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#9 (text+ko) ====
@@ -89,7 +89,6 @@
 allow WindowServer_t nfs_t:lnk_file read;
 allow WindowServer_t nfs_t:dir search;
 allow WindowServer_t mnt_t:dir search;
-allow WindowServer_t self:mach_task set_special_port;
 allow WindowServer_t self:process { setsched signal };
 allow WindowServer_t self:shm { create getattr read setattr write };
 allow WindowServer_t bin_t:dir search;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#10 (text+ko) ====

@@ -63,7 +63,6 @@
 allow configd_t bin_t:file { execute_no_trans getattr read };
 allow configd_t self:fd use;
 allow configd_t self:fifo_file getattr;
-allow configd_t self:mach_task set_special_port;
 allow configd_t self:process { setsched signal };
 allow configd_t self:rawip_socket create;
 allow configd_t self:socket { bind create listen read write };

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#3 (text+ko) ====

@@ -27,7 +27,6 @@
 # Talk to self
 mach_allow_message(coreservicesd_t, coreservicesd_t)
-allow coreservicesd_t self:mach_task set_special_port;
 allow coreservicesd_t self:process signal;
 allow coreservicesd_t self:shm { create read setattr write };
 allow coreservicesd_t self:udp_socket create;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#9 (text+ko) ====

@@ -48,8 +48,6 @@
 allow diskarbitrationd_t self:udp_socket create;
 allow diskarbitrationd_t self:unix_dgram_socket create;
 allow diskarbitrationd_t sbin_t:dir search;
-allow diskarbitrationd_t self:mach_task set_special_port;
-
 # Allow disk/device/fs operations
 allow diskarbitrationd_t device_t:chr_file { ioctl read };

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#6 (text+ko) ====
@@ -39,7 +39,6 @@
 # Talk to self
 mach_allow_message(kextd_t, kextd_t)
-allow kextd_t self:mach_task set_special_port;
 allow kextd_t self:process signal;
 allow kextd_t self:udp_socket create;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#7 (text+ko) ====

@@ -31,7 +31,6 @@
 allow loginwindow_t console_device_t:chr_file { read setattr write };
 allow loginwindow_t lib_t:file execute_no_trans;
 allow loginwindow_t self:fd use;
-allow loginwindow_t self:mach_task set_special_port;
 allow loginwindow_t self:process { taskforpid signal }; # XXX
 allow loginwindow_t self:shm { create read setattr write };
 allow loginwindow_t self:socket { connect write };

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#5 (text+ko) ====

@@ -42,7 +42,6 @@
 allow lookupd_t self:udp_socket create;
 allow lookupd_t self:tcp_socket create;
 allow lookupd_t self:unix_dgram_socket create;
-allow lookupd_t self:mach_task set_special_port;
 # Misc

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#6 (text+ko) ====

@@ -29,7 +29,6 @@
 allow securityd_t self:unix_stream_socket create_stream_socket_perms;
 # Talk to self
-allow securityd_t self:mach_task set_special_port;
 allow securityd_t self:process signal;
 allow securityd_t self:socket { connect write };
 allow securityd_t self:udp_socket create;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/mach.te#2 (text+ko) ====

@@ -10,4 +10,4 @@
 class mach_port app_mach_port_perms;
 ')
-
+allow domain self:mach_task set_special_port;
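Review bot: The added `allow domain self:mach_task set_special_port;` in the mach.te hunk grants the permission to every type carrying the `domain` attribute, whereas the rules removed in the other hunks named nine specific daemons, so any domain that previously lacked this rule gains it silently; a short comment above the rule would make that intent auditable, e.g. `# Every domain may set the special ports of its own task (replaces the per-domain rules).`. Because the object is `self`, a domain can only alter its own task's special ports, which bounds the exposure, but if some domains were meant to stay without it a narrower attribute than `domain` would keep the earlier least-privilege split. The `')` on the line above appears to close an m4 definition, so the new rule seems to sit at file scope rather than inside that macro; the rest of mach.te is outside the hunk.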