From owner-p4-projects@FreeBSD.ORG Fri May 6 14:33:16 2005 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 8685A16A4D5; Fri, 6 May 2005 14:33:15 +0000 (GMT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3045516A4D3 for ; Fri, 6 May 2005 14:33:15 +0000 (GMT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0377C43D7E for ; Fri, 6 May 2005 14:33:15 +0000 (GMT) (envelope-from areisse@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id j46EXECp070049 for ; Fri, 6 May 2005 14:33:14 GMT (envelope-from areisse@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id j46EXEVr070046 for perforce@freebsd.org; Fri, 6 May 2005 14:33:14 GMT (envelope-from areisse@nailabs.com) Date: Fri, 6 May 2005 14:33:14 GMT Message-Id: <200505061433.j46EXEVr070046@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to areisse@nailabs.com using -f From: Andrew Reisse To: Perforce Change Reviews Subject: PERFORCE change 76615 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 May 2005 14:33:16 -0000 http://perforce.freebsd.org/chv.cgi?CH=76615 Change 76615 by areisse@areisse_ibook on 2005/05/06 14:32:21 Bring over flask configuration changes from selinux version 2004081908 (networking changes, booleans). Affected files ... .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/av_perm_to_string.h#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/av_permissions.h#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/class_to_string.h#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/initial_sid_to_string.h#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask.h#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask/access_vectors#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask/initial_sids#2 integrate Differences ... ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/av_perm_to_string.h#2 (text+ko) ==== @@ -31,6 +31,9 @@ { SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto" }, { SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn" }, { SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom" }, + { SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind" }, + { SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind" }, + { SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind" }, { SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv" }, { SECCLASS_NODE, NODE__TCP_SEND, "tcp_send" }, { SECCLASS_NODE, NODE__UDP_RECV, "udp_recv" }, @@ -54,6 +57,7 @@ { SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld" }, { SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill" }, { SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop" }, + { SECCLASS_PROCESS, PROCESS__SIGNULL, "signull" }, { SECCLASS_PROCESS, PROCESS__SIGNAL, "signal" }, { SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace" }, { SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched" }, @@ -64,30 +68,28 @@ { SECCLASS_PROCESS, PROCESS__GETCAP, "getcap" }, { SECCLASS_PROCESS, PROCESS__SETCAP, "setcap" }, { SECCLASS_PROCESS, PROCESS__SHARE, "share" }, + { SECCLASS_PROCESS, PROCESS__GETATTR, "getattr" }, + { SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec" }, + { SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate" }, { SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure" }, + { SECCLASS_PROCESS, PROCESS__SIGINH, "siginh" }, + { SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit" }, + { SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh" }, { SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue" }, { SECCLASS_MSG, MSG__SEND, "send" }, { SECCLASS_MSG, MSG__RECEIVE, "receive" }, + { SECCLASS_MSG, MSG__DESTROY, "destroy" }, { SECCLASS_SHM, SHM__LOCK, "lock" }, { SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av" }, - { SECCLASS_SECURITY, SECURITY__NOTIFY_PERM, "notify_perm" }, - { SECCLASS_SECURITY, SECURITY__TRANSITION_SID, "transition_sid" }, - { SECCLASS_SECURITY, SECURITY__MEMBER_SID, "member_sid" }, - { SECCLASS_SECURITY, SECURITY__SID_TO_CONTEXT, "sid_to_context" }, - { SECCLASS_SECURITY, SECURITY__CONTEXT_TO_SID, "context_to_sid" }, + { SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create" }, + { SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member" }, + { SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context" }, { SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy" }, - { SECCLASS_SECURITY, SECURITY__GET_SIDS, "get_sids" }, - { SECCLASS_SECURITY, SECURITY__REGISTER_AVC, "register_avc" }, - { SECCLASS_SECURITY, SECURITY__CHANGE_SID, "change_sid" }, - { SECCLASS_SECURITY, SECURITY__GET_USER_SIDS, "get_user_sids" }, - { SECCLASS_SYSTEM, SYSTEM__NET_IO_CONTROL, "net_io_control" }, - { SECCLASS_SYSTEM, SYSTEM__ROUTE_CONTROL, "route_control" }, - { SECCLASS_SYSTEM, SYSTEM__ARP_CONTROL, "arp_control" }, - { SECCLASS_SYSTEM, SYSTEM__RARP_CONTROL, "rarp_control" }, + { SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel" }, + { SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user" }, + { SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce" }, + { SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool" }, { SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info" }, - { SECCLASS_SYSTEM, SYSTEM__AVC_TOGGLE, "avc_toggle" }, - { SECCLASS_SYSTEM, SYSTEM__NFSD_CONTROL, "nfsd_control" }, - { SECCLASS_SYSTEM, SYSTEM__BDFLUSH, "bdflush" }, { SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read" }, { SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod" }, { SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console" }, @@ -98,23 +100,11 @@ { SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner" }, { SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid" }, { SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill" }, - { SECCLASS_CAPABILITY, CAPABILITY__LINK_DIR, "link_dir" }, { SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap" }, { SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid" }, { SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid" }, - { SECCLASS_CAPABILITY, CAPABILITY__MAC_DOWNGRADE, "mac_downgrade" }, - { SECCLASS_CAPABILITY, CAPABILITY__MAC_READ, "mac_read" }, - { SECCLASS_CAPABILITY, CAPABILITY__MAC_RELABEL_SUBJ, "mac_relabel_subj" }, - { SECCLASS_CAPABILITY, CAPABILITY__MAC_UPGRADE, "mac_upgrade" }, - { SECCLASS_CAPABILITY, CAPABILITY__MAC_WRITE, "mac_write" }, - { SECCLASS_CAPABILITY, CAPABILITY__INF_NOFLOAT_OBJ, "inf_nofloat_obj" }, - { SECCLASS_CAPABILITY, CAPABILITY__INF_NOFLOAT_SUBJ, "inf_nofloat_subj" }, - { SECCLASS_CAPABILITY, CAPABILITY__INF_RELABEL_OBJ, "inf_relabel_obj" }, - { SECCLASS_CAPABILITY, CAPABILITY__INF_RELABEL_SUBJ, "inf_relabel_subj" }, { SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control" }, { SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write" }, - { SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap" }, - { SECCLASS_CAPABILITY, CAPABILITY__XXX_INVALID1, "xxx_invalid1" }, { SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable" }, { SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service" }, { SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast" }, ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/av_permissions.h#2 (text+ko) ==== @@ -280,6 +280,7 @@ #define TCP_SOCKET__CONNECTTO 0x0000000001000000UL #define TCP_SOCKET__NEWCONN 0x0000000002000000UL #define TCP_SOCKET__ACCEPTFROM 0x0000000004000000UL +#define TCP_SOCKET__NODE_BIND 0x0000000008000000UL #define UDP_SOCKET__TRANSITION 0x0000000000000400UL #define UDP_SOCKET__SHUTDOWN 0x0000000000040000UL @@ -306,6 +307,8 @@ #define UDP_SOCKET__IOCTL 0x0000000000000002UL #define UDP_SOCKET__RELABELTO 0x0000000000000200UL +#define UDP_SOCKET__NODE_BIND 0x0000000001000000UL + #define RAWIP_SOCKET__TRANSITION 0x0000000000000400UL #define RAWIP_SOCKET__SHUTDOWN 0x0000000000040000UL #define RAWIP_SOCKET__POLL 0x0000000000000001UL @@ -331,6 +334,8 @@ #define RAWIP_SOCKET__IOCTL 0x0000000000000002UL #define RAWIP_SOCKET__RELABELTO 0x0000000000000200UL +#define RAWIP_SOCKET__NODE_BIND 0x0000000001000000UL + #define NODE__TCP_RECV 0x0000000000000001UL #define NODE__TCP_SEND 0x0000000000000002UL #define NODE__UDP_RECV 0x0000000000000004UL @@ -482,17 +487,24 @@ #define PROCESS__SIGCHLD 0x0000000000000004UL #define PROCESS__SIGKILL 0x0000000000000008UL #define PROCESS__SIGSTOP 0x0000000000000010UL -#define PROCESS__SIGNAL 0x0000000000000020UL -#define PROCESS__PTRACE 0x0000000000000040UL -#define PROCESS__GETSCHED 0x0000000000000080UL -#define PROCESS__SETSCHED 0x0000000000000100UL -#define PROCESS__GETSESSION 0x0000000000000200UL -#define PROCESS__GETPGID 0x0000000000000400UL -#define PROCESS__SETPGID 0x0000000000000800UL -#define PROCESS__GETCAP 0x0000000000001000UL -#define PROCESS__SETCAP 0x0000000000002000UL -#define PROCESS__SHARE 0x0000000000004000UL -#define PROCESS__NOATSECURE 0x0000000000008000UL +#define PROCESS__SIGNULL 0x0000000000000020UL +#define PROCESS__SIGNAL 0x0000000000000040UL +#define PROCESS__PTRACE 0x0000000000000080UL +#define PROCESS__GETSCHED 0x0000000000000100UL +#define PROCESS__SETSCHED 0x0000000000000200UL +#define PROCESS__GETSESSION 0x0000000000000400UL +#define PROCESS__GETPGID 0x0000000000000800UL +#define PROCESS__SETPGID 0x0000000000001000UL +#define PROCESS__GETCAP 0x0000000000002000UL +#define PROCESS__SETCAP 0x0000000000004000UL +#define PROCESS__SHARE 0x0000000000008000UL +#define PROCESS__GETATTR 0x0000000000010000UL +#define PROCESS__SETEXEC 0x0000000000020000UL +#define PROCESS__SETFSCREATE 0x0000000000040000UL +#define PROCESS__NOATSECURE 0x0000000000080000UL +#define PROCESS__SIGINH 0x0000000000100000UL +#define PROCESS__SETRLIMIT 0x0000000000200000UL +#define PROCESS__RLIMITINH 0x0000000000400000UL #define IPC__WRITE 0x0000000000000020UL #define IPC__UNIX_WRITE 0x0000000000000100UL @@ -528,6 +540,7 @@ #define MSG__SEND 0x0000000000000001UL #define MSG__RECEIVE 0x0000000000000002UL +#define MSG__DESTROY 0x0000000000000004UL #define SHM__WRITE 0x0000000000000020UL #define SHM__UNIX_WRITE 0x0000000000000100UL @@ -542,28 +555,19 @@ #define SHM__LOCK 0x0000000000000200UL #define SECURITY__COMPUTE_AV 0x0000000000000001UL -#define SECURITY__NOTIFY_PERM 0x0000000000000002UL -#define SECURITY__TRANSITION_SID 0x0000000000000004UL -#define SECURITY__MEMBER_SID 0x0000000000000008UL -#define SECURITY__SID_TO_CONTEXT 0x0000000000000010UL -#define SECURITY__CONTEXT_TO_SID 0x0000000000000020UL -#define SECURITY__LOAD_POLICY 0x0000000000000040UL -#define SECURITY__GET_SIDS 0x0000000000000080UL -#define SECURITY__REGISTER_AVC 0x0000000000000100UL -#define SECURITY__CHANGE_SID 0x0000000000000200UL -#define SECURITY__GET_USER_SIDS 0x0000000000000400UL +#define SECURITY__COMPUTE_CREATE 0x0000000000000002UL +#define SECURITY__COMPUTE_MEMBER 0x0000000000000004UL +#define SECURITY__CHECK_CONTEXT 0x0000000000000008UL +#define SECURITY__LOAD_POLICY 0x0000000000000010UL +#define SECURITY__COMPUTE_RELABEL 0x0000000000000020UL +#define SECURITY__COMPUTE_USER 0x0000000000000040UL +#define SECURITY__SETENFORCE 0x0000000000000080UL +#define SECURITY__SETBOOL 0x0000000000000100UL -#define SYSTEM__NET_IO_CONTROL 0x0000000000000001UL -#define SYSTEM__ROUTE_CONTROL 0x0000000000000002UL -#define SYSTEM__ARP_CONTROL 0x0000000000000004UL -#define SYSTEM__RARP_CONTROL 0x0000000000000008UL -#define SYSTEM__IPC_INFO 0x0000000000000010UL -#define SYSTEM__AVC_TOGGLE 0x0000000000000020UL -#define SYSTEM__NFSD_CONTROL 0x0000000000000040UL -#define SYSTEM__BDFLUSH 0x0000000000000080UL -#define SYSTEM__SYSLOG_READ 0x0000000000000100UL -#define SYSTEM__SYSLOG_MOD 0x0000000000000200UL -#define SYSTEM__SYSLOG_CONSOLE 0x0000000000000400UL +#define SYSTEM__IPC_INFO 0x0000000000000001UL +#define SYSTEM__SYSLOG_READ 0x0000000000000002UL +#define SYSTEM__SYSLOG_MOD 0x0000000000000004UL +#define SYSTEM__SYSLOG_CONSOLE 0x0000000000000008UL #define CAPABILITY__CHOWN 0x0000000000000001UL #define CAPABILITY__DAC_EXECUTE 0x0000000000000002UL @@ -572,43 +576,31 @@ #define CAPABILITY__FOWNER 0x0000000000000010UL #define CAPABILITY__FSETID 0x0000000000000020UL #define CAPABILITY__KILL 0x0000000000000040UL -#define CAPABILITY__LINK_DIR 0x0000000000000080UL -#define CAPABILITY__SETFCAP 0x0000000000000100UL -#define CAPABILITY__SETGID 0x0000000000000200UL -#define CAPABILITY__SETUID 0x0000000000000400UL -#define CAPABILITY__MAC_DOWNGRADE 0x0000000000000800UL -#define CAPABILITY__MAC_READ 0x0000000000001000UL -#define CAPABILITY__MAC_RELABEL_SUBJ 0x0000000000002000UL -#define CAPABILITY__MAC_UPGRADE 0x0000000000004000UL -#define CAPABILITY__MAC_WRITE 0x0000000000008000UL -#define CAPABILITY__INF_NOFLOAT_OBJ 0x0000000000010000UL -#define CAPABILITY__INF_NOFLOAT_SUBJ 0x0000000000020000UL -#define CAPABILITY__INF_RELABEL_OBJ 0x0000000000040000UL -#define CAPABILITY__INF_RELABEL_SUBJ 0x0000000000080000UL -#define CAPABILITY__AUDIT_CONTROL 0x0000000000100000UL -#define CAPABILITY__AUDIT_WRITE 0x0000000000200000UL -#define CAPABILITY__SETPCAP 0x0000000000400000UL -#define CAPABILITY__XXX_INVALID1 0x0000000000800000UL -#define CAPABILITY__LINUX_IMMUTABLE 0x0000000001000000UL -#define CAPABILITY__NET_BIND_SERVICE 0x0000000002000000UL -#define CAPABILITY__NET_BROADCAST 0x0000000004000000UL -#define CAPABILITY__NET_ADMIN 0x0000000008000000UL -#define CAPABILITY__NET_RAW 0x0000000010000000UL -#define CAPABILITY__IPC_LOCK 0x0000000020000000UL -#define CAPABILITY__IPC_OWNER 0x0000000040000000UL -#define CAPABILITY__SYS_MODULE 0x000000007fffffffUL -#define CAPABILITY__SYS_RAWIO 0x0000000100000000UL -#define CAPABILITY__SYS_CHROOT 0x0000000200000000UL -#define CAPABILITY__SYS_PTRACE 0x0000000400000000UL -#define CAPABILITY__SYS_PACCT 0x0000000800000000UL -#define CAPABILITY__SYS_ADMIN 0x0000001000000000UL -#define CAPABILITY__SYS_BOOT 0x0000002000000000UL -#define CAPABILITY__SYS_NICE 0x0000004000000000UL -#define CAPABILITY__SYS_RESOURCE 0x0000008000000000UL -#define CAPABILITY__SYS_TIME 0x0000010000000000UL -#define CAPABILITY__SYS_TTY_CONFIG 0x0000020000000000UL -#define CAPABILITY__MKNOD 0x0000040000000000UL -#define CAPABILITY__LEASE 0x0000080000000000UL +#define CAPABILITY__SETFCAP 0x0000000000000080UL +#define CAPABILITY__SETGID 0x0000000000000100UL +#define CAPABILITY__SETUID 0x0000000000000200UL +#define CAPABILITY__AUDIT_CONTROL 0x0000000000000400UL +#define CAPABILITY__AUDIT_WRITE 0x0000000000000800UL +#define CAPABILITY__LINUX_IMMUTABLE 0x0000000000001000UL +#define CAPABILITY__NET_BIND_SERVICE 0x0000000000002000UL +#define CAPABILITY__NET_BROADCAST 0x0000000000004000UL +#define CAPABILITY__NET_ADMIN 0x0000000000008000UL +#define CAPABILITY__NET_RAW 0x0000000000010000UL +#define CAPABILITY__IPC_LOCK 0x0000000000020000UL +#define CAPABILITY__IPC_OWNER 0x0000000000040000UL +#define CAPABILITY__SYS_MODULE 0x0000000000080000UL +#define CAPABILITY__SYS_RAWIO 0x0000000000100000UL +#define CAPABILITY__SYS_CHROOT 0x0000000000200000UL +#define CAPABILITY__SYS_PTRACE 0x0000000000400000UL +#define CAPABILITY__SYS_PACCT 0x0000000000800000UL +#define CAPABILITY__SYS_ADMIN 0x0000000001000000UL +#define CAPABILITY__SYS_BOOT 0x0000000002000000UL +#define CAPABILITY__SYS_NICE 0x0000000004000000UL +#define CAPABILITY__SYS_RESOURCE 0x0000000008000000UL +#define CAPABILITY__SYS_TIME 0x0000000010000000UL +#define CAPABILITY__SYS_TTY_CONFIG 0x0000000020000000UL +#define CAPABILITY__MKNOD 0x0000000040000000UL +#define CAPABILITY__LEASE 0x000000007fffffffUL #define MACH_PORT__RELABELFROM 0x0000000000000001UL #define MACH_PORT__RELABELTO 0x0000000000000002UL ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/class_to_string.h#2 (text+ko) ==== @@ -35,6 +35,10 @@ "shm", "ipc", "mach_port", + "port_methods1", + "port_methods2", + "port_methods3", + "port_methods4", "mach_task", }; ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/avc/initial_sid_to_string.h#2 (text+ko) ==== @@ -30,6 +30,8 @@ "devpts", "nfs", "policy", + "scmp_packet", + "devnull", "tmpfs", }; ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask.h#3 (text+ko) ==== @@ -74,8 +74,10 @@ #define SECINITSID_DEVPTS 26 #define SECINITSID_NFS 27 #define SECINITSID_POLICY 28 -#define SECINITSID_TMPFS 29 +#define SECINITSID_SCMP_PACKET 29 +#define SECINITSID_DEVNULL 30 +#define SECINITSID_TMPFS 31 -#define SECINITSID_NUM 29 +#define SECINITSID_NUM 31 #endif ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask/access_vectors#2 (text+ko) ==== @@ -160,13 +160,20 @@ connectto newconn acceptfrom + node_bind } class udp_socket inherits socket +{ + node_bind +} class rawip_socket inherits socket +{ + node_bind +} class node { @@ -220,10 +227,11 @@ { fork transition - sigchld - sigkill - sigstop - signal + sigchld # commonly granted from child to parent + sigkill # cannot be caught or ignored + sigstop # cannot be caught or ignored + signull # for kill(pid, 0) + signal # all other signals ptrace getsched setsched @@ -233,7 +241,13 @@ getcap setcap share + getattr + setexec + setfscreate noatsecure + siginh + setrlimit + rlimitinh } @@ -257,6 +271,7 @@ { send receive + destroy } class shm @@ -265,7 +280,6 @@ lock } - # # Define the access vector interpretation for the security server. # @@ -273,16 +287,14 @@ class security { compute_av - notify_perm - transition_sid - member_sid - sid_to_context - context_to_sid + compute_create + compute_member + check_context load_policy - get_sids - register_avc - change_sid - get_user_sids + compute_relabel + compute_user + setenforce # was avc_toggle in system class + setbool } @@ -292,15 +304,8 @@ class system { - net_io_control - route_control - arp_control - rarp_control ipc_info - avc_toggle - nfsd_control - bdflush - syslog_read + syslog_read syslog_mod syslog_console } @@ -322,23 +327,11 @@ fowner fsetid kill - link_dir setfcap setgid setuid - mac_downgrade - mac_read - mac_relabel_subj - mac_upgrade - mac_write - inf_nofloat_obj - inf_nofloat_subj - inf_relabel_obj - inf_relabel_subj audit_control audit_write - setpcap - xxx_invalid1 linux_immutable net_bind_service net_broadcast ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/sedarwin/flask/initial_sids#2 (text+ko) ==== @@ -32,6 +32,8 @@ sid devpts sid nfs sid policy +sid scmp_packet +sid devnull sid tmpfs # FLASK