From: Andrew Reisse To: Perforce Change Reviews Cc: Subject: PERFORCE change 79091 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jun 2005 19:00:10 -0000 http://perforce.freebsd.org/chv.cgi?CH=79091 Change 79091 by areisse@areisse_ibook on 2005/06/28 18:59:55 Make the flask configuration used by the TE policy match that used by the policy module. Affected files ... .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/Makefile#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/access_vectors#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/initial_sids#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/mkaccess_vector.sh#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/mkflask.sh#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/security_classes#3 edit Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/Makefile#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/access_vectors#3 (text+ko) ====
@@ -160,13 +160,20 @@ connectto newconn acceptfrom + node_bind } class udp_socket inherits socket +{ + node_bind } class rawip_socket inherits socket +{ + node_bind +} class node {
@@ -220,10 +227,11 @@ { fork transition - sigchld - sigkill - sigstop - signal + sigchld # commonly granted from child to parent + sigkill # cannot be caught or ignored + sigstop # cannot be caught or ignored + signull # for kill(pid, 0) + signal # all other signals ptrace getsched setsched
@@ -233,7 +241,13 @@ getcap setcap share + getattr + setexec + setfscreate noatsecure + siginh + setrlimit + rlimitinh }
@@ -257,6 +271,7 @@ { send receive + destroy } class shm
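Review bot: The permission lines added in the second access_vectors hunk (`sigchld # commonly granted from child to parent` through `signal # all other signals`) carry trailing comments, but the only comment handling visible in mkaccess_vector.sh is the whole-line rule `/^[ \t]*#/ { next; }`. If the generator takes each permission from `$1` the trailing words are ignored; if any rule consumes the rest of the line, `#` and the words after it would be emitted as permission names, so this is worth confirming against the parser or moving the comments onto their own lines. Inserting `signull` between `sigstop` and `signal` also shifts the bit assigned to `signal` and every later permission in the class, which is only safe if the kernel side is regenerated from the same file, as the commit message intends. The class definitions these hunks touch start and end outside the visible lines.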
@@ -265,7 +280,6 @@ lock } - # # Define the access vector interpretation for the security server. #
@@ -273,16 +287,14 @@ class security { compute_av - notify_perm - transition_sid - member_sid - sid_to_context - context_to_sid + compute_create + compute_member + check_context load_policy - get_sids - register_avc - change_sid - get_user_sids + compute_relabel + compute_user + setenforce # was avc_toggle in system class + setbool }
@@ -292,15 +304,8 @@ class system { - net_io_control - route_control - arp_control - rarp_control ipc_info - avc_toggle - nfsd_control - bdflush - syslog_read + syslog_read syslog_mod syslog_console }
@@ -322,23 +327,11 @@ fowner fsetid kill - link_dir setfcap setgid setuid - mac_downgrade - mac_read - mac_relabel_subj - mac_upgrade - mac_write - inf_nofloat_obj - inf_nofloat_subj - inf_relabel_obj - inf_relabel_subj audit_control audit_write - setpcap - xxx_invalid1 linux_immutable net_bind_service net_broadcast
@@ -358,7 +351,6 @@ sys_time sys_tty_config mknod - lease } class mach_port
@@ -377,4 +369,3 @@ terminate set_special_port } -
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/initial_sids#2 (text+ko) ====
@@ -32,6 +32,8 @@ sid devpts sid nfs sid policy +sid scmp_packet +sid devnull sid tmpfs # FLASK
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/mkaccess_vector.sh#2 (text+ko) ====
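Review bot: Removing `link_dir`, the `mac_*`/`inf_*` entries, `setpcap`, `xxx_invalid1` and `lease` from the middle of `class capability` renumbers every permission that follows them, and the same happens in `class security` and `class system`; mkaccess_vector.sh assigns access-vector bits positionally (`permission = permission + 1` after each entry), so any kernel module or userland object built from the old file would silently check the wrong bit rather than fail. Presumably the policy module is rebuilt from this same tree, but that dependency is worth stating in the commit message or enforcing in the Makefile. The same positional concern applies to `initial_sids`, where inserting `sid scmp_packet` and `sid devnull` ahead of `sid tmpfs` shifts whatever number mkflask.sh gives `tmpfs` and later SIDs. The `- syslog_read` / `+ syslog_read` pair in `class system` looks like a whitespace-only change and could be dropped to keep the diff to substantive edits.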
@@ -36,22 +36,22 @@ printf("/* %s */\n\n", subproject) > cpermfile; printf("/* %s */\n\n", subproject) > inheritfile; - printf("struct av_inherit\n") > inheritfile; + printf("typedef struct\n") > inheritfile; printf("{\n") > inheritfile; - printf(" u16 tclass;\n") > inheritfile; + printf(" security_class_t tclass;\n") > inheritfile; printf(" char **common_pts;\n") > inheritfile; - printf(" u32 common_base;\n") > inheritfile; - printf("};\n\n") > inheritfile; - printf("static struct av_inherit av_inherit[] = {\n") > inheritfile; + printf(" access_vector_t common_base;\n") > inheritfile; + printf("} av_inherit_t;\n\n") > inheritfile; + printf("static av_inherit_t av_inherit[] = {\n") > inheritfile; printf("/* %s */\n\n", subproject) > avpermfile; - printf("struct av_perm_to_string\n") > avpermfile; + printf("typedef struct\n") > avpermfile; printf("{\n") > avpermfile; - printf(" u16 tclass;\n") > avpermfile; - printf(" u32 value;\n") > avpermfile; + printf(" security_class_t tclass;\n") > avpermfile; + printf(" access_vector_t value;\n") > avpermfile; printf(" char *name;\n") > avpermfile; - printf("};\n\n") > avpermfile; - printf("static struct av_perm_to_string av_perm_to_string[] = {\n") > avpermfile; + printf("} av_perm_to_string_t;\n\n") > avpermfile; + printf("static av_perm_to_string_t av_perm_to_string[] = {\n") > avpermfile; } /^[ \t]*#/ { next; 
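Review bot: The rewritten `av_perm_to_string_t` keeps `char *name;` even though its entries are initialised from string literals; while the struct is being changed anyway it should become `const char *name;` so that a consumer cannot write through a literal (undefined behaviour) and `-Wwrite-strings` builds stay clean, provided no caller stores `name` into a non-const pointer. The generated headers now rely on `security_class_t` and `access_vector_t` but emit no include for the header that declares them, so they compile only when included after that header — presumably the existing practice, but a line such as `/* requires the header declaring security_class_t and access_vector_t to be included first */` in the generated preamble would make that explicit. The awk BEGIN action containing these printf calls starts before the hunk.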
@@ -129,12 +129,15 @@ spaces = 1; for (i = 0; i < spaces; i++) printf(" ") > outfile; - printf("0x%08xUL\n", common_perms[combined]) > outfile; + pt = common_perms[combined]; + printf("0x%08x%08xUL\n", pt>32 ? 2^(pt-33) : 0, pt<33 ? 2^(pt-1) : 0) > outfile; + #printf("0x%08xUL\n", common_perms[combined]) > outfile; } } printf("\n") > outfile; - printf(" { SECCLASS_%s, common_%s_perm_to_string, 0x%08xUL },\n", toupper(tclass), inherits, permission) > inheritfile; + printf(" { SECCLASS_%s, common_%s_perm_to_string, 0x%08x%08xUL },\n", toupper(tclass), inherits, + permission>32 ? 2^(permission-33) : 0, permission<33 ? 2^(permission-1) : 0) > inheritfile; nextstate = "CLASS_OR_CLASS-OPENBRACKET"; next;
@@ -209,8 +212,8 @@ for (i = 0; i < spaces; i++) printf(" ") > outfile; - printf("0x%08xUL\n", permission) > outfile; - permission = permission * 2; + printf("0x%08x%08xUL\n", permission>32 ? 2^(permission-33) : 0, permission<33 ? 2^(permission-1) : 0) > outfile; + permission = permission + 1; } $1 == "}" { if (nextstate != "CLASS-CLOSEBRACKET" &&
@@ -239,9 +242,11 @@ printf("\n/* %s */\n", subproject) > cpermfile; printf("};\n\n") > inheritfile; + printf("#define AV_INHERIT_SIZE (sizeof(av_inherit)/sizeof(av_inherit_t))\n\n") > inheritfile; printf("\n/* %s */\n", subproject) > inheritfile; printf("};\n\n") > avpermfile; + printf("#define AV_PERM_TO_STRING_SIZE (sizeof(av_perm_to_string)/sizeof(av_perm_to_string_t))\n\n") > avpermfile; printf("\n/* %s */\n", subproject) > avpermfile; }'
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/mkflask.sh#2 (text+ko) ====
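Review bot: The new `0x%08x%08xUL` format prints sixteen hex digits for every permission, so any bit above 31 produces a literal that does not fit a 32-bit `unsigned long`; a C99 compiler on an ILP32 target widens such a `UL` literal to `unsigned long long`, but pre-C99 modes warn or reject it, so the suffix should be `ULL` (or the literal wrapped in whatever width macro `access_vector_t` uses) if that type is 64 bits wide. Nothing in these three hunks bounds `permission` or `pt`, so a class with more than 64 permissions would compute `2^(pt-33)` past the high word and silently emit a wrong mask; a guard such as `if (permission > 64) { print "too many permissions in " tclass > "/dev/stderr"; exit 1 }` ahead of the printf would turn that into a build failure. The commented-out `#printf("0x%08xUL\n", common_perms[combined]) > outfile;` kept in the first hunk is dead code and should be deleted. The awk actions these hunks modify begin outside the visible lines.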
@@ -23,8 +23,10 @@ printf("/* This file is automatically generated. Do not edit. */\n") > outfile; - printf("#ifndef _SELINUX_FLASK_H_\n") > outfile; - printf("#define _SELINUX_FLASK_H_\n") > outfile; + printf("#ifndef _LINUX_FLASK_H_\n") > outfile; + printf("#define _LINUX_FLASK_H_\n") > outfile; + printf("\n#include \n") > outfile; + printf("\n/*\n * Security object class definitions\n */\n") > outfile; printf("/* This file is automatically generated. Do not edit. */\n") > debugfile; printf("/*\n * Security object class definitions\n */\n") > debugfile;
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/security_classes#3 (text+ko) ====
@@ -45,6 +45,5 @@ #classes only used by name class mach_task -class mach_names # FLASK
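Review bot: As rendered, the added line `printf("\n#include \n") > outfile;` emits an `#include` directive with no file name, which would break every translation unit that includes the generated header; if the angle-bracketed name was only lost in mail rendering this is fine, otherwise the target needs restoring before commit. The new guard `_LINUX_FLASK_H_` begins with an underscore followed by an uppercase letter, a form C reserves for the implementation, and it also names Linux in a SEDarwin tree; a project-specific name without the leading underscore, for example `SEDARWIN_FLASK_H`, avoids both. The BEGIN action these lines belong to starts before the hunk.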