Date: Fri, 23 Feb 2007 20:23:43 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 114902 for review Message-ID: <200702232023.l1NKNhd2086192@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=114902
Change 114902 by millert@millert_macbook on 2007/02/23 20:23:37
Update policy
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#14 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#21 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#12 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#10 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#18 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.te#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/automount.if#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/automount.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/ntp.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#16 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#14 (text+ko) ====
@@ -138,3 +138,10 @@
 
 # Read files in /tmp
 files_read_generic_tmp_files(WindowServer_t)
+
+# Search /var/vm
+files_search_vm(WindowServer_t)
+
+# Read/write caches
+darwin_allow_cache_manage(WindowServer_t)
+allow WindowServer_t darwin_cache_t:dir { rw_dir_perms };
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#21 (text+ko) ====
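Review bot: The comment `# Read/write caches` in the WindowServer.te hunk does not match the rules under it: `darwin_allow_cache_manage(WindowServer_t)` is, by its name, a manage-level grant (create/delete, not just read/write), and the raw `allow WindowServer_t darwin_cache_t:dir { rw_dir_perms };` on the next line is likely redundant if that interface already covers the directory, as this same change makes `darwin_allow_global_pref_manage` do for its directory in darwin.if. I cannot see the cache interfaces in darwin.if, so the overlap is inferred from naming. Suggest either calling a read/write-level cache interface if one exists, or changing the comment to `# Manage caches` and dropping the duplicate dir rule once the interface body is checked.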
@@ -155,7 +155,6 @@
 
 # Read prefs, etc
 darwin_allow_global_pref_manage(configd_t)
-darwin_allow_global_pref_rw(configd_t)
 darwin_allow_host_pref_read(configd_t)
 darwin_allow_system_read(configd_t)
 
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#12 (text+ko) ====
@@ -48,6 +48,10 @@
 # Talk to Coreaudiod
 allow coreservicesd_t coreaudiod_t:process taskforpid;
 
+# Talk to automount
+automount_allow_ipc(coreservicesd_t)
+allow coreservicesd_t automount_t:process taskforpid;
+
 # Talk to configd
 configd_allow_ipc(coreservicesd_t)
 allow coreservicesd_t configd_t:process taskforpid;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#10 (text+ko) ====
@@ -111,4 +111,4 @@
 allow kextd_t console_device_t:chr_file { read write };
 
 # Access cache files
-allow kextd_t darwin_cache_t:dir { search getattr add_name };
+allow kextd_t darwin_cache_t:dir { search getattr add_name remove_name };
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#18 (text+ko) ====
@@ -95,7 +95,7 @@
 allow loginwindow_t coreservicesd_t:shm { read write };
 
 # Read prefs
-darwin_allow_global_pref_rw(loginwindow_t)
+darwin_allow_global_pref_manage(loginwindow_t)
 darwin_allow_host_pref_read(loginwindow_t)
 
 # Read /private
@@ -173,3 +173,7 @@
 # Read default_t
 files_list_default(loginwindow_t)
 files_read_default_files(loginwindow_t)
+
+# Read /System/Library/StartupItems
+allow configd_t darwin_startup_t:dir { read search getattr };
+allow configd_t darwin_startup_t:file { execute execute_no_trans read ioctl getattr };
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.te#9 (text+ko) ====
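Review bot: `allow coreservicesd_t automount_t:process taskforpid;` in the coreservicesd.te hunk is a far larger grant than the `automount_allow_ipc(coreservicesd_t)` line above it: on Mach, holding another task's port amounts to full control of that process, so this effectively lets coreservicesd act with automount's privileges. The same pattern already exists for coreaudiod and configd in the surrounding context, so it may be deliberate, but the new block should record why task_for_pid is required rather than Mach IPC alone, e.g. `# Talk to automount (task_for_pid needed for <reason — fill in>)`. If only message exchange is needed, dropping the taskforpid rule and keeping the IPC interface would be the least-privilege form.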
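Review bot: The two rules added at the end of the loginwindow.te hunk (`@@ -173,3 +173,7 @@`) name `configd_t` as the subject, not `loginwindow_t`; either this is a copy-paste slip and both lines should read `allow loginwindow_t darwin_startup_t:...`, or the rules belong in configd.te, which this change also edits. The comment `# Read /System/Library/StartupItems` also understates the grant: `execute execute_no_trans` lets the domain run StartupItems scripts in its own domain with no domain transition, so whichever domain is intended, the comment should say so, e.g. `# Read and execute /System/Library/StartupItems in-domain (no transition)`, and the execute permissions should be confirmed as intended rather than read-only access.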
@@ -60,4 +60,4 @@
 
 # /var operations
 files_read_var_symlinks(notifyd_t)
-allow notifyd_t var_t:file write;
+allow notifyd_t var_t:file { read write };
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/automount.if#3 (text+ko) ====
@@ -27,25 +27,6 @@
 
 ########################################
 ## <summary>
-## Execute automount in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`automount_exec_config',`
- gen_require(`
- type automount_etc_t;
- ')
-
- corecmd_search_sbin($1)
- can_exec($1,automount_etc_t)
-')
-
-########################################
-## <summary>
 ## Allow the domain to read state files in /proc.
 ## </summary>
 ## <param name="domain">
@@ -65,19 +46,19 @@
 
 ########################################
 ## <summary>
-## Do not audit attempts to get the attributes
-## of automount temporary directories.
+## Allow Mach IP with configd
 ## </summary>
 ## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
+## <summary>
+## Type to be used as a domain.
+## </summary>
 ## </param>
 #
-interface(`automount_dontaudit_getattr_tmp_dirs',`
- gen_require(`
- type automount_tmp_t;
- ')
+interface(`automount_allow_ipc',`
+ #gen_require(`
+ #class mach_port all_mach_port_perms;
+ #)'
 
- dontaudit $1 automount_tmp_t:dir getattr;
+ # Allow bidirection communication with automount
+ mach_allow_ipc(automount_t, $1)
 ')
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/automount.te#4 (text+ko) ====
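Review bot: The summary added for the new interface in the second automount.if hunk, `## Allow Mach IP with configd`, describes the wrong thing: the interface is `automount_allow_ipc` and its body is `mach_allow_ipc(automount_t, $1)`, so it should read `## Allow Mach IPC with automount.` The commented-out requirement block also carries a typo (`#)'` where `#')` was meant), and with `gen_require` commented out the interface references `automount_t` without declaring it; if this policy is built per module as refpolicy interfaces normally are, a caller such as the new `automount_allow_ipc(coreservicesd_t)` in coreservicesd.te would fail to link, so the block is better restored as `gen_require(` / `type automount_t;` / `')`. The body comment's `bidirection` should be `bidirectional`.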
@@ -8,21 +8,11 @@
 
 type automount_t;
 type automount_exec_t;
-init_daemon_domain(automount_t,automount_exec_t)
+init_domain(automount_t,automount_exec_t)
 
 type automount_var_run_t;
 files_pid_file(automount_var_run_t)
 
-type automount_etc_t;
-files_config_file(automount_etc_t)
-
-type automount_lock_t;
-files_lock_file(automount_lock_t)
-
-type automount_tmp_t;
-files_tmp_file(automount_tmp_t)
-files_mountpoint(automount_tmp_t)
-
 ########################################
 #
 # Local policy
@@ -37,24 +27,10 @@
 allow automount_t self:tcp_socket create_stream_socket_perms;
 allow automount_t self:udp_socket create_socket_perms;
 allow automount_t self:netlink_route_socket r_netlink_socket_perms;
+allow automount_t self:socket rw_socket_perms;
 
-allow automount_t automount_etc_t:file { getattr read };
-# because config files can be shell scripts
-can_exec(automount_t, automount_etc_t)
 can_exec(automount_t, automount_exec_t)
 
-allow automount_t automount_lock_t:file create_file_perms;
-files_lock_filetrans(automount_t,automount_lock_t,file)
-
-allow automount_t automount_tmp_t:dir create_dir_perms;
-allow automount_t automount_tmp_t:file create_file_perms;
-files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
-
-# Allow automount to create and delete directories in / and /home
-allow automount_t automount_tmp_t:dir create_dir_perms;
-files_home_filetrans(automount_t,automount_tmp_t,dir)
-files_root_filetrans(automount_t,automount_tmp_t,dir)
-
 allow automount_t automount_var_run_t:file create_file_perms;
 allow automount_t automount_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(automount_t,automount_var_run_t,file)
@@ -190,6 +166,51 @@
 seutil_sigchld_newrole(automount_t)
 ')
 
-optional_policy(`
- udev_read_db(automount_t)
-')
+# Allow automount to talk to itself
+mach_allow_message(automount_t, automount_t)
+
+# Allow automount to talk to the kernel
+kernel_allow_ipc(automount_t)
+
+# Allow Mach IPC w/ init_t (launchd)
+init_allow_ipc(automount_t)
+
+# Talk to configd
+configd_allow_ipc(automount_t)
+
+# Talk to lookupd
+lookupd_allow_ipc(automount_t)
+
+# Talk to securityd
+securityd_allow_ipc(automount_t)
+
+# Talk to diskarbitrationd
+diskarbitrationd_allow_ipc(automount_t)
+
+# Talk to notifyd
+notifyd_allow_ipc(automount_t)
+notifyd_allow_shm(automount_t)
+
+darwin_allow_system_read(automount_t)
+frameworks_read(automount_t)
+darwin_allow_private_read(automount_t)
+
+# Allow read access to /var
+allow automount_t var_t:{file lnk_file} read;
+
+# Allow read access to resolv.conf
+# XXX - should not be configd_var_run_t
+allow automount_t configd_var_run_t:file read;
+
+# Talk to bootstrap server
+init_allow_bootstrap(automount_t)
+
+# Use CoreServices
+darwin_allow_CoreServices_read(automount_t)
+allow automount_t coreservicesd_t:shm { read write };
+
+# Mounting filesystems
+allow automount_t fs_t:dir { search read mounton };
+allow automount_t nfs_t:dir { search read };
+allow automount_t volfs_t:dir { search read };
+allow automount_t fs_t:file { getattr read };
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/ntp.te#6 (text+ko) ====
@@ -11,7 +11,9 @@
 
 type ntpd_t;
 type ntpd_exec_t;
-init_daemon_domain(ntpd_t,ntpd_exec_t)
+init_domain(ntpd_t,ntpd_exec_t)
+
+# XXX - configd appears to run ntpd as well
 configd_domain(ntpd_t,ntpd_exec_t)
 
 type ntpd_log_t;
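Review bot: `allow automount_t coreservicesd_t:shm { read write };` in the large automount.te hunk is a raw rule on another module's type while the grants around it go through interfaces (`notifyd_allow_shm(automount_t)` a few lines earlier is the same kind of access); if a `coreservicesd_allow_shm` interface exists it should be used here, and if it does not, this line plus the identical `allow loginwindow_t coreservicesd_t:shm { read write };` visible in the loginwindow.te context suggest adding one. Separately, `allow automount_t fs_t:dir { search read mounton };` permits mounting on any directory carrying the generic filesystem type; if automount only mounts under its own mountpoint hierarchy, a dedicated mountpoint type would confine this, and the first hunk of this file removes exactly such a type (`files_mountpoint(automount_tmp_t)`), so the choice deserves a comment like `# mounton fs_t: automount mounts at arbitrary paths — confirm`. I cannot see the darwin interface files, so the existence of the shm interface is inferred.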
@@ -24,7 +26,7 @@
 files_pid_file(ntpd_var_run_t)
 
 type ntpdate_exec_t;
-init_system_domain(ntpd_t,ntpdate_exec_t)
+init_domain(ntpd_t,ntpdate_exec_t)
 
 ########################################
 #
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#6 (text+ko) ====
@@ -35,8 +35,8 @@
 ')
 
 allow $1 darwin_global_pref_t:file rw_file_perms;
+ allow $1 darwin_global_pref_t:file link_file_perms;
 allow $1 darwin_global_pref_t:dir rw_dir_perms;
- allow $1 darwin_global_pref_t:file link_file_perms;
 ')
 
 
@@ -56,6 +56,7 @@
 ')
 
 allow $1 darwin_global_pref_t:file manage_file_perms;
+ allow $1 darwin_global_pref_t:dir rw_dir_perms;
 ')
 
 
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#16 (text+ko) ====
@@ -408,10 +408,6 @@
 ')
 
 optional_policy(`
- automount_exec_config(initrc_t)
-')
-
-optional_policy(`
 bind_read_config(initrc_t)
 
 # for chmod in start script
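Review bot: In the first darwin.if hunk, the reordered line `allow $1 darwin_global_pref_t:file link_file_perms;` makes the `_rw` interface grant more than its name suggests: in refpolicy's standard permission sets `link_file_perms` includes `unlink` and `rename` alongside `link`, so any caller of `darwin_allow_global_pref_rw` can delete or rename global preference files, which is manage-level access. If that is intended, the interface summary (outside this hunk) should state it; otherwise the line belongs in `darwin_allow_global_pref_manage`, which the second hunk already extends with `rw_dir_perms`, and callers that need only read/write (configd_t and loginwindow_t are moved to `_manage` elsewhere in this change) keep a tighter interface. Both interface bodies begin before their hunks, so the `gen_require` blocks and summaries are not visible here.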
