Date:      Tue, 14 Dec 2004 15:19:28 GMT
From:      Andrew Reisse <areisse@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 67063 for review
Message-ID:  <200412141519.iBEFJSIA052589@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=67063

Change 67063 by areisse@areisse_tislabs on 2004/12/14 15:19:13

	Rebuild flask include files. Change AVC_TOGGLE to SETENFORCE.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_inherit.h#4 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_perm_to_string.h#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_permissions.h#6 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/class_to_string.h#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/common_perm_to_string.h#4 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/initial_sid_to_string.h#4 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/flask.h#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#5 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_inherit.h#4 (text+ko) ====


==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_perm_to_string.h#5 (text+ko) ====

@@ -54,6 +54,7 @@
    { SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld" },
    { SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill" },
    { SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop" },
+   { SECCLASS_PROCESS, PROCESS__SIGNULL, "signull" },
    { SECCLASS_PROCESS, PROCESS__SIGNAL, "signal" },
    { SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace" },
    { SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched" },
@@ -64,6 +65,13 @@
    { SECCLASS_PROCESS, PROCESS__GETCAP, "getcap" },
    { SECCLASS_PROCESS, PROCESS__SETCAP, "setcap" },
    { SECCLASS_PROCESS, PROCESS__SHARE, "share" },
+   { SECCLASS_PROCESS, PROCESS__GETATTR, "getattr" },
+   { SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec" },
+   { SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate" },
+   { SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure" },
+   { SECCLASS_PROCESS, PROCESS__SIGINH, "siginh" },
+   { SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit" },
+   { SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh" },
    { SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue" },
    { SECCLASS_MSG, MSG__SEND, "send" },
    { SECCLASS_MSG, MSG__RECEIVE, "receive" },
@@ -74,24 +82,15 @@
    { SECCLASS_POSIX_SEM, POSIX_SEM__WRITE, "write" },
    { SECCLASS_POSIX_SEM, POSIX_SEM__READ, "read" },
    { SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av" },
-   { SECCLASS_SECURITY, SECURITY__NOTIFY_PERM, "notify_perm" },
-   { SECCLASS_SECURITY, SECURITY__TRANSITION_SID, "transition_sid" },
-   { SECCLASS_SECURITY, SECURITY__MEMBER_SID, "member_sid" },
-   { SECCLASS_SECURITY, SECURITY__SID_TO_CONTEXT, "sid_to_context" },
-   { SECCLASS_SECURITY, SECURITY__CONTEXT_TO_SID, "context_to_sid" },
+   { SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create" },
+   { SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member" },
+   { SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context" },
    { SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy" },
-   { SECCLASS_SECURITY, SECURITY__GET_SIDS, "get_sids" },
-   { SECCLASS_SECURITY, SECURITY__REGISTER_AVC, "register_avc" },
-   { SECCLASS_SECURITY, SECURITY__CHANGE_SID, "change_sid" },
-   { SECCLASS_SECURITY, SECURITY__GET_USER_SIDS, "get_user_sids" },
-   { SECCLASS_SYSTEM, SYSTEM__NET_IO_CONTROL, "net_io_control" },
-   { SECCLASS_SYSTEM, SYSTEM__ROUTE_CONTROL, "route_control" },
-   { SECCLASS_SYSTEM, SYSTEM__ARP_CONTROL, "arp_control" },
-   { SECCLASS_SYSTEM, SYSTEM__RARP_CONTROL, "rarp_control" },
+   { SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel" },
+   { SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user" },
+   { SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce" },
+   { SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool" },
    { SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info" },
-   { SECCLASS_SYSTEM, SYSTEM__AVC_TOGGLE, "avc_toggle" },
-   { SECCLASS_SYSTEM, SYSTEM__NFSD_CONTROL, "nfsd_control" },
-   { SECCLASS_SYSTEM, SYSTEM__BDFLUSH, "bdflush" },
    { SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read" },
    { SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod" },
    { SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console" },
@@ -139,6 +138,9 @@
    { SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config" },
    { SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod" },
    { SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease" },
+   { SECCLASS_PASSWD, PASSWD__PASSWD, "passwd" },
+   { SECCLASS_PASSWD, PASSWD__CHFN, "chfn" },
+   { SECCLASS_PASSWD, PASSWD__CHSH, "chsh" },
 };
 
 #define AV_PERM_TO_STRING_SIZE (sizeof(av_perm_to_string)/sizeof(av_perm_to_string_t))

==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_permissions.h#6 (text+ko) ====

@@ -482,16 +482,24 @@
 #define PROCESS__SIGCHLD                          0x0000000000000004UL
 #define PROCESS__SIGKILL                          0x0000000000000008UL
 #define PROCESS__SIGSTOP                          0x0000000000000010UL
-#define PROCESS__SIGNAL                           0x0000000000000020UL
-#define PROCESS__PTRACE                           0x0000000000000040UL
-#define PROCESS__GETSCHED                         0x0000000000000080UL
-#define PROCESS__SETSCHED                         0x0000000000000100UL
-#define PROCESS__GETSESSION                       0x0000000000000200UL
-#define PROCESS__GETPGID                          0x0000000000000400UL
-#define PROCESS__SETPGID                          0x0000000000000800UL
-#define PROCESS__GETCAP                           0x0000000000001000UL
-#define PROCESS__SETCAP                           0x0000000000002000UL
-#define PROCESS__SHARE                            0x0000000000004000UL
+#define PROCESS__SIGNULL                          0x0000000000000020UL
+#define PROCESS__SIGNAL                           0x0000000000000040UL
+#define PROCESS__PTRACE                           0x0000000000000080UL
+#define PROCESS__GETSCHED                         0x0000000000000100UL
+#define PROCESS__SETSCHED                         0x0000000000000200UL
+#define PROCESS__GETSESSION                       0x0000000000000400UL
+#define PROCESS__GETPGID                          0x0000000000000800UL
+#define PROCESS__SETPGID                          0x0000000000001000UL
+#define PROCESS__GETCAP                           0x0000000000002000UL
+#define PROCESS__SETCAP                           0x0000000000004000UL
+#define PROCESS__SHARE                            0x0000000000008000UL
+#define PROCESS__GETATTR                          0x0000000000010000UL
+#define PROCESS__SETEXEC                          0x0000000000020000UL
+#define PROCESS__SETFSCREATE                      0x0000000000040000UL
+#define PROCESS__NOATSECURE                       0x0000000000080000UL
+#define PROCESS__SIGINH                           0x0000000000100000UL
+#define PROCESS__SETRLIMIT                        0x0000000000200000UL
+#define PROCESS__RLIMITINH                        0x0000000000400000UL
 
 #define IPC__WRITE                                0x0000000000000020UL
 #define IPC__UNIX_WRITE                           0x0000000000000100UL
@@ -546,28 +554,19 @@
 #define POSIX_SEM__READ                           0x0000000000000010UL
 
 #define SECURITY__COMPUTE_AV                      0x0000000000000001UL
-#define SECURITY__NOTIFY_PERM                     0x0000000000000002UL
-#define SECURITY__TRANSITION_SID                  0x0000000000000004UL
-#define SECURITY__MEMBER_SID                      0x0000000000000008UL
-#define SECURITY__SID_TO_CONTEXT                  0x0000000000000010UL
-#define SECURITY__CONTEXT_TO_SID                  0x0000000000000020UL
-#define SECURITY__LOAD_POLICY                     0x0000000000000040UL
-#define SECURITY__GET_SIDS                        0x0000000000000080UL
-#define SECURITY__REGISTER_AVC                    0x0000000000000100UL
-#define SECURITY__CHANGE_SID                      0x0000000000000200UL
-#define SECURITY__GET_USER_SIDS                   0x0000000000000400UL
+#define SECURITY__COMPUTE_CREATE                  0x0000000000000002UL
+#define SECURITY__COMPUTE_MEMBER                  0x0000000000000004UL
+#define SECURITY__CHECK_CONTEXT                   0x0000000000000008UL
+#define SECURITY__LOAD_POLICY                     0x0000000000000010UL
+#define SECURITY__COMPUTE_RELABEL                 0x0000000000000020UL
+#define SECURITY__COMPUTE_USER                    0x0000000000000040UL
+#define SECURITY__SETENFORCE                      0x0000000000000080UL
+#define SECURITY__SETBOOL                         0x0000000000000100UL
 
-#define SYSTEM__NET_IO_CONTROL                    0x0000000000000001UL
-#define SYSTEM__ROUTE_CONTROL                     0x0000000000000002UL
-#define SYSTEM__ARP_CONTROL                       0x0000000000000004UL
-#define SYSTEM__RARP_CONTROL                      0x0000000000000008UL
-#define SYSTEM__IPC_INFO                          0x0000000000000010UL
-#define SYSTEM__AVC_TOGGLE                        0x0000000000000020UL
-#define SYSTEM__NFSD_CONTROL                      0x0000000000000040UL
-#define SYSTEM__BDFLUSH                           0x0000000000000080UL
-#define SYSTEM__SYSLOG_READ                       0x0000000000000100UL
-#define SYSTEM__SYSLOG_MOD                        0x0000000000000200UL
-#define SYSTEM__SYSLOG_CONSOLE                    0x0000000000000400UL
+#define SYSTEM__IPC_INFO                          0x0000000000000001UL
+#define SYSTEM__SYSLOG_READ                       0x0000000000000002UL
+#define SYSTEM__SYSLOG_MOD                        0x0000000000000004UL
+#define SYSTEM__SYSLOG_CONSOLE                    0x0000000000000008UL
 
 #define CAPABILITY__CHOWN                         0x0000000000000001UL
 #define CAPABILITY__DAC_EXECUTE                   0x0000000000000002UL
@@ -614,5 +613,9 @@
 #define CAPABILITY__MKNOD                         0x0000040000000000UL
 #define CAPABILITY__LEASE                         0x0000080000000000UL
 
+#define PASSWD__PASSWD                            0x0000000000000001UL
+#define PASSWD__CHFN                              0x0000000000000002UL
+#define PASSWD__CHSH                              0x0000000000000004UL
+
 
 /* FLASK */

==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/class_to_string.h#5 (text+ko) ====

@@ -35,5 +35,6 @@
     "shm",
     "ipc",
     "posix_sem",
+    "passwd",
 };
 

==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/common_perm_to_string.h#4 (text+ko) ====


==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/initial_sid_to_string.h#4 (text+ko) ====


==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/flask.h#5 (text+ko) ====

@@ -37,6 +37,7 @@
 #define SECCLASS_SHM                                     28
 #define SECCLASS_IPC                                     29
 #define SECCLASS_POSIX_SEM                               30
+#define SECCLASS_PASSWD                                  31
 
 /*
  * Security identifier indices for initial entities

==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#5 (text+ko) ====

@@ -116,7 +116,7 @@
 		if (error)
 			return (error);
 
-		error = thread_has_system (curthread, SYSTEM__AVC_TOGGLE);
+		error = thread_has_system (curthread, SECURITY__SETENFORCE);
 		if (error)
 			return error;
 
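Review bot: The permission passed on the new line `error = thread_has_system (curthread, SECURITY__SETENFORCE);` is a SECCLASS_SECURITY bit (0x80 in the rebuilt av_permissions.h), while the helper's name suggests it performs the check against SECCLASS_SYSTEM, whose permissions in this change now stop at 0x8. If that is how thread_has_system is defined (its body is not in this change), the enforce-mode sysctl would be gated on a bit that no longer exists in the system class rather than on security:setenforce, and the access decision for that undefined bit depends entirely on how the AVC treats unknown permissions. Either route this call through the AVC check with SECCLASS_SECURITY as the target class, or add a security-class counterpart of the helper; at minimum, a comment such as `/* setenforce is a security-class permission, not a system-class one */` would keep the next reader from repeating the mismatch. The enclosing sysctl handler starts and ends outside this hunk, and `return error;` on the following line differs from the `return (error);` style used two lines above.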


