Date: Tue, 14 Dec 2004 14:11:05 GMT From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 67061 for review Message-ID: <200412141411.iBEEB5Kx048598@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=67061 Change 67061 by areisse@areisse_tislabs on 2004/12/14 14:10:46 bring flask configuration changes that were made in the kernel tree over to the policy. Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/Makefile#2 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#6 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/initial_sids#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkaccess_vector.sh#2 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkflask.sh#2 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/security_classes#5 integrate Differences ... ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/Makefile#2 (text+ko) ==== 
@@ -1,40 +1,26 @@
-# flask needs to know where to export the libselinux headers.
-LIBSELINC ?= ../../libselinux/include
+#
+# Makefile for building the SELinux module as part of the kernel.
+#
 
-# flask needs to know where to export the kernel headers.
-LINUXDIR ?= ../../../linux-2.5
-
 AWK = awk
 
-CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
- else if [ -x /bin/bash ]; then echo /bin/bash; \
- else echo sh; fi ; fi)
-
 FLASK_H_DEPEND = security_classes initial_sids
 AV_H_DEPEND = access_vectors
 
-FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
-ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
+FLASK_H_FILES = av_inherit.h av_perm_to_string.h av_permissions.h class_to_string.h common_perm_to_string.h initial_sid_to_string.h
 
-all: $(ALL_H_FILES)
+all: flask.h av_permissions.h
 
-$(FLASK_H_FILES): $(FLASK_H_DEPEND)
- $(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+flask.h: $(FLASK_H_DEPEND)
+ /bin/sh ./mkflask.sh $(AWK) $(FLASK_H_DEPEND)
 
-$(AV_H_FILES): $(AV_H_DEPEND)
- $(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
+av_permissions.h: $(AV_H_DEPEND)
+ /bin/sh ./mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
 
-tolib: all
- install -m 644 $(ALL_H_FILES) $(LIBSELINC)/selinux
-
-tokern: all
- install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
-
-install: all
-
-relabel:
+install: flask.h av_permissions.h
+ install -C -m0644 $(FLASK_H_FILES) ../avc
+ install -C -m0644 flask.h ..
 
 clean:
  rm -f $(FLASK_H_FILES)
- rm -f $(AV_H_FILES)
+ rm -f $(FLASK_IH_FILES)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#6 (text+ko) ====
@@ -220,10 +220,11 @@
 {
 fork
 transition
- sigchld
- sigkill
- sigstop
- signal
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
 ptrace
 getsched
 setsched
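Review bot: The new clean rule `rm -f $(FLASK_IH_FILES)` names a variable this Makefile never defines — the only generated-file list in the hunk is `FLASK_H_FILES` — so the line expands to a bare `rm -f` and the generated `flask.h` is never removed by `clean`. Given that `all` and `install` name `flask.h` explicitly, the intended line is presumably `rm -f flask.h`. A stale `flask.h` surviving `clean` would be rebuilt only when its `security_classes`/`initial_sids` dependencies change, which is easy to miss after editing mkflask.sh itself.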
@@ -233,11 +234,13 @@
 getcap
 setcap
 share
- signull
 getattr
 setexec
 setfscreate
 noatsecure
+ siginh
+ setrlimit
+ rlimitinh
 }
 
 
@@ -289,6 +292,8 @@
 load_policy
 compute_relabel
 compute_user
+ setenforce # was avc_toggle in system class
+ setbool
 }
 
 
@@ -298,15 +303,8 @@
 
 class system
 {
- net_io_control
- route_control
- arp_control
- rarp_control
 ipc_info
- avc_toggle
- nfsd_control
- bdflush
- syslog_read
+ syslog_read
 syslog_mod
 syslog_console
 }
@@ -367,6 +365,11 @@
 lease
 }
 
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
 class passwd
 {
 passwd
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/initial_sids#4 (text+ko) ====
@@ -28,7 +28,10 @@
 sid sysctl_vm
 sid sysctl_dev
 sid kmod
+sid devfs
+sid devpts
+sid nfs
 sid policy
-sid scmp_packet
+sid tmpfs
 
 # FLASK
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkaccess_vector.sh#2 (text+ko) ====
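Review bot: Inserting `sid devfs`, `sid devpts` and `sid nfs` ahead of `sid policy` in the initial_sids hunk shifts the position of every initial SID after them, so if mkflask.sh numbers `SECINITSID_*` sequentially (its numbering logic is outside this change) the values for `policy` and `tmpfs` no longer match a kernel or binary policy built from the previous list. The change description says this mirrors the kernel tree, but nothing here records that kernel and policy must be rebuilt together; a one-line remark in the description, or a comment above `sid devfs` such as `# order is significant: initial SIDs are numbered by position`, would make the dependency explicit. The security_classes file is listed as changed but its hunk is not shown, so the class numbering cannot be checked the same way here.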
@@ -36,22 +36,22 @@
 printf("/* %s */\n\n", subproject) > cpermfile;
 printf("/* %s */\n\n", subproject) > inheritfile;
- printf("struct av_inherit\n") > inheritfile;
+ printf("typedef struct\n") > inheritfile;
 printf("{\n") > inheritfile;
- printf(" u16 tclass;\n") > inheritfile;
+ printf(" security_class_t tclass;\n") > inheritfile;
 printf(" char **common_pts;\n") > inheritfile;
- printf(" u32 common_base;\n") > inheritfile;
- printf("};\n\n") > inheritfile;
- printf("static struct av_inherit av_inherit[] = {\n") > inheritfile;
+ printf(" access_vector_t common_base;\n") > inheritfile;
+ printf("} av_inherit_t;\n\n") > inheritfile;
+ printf("static av_inherit_t av_inherit[] = {\n") > inheritfile;
 printf("/* %s */\n\n", subproject) > avpermfile;
- printf("struct av_perm_to_string\n") > avpermfile;
+ printf("typedef struct\n") > avpermfile;
 printf("{\n") > avpermfile;
- printf(" u16 tclass;\n") > avpermfile;
- printf(" u32 value;\n") > avpermfile;
+ printf(" security_class_t tclass;\n") > avpermfile;
+ printf(" access_vector_t value;\n") > avpermfile;
 printf(" char *name;\n") > avpermfile;
- printf("};\n\n") > avpermfile;
- printf("static struct av_perm_to_string av_perm_to_string[] = {\n") > avpermfile;
+ printf("} av_perm_to_string_t;\n\n") > avpermfile;
+ printf("static av_perm_to_string_t av_perm_to_string[] = {\n") > avpermfile;
 }
 /^[ \t]*#/ {
 next;
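Review bot: The generated av_inherit.h and av_perm_to_string.h now use `security_class_t` and `access_vector_t`, but nothing in this hunk emits an include for the header that defines them, so the generated files compile only when the includer has already pulled those types in (the mkflask.sh hunk in this same change emits `#include <security/sebsd/flask_types.h>` into flask.h, which is presumably where they live). Either emit the same `printf("#include <security/sebsd/flask_types.h>\n\n") > inheritfile;` (and likewise into avpermfile) right after the `/* %s */` banner, or state in the generated banner comment that flask.h must be included first. Since the `av_inherit` and `av_perm_to_string` tables are now typedef'd here anyway, this is also the moment to make `common_pts` and `name` `const char` so the static tables can live in read-only storage.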
@@ -129,12 +129,15 @@
 spaces = 1;
 for (i = 0; i < spaces; i++)
 printf(" ") > outfile;
- printf("0x%08xUL\n", common_perms[combined]) > outfile;
+ pt = common_perms[combined];
+ printf("0x%08x%08xUL\n", pt>32 ? 2^(pt-33) : 0, pt<33 ? 2^(pt-1) : 0) > outfile;
+ #printf("0x%08xUL\n", common_perms[combined]) > outfile;
 }
 }
 printf("\n") > outfile;
- printf(" { SECCLASS_%s, common_%s_perm_to_string, 0x%08xUL },\n", toupper(tclass), inherits, permission) > inheritfile;
+ printf(" { SECCLASS_%s, common_%s_perm_to_string, 0x%08x%08xUL },\n", toupper(tclass), inherits,
+ permission>32 ? 2^(permission-33) : 0, permission<33 ? 2^(permission-1) : 0) > inheritfile;
 nextstate = "CLASS_OR_CLASS-OPENBRACKET";
 next;
@@ -209,8 +212,8 @@
 for (i = 0; i < spaces; i++)
 printf(" ") > outfile;
- printf("0x%08xUL\n", permission) > outfile;
- permission = permission * 2;
+ printf("0x%08x%08xUL\n", permission>32 ? 2^(permission-33) : 0, permission<33 ? 2^(permission-1) : 0) > outfile;
+ permission = permission + 1;
 }
 $1 == "}" {
 if (nextstate != "CLASS-CLOSEBRACKET" &&
@@ -239,9 +242,11 @@
 printf("\n/* %s */\n", subproject) > cpermfile;
 printf("};\n\n") > inheritfile;
+ printf("#define AV_INHERIT_SIZE (sizeof(av_inherit)/sizeof(av_inherit_t))\n\n") > inheritfile;
 printf("\n/* %s */\n", subproject) > inheritfile;
 printf("};\n\n") > avpermfile;
+ printf("#define AV_PERM_TO_STRING_SIZE (sizeof(av_perm_to_string)/sizeof(av_perm_to_string_t))\n\n") > avpermfile;
 printf("\n/* %s */\n", subproject) > avpermfile;
 }'
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkflask.sh#2 (text+ko) ====
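Review bot: The three new `printf("0x%08x%08xUL\n", …)` mask computations silently emit a wrong bit for any class that declares more than 64 permissions: once `permission` reaches 65, `2^(permission-33)` no longer fits the 32-bit high word, and awk's `^` is floating point so what `%08x` prints for it is implementation-dependent, with no diagnostic either way. A guard next to the new `permission = permission + 1;` line, e.g. `if (permission > 64) { print "too many permissions in class " tclass > "/dev/stderr"; exit 1; }`, turns that into a build failure, which matters because the generated masks are what the kernel's access checks compare against. Separately, a 64-bit constant should carry the `ULL` suffix rather than `UL`, since `unsigned long` is 32 bits on i386, and the commented-out `#printf("0x%08xUL\n", …)` line kept in the first hunk should be dropped rather than left as dead code.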
@@ -23,8 +23,10 @@
 printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
- printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
- printf("#define _SELINUX_FLASK_H_\n") > outfile;
+ printf("#ifndef _LINUX_FLASK_H_\n") > outfile;
+ printf("#define _LINUX_FLASK_H_\n") > outfile;
+ printf("\n#include <security/sebsd/flask_types.h>\n") > outfile;
+ printf("\n/*\n * Security object class definitions\n */\n") > outfile;
 printf("/* This file is automatically generated. Do not edit. */\n") > debugfile;
 printf("/*\n * Security object class definitions\n */\n") > debugfile;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/security_classes#5 (text+ko) ====
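Review bot: The new include guard `_LINUX_FLASK_H_` names the Linux tree while the same hunk makes the generated header include `<security/sebsd/flask_types.h>`, so a SEBSD build that ever sees a Linux-derived flask.h in the include path would have one of the two silently skipped. An identifier starting with an underscore and an uppercase letter is also reserved for the C implementation. A project-prefixed guard such as `SEBSD_FLASK_H` in both the `#ifndef` and `#define` lines avoids both problems; the matching `#endif` is emitted outside this hunk and needs no change unless its trailing comment repeats the name.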