Date: Fri, 29 Apr 2005 14:51:17 GMT From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 76201 for review Message-ID: <200504291451.j3TEpH8g057946@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=76201 Change 76201 by areisse@areisse_ibook on 2005/04/29 14:50:35 Support for building the msgid->security class mappings. Autogenerate security classes and permissions for mach services (just bootstrap namespace now). Convert the TE rules to use the new names. To use this policy, you must install the sebsd_migscs file in the root directory and add a OF variable load_sebsd_migscs with value sebsd_migscs. Affected files ... .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/access_vectors#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/security_classes#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/macros/global_macros.te#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/migscs.pl#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/rules#2 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/Makefile#3 (text+ko) ==== @@ -1,13 +1,14 @@ include ../../Makeconfig +include $(DARWIN_ROOT)/build/Mig.mk POLICY= policy.16 SCRIPTS= create-extattr.sh sebsd-relabel.sh INSTALL?= install -all: $(POLICY) +all: $(POLICY) sebsd_migscs -INPUTS = flask/security_classes initial_sids \ - flask/access_vectors rules.m4 users initial_sid_contexts fs_use \ +INPUTS = flask/security_classes mig_classes initial_sids \ + flask/access_vectors mig_access_vectors rules.m4 users initial_sid_contexts fs_use \ devfs policy.conf: $(INPUTS) @@ -27,7 +28,7 @@ clean: rm -f bininclude $(POLICY) policy.conf policy.h rules.m4 fc.out \ - genfs + genfs mig_access_vectors mig_classes sebsd_migscs mig_msgids relabel: fc @echo This is broken 
@@ -38,3 +39,20 @@ (cd $(CURDIR)/..; tar -cf - policy) | (cd $(DESTDIR)/private/etc/sedarwin/; tar -xf -) cp -f Makefile.install $(DESTDIR)/private/etc/sedarwin/policy/Makefile + +# Mig security classes and access vectors + +DEFS = $(DARWIN_ROOT)/system_cmds/mach_init.tproj/bootstrap.defs + +mig_msgids: $(DEFS) + for i in $(DEFS); do $(MIG) -user /dev/null -server /dev/null -header /dev/null -sheader /dev/null -flasksc `basename $$i .defs`.flask $$i; cat `basename $$i .defs`.flask >> $@; done + +mig_access_vectors: mig_msgids + cat $< | awk '{print $$1, $$2}' > $@ + echo ';' >> $@ + +mig_classes: mig_access_vectors + grep '^class' $< > $@ + +sebsd_migscs: flask/security_classes mig_msgids + cat flask/security_classes mig_msgids | perl migscs.pl ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/access_vectors#2 (text+ko) ==== @@ -378,11 +378,3 @@ set_special_port } -class mach_names -{ - register - look_up - getparent - makesubset - create_server -}; ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/security_classes#2 (text+ko) ==== ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/macros/global_macros.te#2 (text+ko) ==== @@ -1168,13 +1168,16 @@ define(`mach_bootstrap', ` allow $1 $2:mach_port { send copy_send make_send }; -allow $1 $3:mach_names look_up; +allow $1 $2:mi_bootstrap { bootstrap_look_up bootstrap_look_up_array }; allow init_d $1:mach_port { send copy_send }; ') define(`mach_bootstrap_register', ` -allow $1 $2:mach_names register; +allow $1 $2:mi_bootstrap *; allow $1 $2:mach_port { send copy_send }; allow init_d $1:mach_port { send copy_send }; ') +define(`boot_names_t', `init_d') +define(`user_names_t', `user_d') +define(`user_secret_names_t', `user_secret_d') ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/rules#2 (text+ko) ==== 
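Review bot: The `mig_msgids` recipe only ever appends to `$@` (`cat ... >> $@`) and never checks the exit status of `$(MIG)`, so a rebuild after `$(DEFS)` changes stacks new entries on top of the old ones, and a failed mig run can still leave a target that looks up to date. `mig_access_vectors`, `mig_classes` and `sebsd_migscs` are all derived from this file, so a stale or duplicated msgid map would flow into the policy inputs and into the file the description says must be installed in the root directory. Build into a temporary file under `set -e` and rename it at the end, as sketched below. The per-.defs `.flask` intermediates are written to the current directory but are missing from the `clean` list extended in the previous hunk, and `sebsd_migscs` does not list `migscs.pl` as a prerequisite, so an edited script would not trigger a rebuild.

```make
mig_msgids: $(DEFS)
	rm -f $@.tmp
	set -e; for i in $(DEFS); do \
		f=`basename $$i .defs`.flask; \
		$(MIG) -user /dev/null -server /dev/null -header /dev/null -sheader /dev/null -flasksc $$f $$i; \
		cat $$f >> $@.tmp; \
	done
	mv -f $@.tmp $@
# … unchanged: mig_access_vectors, mig_classes, sebsd_migscs rules …
```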
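Review bot: `mach_bootstrap_register` now grants `allow $1 $2:mi_bootstrap *;`, which hands every permission in the class to callers that previously received only `register` on `mach_names`. The rules hunks name at least `bootstrap_create_server` and `bootstrap_subset` in this class, so every domain using the macro picks those up as well, and explicit rules such as `allow loginwindow_d boot_names_t:mi_bootstrap bootstrap_subset;` become redundant. Keeping the macro to `allow $1 $2:mi_bootstrap bootstrap_register;` and leaving the extra permissions to the per-domain rules would preserve the old least-privilege shape. Separately, `mach_bootstrap` no longer references `$3` although callers still pass three arguments, so the look-up grant is now on the `$2` type rather than on the server domain; a comment on the macro stating that the third argument is ignored would stop a reader from assuming per-server scoping.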
@@ -36,9 +36,9 @@ type user_port_t; type time_port_t; -type boot_names_t, names; -type user_names_t, names; -type user_secret_names_t, names; +#type boot_names_t, names; +#type user_names_t, names; +#type user_secret_names_t, names; type root_t, file; type appl_t, file; @@ -119,7 +119,7 @@ allow domain2 self:mach_port { send make_send copy_send move_recv }; allow domain2 kernel_d:mach_port { send make_send copy_send }; allow domain2 self:mach_task set_special_port; -allow domain2 self:mach_names { look_up }; +allow domain2 self:mi_bootstrap { bootstrap_look_up }; allow domain2 root_t:dir { search getattr read }; allow kernel_d domain2:mach_port { send make_send copy_send }; @@ -165,16 +165,16 @@ allow_mach_ipc(loginwindow_d,windowserver_d); allow_mach_ipc(loginwindow_d,unlabeled_t); -allow init_d self:mach_names { register look_up }; +allow init_d self:mi_bootstrap { bootstrap_register bootstrap_look_up }; allow kernel_d names:mach_port send; allow_mach_ipc(init_d,coreservices_d); #??? mach_bootstrap(init_d,boot_names_t,boot_names_t); #??? -type_change loginwindow_d loginwindow_d:mach_names user_names_t; #XXX +mach_bootstrap_register(init_d,boot_names_t); +#type_change loginwindow_d loginwindow_d:mach_names user_names_t; #XXX allow init_d init_d:mach_port relabelfrom; allow init_d boot_names_t:mach_port relabelto; -allow init_d boot_names_t:mach_names { register create_server }; #??? allow init_d user_names_t:mach_port { copy_send relabelto }; allow_mach_ipc(systemstarter_d,unlabeled_t); 
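Review bot: With the three `names`-attributed types commented out in the first hunk, the unchanged rule `allow kernel_d names:mach_port send;` in the `@@ -165,16 +165,16 @@` hunk still refers to the `names` attribute; unless a declaration outside these hunks carries it, that rule matches nothing or fails to compile. Assuming the new `define`s in global_macros.te are expanded over this file, `boot_names_t`, `user_names_t` and `user_secret_names_t` now resolve to `init_d`, `user_d` and `user_secret_d`, so rules like `allow init_d user_names_t:mach_port { copy_send relabelto };` apply to the domain types themselves, and the policy appears to lose the distinction between a name port's label and a task's own label. If that is an intended stopgap, delete the commented-out declarations and put a comment in their place along the lines of `# *_names_t are m4 aliases for the owning domains (see global_macros.te) until name ports get their own types`.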
@@ -186,8 +186,8 @@ mach_bootstrap(systemstarter_d,boot_names_t,securityserver_d); mach_bootstrap(systemstarter_d,boot_names_t,windowserver_d); mach_bootstrap(systemstarter_d,boot_names_t,boot_names_t); -allow systemstarter_d init_d:mach_names look_up; -allow systemstarter_d boot_names_t:mach_names { register create_server }; +allow systemstarter_d init_d:mi_bootstrap { bootstrap_look_up bootstrap_look_up_array }; +allow systemstarter_d boot_names_t:mi_bootstrap { bootstrap_register bootstrap_create_server }; mach_bootstrap(coreservices_d,boot_names_t,boot_names_t); mach_bootstrap(coreservices_d,boot_names_t,init_d); @@ -203,7 +203,7 @@ allow_mach_ipc(windowserver_d,init_d); # for wsloginui allow_mach_ipc(windowserver_d,coreservices_d); # for wsloginui mach_bootstrap_register(windowserver_d,boot_names_t); -allow windowserver_d init_d:mach_names register; +allow windowserver_d init_d:mi_bootstrap bootstrap_register; allow_mach_ipc(loginwindow_d,coreservices_d); allow_mach_ipc(loginwindow_d,init_d); @@ -214,7 +214,7 @@ mach_bootstrap(loginwindow_d,boot_names_t,windowserver_d); mach_bootstrap(loginwindow_d,boot_names_t,securityserver_d); mach_bootstrap_register(loginwindow_d,boot_names_t); -allow loginwindow_d boot_names_t:mach_names makesubset; +allow loginwindow_d boot_names_t:mi_bootstrap bootstrap_subset; mach_bootstrap(securityserver_d,boot_names_t,init_d); mach_bootstrap(securityserver_d,boot_names_t,boot_names_t); @@ -229,7 +229,7 @@ allow_mach_ipc(lookupd_d,init_d); #DirectoryService? allow_mach_ipc(lookupd_d,cron_d); mach_bootstrap(lookupd_d,boot_names_t,boot_names_t); -allow lookupd_d boot_names_t:mach_names create_server; +allow lookupd_d boot_names_t:mi_bootstrap bootstrap_create_server; mach_bootstrap(cron_d,boot_names_t,init_d); allow_mach_ipc(cron_d,init_d); 
@@ -259,7 +259,7 @@ # define(`user_sys_access',` -allow $1 { $1 init_d }:mach_names { register look_up }; +allow $1 { $1 init_d }:mi_bootstrap { bootstrap_register bootstrap_look_up bootstrap_look_up_array }; mach_bootstrap(init_d,$2,securityserver_d); #??? @@ -277,7 +277,7 @@ mach_bootstrap(loginwindow_d,$2,systemstarter_d); #??? mach_bootstrap(loginwindow_d,$2,$1); #??? mach_bootstrap_register(loginwindow_d,$2); -allow loginwindow_d $2:mach_names create_server; +allow loginwindow_d $2:mi_bootstrap bootstrap_create_server; mach_bootstrap(securityserver_d,$2,$2); mach_bootstrap(securityserver_d,$2,$1);
