From owner-p4-projects@FreeBSD.ORG Tue Dec 14 15:19:29 2004 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 3F12816A4D0; Tue, 14 Dec 2004 15:19:29 +0000 (GMT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 04FC516A4CE for ; Tue, 14 Dec 2004 15:19:29 +0000 (GMT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id C586843D48 for ; Tue, 14 Dec 2004 15:19:28 +0000 (GMT) (envelope-from areisse@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id iBEFJSkt052592 for ; Tue, 14 Dec 2004 15:19:28 GMT (envelope-from areisse@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id iBEFJSIA052589 for perforce@freebsd.org; Tue, 14 Dec 2004 15:19:28 GMT (envelope-from areisse@nailabs.com) Date: Tue, 14 Dec 2004 15:19:28 GMT Message-Id: <200412141519.iBEFJSIA052589@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to areisse@nailabs.com using -f 
From: Andrew Reisse To: Perforce Change Reviews Subject: PERFORCE change 67063 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Dec 2004 15:19:29 -0000 http://perforce.freebsd.org/chv.cgi?CH=67063 Change 67063 by areisse@areisse_tislabs on 2004/12/14 15:19:13 Rebuild flask include files. Change AVC_TOGGLE to SETENFORCE.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_inherit.h#4 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_perm_to_string.h#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_permissions.h#6 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/class_to_string.h#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/common_perm_to_string.h#4 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/initial_sid_to_string.h#4 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/flask.h#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#5 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_inherit.h#4 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_perm_to_string.h#5 (text+ko) ====
@@ -54,6 +54,7 @@
{ SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld" },
{ SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill" },
{ SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop" },
+ { SECCLASS_PROCESS, PROCESS__SIGNULL, "signull" },
{ SECCLASS_PROCESS, PROCESS__SIGNAL, "signal" },
{ SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace" },
{ SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched" },
@@ -64,6 +65,13 @@
{ SECCLASS_PROCESS, PROCESS__GETCAP, "getcap" },
{ SECCLASS_PROCESS, PROCESS__SETCAP, "setcap" },
{ SECCLASS_PROCESS, PROCESS__SHARE, "share" },
+ { SECCLASS_PROCESS, PROCESS__GETATTR, "getattr" },
+ { SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec" },
+ { SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate" },
+ { SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure" },
+ { SECCLASS_PROCESS, PROCESS__SIGINH, "siginh" },
+ { SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit" },
+ { SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh" },
{ SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue" },
{ SECCLASS_MSG, MSG__SEND, "send" },
{ SECCLASS_MSG, MSG__RECEIVE, "receive" },
@@ -74,24 +82,15 @@
{ SECCLASS_POSIX_SEM, POSIX_SEM__WRITE, "write" },
{ SECCLASS_POSIX_SEM, POSIX_SEM__READ, "read" },
{ SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av" },
- { SECCLASS_SECURITY, SECURITY__NOTIFY_PERM, "notify_perm" },
- { SECCLASS_SECURITY, SECURITY__TRANSITION_SID, "transition_sid" },
- { SECCLASS_SECURITY, SECURITY__MEMBER_SID, "member_sid" },
- { SECCLASS_SECURITY, SECURITY__SID_TO_CONTEXT, "sid_to_context" },
- { SECCLASS_SECURITY, SECURITY__CONTEXT_TO_SID, "context_to_sid" },
+ { SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create" },
+ { SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member" },
+ { SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context" },
{ SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy" },
- { SECCLASS_SECURITY, SECURITY__GET_SIDS, "get_sids" },
- { SECCLASS_SECURITY, SECURITY__REGISTER_AVC, "register_avc" },
- { SECCLASS_SECURITY, SECURITY__CHANGE_SID, "change_sid" },
- { SECCLASS_SECURITY, SECURITY__GET_USER_SIDS, "get_user_sids" },
- { SECCLASS_SYSTEM, SYSTEM__NET_IO_CONTROL, "net_io_control" },
- { SECCLASS_SYSTEM, SYSTEM__ROUTE_CONTROL, "route_control" },
- { SECCLASS_SYSTEM, SYSTEM__ARP_CONTROL, "arp_control" },
- { SECCLASS_SYSTEM, SYSTEM__RARP_CONTROL, "rarp_control" },
+ { SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel" },
+ { SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user" },
+ { SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce" },
+ { SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool" },
{ SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info" },
- { SECCLASS_SYSTEM, SYSTEM__AVC_TOGGLE, "avc_toggle" },
- { SECCLASS_SYSTEM, SYSTEM__NFSD_CONTROL, "nfsd_control" },
- { SECCLASS_SYSTEM, SYSTEM__BDFLUSH, "bdflush" },
{ SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read" },
{ SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod" },
{ SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console" },
@@ -139,6 +138,9 @@
{ SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config" },
{ SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod" },
{ SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease" },
+ { SECCLASS_PASSWD, PASSWD__PASSWD, "passwd" },
+ { SECCLASS_PASSWD, PASSWD__CHFN, "chfn" },
+ { SECCLASS_PASSWD, PASSWD__CHSH, "chsh" },
};
#define AV_PERM_TO_STRING_SIZE (sizeof(av_perm_to_string)/sizeof(av_perm_to_string_t))
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_permissions.h#6 (text+ko) ====
@@ -482,16 +482,24 @@
#define PROCESS__SIGCHLD 0x0000000000000004UL
#define PROCESS__SIGKILL 0x0000000000000008UL
#define PROCESS__SIGSTOP 0x0000000000000010UL
-#define PROCESS__SIGNAL 0x0000000000000020UL
-#define PROCESS__PTRACE 0x0000000000000040UL
-#define PROCESS__GETSCHED 0x0000000000000080UL
-#define PROCESS__SETSCHED 0x0000000000000100UL
-#define PROCESS__GETSESSION 0x0000000000000200UL
-#define PROCESS__GETPGID 0x0000000000000400UL
-#define PROCESS__SETPGID 0x0000000000000800UL
-#define PROCESS__GETCAP 0x0000000000001000UL
-#define PROCESS__SETCAP 0x0000000000002000UL
-#define PROCESS__SHARE 0x0000000000004000UL
+#define PROCESS__SIGNULL 0x0000000000000020UL
+#define PROCESS__SIGNAL 0x0000000000000040UL
+#define PROCESS__PTRACE 0x0000000000000080UL
+#define PROCESS__GETSCHED 0x0000000000000100UL
+#define PROCESS__SETSCHED 0x0000000000000200UL
+#define PROCESS__GETSESSION 0x0000000000000400UL
+#define PROCESS__GETPGID 0x0000000000000800UL
+#define PROCESS__SETPGID 0x0000000000001000UL
+#define PROCESS__GETCAP 0x0000000000002000UL
+#define PROCESS__SETCAP 0x0000000000004000UL
+#define PROCESS__SHARE 0x0000000000008000UL
+#define PROCESS__GETATTR 0x0000000000010000UL
+#define PROCESS__SETEXEC 0x0000000000020000UL
+#define PROCESS__SETFSCREATE 0x0000000000040000UL
+#define PROCESS__NOATSECURE 0x0000000000080000UL
+#define PROCESS__SIGINH 0x0000000000100000UL
+#define PROCESS__SETRLIMIT 0x0000000000200000UL
+#define PROCESS__RLIMITINH 0x0000000000400000UL
#define IPC__WRITE 0x0000000000000020UL
#define IPC__UNIX_WRITE 0x0000000000000100UL
@@ -546,28 +554,19 @@
#define POSIX_SEM__READ 0x0000000000000010UL
#define SECURITY__COMPUTE_AV 0x0000000000000001UL
-#define SECURITY__NOTIFY_PERM 0x0000000000000002UL
-#define SECURITY__TRANSITION_SID 0x0000000000000004UL
-#define SECURITY__MEMBER_SID 0x0000000000000008UL
-#define SECURITY__SID_TO_CONTEXT 0x0000000000000010UL
-#define SECURITY__CONTEXT_TO_SID 0x0000000000000020UL
-#define SECURITY__LOAD_POLICY 0x0000000000000040UL
-#define SECURITY__GET_SIDS 0x0000000000000080UL
-#define SECURITY__REGISTER_AVC 0x0000000000000100UL
-#define SECURITY__CHANGE_SID 0x0000000000000200UL
-#define SECURITY__GET_USER_SIDS 0x0000000000000400UL
+#define SECURITY__COMPUTE_CREATE 0x0000000000000002UL
+#define SECURITY__COMPUTE_MEMBER 0x0000000000000004UL
+#define SECURITY__CHECK_CONTEXT 0x0000000000000008UL
+#define SECURITY__LOAD_POLICY 0x0000000000000010UL
+#define SECURITY__COMPUTE_RELABEL 0x0000000000000020UL
+#define SECURITY__COMPUTE_USER 0x0000000000000040UL
+#define SECURITY__SETENFORCE 0x0000000000000080UL
+#define SECURITY__SETBOOL 0x0000000000000100UL
-#define SYSTEM__NET_IO_CONTROL 0x0000000000000001UL
-#define SYSTEM__ROUTE_CONTROL 0x0000000000000002UL
-#define SYSTEM__ARP_CONTROL 0x0000000000000004UL
-#define SYSTEM__RARP_CONTROL 0x0000000000000008UL
-#define SYSTEM__IPC_INFO 0x0000000000000010UL
-#define SYSTEM__AVC_TOGGLE 0x0000000000000020UL
-#define SYSTEM__NFSD_CONTROL 0x0000000000000040UL
-#define SYSTEM__BDFLUSH 0x0000000000000080UL
-#define SYSTEM__SYSLOG_READ 0x0000000000000100UL
-#define SYSTEM__SYSLOG_MOD 0x0000000000000200UL
-#define SYSTEM__SYSLOG_CONSOLE 0x0000000000000400UL
+#define SYSTEM__IPC_INFO 0x0000000000000001UL
+#define SYSTEM__SYSLOG_READ 0x0000000000000002UL
+#define SYSTEM__SYSLOG_MOD 0x0000000000000004UL
+#define SYSTEM__SYSLOG_CONSOLE 0x0000000000000008UL
#define CAPABILITY__CHOWN 0x0000000000000001UL
#define CAPABILITY__DAC_EXECUTE 0x0000000000000002UL
@@ -614,5 +613,9 @@
#define CAPABILITY__MKNOD 0x0000040000000000UL
#define CAPABILITY__LEASE 0x0000080000000000UL
+#define PASSWD__PASSWD 0x0000000000000001UL
+#define PASSWD__CHFN 0x0000000000000002UL
+#define PASSWD__CHSH 0x0000000000000004UL
+ /* FLASK */
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/class_to_string.h#5 (text+ko) ====
@@ -35,5 +35,6 @@
"shm",
"ipc",
"posix_sem",
+ "passwd",
};
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/common_perm_to_string.h#4 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/initial_sid_to_string.h#4 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/flask.h#5 (text+ko) ====
@@ -37,6 +37,7 @@
#define SECCLASS_SHM 28
#define SECCLASS_IPC 29
#define SECCLASS_POSIX_SEM 30
+#define SECCLASS_PASSWD 31
/*
* Security identifier indices for initial entities
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#5 (text+ko) ====
@@ -116,7 +116,7 @@
if (error)
return (error);
- error = thread_has_system (curthread, SYSTEM__AVC_TOGGLE);
+ error = thread_has_system (curthread, SECURITY__SETENFORCE);
if (error)
return error;
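Review bot: The added line in the sebsd_sysctl.c hunk passes a SECCLASS_SECURITY permission bit (SECURITY__SETENFORCE, 0x80 in the rebuilt av_permissions.h above) to `thread_has_system`, whose name suggests it checks the SECCLASS_SYSTEM class; if that is what it does, the AVC will be asked about bit 0x80 of the `system` class, which this change leaves with only four defined bits, so the enforcing-mode switch would be gated by an undefined system permission rather than by `security:setenforce`. The check should be made against SECCLASS_SECURITY, either through a security-class counterpart of `thread_has_system` if the module has one, or by querying the AVC directly with `SECCLASS_SECURITY` and `SECURITY__SETENFORCE`. Since this path changes the enforcing mode system-wide, a one-line comment on the call would also help the next reader: `/* Only a domain holding security:setenforce may switch between permissive and enforcing mode. */`. The enclosing sysctl handler starts and ends outside the hunk.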