Date: Thu, 16 Nov 2006 19:17:40 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 110124 for review Message-ID: <200611161917.kAGJHeo0066795@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=110124 Change 110124 by millert@millert_macbook on 2006/11/16 19:17:24 Update policy Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/KernelEventAgent.te#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#7 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/frameworks.if#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mDNSResponder.te#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/memberd.te#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.fc#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.if#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.fc#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.te#2 edit .. 
//depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/libraries.fc#4 edit Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#6 (text+ko) ====
@@ -51,6 +51,7 @@
 # support files
 allow DirectoryService_t DirectoryService_resource_t:file { execute getattr read setattr write };
 allow DirectoryService_t DirectoryService_resource_t:dir { getattr read search };
+allow DirectoryService_t DirectoryService_resource_t:lnk_file { getattr read };
 # file descriptors and sockets
 allow DirectoryService_t self:fd use;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/KernelEventAgent.te#4 (text+ko) ====
@@ -33,3 +33,10 @@
 # Talk to launchd
 init_allow_ipc(KernelEventAgent_t)
+init_allow_bootstrap(KernelEventAgent_t)
+
+# Talk to kernel
+kernel_allow_ipc(KernelEventAgent_t)
+
+# Talk to securityd
+securityd_allow_ipc(KernelEventAgent_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#3 (text+ko) ====
@@ -5,4 +5,4 @@
 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/WindowServer -- gen_context(system_u:object_r:WindowServer_exec_t,s0)
-/System/Library/Displays/Overrides -- gen_context(system_u:object_r:WindowServer_resource_t)
+/System/Library/Displays/.* -- gen_context(system_u:object_r:WindowServer_resource_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#6 (text+ko) ====
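Review bot: In WindowServer.fc the widened entry `/System/Library/Displays/.*` keeps the `--` specifier, so it labels regular files only; the Displays directory, its subdirectories and any symlinks below it keep whatever type they had, which may not be what replacing `Overrides` with a wildcard intended. The entry also still omits the level argument that the WindowServer_exec_t line above it passes. I would write `gen_context(system_u:object_r:WindowServer_resource_t,s0)` for consistency and either drop `--` or add a separate `-d` entry if directories are meant to be covered.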
@@ -114,3 +114,5 @@
 # Read modules
 allow WindowServer_t modules_dep_t:dir search;
+# Read general resource files
+darwin_allow_resource_read(WindowServer_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#7 (text+ko) ====
@@ -145,7 +145,7 @@
 WindowServer_allow_shm(configd_t)
 # Read prefs, etc
-darwin_allow_global_pref_read(configd_t)
+darwin_allow_global_pref_rw(configd_t)
 darwin_allow_host_pref_read(configd_t)
 darwin_allow_system_read(configd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#6 (text+ko) ====
@@ -35,12 +35,20 @@
 allow diskarbitrationd_t diskarbitrationd_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(diskarbitrationd_t,diskarbitrationd_var_run_t, { file sock_file })
+# Apparently diskarbitrationd transitions to fsadm_t at some point...
+init_allow_ipc(fsadm_t)
+kernel_allow_ipc(fsadm_t)
+mach_allow_message(fsadm_t, fsadm_t)
+allow fsadm_t device_t:chr_file { getattr ioctl read write };
+
 # Misc
 allow diskarbitrationd_t self:process signal;
 allow diskarbitrationd_t self:socket { connect write };
 allow diskarbitrationd_t self:udp_socket create;
 allow diskarbitrationd_t self:unix_dgram_socket create;
+allow diskarbitrationd_t sbin_t:dir search;
+
 # Allow various file operations
 allow diskarbitrationd_t nfs_t:dir getattr;
 allow diskarbitrationd_t nfs_t:filesystem mount;
@@ -96,6 +104,13 @@
 # Allow access to frameworks
 frameworks_read(diskarbitrationd_t)
-
 # Read /private/var
 files_read_var_files(diskarbitrationd_t)
+
+# Allow reading of /private
+darwin_allow_private_read(diskarbitrationd_t)
+
+# Read fstools files
+fstools_read_files(diskarbitrationd_t)
+
+
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/frameworks.if#2 (text+ko) ====
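Review bot: In configd.te, `darwin_allow_global_pref_rw(configd_t)` gives configd write access to every object typed `darwin_global_pref_t`, not only the SystemConfiguration preferences it presumably needs to update. Per darwin.fc in this same change, that type also covers `/Library/Preferences/.GlobalPreferences.plist`, `/private/var/db/.AppleSetupDone` and the `/Library/Preferences` directory itself. A narrower grant would give the `SystemConfiguration.*` entries a type of their own and allow writes only on that type. At minimum the comment above the call should change from `# Read prefs, etc` to something like `# Read prefs; write global prefs` so the wider grant is visible to the next auditor.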
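Review bot: The `fsadm_t` rules added to diskarbitrationd.te under the "Apparently diskarbitrationd transitions to fsadm_t" comment grant permissions to a domain this module does not own, and `allow fsadm_t device_t:chr_file { getattr ioctl read write };` lets that domain read and write any character device that still carries the generic `device_t` label. These rules would be easier to audit in the module that declares `fsadm_t`, with the specific device nodes given their own type and the access granted on that type instead. No transition rule is visible in this hunk, so the comment should name where the transition happens once that is confirmed instead of saying "apparently".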
@@ -16,7 +16,7 @@
 allow $1 framework_t:file read_file_perms;
 allow $1 framework_t:dir r_dir_perms;
 allow $1 framework_t:dir search_dir_perms;
- allow configd_t framework_t:lnk_file { getattr read };
+ allow $1 framework_t:lnk_file { getattr read };
 ')
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#4 (text+ko) ====
@@ -74,3 +74,19 @@
 # Talk to configd
 configd_allow_ipc(loginwindow_t)
 configd_allow_shm(loginwindow_t)
+
+# Use CoreServices
+darwin_allow_CoreServices_read(loginwindow_t)
+
+# Read prefs
+darwin_allow_global_pref_read(loginwindow_t)
+darwin_allow_host_pref_read(loginwindow_t)
+
+# Read /private
+darwin_allow_private_read(loginwindow_t)
+
+# Read /System
+darwin_allow_system_read(loginwindow_t)
+
+# Use frameworks
+frameworks_read(loginwindow_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#3 (text+ko) ====
@@ -88,4 +88,15 @@
 # Talk to loginwindow
 loginwindow_allow_ipc(lookupd_t)
+# Use CoreServices
+darwin_allow_CoreServices_read(lookupd_t)
+
+# Read /private
+darwin_allow_private_read(lookupd_t)
+
+# Read /System
+darwin_allow_system_read(lookupd_t)
+
+# Use frameworks
+frameworks_read(lookupd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mDNSResponder.te#3 (text+ko) ====
@@ -44,6 +44,8 @@
 allow mDNSResponder_t self:fd use;
 allow mDNSResponder_t self:socket { accept bind create read write };
 allow mDNSResponder_t self:udp_socket create;
+allow mDNSResponder_t self:tcp_socket create;
+allow mDNSResponder_t self:unix_dgram_socket create;
 # Misc
 allow mDNSResponder_t mnt_t:dir search;
@@ -61,3 +63,17 @@
 # Allow mDNSResponder to talk to configd
 configd_allow_ipc(mDNSResponder_t)
+
+# Aloow mDNSResponder to talk to lookupd
+lookupd_allow_ipc(mDNSResponder_t)
+
+# Use CoreServices
+darwin_allow_CoreServices_read(mDNSResponder_t)
+
+# Read prefs
+darwin_allow_global_pref_read(mDNSResponder_t)
+darwin_allow_host_pref_read(mDNSResponder_t)
+
+# Read /private
+darwin_allow_private_read(mDNSResponder_t)
+
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/memberd.te#3 (text+ko) ====
@@ -38,7 +38,14 @@
 # Talk to launchd
 init_allow_ipc(memberd_t)
 init_allow_shm(memberd_t)
+init_allow_bootstrap(memberd_t)
+# Talk tro self
+allow memberd_t self:mach_port make_send_once;
+
+# Talk to kernel
+kernel_allow_ipc(memberd_t)
+
 # Talk to loginwindow
 loginwindow_allow_ipc(memberd_t)
@@ -47,3 +54,5 @@
 # Talk to WindowServer
 WindowServer_allow_ipc(memberd_t)
+
+
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.fc#5 (text+ko) ====
@@ -13,6 +13,7 @@
 #
 # /etc
 #
+/etc gen_context(system_u:object_r:etc_t,s0)
 /private/etc -d gen_context(system_u:object_r:etc_t,s0)
 /private/etc/.* gen_context(system_u:object_r:etc_t,s0)
 /private/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
@@ -74,7 +75,8 @@
 #
 # /private/var
-#
+#h
+/var gen_context(system_u:object_r:var_t,s0)
 /private/var -d gen_context(system_u:object_r:var_t,s0)
 /private/var/.* gen_context(system_u:object_r:var_t,s0)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.if#4 (text+ko) ====
@@ -3614,6 +3614,7 @@
 allow $1 var_t:dir search_dir_perms;
 allow $1 var_t:file r_file_perms;
+ allow $1 var_t:lnk_file { read };
 ')
 ########################################
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.fc#2 (text+ko) ====
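Review bot: Three of the added comment lines carry typos: `# Aloow mDNSResponder to talk to lookupd` in this mDNSResponder.te hunk, `# Talk tro self` in memberd.te, and the `#h` that replaces a bare `#` in the second files.fc hunk. They should read `# Allow mDNSResponder to talk to lookupd`, `# Talk to self` and `#`. The `#h` looks like a stray keystroke and leaves the `/private/var` banner inconsistent with the other section headers in that file.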
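Review bot: The new `/etc` and `/var` entries in files.fc carry no file-type specifier, so they label whatever kind of object sits at that path, while the neighbouring entries state `-d` or `-l` explicitly. If these two paths are the symlinks into `/private` (an assumption, the hunks do not show it), `-l` would document that, e.g. `/etc -l gen_context(system_u:object_r:etc_t,s0)`. files.if in this change adds `lnk_file` read on `var_t`, but no matching `etc_t:lnk_file` rule is visible here, so domains that resolve `/etc` may still be denied after relabelling.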
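Review bot: In files.if, `allow $1 var_t:lnk_file { read };` grants only `read`, while every other symlink rule added in this change (DirectoryService.te, frameworks.if, the CoreServices interface in darwin.if) uses `{ getattr read }`. Unless the narrower set is deliberate, `allow $1 var_t:lnk_file { getattr read };` keeps them consistent. The interface this line belongs to starts above the hunk, so its name and summary are not visible here and the summary may need updating to mention symlinks.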
@@ -1,8 +1,12 @@
 /Library/Preferences/.GlobalPreferences.plist -- gen_context(system_u:object_r:darwin_global_pref_t,s0)
+/Library/Preferences -d gen_context(system_u:object_r:darwin_global_pref_t,s0)
 /private/var/db/.AppleSetupDone -- gen_context(system_u:object_r:darwin_global_pref_t,s0)
-/Library/Preferences/SystemConfiguration.* -- gen_context(system_u:object_r:darwin_global_pref_t,s0)
+/Library/Preferences/SystemConfiguration.* gen_context(system_u:object_r:darwin_global_pref_t,s0)
 /private/var/root/Library/Preferences/ByHost.* gen_context(system_u:object_r:darwin_host_pref_t,s0)
 /System/Library/CoreServices.* gen_context(system_u:object_r:darwin_CoreServices_t,s0)
 /private -d gen_context(system_u:object_r:darwin_private_t,s0)
+/Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0)
+/System/Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0)
+
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#2 (text+ko) ====
@@ -21,6 +21,27 @@
 ########################################
 ## <summary>
+## Allow reading/writing of global preference files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_global_pref_rw',`
+ gen_require(`
+ type darwin_global_pref_t;
+ ')
+
+ allow $1 darwin_global_pref_t:file rw_file_perms;
+ allow $1 darwin_global_pref_t:dir rw_dir_perms;
+ allow $1 darwin_global_pref_t:file link_file_perms;
+
+')
+
+########################################
+## <summary>
 ## Allow reading of host preference files
 ## </summary>
 ## <param name="domain">
@@ -57,6 +78,7 @@
 allow $1 darwin_CoreServices_t:file read_file_perms;
 allow $1 darwin_CoreServices_t:dir r_dir_perms;
+ allow $1 darwin_CoreServices_t:lnk_file { getattr read };
 ')
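Review bot: The new darwin.fc patterns `/Library/ColorSync.*` and `/System/Library/ColorSync.*` match any sibling whose name merely starts with that prefix, not just the ColorSync directory and its contents. The usual file-contexts form `/Library/ColorSync(/.*)?` labels the directory and everything below it and nothing else. Dropping `--` from the `SystemConfiguration.*` entry likewise extends `darwin_global_pref_t` to directories and symlinks with that prefix, which matters more now that configd.te gains write access to the type in this change.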
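Review bot: `darwin_allow_global_pref_rw` in darwin.if grants more than its summary states: the third rule, `allow $1 darwin_global_pref_t:file link_file_perms;`, applies a link-permission set to the `file` class on top of read/write. If symlink access was intended, the class should be `lnk_file` as in the CoreServices rule added further down; if link, unlink and rename on regular files was intended, the summary should say so, e.g. `## Allow reading, writing, linking and renaming of global preference files`. The definition of `link_file_perms` is outside this diff, so which of the two applies needs confirming against the macro file.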
@@ -117,3 +139,22 @@
 ')
+########################################
+## <summary>
+## Allow reading of general resource files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_resource_read',`
+ gen_require(`
+ type darwin_resource_t;
+ ')
+
+ allow $1 darwin_resource_t:file read_file_perms;
+ allow $1 darwin_resource_t:dir r_dir_perms;
+
+')
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.te#2 (text+ko) ====
@@ -9,6 +9,7 @@
 type darwin_host_pref_t;
 type darwin_CoreServices_t;
 type darwin_system_t;
+type darwin_resource_t;
 type darwin_private_t;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#5 (text+ko) ====
@@ -642,6 +642,9 @@
 # Talk to yourself for bootstrap namespace
 init_allow_bootstrap(init_t)
+
+# Talk to self
+init_allow_ipc(init_t)
 # Talk to the kernel
 kernel_allow_ipc(init_t)
@@ -656,3 +659,10 @@
 # Use Frameworks
 frameworks_read(init_t)
+
+# Use CoreServices
+darwin_allow_CoreServices_read(init_t)
+
+darwin_allow_private_read(init_t)
+
+
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/libraries.fc#4 (text+ko) ====
@@ -8,6 +8,11 @@
 #/System/Library/Frameworks gen_context(system_u:object_r:lib_t,s0)
 #/System/Library/Frameworks/.* gen_context(system_u:object_r:lib_t,s0)
+#
+# /Library
+#
+/Library -d gen_context(system_u:object_r:lib_t,s0)
+
 #
 # /usr
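Review bot: `darwin_allow_resource_read` in darwin.if has no `lnk_file` rule, although this same change adds `lnk_file { getattr read }` to the CoreServices and frameworks read interfaces, and darwin.fc labels every file type under the ColorSync paths as `darwin_resource_t`. If those trees contain symlinks, callers such as `WindowServer_t` would be denied on them. Adding `allow $1 darwin_resource_t:lnk_file { getattr read };` after the `dir` rule would match the sibling interfaces.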