Date: Mon, 11 Dec 2006 21:54:48 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 111497 for review Message-ID: <200612112154.kBBLsmq9099532@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=111497 Change 111497 by millert@millert_macbook on 2006/12/11 21:54:33 Update policy. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules.conf#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#8 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#9 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.fc#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mds.fc#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mds.if#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mds.te#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.if#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/authlogin.fc#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#7 edit .. 
//depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.te#5 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules.conf#6 (text+ko) ====
@@ -1631,6 +1631,7 @@
 KernelEventAgent = module
 kextd = module
 lookupd = module
+mds = module
 ATconfig = module
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#5 (text+ko) ====
@@ -3,6 +3,8 @@
 # MLS sensitivity: s0
 # MCS categories: <none>
+/private/var/log/windowserver.log -- gen_context(system_u:object_r:WindowServer_var_log_t,s0)
+
 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/WindowServer -- gen_context(system_u:object_r:WindowServer_exec_t,s0)
 /System/Library/Displays.* gen_context(system_u:object_r:WindowServer_resource_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#8 (text+ko) ====
@@ -11,6 +11,9 @@
 domain_type(WindowServer_t)
 init_domain(WindowServer_t, WindowServer_exec_t)
+type WindowServer_var_log_t;
+logging_log_file(WindowServer_var_log_t)
+
 ########################################
 #
 # WindowServer local policy
@@ -26,6 +29,12 @@
 allow WindowServer_t self:fifo_file { read write };
 allow WindowServer_t self:unix_stream_socket create_stream_socket_perms;
+# log files
+allow WindowServer_t WindowServer_var_log_t:file create_file_perms;
+allow WindowServer_t WindowServer_var_log_t:sock_file create_file_perms;
+allow WindowServer_t WindowServer_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(WindowServer_t,WindowServer_var_log_t,{ sock_file file dir })
+
 # Allow WindowServer to re-exec itself
 allow WindowServer_t WindowServer_exec_t:file execute_no_trans;
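Review bot: The `# log files` block in the WindowServer.te hunk grants WindowServer_var_log_t far more than the one object WindowServer.fc gives that type: `create_file_perms` on sock_file, `{ rw_dir_perms setattr }` on dir, and a `logging_log_filetrans` for `{ sock_file file dir }`, while the only path labelled WindowServer_var_log_t is /private/var/log/windowserver.log. Unless a denial showed WindowServer creating sockets or directories under /var/log, cut this to the file class — `allow WindowServer_t WindowServer_var_log_t:file create_file_perms;` and `logging_log_filetrans(WindowServer_t,WindowServer_var_log_t,file)` — so a compromised WindowServer cannot plant sockets or subtrees in the log directory under a type only it writes. If the sock_file and dir classes really are needed, a comment naming the observed path would let the next reader keep them honestly. The WindowServer local-policy section continues outside the hunk.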
@@ -124,3 +133,5 @@
 userdom_search_all_users_home_content(WindowServer_t)
 userdom_read_all_users_home_content_files(WindowServer_t)
+# Read files in /tmp
+files_read_generic_tmp_files(WindowServer_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#9 (text+ko) ====
@@ -157,8 +157,15 @@
 # Read CoreServices libs, etc
 darwin_allow_CoreServices_read(configd_t)
-# Read /private/var
+# Read/write /private/var
+files_rw_var_files(configd_t)
+# Add files_read_var_files() since it allows reading of symlinks where
+# files_rw_var_files does not.
 files_read_var_files(configd_t)
+files_search_var(configd_t)
+# Not sure why it wants to search this dir, it should know what it wants
+allow configd_t var_log_t:dir search;
+
 # Read /private
 darwin_allow_private_read(configd_t)
@@ -169,3 +176,28 @@
 # I'm certain there's a "proper" way to do this...
 allow configd_t port_t:tcp_socket name_connect;
+# Read securityd temp files
+securityd_tmp_rw(configd_t)
+
+# Read darwin_security_t files
+darwin_allow_security_read(configd_t)
+
+# Read/write/manage keychain files
+darwin_allow_keychain_rw(configd_t)
+darwin_allow_keychain_manage(configd_t)
+
+# Read files in /tmp
+files_getattr_tmp_dirs(configd_t)
+files_search_tmp(configd_t)
+files_read_generic_tmp_files(configd_t)
+files_manage_generic_tmp_files(configd_t)
+
+# Read keychain files
+darwin_allow_keychain_search(configd_t)
+darwin_allow_keychain_read(configd_t)
+
+# Read user home dirs
+userdom_search_all_users_home_content(configd_t)
+userdom_read_all_users_home_content_files(configd_t)
+userdom_manage_all_users_home_content_files(configd_t)
+
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.fc#2 (text+ko) ====
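Review bot: The configd.te hunk at @@ -169 grants `userdom_manage_all_users_home_content_files(configd_t)` under a `# Read user home dirs` heading and `darwin_allow_keychain_manage(configd_t)` next to `darwin_allow_keychain_read`, so a system daemon can now create, rewrite and unlink every user's home files and keychains, while the headings (`# Read ...`, `# Read files in /tmp` above `files_manage_generic_tmp_files`) describe read access and the change record cites no denial that needed manage. Please record which paths configd actually wrote and, if they are a fixed set, give them their own type rather than opening all of darwin_keychain_t and user home content to the domain; at minimum retitle the headings to say manage so the policy reads as what it grants. In the preceding hunk, `allow configd_t var_log_t:dir search;` references another module's type directly; upstream refpolicy's `logging_search_logs(configd_t)` expresses the same rule through the owning module's interface and needs no gen_require. These rules are the end of configd.te as far as the hunk shows.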
@@ -3,4 +3,4 @@
 # MLS sensitivity: s0
 # MCS categories: <none>
-/System/Library/CoreServices/coreservicesd -- gen_context(system_u:object_r:coreservicesd_exec_t,s0)
+/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/Support/coreservicesd -- gen_context(system_u:object_r:coreservicesd_exec_t,s0)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#2 (text+ko) ====
@@ -24,3 +24,59 @@
 ## internal communication is often done using fifo and unix sockets.
 allow coreservicesd_t self:fifo_file { read write };
 allow coreservicesd_t self:unix_stream_socket create_stream_socket_perms;
+
+# Talk to self
+mach_allow_message(coreservicesd_t, coreservicesd_t)
+allow coreservicesd_t self:mach_task set_special_port;
+allow coreservicesd_t self:process signal;
+allow coreservicesd_t self:shm { create read setattr write };
+allow coreservicesd_t self:udp_socket create;
+
+# Talk to launchd
+init_allow_ipc(coreservicesd_t)
+
+# Talk to kernel
+kernel_allow_ipc(coreservicesd_t)
+
+# Talk to WindowServer
+WindowServer_allow_ipc(coreservicesd_t)
+
+# Talk to configd
+configd_allow_ipc(coreservicesd_t)
+
+# Use CoreServices
+darwin_allow_CoreServices_read(coreservicesd_t)
+darwin_allow_CoreServices_execute(coreservicesd_t)
+
+# Use caches
+darwin_allow_cache_read(coreservicesd_t)
+
+# Read prefs
+darwin_allow_global_pref_read(coreservicesd_t)
+darwin_allow_host_pref_read(coreservicesd_t)
+
+# Read /private
+darwin_allow_private_read(coreservicesd_t)
+
+# Talk to diskarbitrationd
+diskarbitrationd_allow_ipc(coreservicesd_t)
+
+# Use frameworks
+frameworks_read(coreservicesd_t)
+
+# Talk to loginwindow
+loginwindow_allow_ipc(coreservicesd_t)
+# An interface should be defined for this.
+allow coreservicesd_t loginwindow_t:process taskforpid;
+
+# Read user home dirs
+userdom_search_all_users_home_content(coreservicesd_t)
+userdom_read_all_users_home_content_files(coreservicesd_t)
+
+# Read var files
+files_read_var_files(coreservicesd_t)
+files_read_var_symlinks(coreservicesd_t)
+
+
+
+
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#5 (text+ko) ====
@@ -27,6 +27,7 @@
 # Misc
 allow kextd_t self:fd use;
+allow kextd_t fs_t:filesystem getattr;
 allow kextd_t self:mach_port { copy_send make_send_once send };
 allow kextd_t random_device_t:chr_file read;
 allow kextd_t nfs_t:filesystem getattr;
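Review bot: `allow coreservicesd_t loginwindow_t:process taskforpid;` in the coreservicesd.te hunk hands coreservicesd the loginwindow task port, which on Darwin means reading and writing that process's memory and injecting threads — in effect loginwindow's full authority — so it deserves more than the `# An interface should be defined for this.` placeholder. Before this lands, confirm from the audit trail which call path needs task_for_pid on loginwindow rather than a Mach message that `loginwindow_allow_ipc` already covers, and state it in the comment. If it is genuinely required, add a `loginwindow_taskforpid()` interface in loginwindow.if with a `gen_require` for loginwindow_t so coreservicesd.te stops naming a foreign type directly. The coreservicesd local-policy section begins before this hunk.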
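Review bot: `allow kextd_t fs_t:filesystem getattr;` in the kextd.te hunk is a raw reference to the filesystem module's type from inside kextd.te; the neighbouring `nfs_t` line already does the same, but new rules should go through the owning module's interface (upstream refpolicy provides `fs_getattr_xattr_fs(kextd_t)` for this) so the module links without a gen_require and survives a type rename. The line is also dropped between `self:fd use` and `self:mach_port`, splitting the `# Misc` self rules; placing it beside the nfs_t getattr keeps the filesystem rules together. The `# Misc` block may continue past the hunk.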
@@ -76,6 +77,8 @@
 # Use tmp files
 files_tmp_file(kextd_t)
+files_manage_generic_tmp_files(kextd_t)
+files_manage_generic_tmp_files(kextd_t)
 # Read /private/var
 files_read_var_files(kextd_t)
@@ -87,6 +90,8 @@
 # Read the kernel
 kernel_read_kernel(kextd_t)
-
 # Use CoreServices
 darwin_allow_CoreServices_read(kextd_t)
+
+# Read modules
+modutils_read_module_deps(kextd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#6 (text+ko) ====
@@ -82,7 +82,7 @@
 darwin_allow_CoreServices_execute(loginwindow_t)
 # Read prefs
-darwin_allow_global_pref_read(loginwindow_t)
+darwin_allow_global_pref_rw(loginwindow_t)
 darwin_allow_host_pref_read(loginwindow_t)
 # Read /private
@@ -117,6 +117,7 @@
 # Read/Write utmp
 init_rw_utmp(loginwindow_t)
+init_manage_utmp(loginwindow_t)
 # Use login plugins
 darwin_allow_loginplugin_read(loginwindow_t)
@@ -131,3 +132,16 @@
 # Read services files
 darwin_allow_services_read(loginwindow_t)
+# Access tmp files
+files_read_generic_tmp_files(loginwindow_t)
+files_manage_generic_tmp_files(loginwindow_t)
+
+# /var file operations
+files_rw_var_files(loginwindow_t)
+files_read_var_symlinks(loginwindow_t)
+files_search_var(loginwindow_t)
+files_read_var_symlinks(loginwindow_t)
+
+# Write to WTMP
+auth_write_login_records(loginwindow_t)
+
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.if#4 (text+ko) ====
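Review bot: `files_manage_generic_tmp_files(kextd_t)` is added twice in a row under `# Use tmp files` in the kextd.te hunk; drop one of the two lines. The addition also widens kextd from whatever its own tmp handling covered to creating, writing and unlinking every generic tmp_t file in /tmp, which is a lot for the kernel-extension loader; if it only needs its own scratch files, a filetrans into a kextd-private tmp type would keep them out of reach of other tmp_t writers, though the hunk does not show whether such a type is already declared. A comment naming the tmp path that produced the denial would justify whichever rule remains.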
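Review bot: `files_read_var_symlinks(loginwindow_t)` appears twice in the `# /var file operations` block of the loginwindow.te hunk at @@ -131; remove the second copy. In the same file, `init_manage_utmp(loginwindow_t)` is added directly under `init_rw_utmp(loginwindow_t)`, which it subsumes, and `darwin_allow_global_pref_read` becomes `darwin_allow_global_pref_rw` while its heading still says `# Read prefs`; drop the redundant rw_utmp call and change the heading to `# Read/write global prefs, read host prefs` so the comments match the grants. `files_rw_var_files` also gives loginwindow write access to everything labelled var_t rather than specific files, so it is worth noting in the comment which /var paths drove it. The new block closes loginwindow.te as far as the hunk shows.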
@@ -53,3 +53,34 @@
 allow $1 securityd_tmp_t:dir search_dir_perms;
 ')
+########################################
+## <summary>
+## Allow read/write of securityd tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`securityd_tmp_rw',`
+
+ allow $1 securityd_tmp_t:file rw_file_perms;
+ allow $1 securityd_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow managing of securityd tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`securityd_tmp_manage',`
+
+ allow $1 securityd_tmp_t:file manage_file_perms;
+ allow $1 securityd_tmp_t:dir manage_dir_perms;
+')
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#5 (text+ko) ====
@@ -96,9 +96,17 @@
 # Read/Write temp files, etc
 files_read_generic_tmp_files(securityd_t)
-securityd_tmp_read(securityd_t)
+files_read_generic_tmp_symlinks(securityd_t)
+files_manage_generic_tmp_files(securityd_t)
+# Aind since there's not interface to write tmp files...
+allow securityd_t tmp_t:file { create unlink write };
+
+securityd_tmp_rw(securityd_t)
+securityd_tmp_manage(securityd_t)
 # Read user home dirs
 userdom_search_all_users_home_content(securityd_t)
 userdom_read_all_users_home_content_files(securityd_t)
+# Allow reading of security_t files
+darwin_allow_security_read(securityd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/authlogin.fc#4 (text+ko) ====
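Review bot: Neither new interface in the securityd.if hunk declares the type it uses: `securityd_tmp_rw` and `securityd_tmp_manage` both reference securityd_tmp_t with no `gen_require(` block, unlike `darwin_allow_keychain_search` that this same change adds to darwin.if. In refpolicy a calling module (configd.te does call `securityd_tmp_rw(configd_t)` in this change) is linked against the types its interfaces name in gen_require, so without it the expansion depends on declaration order or fails to link. Add `gen_require(\` type securityd_tmp_t; ')` as the first lines of both interface bodies, and if the existing `securityd_tmp_read` just above — whose opening is outside the hunk — lacks one too, fix it at the same time.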
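Review bot: In the securityd.te hunk, `allow securityd_t tmp_t:file { create unlink write };` under `# Aind since there's not interface to write tmp files...` is redundant with `files_manage_generic_tmp_files(securityd_t)` on the line above it, whose manage_file_perms already include create, write and unlink on tmp_t; delete the raw allow and its comment. The larger concern is that securityd, a credential-handling daemon, now creates files in the shared /tmp under the generic tmp_t type, where any other tmp_t writer can pre-create or replace them; since the module already owns securityd_tmp_t, a `files_tmp_filetrans(securityd_t, securityd_tmp_t, file)` would label what it creates privately and `securityd_tmp_manage(securityd_t)` then covers the access. The hunk does not show whether such a filetrans already exists earlier in securityd.te.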
@@ -12,7 +12,6 @@
 /private/var/log/asl.log -- gen_context(system_u:object_r:var_log_t,s0)
 /private/var/log/netinfo.log -- gen_context(system_u:object_r:var_log_t,s0)
 /private/var/log/install.log -- gen_context(system_u:object_r:var_log_t,s0)
-/private/var/log/windowserver.log -- gen_context(system_u:object_r:var_log_t,s0)
 /private/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
 /private/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#4 (text+ko) ====
@@ -255,6 +255,7 @@
 allow $1 darwin_loginplugin_t:file read_file_perms;
 allow $1 darwin_loginplugin_t:dir r_dir_perms;
+ allow $1 darwin_loginplugin_t:lnk_file r_file_perms;
 ')
@@ -500,7 +501,7 @@
 ')
 allow $1 darwin_security_t:file read_file_perms;
- allow $1 darwin_security_t:file r_dir_perms;
+ allow $1 darwin_security_t:dir r_dir_perms;
 ')
 ########################################
@@ -556,7 +557,25 @@
 ')
 allow $1 darwin_keychain_t:file read_file_perms;
- allow $1 darwin_keychain_t:file r_dir_perms;
+ allow $1 darwin_keychain_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow searching of keychain files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_keychain_search',`
+ gen_require(`
+ type darwin_keychain_t;
+ ')
+
+ allow $1 darwin_keychain_t:dir search_dir_perms;
 ')
 ########################################
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#7 (text+ko) ====
@@ -672,3 +672,8 @@
 darwin_allow_private_manage(init_t)
 darwin_allow_private_rw(init_t)
+# Allow keychain access
+darwin_allow_keychain_read(init_t)
+
+# Allow access to security files
+darwin_allow_security_read(init_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.te#5 (text+ko) ====
@@ -134,6 +134,13 @@
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
+# Talk to launchd
+init_allow_ipc(syslogd_t)
+init_allow_bootstrap(syslogd_t)
+
+# Talk to kernel
+kernel_allow_ipc(syslogd_t)
+
 # Talk to self
 allow syslogd_t self:socket read;
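Review bot: `darwin_allow_keychain_read(init_t)` in the init.te hunk lets the init/launchd domain read every file labelled darwin_keychain_t — the credential stores — and the change record ("Update policy.") cites no denial or call path that needed it. Because init_t is already the most capable long-lived domain in the policy, this is the kind of grant that should carry a comment naming what launchd actually opened (`# launchd reads <path> at boot for <reason>`), or, if the read came from a child that had not yet transitioned to its own domain, the fix belongs in that domain transition rather than here. The same question applies to `darwin_allow_security_read(init_t)`. The init_t rules continue outside the hunk.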