Date: Mon, 22 Jan 2007 20:12:31 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 113420 for review Message-ID: <200701222012.l0MKCVCh091321@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=113420

Change 113420 by millert@millert_macbook on 2007/01/22 20:11:54

Allow actions by various processes that occur after the user has logged in via the GUI.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#8 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/KernelEventAgent.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#12 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreaudiod.te#10 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#10 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#14 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#15 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/ntp.te#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#13 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#8 (text+ko) ====

@@ -28,7 +28,7 @@
 # Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
 # Some common macros (you might be able to remove some)
-files_read_etc_files(DirectoryService_t)
+files_manage_etc_files(DirectoryService_t)
 libs_use_ld_so(DirectoryService_t)
 libs_use_shared_libs(DirectoryService_t)
 miscfiles_read_localization(DirectoryService_t)
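Review bot: `files_manage_etc_files(DirectoryService_t)` replaces a read-only grant with create/write/rename/unlink over everything labelled etc_t, far wider than the handful of configuration files a directory service plausibly rewrites, and nothing in the hunk records which file forced the widening. A compromised DirectoryService_t could then rewrite any /etc file, so at minimum a comment should name the target, `# DirectoryService rewrites <which /etc file? — TODO> (read-only etc_t was not enough)`, and if that set is stable a dedicated type with a file transition would confine the write right to those files instead of all of etc_t. DirectoryService_t also gains `execute_no_trans` on bin_t and a TCP connect to the smbd port in this file's later hunks, so the domain's reach grows on three axes in one change; worth stating in the change description.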
@@ -70,6 +70,7 @@
 allow DirectoryService_t self:process signal;
 allow DirectoryService_t self:socket create;
 allow DirectoryService_t bin_t:dir search;
+allow DirectoryService_t bin_t:file { execute_no_trans read getattr };
 allow DirectoryService_t nfs_t:dir { getattr read };
@@ -129,3 +130,8 @@
 
 # Use CoreServices
 darwin_allow_CoreServices_read(DirectoryService_t)
+
+# Search /var/vm
+files_search_vm(DirectoryService_t)
+
+corenet_tcp_connect_smbd_port(DirectoryService_t)

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/KernelEventAgent.te#6 (text+ko) ====

@@ -46,3 +46,6 @@
 
 # read /System
 darwin_allow_system_read(KernelEventAgent_t)
+
+# Read Core Services files
+darwin_allow_CoreServices_read(KernelEventAgent_t)

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#12 (text+ko) ====

@@ -82,7 +82,7 @@
 
 # Find the proper interface for this later
 allow WindowServer_t var_log_t:dir search;
-allow WindowServer_t var_log_t:file { getattr setattr write };
+allow WindowServer_t var_log_t:file { getattr setattr write unlink };
 
 # Misc
 allow WindowServer_t nfs_t:filesystem getattr;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreaudiod.te#10 (text+ko) ====

@@ -32,7 +32,7 @@
 allow coreaudiod_t sbin_t:dir { getattr read search };
 allow coreaudiod_t mnt_t:dir search;
 allow coreaudiod_t random_device_t:chr_file read;
-
+allow coreaudiod_t fs_t:filesystem getattr;
 
 # Talking to itself
 mach_allow_message(coreaudiod_t, coreaudiod_t)
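Review bot: `execute_no_trans` on bin_t:file lets DirectoryService_t run any binary under /bin inside its own domain, so whatever helper is being launched now carries the full DirectoryService_t privilege set (including the manage rights on etc_t granted in the first hunk) instead of moving to a confined domain. The rule carries no comment saying which program is executed; if it is a fixed helper, note it, `# runs <helper — TODO name it> in-domain; no transition domain yet`, and where practical give that helper a domain transition so a later reader does not widen this further. The third hunk's `corenet_tcp_connect_smbd_port(DirectoryService_t)` likewise lacks the one-line comment its neighbouring rules carry, and an outbound SMB connect from a system daemon is the kind of grant an auditor will want explained.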
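Review bot: Adding `unlink` to `allow WindowServer_t var_log_t:file { getattr setattr write unlink };` lets WindowServer_t delete any file labelled var_log_t, not only its own log, which weakens the audit trail of every other service that logs under /var/log. The existing `# Find the proper interface for this later` already marks the rule as a placeholder; the refpolicy pattern is a dedicated log type for WindowServer's own file with a file transition on var_log_t, so the delete right stays confined to that type. Until that exists, a comment naming the file being rotated, `# WindowServer rotates <its log file — TODO> under /var/log`, would at least record why deletion is required.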
@@ -61,10 +61,16 @@
 # Allow reading of prefs
 darwin_allow_global_pref_read(coreaudiod_t)
 darwin_allow_host_pref_read(coreaudiod_t)
+allow coreaudiod_t darwin_host_pref_t:dir { add_name remove_name };
+allow coreaudiod_t darwin_host_pref_t:file { create write setattr rename unlink };
 
 # Allow reading of CoreServices files
 darwin_allow_CoreServices_read(coreaudiod_t)
 
+# Talk to coreservicesd
+mach_allow_ipc(coreaudiod_t, coreservicesd_t)
+allow coreaudiod_t coreservicesd_t:shm { read write };
+
 # Allow reading of /private
 darwin_allow_private_read(coreaudiod_t)
 
@@ -74,3 +80,6 @@
 
 # read /System
 darwin_allow_system_read(coreaudiod_t)
+
+# Search /.vol
+allow coreaudiod_t volfs_t:dir search;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#10 (text+ko) ====

@@ -42,6 +42,9 @@
 WindowServer_allow_ipc(coreservicesd_t)
 allow coreservicesd_t WindowServer_t:process taskforpid;
 
+# Talk to Coreaudiod
+allow coreservicesd_t coreaudiod_t:process taskforpid;
+
 # Talk to configd
 configd_allow_ipc(coreservicesd_t)
 allow coreservicesd_t configd_t:process taskforpid;
@@ -53,7 +56,7 @@
 # Talk to init process
 allow coreservicesd_t init_t:process taskforpid;
 allow coreservicesd_t init_t:mi_bootstrap { bootstrap_look_up bootstrap_check_in };
-allow coreservicesd_t init_t:mi_notify_ipc notify_server_register_plain;
+allow coreservicesd_t init_t:mi_notify_ipc { notify_server_register_plain notify_server_post };
 
 # Use CoreServices
 darwin_allow_CoreServices_read(coreservicesd_t)
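Review bot: The two new `allow coreaudiod_t darwin_host_pref_t:...` rules grant create/write/rename/unlink on host preferences directly, right after `darwin_allow_host_pref_read(coreaudiod_t)` obtains the read side through the darwin module's interface, so the module's own type is now reached both through and around its interfaces. Putting the write side behind a manage-style counterpart to the read interface in the darwin module would keep darwin_host_pref_t encapsulated and make "who may rewrite host prefs" a one-grep question later. The same pattern recurs in coreservicesd.te, where bare `user_home_t` and `darwin_cache_t` write rules sit beside `userdom_*` interface calls. The `shm { read write }` grant toward coreservicesd_t also deserves the one-line comment its neighbours carry, since shared memory with another daemon is a trust boundary an auditor will look for.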
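Review bot: `allow coreservicesd_t coreaudiod_t:process taskforpid;` hands coreservicesd the task port of coreaudiod, and on Mach a task port gives read/write control over the target's memory and threads, so this is closer to a debugger attach than to message passing and `# Talk to Coreaudiod` undersells it. The matching coreaudiod.te hunk already grants `mach_allow_ipc(coreaudiod_t, coreservicesd_t)` plus shm, so if that IPC path is what the audio daemon actually uses the taskforpid line should go; if it is genuinely needed, the comment should say what requires it, e.g. `# coreservicesd takes coreaudiod's task port for <reason — TODO confirm>`. Note that this file now grants taskforpid on WindowServer_t, configd_t, init_t and kextd_t as well, which is a set worth reviewing on its own.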
@@ -85,9 +88,11 @@
 allow coreservicesd_t kextd_t:process taskforpid;
 allow coreservicesd_t kextd_t:mach_port { hold_send_once hold_send move_send_once send recv };
 
-# Read user home dirs
+# user home dirs
 userdom_search_all_users_home_content(coreservicesd_t)
 userdom_read_all_users_home_content_files(coreservicesd_t)
+allow coreservicesd_t user_home_t:dir { add_name remove_name };
+allow coreservicesd_t user_home_t:file { create write setattr rename unlink };
 
 # Read var files
 files_read_var_files(coreservicesd_t)
@@ -97,7 +102,8 @@
 files_search_vm(coreservicesd_t)
 
 # Access cache files
-allow coreservicesd_t darwin_cache_t:dir { getattr search };
+allow coreservicesd_t darwin_cache_t:dir { getattr search add_name remove_name };
+allow coreservicesd_t darwin_cache_t:file { create write rename unlink read };
 
 # Search dirs
 allow coreservicesd_t { darwin_system_t mnt_t fs_t }:dir { getattr search };
@@ -108,3 +114,6 @@
 
 # Stat filesystems
 allow coreservicesd_t fs_t:filesystem getattr;
+
+# /dev/random
+allow coreservicesd_t random_device_t:chr_file read;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#14 (text+ko) ====

@@ -48,11 +48,11 @@
 # There has to be a "proper" interface for this. Fix this when we find it
 allow loginwindow_t bin_t:dir { search read getattr };
 allow loginwindow_t bin_t:file { getattr execute execute_no_trans read };
+allow loginwindow_t automount_t:dir search;
 allow loginwindow_t darwin_services_t:dir { read search getattr };
 allow loginwindow_t init_t:process taskforpid;
-allow loginwindow_t unconfined_t:process getsched;
 
 # Talk to self
 mach_allow_message(loginwindow_t, loginwindow_t)

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#15 (text+ko) ====
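Review bot: `allow coreservicesd_t user_home_t:dir { add_name remove_name };` and the file rule under it let a system-wide daemon create, rename and delete files in every user's home, and the comment was trimmed from `# Read user home dirs` to `# user home dirs`, so a reader loses the cue that write access was added here. Home content is under the user's control, so rename/unlink against user_home_t acts on names the user can plant; whatever coreservicesd writes there should get a file transition to a dedicated type (the same pattern ntp.te uses with `files_tmp_filetrans` for its tmp files) so its rights cover only its own files rather than all of user_home_t. At minimum restore a comment stating what is written, `# coreservicesd creates/rewrites <which files — TODO> under user homes`. The darwin_cache_t hunk that follows has the same shape and the same missing explanation.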
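Review bot: `allow loginwindow_t automount_t:dir search;` is a raw cross-module rule, and the identical rule is added for securityd_t and init_t in the later securityd.te and init.te hunks, which makes three direct references to automount_t from outside its module in one change. The existing `# There has to be a "proper" interface for this.` applies to the new line as much as to its neighbours: a search interface in the automount module would give one place to adjust when automount's labelling changes, and the three call sites would read as `automount_search_dirs(loginwindow_t)`-style calls rather than rules. Dropping `getsched` on unconfined_t is a straightforward tightening and needs no comment.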
@@ -42,7 +42,12 @@
 allow securityd_t nfs_t:lnk_file read;
 allow securityd_t usr_t:file { getattr read };
 allow securityd_t random_device_t:chr_file { read write };
+allow securityd_t bin_t:dir { search read };
+allow securityd_t bin_t:file { read getattr };
 allow securityd_t sbin_t:dir { getattr read search };
+allow securityd_t automount_t:dir search;
+allow securityd_t darwin_network_t:dir { getattr search };
+allow securityd_t darwin_network_t:lnk_file { getattr read };
 
 # /var file operations
 files_manage_var_files(securityd_t)

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/ntp.te#5 (text+ko) ====

@@ -54,6 +54,7 @@
 # for some reason it creates a file in /tmp
 allow ntpd_t ntpd_tmp_t:dir create_dir_perms;
 allow ntpd_t ntpd_tmp_t:file create_file_perms;
+allow ntpd_t tmp_t:lnk_file read;
 files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
 allow ntpd_t ntpd_var_run_t:file create_file_perms;
@@ -141,6 +142,8 @@
 
 # Read /private
 darwin_allow_private_read(ntpd_t)
+allow ntpd_t random_device_t:chr_file read;
+
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(ntpd_t)
 term_dontaudit_use_generic_ptys(ntpd_t)

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#13 (text+ko) ====

@@ -659,6 +659,7 @@
 darwin_allow_host_pref_read(init_t)
 darwin_allow_system_read(init_t)
 allow init_t darwin_system_t:file execute;
+allow init_t automount_t:dir search;
 
 # Read /System/Library/StartupItems
 allow init_t darwin_startup_t:dir { read search getattr };
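Review bot: `allow ntpd_t tmp_t:lnk_file read;` lets ntpd follow symlinks in the world-writable tmp_t directory, which is exactly the object class an unprivileged local user can plant, and the comment above it (`# for some reason it creates a file in /tmp`) shows the underlying need was never pinned down. On Darwin /tmp is itself a symlink to /private/tmp, which is presumably what this rule is for; if so, say it, `# /tmp -> private/tmp on Darwin; read needed to traverse the symlink`, and confirm the file ntpd creates still lands in ntpd_tmp_t through the `files_tmp_filetrans` below rather than in plain tmp_t. The second ntp.te hunk adds `random_device_t:chr_file read` as a bare rule without a comment, and the same bare rule appears in coreservicesd.te; upstream refpolicy's devices module exposes dev_read_rand() for this, so if sedarwin's copy carries that interface both sites should call it instead.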