Date: Fri, 21 Nov 2003 12:51:16 -0800 (PST) From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 42908 for review Message-ID: <200311212051.hALKpG0O014819@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=42908 Change 42908 by areisse@areisse_ibook on 2003/11/21 12:50:45 sedarwin todo list enforcing mode enabled by default fixes to policy to enable enforcing mode wslogin dialog looks nicer Affected files ... .. //depot/projects/trustedbsd/sedarwin/TODO#1 add .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/vfs/vfs_lookup.c#3 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/avc.c#5 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#18 edit .. //depot/projects/trustedbsd/sedarwin/policy/rules#2 edit .. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/classes.nib#2 edit .. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/info.nib#2 edit .. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/objects.nib#2 edit .. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/wslogin.c#4 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/vfs/vfs_lookup.c#3 (text+ko) ==== @@ -460,8 +460,8 @@ if (p) { error = mac_check_vnode_lookup(p->p_ucred, dp, cnp); if (error) { - printf("MAC_check_vnode_lookup: failed with error %d!\n", error); -/* goto bad; */ + /*printf("MAC_check_vnode_lookup: failed with error %d!\n", error);*/ + goto bad; } } else { printf("MAC_check_vnode_lookup: NULL process!\n"); ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/avc.c#5 (text+ko) ==== @@ -35,7 +35,7 @@ #include <security/sebsd/avc/av_inherit.h> #include <security/sebsd/avc/av_perm_to_string.h> -int selinux_enforcing = 0; +int selinux_enforcing = 1; #define AVC_CACHE_SLOTS 512 #define AVC_CACHE_MAXNODES 410 
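Review bot: The `else` branch kept as context in the vfs_lookup.c hunk still only prints `MAC_check_vnode_lookup: NULL process!` when `p` is NULL, so with `goto bad` now live the lookup check is enforced on one path and apparently skipped on the other. If a NULL process can reach this point in practice, the branch should either fail closed or carry a comment saying why an unchecked lookup is acceptable there, e.g. `/* kernel-internal lookup, no credential to check */`. The commented-out `printf` would be better deleted or replaced by a rate-limited audit message than left as dead code. The enclosing function starts and ends outside the hunk, so what follows the `else` is not visible here.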
@@ -982,13 +982,13 @@ denied = requested & ~(ae->avd.allowed); - if (!requested || denied) { + if (/*!requested || */denied) { if (selinux_enforcing) { spin_unlock_irqrestore(&avc_lock,flags); rc = EACCES; goto out; } else { - ae->avd.allowed |= requested; + ae->avd.allowed |= requested; spin_unlock_irqrestore(&avc_lock,flags); goto out; } ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#18 (text+ko) ==== @@ -333,6 +333,8 @@ } } + file->sclass = vnode_type_to_security_class (vp->v_type); + return avc_has_perm_ref_audit(task->sid, file->sid, file->sclass, perm, aeref ? aeref : &file->avcr, &ad); } ==== //depot/projects/trustedbsd/sedarwin/policy/rules#2 (text+ko) ==== @@ -1,20 +1,22 @@ attribute domain; +attribute file; +attribute fs; include(global_macros.te) -type unlabeled_t; -type file_t; -#type bin_t; -type shell_exec_t; +type unlabeled_t, file, fs; +type file_t, file; +type bin_t, file; +type shell_exec_t, file; +type login_exec_t, file; type init_d, domain; -type login_exec_t; type login_d, domain; type user_d, domain; type user_secret_d, domain; type sysadm_d, domain; type kernel_d, domain; type security_t; -type fs_t; +type fs_t, fs; type devpts_t; type user_devpts_t; type sysadm_devpts_t; @@ -50,6 +52,8 @@ allow system_r user_secret_r; allow system_r sysadm_r; +allow file fs:filesystem associate; + #allow init_d { bin_t shell_exec_t file_t }:dir_file_class_set rw_file_perms; #allow init_d bin_t:file execute_no_trans; domain_auto_trans(init_d,login_exec_t,login_d); 
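Review bot: Commenting out `!requested` in `if (/*!requested || */denied)` means an empty permission mask now falls through to the success path, because `denied = requested & ~(ae->avd.allowed)` is always 0 when `requested` is 0. With `selinux_enforcing` defaulting to 1 in this same change, a caller that fails to map an operation to a permission bit would be granted silently where the old code returned `EACCES`. If the old test was tripping on legitimate callers, handle that case explicitly and say so, e.g. `if (!requested) { /* caller passed no permission bits: <reason this is allowed> */ }`, instead of leaving the condition disabled inline. The function's start and the `out:` label are outside the hunk, so the return value on that path is inferred.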
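Review bot: In the sebsd.c hunk, `file->sclass` is overwritten from `vp->v_type` on every permission check, immediately before it is passed to `avc_has_perm_ref_audit`, which suggests the class stored when the label was created cannot be relied on. Nothing in the hunk checks the result of `vnode_type_to_security_class`, so a vnode type without a mapped class would be checked against whatever that helper returns for it. A comment stating why the class is recomputed here, and what the helper returns for unmapped types, would help, e.g. `/* label may predate the vnode's type being known; refresh class before the check */` if that is the reason. The function's beginning is outside the hunk, and the assignment is a store into the label structure with no locking visible here.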
@@ -59,13 +63,16 @@ domain_trans(login_d,shell_exec_t,sysadm_d); type_change user_d devpts_t:chr_file user_devpts_t; -allow domain {shell_exec_t unlabeled_t}:{file lnk_file sock_file} {create_file_perms execute }; -allow domain unlabeled_t:dir { create_dir_perms }; +allow domain file:{file lnk_file sock_file} {create_file_perms execute }; +allow domain file:dir { create_dir_perms }; allow domain {null_device_t console_device_t memory_device_t random_device_t device_t}:{file chr_file} create_file_perms; allow domain device_t:blk_file create_file_perms; allow domain {devpts_t user_devpts_t sysadm_devpts_t}:chr_file create_file_perms; -allow domain domain:process { signal }; +allow domain domain:process { signal sigkill setsched getsession }; +allow domain file:{dir file lnk_file sock_file} { relabelfrom relabelto }; allow user_secret_d secret_t:{file lnk_file} create_file_perms; allow user_secret_d secret_t:dir { create_file_perms rw_dir_perms }; -allow user_secret_d { secret_t unlabeled_t }:{file dir} { relabelfrom relabelto };+allow user_secret_d { secret_t unlabeled_t file_t }:{file dir} { relabelfrom relabelto }; +allow secret_t fs:filesystem associate; + ==== //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/classes.nib#2 (text+ko) ==== ==== //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/info.nib#2 (text+ko) ==== @@ -8,7 +8,6 @@ <string>291.0</string> <key>IBLockedObjects</key> <array> - <integer>199</integer> <integer>200</integer> </array> <key>IBOpenObjects</key> ==== //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/objects.nib#2 (binary) ==== ==== //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/wslogin.c#4 (text+ko) ==== @@ -12,7 +12,7 @@ #define errexit(args...) \ { \ syslog (LOG_ERR, ##args); \ - return 1; \ + kill (getppid(), 15); return 1; \ } const char *username = "root"; 
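Review bot: `allow domain file:{file lnk_file sock_file} {create_file_perms execute };` together with `allow domain file:{dir file lnk_file sock_file} { relabelfrom relabelto };` gives every domain create, execute and relabel rights on every type carrying the `file` attribute, which per the first hunk of this file includes `login_exec_t`, `shell_exec_t` and `bin_t`. Those are the entry-point types named in the `domain_auto_trans`/`domain_trans` rules, so with enforcing mode on the policy apparently no longer protects the binaries that decide domain transitions, and relabeling lets any domain move objects between types. The widened `allow domain domain:process { signal sigkill setsched getsession };` likewise lets any domain signal or reschedule any other, including `init_d` and `kernel_d`. If this is a bootstrap policy to get the system booting under enforcement, say so in a comment and scope the write and relabel rules to the domains that need them, e.g. `allow sysadm_d file:{dir file lnk_file sock_file} { relabelfrom relabelto };`.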
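Review bot: The `errexit` macro in wslogin.c now runs `kill (getppid(), 15)` with the signal as a bare number and the result ignored; the same call is repeated in the two later hunks of this file. If the parent has already exited, `getppid()` returns the reaper's pid (normally 1), so the signal goes to init instead of the intended parent. Use the named constant and check the parent first, e.g. `pid_t pp = getppid(); if (pp > 1) kill (pp, SIGTERM);`. The macro body is also a bare `{ ... }` block rather than `do { ... } while (0)`, which misparses when used before an `else`.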
@@ -68,7 +68,9 @@ if (mac_from_text(&execlabel, shm+1)) errexit("%s is not a valid domain", shm[1]); - return mac_set_proc (execlabel); + if (mac_set_proc (execlabel)) + kill (getppid(), 15); + return 0; } if (sebsd_enabled()) @@ -133,9 +135,8 @@ free(labeltext); } - if (execlabel) - return mac_set_proc (execlabel); - else - return 0; + if (mac_set_proc (execlabel)) + kill (getppid (), 15); + return 0; }
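Review bot: After a failed `mac_set_proc (execlabel)` this path signals the parent and then still executes `return 0;`, so the helper reports success without having entered the requested label; the last hunk of the file has the same pattern. Enforcement then rests entirely on the signal being delivered and acted on, and if `kill` fails or the parent handles it the session apparently continues under the old label. Fail closed in the child as well: `if (mac_set_proc (execlabel)) { kill (getppid(), SIGTERM); return 1; }`. Separately, the context line `errexit("%s is not a valid domain", shm[1]);` passes `shm[1]` to `%s` while the call above uses `shm+1` as the string, which looks like a format/argument mismatch; `shm`'s declaration is outside the hunk, so confirm.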
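Review bot: The `if (execlabel)` guard was dropped in the final hunk, so `mac_set_proc (execlabel)` is now called even when no label was built. Whether `execlabel` can still be NULL at this point depends on code outside the hunk; if it can, either the call fails and the parent is signalled on a path where no label was requested, or the library is handed a NULL label. If ending the session is the intent when no label exists, state that in a comment, otherwise keep the guard: `if (execlabel && mac_set_proc (execlabel))`.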