Date: Wed, 5 May 2004 07:50:21 -0700 (PDT) From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 52298 for review Message-ID: <200405051450.i45EoLNq045758@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=52298 Change 52298 by areisse@areisse_ibook on 2004/05/05 07:49:42 test some more hooks Affected files ... .. //depot/projects/trustedbsd/sedarwin73/policy/rules#2 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin73/policy/rules#2 (text+ko) ==== @@ -1,6 +1,7 @@ attribute domain; attribute domain2; attribute file; +attribute xfile; attribute fs; attribute names; @@ -15,6 +16,7 @@ type login_d, domain, domain2; type user_d, domain, domain2; type user_secret_d, domain, domain2; +type protected_d, domain2; type sysadm_d, domain, domain2; type kernel_d, domain, domain2; type security_t; @@ -29,7 +31,8 @@ type zero_device_t; type console_device_t; type random_device_t; -type secret_t; +type secret_t, xfile; +type readonly_t, xfile; type user_port_t; type time_port_t; @@ -88,6 +91,7 @@ role object_r types secret_t; role user_r types user_d; role user_r types user_port_t; +role user_r types protected_d; role user_secret_r types user_secret_d; role sysadm_r types sysadm_d; @@ -96,6 +100,7 @@ allow system_r sysadm_r; allow file fs:filesystem associate; +allow xfile fs:filesystem associate; #allow init_d { bin_t shell_exec_t file_t }:dir_file_class_set rw_file_perms; #allow init_d bin_t:file execute_no_trans; 
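Review bot: The added `type protected_d, domain2;` in hunk -15,6 leaves out the `domain` attribute that every neighbouring domain type in that hunk carries, and nothing records that the omission is deliberate. Judging from a context line later in this change (`allow domain2 domain:process { signal sigkill setsched getsession };`), the effect appears to be that no other domain receives process permissions on protected_d, which looks like the point of the test. A comment above the declaration would stop a later cleanup from "correcting" it, for example `# protected_d is intentionally not in "domain": other domains must not be able to signal it`.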
@@ -111,12 +116,12 @@ type_change user_d devpts_t:chr_file user_devpts_t; -allow domain self:mach_port { send make_send copy_send move_recv }; -allow domain kernel_d:mach_port { send make_send copy_send }; -allow domain self:mach_task set_special_port; -allow domain self:mach_names { look_up }; -allow domain root_t:dir { search getattr read }; -allow kernel_d domain:mach_port { send make_send copy_send }; +allow domain2 self:mach_port { send make_send copy_send move_recv }; +allow domain2 kernel_d:mach_port { send make_send copy_send }; +allow domain2 self:mach_task set_special_port; +allow domain2 self:mach_names { look_up }; +allow domain2 root_t:dir { search getattr read }; +allow kernel_d domain2:mach_port { send make_send copy_send }; allow domain2 file:{file lnk_file sock_file} {create_file_perms execute }; allow domain2 file:file execute_no_trans; @@ -126,6 +131,12 @@ allow domain2 {devpts_t user_devpts_t sysadm_devpts_t}:chr_file create_file_perms; allow domain2 domain:process { signal sigkill setsched getsession }; allow domain2 file:{dir file lnk_file sock_file} { relabelfrom relabelto }; +allow domain2 readonly_t:{dir file lnk_file sock_file} { relabelfrom relabelto r_file_perms }; +allow domain2 readonly_t:dir r_dir_perms; +allow protected_d self:process { signal sigkill setsched getsession }; + +domain_trans(user_d,shell_exec_t,protected_d); +allow user_d security_t:security *; domain_auto_trans(init_d,windowserver_exec_t,windowserver_d); domain_auto_trans(systemstarter_d,windowserver_exec_t,windowserver_d); @@ -189,6 +200,7 @@ allow_mach_ipc(windowserver_d,init_d); # for wsloginui allow_mach_ipc(windowserver_d,coreservices_d); # for wsloginui mach_bootstrap_register(windowserver_d,boot_names_t); +allow windowserver_d init_d:mach_names register; allow_mach_ipc(loginwindow_d,coreservices_d); allow_mach_ipc(loginwindow_d,init_d); 
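Review bot: Moving the six base Mach rules in hunk -111,12 from `domain` to `domain2` takes those permissions away from any type declared with `domain` alone, and nothing in the change shows that the rest of the file was checked for such types. Every declaration visible in this diff carries both attributes, so this may be safe, but only part of the file is shown. The rewrite also retargets `allow kernel_d domain2:mach_port { send make_send copy_send };`, so kernel_d gains send rights toward protected_d's ports as well. If that is intended, a comment such as `# base Mach permissions for every domain, including those kept out of "domain"` would record why domain2 is the right attribute.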
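Review bot: `allow user_d security_t:security *;` in hunk -126,6 gives the ordinary user domain every permission in the `security` class, which is wider than exercising a hook should need. If this port's `security` class includes the usual Flask permissions (the class definition is not visible here), a user_d process could affect the policy that the rest of this file defines. The rule should name only the permissions the test uses and be marked temporary, e.g. `# TEST ONLY - remove before merge` on the line above. Separately, `allow domain2 readonly_t:{dir file lnk_file sock_file} { relabelfrom relabelto r_file_perms };` lets every domain relabel readonly_t objects, and the context line above it already grants `relabelto` on all `file` types, so as far as these rules show a read-only object can be relabeled to a writable type. Dropping `relabelfrom` from the readonly_t rule would close that.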
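Review bot: The added `allow windowserver_d init_d:mach_names register;` in hunk -189,6 carries no comment, while the neighbouring allow_mach_ipc lines each say what they are for. It lets windowserver_d register names under init_d's label in addition to the `mach_bootstrap_register(windowserver_d,boot_names_t)` line just above it, and clients that look names up there would presumably trust whoever registered them. A trailing comment in the file's existing style, `# for <service that needs it>`, would let a later reviewer judge whether the rule can be narrowed or dropped.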
@@ -233,6 +245,7 @@ allow_mach_ipc(pbs_d,unlabeled_t); allow_mach_ipc(user_d,unlabeled_t); allow_mach_ipc(user_secret_d,unlabeled_t); +allow_mach_ipc(protected_d,unlabeled_t); allow_mach_ipc(lookupd_d,unlabeled_t); allow_mach_ipc(coreservices_d,unlabeled_t); allow_mach_ipc(windowserver_d,unlabeled_t); @@ -291,4 +304,5 @@ ') user_sys_access(user_d,user_names_t); +user_sys_access(protected_d,user_names_t); user_sys_access(user_secret_d,user_names_t); # can't use other names types yet
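Review bot: `allow_mach_ipc(protected_d,unlabeled_t);` in hunk -233,6 gives the new domain the same blanket IPC with unlabeled ports as user_d and user_secret_d, which may undercut whatever isolation protected_d is meant to test. The macro body is outside this diff, so the exact permissions are not visible, but the neighbouring entries suggest a stop-gap while ports remain unlabeled. A comment such as `# temporary: drop once the ports protected_d talks to are labeled` would mark it for removal. Hunk -291,4 adds `user_sys_access(protected_d,user_names_t);` under the same "can't use other names types yet" caveat and deserves the same marker.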