From: Andrew Reisse To: Perforce Change Reviews Subject: PERFORCE change 67592 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Dec 2004 18:24:48 -0000 http://perforce.freebsd.org/chv.cgi?CH=67592 Change 67592 by areisse@areisse_tislabs on 2004/12/23 18:23:47 Install flask generated files from the new policy to the kernel. Affected files ... .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_perm_to_string.h#6 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_permissions.h#7 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/initial_sid_to_string.h#5 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/flask.h#6 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_perm_to_string.h#6 (text+ko) ==== @@ -31,6 +31,9 @@ { SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto" }, { SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn" }, { SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom" }, + { SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind" }, + { SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind" }, + { SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind" }, { SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv" }, { SECCLASS_NODE, NODE__TCP_SEND, "tcp_send" }, { SECCLASS_NODE, NODE__UDP_RECV, "udp_recv" }, @@ -76,6 +79,7 @@ { SECCLASS_MSG, MSG__SEND, "send" }, { SECCLASS_MSG, MSG__RECEIVE, "receive" }, { SECCLASS_MSG, MSG__DESTROY, "destroy" }, + { SECCLASS_SHM, SHM__LOCK, "lock" }, { SECCLASS_POSIX_SEM, POSIX_SEM__ASSOCIATE, "associate" }, { SECCLASS_POSIX_SEM, POSIX_SEM__DISASSOCIATE, "disassociate" }, { SECCLASS_POSIX_SEM, POSIX_SEM__DESTROY, "destroy" }, 
@@ -141,6 +145,8 @@ { SECCLASS_PASSWD, PASSWD__PASSWD, "passwd" }, { SECCLASS_PASSWD, PASSWD__CHFN, "chfn" }, { SECCLASS_PASSWD, PASSWD__CHSH, "chsh" }, + { SECCLASS_PASSWD, PASSWD__ROOTOK, "rootok" }, + { SECCLASS_PASSWD, PASSWD__CRONTAB, "crontab" }, }; #define AV_PERM_TO_STRING_SIZE (sizeof(av_perm_to_string)/sizeof(av_perm_to_string_t)) ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_permissions.h#7 (text+ko) ==== @@ -280,6 +280,7 @@ #define TCP_SOCKET__CONNECTTO 0x0000000001000000UL #define TCP_SOCKET__NEWCONN 0x0000000002000000UL #define TCP_SOCKET__ACCEPTFROM 0x0000000004000000UL +#define TCP_SOCKET__NODE_BIND 0x0000000008000000UL #define UDP_SOCKET__TRANSITION 0x0000000000000400UL #define UDP_SOCKET__SHUTDOWN 0x0000000000040000UL @@ -306,6 +307,8 @@ #define UDP_SOCKET__IOCTL 0x0000000000000002UL #define UDP_SOCKET__RELABELTO 0x0000000000000200UL +#define UDP_SOCKET__NODE_BIND 0x0000000001000000UL + #define RAWIP_SOCKET__TRANSITION 0x0000000000000400UL #define RAWIP_SOCKET__SHUTDOWN 0x0000000000040000UL #define RAWIP_SOCKET__POLL 0x0000000000000001UL @@ -331,6 +334,8 @@ #define RAWIP_SOCKET__IOCTL 0x0000000000000002UL #define RAWIP_SOCKET__RELABELTO 0x0000000000000200UL +#define RAWIP_SOCKET__NODE_BIND 0x0000000001000000UL + #define NODE__TCP_RECV 0x0000000000000001UL #define NODE__TCP_SEND 0x0000000000000002UL #define NODE__UDP_RECV 0x0000000000000004UL @@ -547,6 +552,8 @@ #define SHM__DESTROY 0x0000000000000002UL #define SHM__GETATTR 0x0000000000000004UL +#define SHM__LOCK 0x0000000000000200UL + #define POSIX_SEM__ASSOCIATE 0x0000000000000001UL #define POSIX_SEM__DISASSOCIATE 0x0000000000000002UL #define POSIX_SEM__DESTROY 0x0000000000000004UL 
@@ -616,6 +623,8 @@ #define PASSWD__PASSWD 0x0000000000000001UL #define PASSWD__CHFN 0x0000000000000002UL #define PASSWD__CHSH 0x0000000000000004UL +#define PASSWD__ROOTOK 0x0000000000000008UL +#define PASSWD__CRONTAB 0x0000000000000010UL /* FLASK */ ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/initial_sid_to_string.h#5 (text+ko) ==== @@ -26,10 +26,8 @@ "sysctl_vm", "sysctl_dev", "kmod", - "devfs", - "devpts", - "nfs", "policy", - "tmpfs", + "scmp_packet", + "devnull", }; ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/flask.h#6 (text+ko) ==== @@ -66,12 +66,10 @@ #define SECINITSID_SYSCTL_VM 22 #define SECINITSID_SYSCTL_DEV 23 #define SECINITSID_KMOD 24 -#define SECINITSID_DEVFS 25 -#define SECINITSID_DEVPTS 26 -#define SECINITSID_NFS 27 -#define SECINITSID_POLICY 28 -#define SECINITSID_TMPFS 29 +#define SECINITSID_POLICY 25 +#define SECINITSID_SCMP_PACKET 26 +#define SECINITSID_DEVNULL 27 -#define SECINITSID_NUM 29 +#define SECINITSID_NUM 27 #endif