Date: Fri, 6 Oct 2006 13:21:10 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 107355 for review Message-ID: <200610061321.k96DLAso003846@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=107355 Change 107355 by millert@millert_g5tower on 2006/10/06 13:20:12 Load the migscs file into Info.plist on install and modify update_plist.pl to take an install directory option. Add interface for allowing bootstrap lookups and an example for coreaudiod. It should be noted that right now this is just unconstrained allowing of mach messaging. We should trim this down to just the operations required for performing lookups. Add WindowServer and loginwindow modules. Add basic Mach policy interface. Allow diskarbitrationd and configd to converse via Mach IPC. Add default context for loginwindow_t. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Rules.monolithic#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-strict-mcs/default_contexts#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-strict-mls/default_contexts#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-strict/default_contexts#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-targeted-mcs/default_contexts#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-targeted-mls/default_contexts#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-targeted/default_contexts#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules.conf#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#1 add .. 
//depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.if#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreaudiod.te#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.if#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/mach.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/mach.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/mach.te#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/update_plist#3 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Rules.monolithic#3 (text+ko) ==== 
@@ -55,7 +55,7 @@ ifeq ($(SEDARWIN_BUILD),1) install: install-src $(loadpath) $(fcpath) $(ncpath) $(appfiles) - ./update_plist --policy=$(loadpath) --policy-dir=/etc/sedarwin/$(strip $(NAME))/policy ../sedarwin/mac_sedarwin.kext/Contents/Info.plist && make -C ../sedarwin mac_sedarwin.kext.tar install + ./update_plist --policy=$(loadpath) --migscs=sebsd_migscs --install-dir=/etc/sedarwin/$(strip $(NAME))/policy ../sedarwin/mac_sedarwin.kext/Contents/Info.plist && make -C ../sedarwin mac_sedarwin.kext.tar install else install: $(loadpath) $(fcpath) $(ncpath) $(appfiles) ./update_plist --policy=$(loadpath) /System/Library/Extensions/mac_sedarwin.kext/Contents/Info.plist ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-strict-mcs/default_contexts#2 (text+ko) ==== @@ -10,3 +10,4 @@ sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 +system_r:loginwindow_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-strict-mls/default_contexts#2 (text+ko) ==== @@ -10,3 +10,4 @@ sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 +system_r:loginwindow_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-strict/default_contexts#2 (text+ko) ==== @@ -10,3 +10,4 @@ sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t +system_r:loginwindow_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-targeted-mcs/default_contexts#2 (text+ko) ==== 
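Review bot: The new `system_r:loginwindow_t` entry in the strict, strict-mcs and strict-mls default_contexts lists `sysadm_r:sysadm_t` among the contexts a loginwindow session may start in, so a graphical login could land directly in the administrative domain. If that is not a requirement, the narrower entry `system_r:loginwindow_t:s0 staff_r:staff_t:s0 user_r:user_t:s0` (without the `:s0` suffix in the plain strict file) keeps sysadm_t behind an explicit role change. The targeted variants map loginwindow_t only to `unconfined_t`, so this applies to the three strict files alone.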
@@ -7,3 +7,4 @@ system_r:sysadm_su_t:s0 system_r:unconfined_t:s0 system_r:unconfined_t:s0 system_r:unconfined_t:s0 system_r:xdm_t:s0 system_r:unconfined_t:s0 +system_r:loginwindow_t:s0 system_r:unconfined_t:s0 ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-targeted-mls/default_contexts#2 (text+ko) ==== @@ -7,3 +7,4 @@ system_r:sysadm_su_t:s0 system_r:unconfined_t:s0 system_r:unconfined_t:s0 system_r:unconfined_t:s0 system_r:xdm_t:s0 system_r:unconfined_t:s0 +system_r:loginwindow_t:s0 system_r:unconfined_t:s0 ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-targeted/default_contexts#2 (text+ko) ==== @@ -7,3 +7,4 @@ system_r:sysadm_su_t system_r:unconfined_t system_r:unconfined_t system_r:unconfined_t system_r:xdm_t system_r:unconfined_t +system_r:loginwindow_t system_r:unconfined_t ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules.conf#3 (text+ko) ==== @@ -1611,6 +1611,7 @@ # # Darwin System Configuration Daemon # +mach = module configd = module DirectoryService = module coreaudiod = module @@ -1621,3 +1622,5 @@ notifyd = module securityd = module update = module +WindowServer = module +loginwindow = module ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.if#2 (text+ko) ==== @@ -54,3 +54,22 @@ allow $1 configd_t:fifo_file rw_file_perms; allow $1 configd_t:process sigchld; ') + +######################################## +## <summary> +## Allow Mach IP with configd +## </summary> +## <param name="domain"> +## <summary> +## Type to be used as a domain. +## </summary> +## </param> +# +interface(`configd_mach_ipc',` + #gen_require(` + #class mach_port all_mach_port_perms; + #)' + + # Allow bidirection comminication with configd + mach_allow_ipc(configd_t, $1) +') ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#2 (text+ko) ==== 
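Review bot: `configd_mach_ipc` uses `configd_t` while its `gen_require` block is commented out, so the interface declares none of the types it depends on. Refpolicy interfaces normally open with a `gen_require` that declares `type configd_t;`, and a modular build may reject the call without it even though the monolithic build accepts it. The summary reads "Allow Mach IP with configd" and the comment "bidirection comminication"; I would write `## Allow bidirectional Mach IPC with configd` and `# Allow bidirectional communication with configd`. What `mach_allow_ipc` grants is defined in mach.if, which this page does not show, so the summary should also state whether the grant is limited to particular operations.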
@@ -20,6 +20,11 @@ # # Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules. +# Allow config d to talk to itself via mach ipc +# Note: We just use mach_allow_message here since configd_t -> configd_t +# is effectively bidirectional. +mach_allow_message(configd_t, configd_t) + # Some common macros (you might be able to remove some) files_read_etc_files(configd_t) libs_use_ld_so(configd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreaudiod.te#2 (text+ko) ==== @@ -9,6 +9,7 @@ type coreaudiod_exec_t; domain_type(coreaudiod_t) init_domain(coreaudiod_t, coreaudiod_exec_t) +init_mach_ipc(coreaudiod_t) ######################################## # ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#2 (text+ko) ==== @@ -34,3 +34,7 @@ allow diskarbitrationd_t diskarbitrationd_var_run_t:sock_file manage_file_perms; allow diskarbitrationd_t diskarbitrationd_var_run_t:dir rw_dir_perms; files_pid_filetrans(diskarbitrationd_t,diskarbitrationd_var_run_t, { file sock_file }) + +# Allow Mach IPC with configd +configd_mach_ipc(diskarbitrationd_t) + ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.if#3 (text+ko) ==== @@ -1094,3 +1094,19 @@ files_search_pids($1) allow $1 initrc_var_run_t:file create_file_perms; ') + +######################################## +## <summary> +## Allow Mach IPC with init +## </summary> +## <param name="domain"> +## <summary> +## Type to be used as a domain. +## </summary> +## </param> +# +interface(`init_mach_ipc',` + + # Allow bidirectional comminication with configd + mach_allow_ipc(init_t, $1) +') ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/update_plist#3 (xtext) ==== 
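Review bot: The comment inside `init_mach_ipc` says "Allow bidirectional comminication with configd", but the rule is `mach_allow_ipc(init_t, $1)`, so the text names the wrong peer and should read `# Allow bidirectional communication with init`. The commit description says this interface is meant for bootstrap lookups but currently allows unconstrained Mach messaging. That limitation belongs in the `<summary>`, for example `## Allow Mach IPC with init (currently all messages; to be narrowed to bootstrap lookups)`, because coreaudiod.te already calls it and later callers will inherit the same broad grant. `init_t` is also used without a `gen_require` declaring it, which a modular build may reject.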
@@ -13,17 +13,19 @@ use File::Temp qw/ :mktemp /; use Getopt::Long; use PropertyList qw( :all ); +use File::Basename; my $plist_file; my $policy_file; my $migscs_file; my $enforcing_mode; -my $policy_dir = "/etc/sedarwin/policy"; +my $install_dir; +my $install_dir_default = "/etc/sedarwin/refpolicy/policy"; $status = GetOptions("policy=s" => \$policy_file, "migscs=s" => \$migscs_file, - "enforce!" => \$enforcing_mode, "policy-dir=s" => \$policy_dir); + "enforce!" => \$enforcing_mode, "install-dir=s" => \$install_dir); &usage() unless $status && $#ARGV == 0; -die "$0: policy dir must be fully-qualified\n" unless $policy_dir =~ /^\//; +die "$0: install dir must be fully-qualified\n" unless $install_dir =~ /^\//; $plist_file = $ARGV[0]; my $data = Mac::PropertyList::parse_plist_file($plist_file) || @@ -66,8 +68,14 @@ close(FH); $module_data{'policy_data'} = Mac::PropertyList::data->new($policy_data); $policy_data = undef; - $policy_file = "$policy_dir/$policy_file" unless $policy_file =~ /^\//; - $module_data{'policy_path'} = Mac::PropertyList::string->new($policy_file); + + my ($basename, $dirname) = fileparse($policy_file); + if (defined($install_dir) || !defined($dirname)) { + $dirname = $install_dir || $install_dir_default; + } + $dirname =~ s/\/*$//; + $module_data{'policy_path'} = + Mac::PropertyList::string->new("$dirname/$basename"); } # Store migscs @@ -84,8 +92,14 @@ close(FH); $module_data{'migscs_data'} = Mac::PropertyList::data->new($migscs_data); $migscs_data = undef; - $migscs_file = "$policy_dir/$migscs_file" unless $migscs_file =~ /^\//; - $module_data{'migscs_path'} = Mac::PropertyList::string->new($migscs_file); + + my ($basename, $dirname) = fileparse($migscs_file); + if (defined($install_dir) || !defined($dirname)) { + $dirname = $install_dir || $install_dir_default; + } + $dirname =~ s/\/*$//; + $module_data{'migscs_path'} = + Mac::PropertyList::string->new("$dirname/$basename"); } # Convert %module_data into a plist dict and store in $data 
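Review bot: `$install_dir` no longer has a default value, so `die ... unless $install_dir =~ /^\//` now aborts every run that omits `--install-dir`, because the match against an undefined value fails. That includes the unchanged non-SEDARWIN_BUILD `install` rule in Rules.monolithic, which passes only `--policy` and the plist path. The check should apply only when the option was given: `die "$0: install dir must be fully-qualified\n" if defined($install_dir) && $install_dir !~ /^\//;`.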
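Review bot: `fileparse()` always returns a defined directory part (`./` for a bare file name), so `!defined($dirname)` is never true in the policy block, and the same holds for the identical migscs block in the following hunk. A relative `--policy` or `--migscs` argument given without `--install-dir` would therefore be recorded in Info.plist as a relative path such as `./name`, and `$install_dir_default` is never used, whereas the removed code always prefixed relative names with an absolute directory. Testing the argument itself keeps the stored path absolute: `if (defined($install_dir) || $policy_file !~ m{^/}) {`, and likewise with `$migscs_file` in the second block. Both enclosing blocks begin outside their hunks.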
@@ -113,5 +127,5 @@ exit 0; sub usage() { - die "usage: $0 [--policy-dir=directory] [--policy=polify_file] [--migscs=migscs_file] [--enforce|--noenforce] plist_file\n"; + die "usage: $0 [--install-dir=directory] [--policy=polify_file] [--migscs=migscs_file] [--enforce|--noenforce] plist_file\n"; }