From owner-p4-projects@FreeBSD.ORG Fri Apr 21 18:30:47 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id DC94E16A435; Fri, 21 Apr 2006 18:30:46 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 98F7316A43C for ; Fri, 21 Apr 2006 18:30:46 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 55B8343D53 for ; Fri, 21 Apr 2006 18:30:46 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id k3LIUkIP094798 for ; Fri, 21 Apr 2006 18:30:46 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id k3LIUjbt094790 for perforce@freebsd.org; Fri, 21 Apr 2006 18:30:45 GMT (envelope-from millert@freebsd.org) Date: Fri, 21 Apr 2006 18:30:45 GMT Message-Id: <200604211830.k3LIUjbt094790@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f 
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 95810 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Apr 2006 18:30:47 -0000 http://perforce.freebsd.org/chv.cgi?CH=95810 Change 95810 by millert@millert_g5tower on 2006/04/21 18:30:32 Remove a horrible policy hack and have mach_init use mac_execve() instead. Affected files ... .. //depot/projects/trustedbsd/sedarwin7/src/darwin/system_cmds/mach_init.tproj/bootstrap.c#9 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/Makefile#9 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/macros/global_macros.te#6 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/rules#9 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/system_cmds/mach_init.tproj/bootstrap.c#9 (text+ko) ==== @@ -49,6 +49,7 @@ #import #import #import +#import #import #import #import @@ -825,8 +826,9 @@ static void exec_server(server_t *serverp) { - char **argv; + char **argv, *cp, textlabel[512]; sigset_t mask; + mac_t label; /* * Setup environment for server, someday this should be Mach stuff @@ -881,12 +883,19 @@ sigemptyset(&mask); (void) sigprocmask(SIG_SETMASK, &mask, (sigset_t *)NULL); + if (mach_get_task_label_text(mach_task_self(), "sebsd", textlabel) == 0 + && (cp = rindex(textlabel, ':')) != NULL) { + *(cp + 1) = '\0'; + strlcat(textlabel, "mach_servers_d"); + if (mac_from_text(&label, textlabel) == 0) + mac_set_proc(label); + } execv(argv[0], argv); unix_fatal("Disabled server %x bootstrap %x: \"%s\": exec()", serverp->port, serverp->bootstrap->bootstrap_port, serverp->cmd); -} +} static char ** argvize(const char *string) ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/Makefile#9 (text+ko) ==== 
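Review bot: `strlcat(textlabel, "mach_servers_d")` in the third bootstrap.c hunk is missing strlcat's size argument, so the concatenation is not bounded by the 512-byte `textlabel` and the call does not match the three-argument prototype; it should be `strlcat(textlabel, "mach_servers_d", sizeof(textlabel))` with the return value checked for truncation. The result of `mac_set_proc(label)` (and of `mac_from_text`) is also discarded, so when relabelling fails the server is still `execv`'d in mach_init's own domain instead of mach_servers_d — that path should fail closed via `unix_fatal`, as the execv failure just below already does, if unix_fatal terminates the child as that use suggests. Overwriting everything after the last ':' assumes the type is the final field of the text context; if the text form can carry a trailing range this would replace the range instead, which deserves a comment such as `/* Replace the last field of the context with the servers' domain. */`. The change description says mac_execve(), but the code relabels with mac_set_proc() and then calls plain execv(); a short comment on why the relabel-then-exec form was chosen would help. exec_server's body starts outside this hunk.
```c
	if (mach_get_task_label_text(mach_task_self(), "sebsd", textlabel) == 0
	    && (cp = rindex(textlabel, ':')) != NULL) {
		/* Replace the last field of the context with the servers' domain. */
		*(cp + 1) = '\0';
		if (strlcat(textlabel, "mach_servers_d", sizeof(textlabel))
		    >= sizeof(textlabel) || mac_from_text(&label, textlabel) != 0
		    || mac_set_proc(label) != 0)
			unix_fatal("Disabled server %x bootstrap %x: \"%s\": set label %s",
			    serverp->port, serverp->bootstrap->bootstrap_port,
			    serverp->cmd, textlabel);
	}
	/* … unchanged: execv and its unix_fatal … */
```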
@@ -37,7 +37,7 @@
 install:
 $(INSTALL) -o ${BINOWN} -g ${BINGRP} -m 644 ${POLICY} ${DESTDIR}
 $(INSTALL) -o ${BINOWN} -g ${BINGRP} -m 644 sebsd_migscs ${DESTDIR}
- $(INSTALL) -o ${BINOWN} -g ${BINGRP} -m 644 failsafe_context ${DESTDIR}/private/etc/sedarwin
+ $(INSTALL) -o ${BINOWN} -g ${BINGRP} -m 644 failsafe_context ${DESTDIR}/private/etc/sedarwin/contexts
 $(INSTALL) -o ${BINOWN} -g ${BINGRP} -m 700 ${SCRIPTS} ${DESTDIR}/private/etc/sedarwin
 (cd $(CURDIR)/.. && tar -X policy/excludes -cf - policy) | (cd $(DESTDIR)/private/etc/sedarwin/ && tar -xf -)
 (cd $(FLASK)/.. && tar -cf - flask) | (cd $(DESTDIR)/private/etc/sedarwin/policy && tar -xf -)
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/macros/global_macros.te#6 (text+ko) ====
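Review bot: The new destination `${DESTDIR}/private/etc/sedarwin/contexts` is a subdirectory that nothing visible in this install target creates — the other INSTALL lines target `${DESTDIR}` and `.../sedarwin`, and the tar pipelines only populate `policy` and `flask` — so unless an earlier rule or the base system makes it, `$(INSTALL)` will fail or, with some install implementations, write a file literally named `contexts`. Add `$(INSTALL) -d -o ${BINOWN} -g ${BINGRP} -m 755 ${DESTDIR}/private/etc/sedarwin/contexts` before the failsafe_context line, or confirm the directory is created elsewhere. The install target continues outside this hunk.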
@@ -310,63 +310,6 @@
 
 #################################
 #
-# domain_exec_trans(parent_domain, child_domain)
-#
-# Permissions for transitioning to a new domain.
-#
-
-define(`domain_exec_trans',`
-
-#
-# Allow the process to transition to the new domain.
-#
-allow $1 $2:process transition;
-
-#
-# Do not audit when glibc secure mode is enabled upon the transition.
-#
-dontaudit $1 $2:process noatsecure;
-
-#
-# Allow the process to execute the program.
-#
-allow $1 *:file { read x_file_perms };
-
-#
-# Allow the process to reap the new domain.
-#
-allow $2 $1:process sigchld;
-
-#
-# Allow the new domain to inherit and use file
-# descriptions from the creating process and vice versa.
-#
-allow $2 $1:fd use;
-allow $1 $2:fd use;
-
-#
-# Allow the new domain to write back to the old domain via a pipe.
-#
-allow $2 $1:fifo_file rw_file_perms;
-
-#
-# Allow the new domain to read and execute the program.
-#
-allow $2 *:file rx_file_perms;
-
-#
-# Allow the new domain to be entered via the program.
-#
-allow $2 *:file entrypoint;
-
-#
-# Make the transition
-#
-type_transition $1 *:process $2;
-')
-
-#################################
-#
 # domain_auto_trans(parent_domain, program_type, child_domain)
 #
 # Define a default domain transition and allow it.
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/rules#9 (text+ko) ====
@@ -131,15 +131,14 @@
 #allow init_d { bin_t shell_exec_t file_t }:dir_file_class_set rw_file_perms;
 #allow init_d bin_t:file execute_no_trans;
 
-# Things executed by mach_init transition to mach_servers_d
-# XXX - awful hack
-domain_exec_trans(mach_init_d,mach_servers_d);
-
 # Transition from init_d -> mach_init_d when mach_init starts
 # and then back to init_d when BSD init is exec'd
 domain_auto_trans(init_d,mach_init_exec_t,mach_init_d);
 domain_auto_trans(mach_init_d,init_exec_t,init_d);
 
+# mach_init_d does its own transition to mach_servers_d
+allow mach_init_d mach_servers_d:process transition;
+
 # User transitions for login and sshd
 domain_auto_trans(init_d,login_exec_t,login_d);
 domain_auto_trans(user_d,login_exec_t,login_d);
@@ -194,11 +193,17 @@
 allow user_d security_t:security *;
 
 # Transitions for mach servers started by mach_init
-domain_auto_trans(mach_init_d,windowserver_exec_t,windowserver_d);
-domain_auto_trans(mach_init_d,lookupd_exec_t,lookupd_d);
-domain_auto_trans(mach_init_d,notifyd_exec_t,notifyd_d);
-domain_auto_trans(mach_init_d,diskarbitrationd_exec_t,diskarbitrationd_d);
-domain_auto_trans(mach_init_d,configd_exec_t,configd_d);
+allow mach_servers_d file_t:file entrypoint;
+domain_auto_trans(mach_servers_d,windowserver_exec_t,windowserver_d);
+allow mach_servers_d windowserver_exec_t:file entrypoint;
+domain_auto_trans(mach_servers_d,lookupd_exec_t,lookupd_d);
+allow mach_servers_d lookupd_exec_t:file entrypoint;
+domain_auto_trans(mach_servers_d,notifyd_exec_t,notifyd_d);
+allow mach_servers_d notifyd_exec_t:file entrypoint;
+domain_auto_trans(mach_servers_d,diskarbitrationd_exec_t,diskarbitrationd_d);
+allow mach_servers_d diskarbitrationd_exec_t:file entrypoint;
+domain_auto_trans(mach_servers_d,configd_exec_t,configd_d);
+allow mach_servers_d configd_exec_t:file entrypoint;
 
 # Transitions for things started by BSD init
 domain_auto_trans(init_d,systemstarter_exec_t,systemstarter_d);
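Review bot: `allow mach_servers_d file_t:file entrypoint;` in the second hunk makes every file labelled file_t a valid entry point into mach_servers_d; if file_t is the default label for otherwise-unlabelled files, as it is in the reference policy this file appears to follow, any unlabelled binary that mach_init launches then lands in the shared servers domain instead of being denied, which widens the domain far beyond the five servers listed below it. Either give the remaining mach_init servers their own exec types and drop the file_t grant, or keep it narrow and add a comment naming the binaries it exists for, e.g. `# file_t entrypoint: unlabelled servers started by mach_init (list them here)`. Note also that the actual parent process stays in mach_init_d while the policy parent for these transitions is now mach_servers_d, so the `sigchld` and `fd use` grants the deleted domain_exec_trans macro gave between child and mach_init_d are no longer expressed anywhere visible; check that windowserver_d and the other server domains can still signal and use descriptors from mach_init_d, and restate those rules here if they cannot.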