From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 110124 for review X-BeenThere: trustedbsd-cvs@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD CVS and Perforce commit message list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Nov 2006 19:21:39 -0000 http://perforce.freebsd.org/chv.cgi?CH=110124 Change 110124 by millert@millert_macbook on 2006/11/16 19:17:24 Update policy Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/KernelEventAgent.te#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#7 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/frameworks.if#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mDNSResponder.te#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/memberd.te#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.fc#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.if#4 edit .. 
//depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.fc#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.te#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/libraries.fc#4 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#6 (text+ko) ==== @@ -51,6 +51,7 @@ # support files allow DirectoryService_t DirectoryService_resource_t:file { execute getattr read setattr write }; allow DirectoryService_t DirectoryService_resource_t:dir { getattr read search }; +allow DirectoryService_t DirectoryService_resource_t:lnk_file { getattr read }; # file descriptors and sockets allow DirectoryService_t self:fd use; ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/KernelEventAgent.te#4 (text+ko) ==== @@ -33,3 +33,10 @@ # Talk to launchd init_allow_ipc(KernelEventAgent_t) +init_allow_bootstrap(KernelEventAgent_t) + +# Talk to kernel +kernel_allow_ipc(KernelEventAgent_t) + +# Talk to securityd +securityd_allow_ipc(KernelEventAgent_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#3 (text+ko) ==== 
@@ -5,4 +5,4 @@ /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/WindowServer -- gen_context(system_u:object_r:WindowServer_exec_t,s0) -/System/Library/Displays/Overrides -- gen_context(system_u:object_r:WindowServer_resource_t) +/System/Library/Displays/.* -- gen_context(system_u:object_r:WindowServer_resource_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#6 (text+ko) ==== @@ -114,3 +114,5 @@ # Read modules allow WindowServer_t modules_dep_t:dir search; +# Read general resource files +darwin_allow_resource_read(WindowServer_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#7 (text+ko) ==== @@ -145,7 +145,7 @@ WindowServer_allow_shm(configd_t) # Read prefs, etc -darwin_allow_global_pref_read(configd_t) +darwin_allow_global_pref_rw(configd_t) darwin_allow_host_pref_read(configd_t) darwin_allow_system_read(configd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#6 (text+ko) ==== @@ -35,12 +35,20 @@ allow diskarbitrationd_t diskarbitrationd_var_run_t:dir rw_dir_perms; files_pid_filetrans(diskarbitrationd_t,diskarbitrationd_var_run_t, { file sock_file }) +# Apparently diskarbitrationd transitions to fsadm_t at some point... +init_allow_ipc(fsadm_t) +kernel_allow_ipc(fsadm_t) +mach_allow_message(fsadm_t, fsadm_t) +allow fsadm_t device_t:chr_file { getattr ioctl read write }; + # Misc allow diskarbitrationd_t self:process signal; allow diskarbitrationd_t self:socket { connect write }; allow diskarbitrationd_t self:udp_socket create; allow diskarbitrationd_t self:unix_dgram_socket create; +allow diskarbitrationd_t sbin_t:dir search; + # Allow various file operations allow diskarbitrationd_t nfs_t:dir getattr; allow diskarbitrationd_t nfs_t:filesystem mount; 
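Review bot: The new `/System/Library/Displays/.*` entry in WindowServer.fc calls `gen_context` without the sensitivity argument that the WindowServer binary entry just above it passes (`,s0`); the removed line had the same omission. If gen_context behaves here as in upstream refpolicy, an MLS or MCS build would produce a context with no level for these files, so I would write `/System/Library/Displays/.* -- gen_context(system_u:object_r:WindowServer_resource_t,s0)`. The pattern also widens the label from `Overrides` to every regular file under Displays, and a one-line comment naming the files WindowServer needs there would make that scope reviewable.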
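Review bot: The comment `# Read prefs, etc` above the changed line in configd.te is now wrong, because `darwin_allow_global_pref_rw(configd_t)` gives configd write access to everything labelled darwin_global_pref_t. The darwin.fc hunk in this change puts that label on the `/Library/Preferences` directory itself, and `/private/var/db/.AppleSetupDone` already carries it, so the grant reaches further than the SystemConfiguration files configd presumably writes. I would change the comment to `# Read and write global prefs (SystemConfiguration)` and consider a separate type for the files configd actually owns, so the write permission stays narrow.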
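Review bot: The block under `# Apparently diskarbitrationd transitions to fsadm_t at some point...` grants permissions to fsadm_t itself, so every process in that domain receives them, not only helpers started by diskarbitrationd. `allow fsadm_t device_t:chr_file { getattr ioctl read write };` is the broad one: device_t looks like the generic device label, so this is read/write on any character device that has no more specific type. I would move these rules into the module that owns fsadm_t, replace device_t with the specific device type the denial was logged against, and state the transition as fact in the comment once it is confirmed. The hunk shows no domain-transition rule, so whether that transition is declared elsewhere cannot be checked from here.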
@@ -96,6 +104,13 @@ # Allow access to frameworks frameworks_read(diskarbitrationd_t) - # Read /private/var files_read_var_files(diskarbitrationd_t) + +# Allow reading of /private +darwin_allow_private_read(diskarbitrationd_t) + +# Read fstools files +fstools_read_files(diskarbitrationd_t) + + ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/frameworks.if#2 (text+ko) ==== @@ -16,7 +16,7 @@ allow $1 framework_t:file read_file_perms; allow $1 framework_t:dir r_dir_perms; allow $1 framework_t:dir search_dir_perms; - allow configd_t framework_t:lnk_file { getattr read }; + allow $1 framework_t:lnk_file { getattr read }; ') ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#4 (text+ko) ==== @@ -74,3 +74,19 @@ # Talk to configd configd_allow_ipc(loginwindow_t) configd_allow_shm(loginwindow_t) + +# Use CoreServices +darwin_allow_CoreServices_read(loginwindow_t) + +# Read prefs +darwin_allow_global_pref_read(loginwindow_t) +darwin_allow_host_pref_read(loginwindow_t) + +# Read /private +darwin_allow_private_read(loginwindow_t) + +# Read /System +darwin_allow_system_read(loginwindow_t) + +# Use frameworks +frameworks_read(loginwindow_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#3 (text+ko) ==== @@ -88,4 +88,15 @@ # Talk to loginwindow loginwindow_allow_ipc(lookupd_t) +# Use CoreServices +darwin_allow_CoreServices_read(lookupd_t) + +# Read /private +darwin_allow_private_read(lookupd_t) + +# Read /System +darwin_allow_system_read(lookupd_t) + +# Use frameworks +frameworks_read(lookupd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mDNSResponder.te#3 (text+ko) ==== 
@@ -44,6 +44,8 @@ allow mDNSResponder_t self:fd use; allow mDNSResponder_t self:socket { accept bind create read write }; allow mDNSResponder_t self:udp_socket create; +allow mDNSResponder_t self:tcp_socket create; +allow mDNSResponder_t self:unix_dgram_socket create; # Misc allow mDNSResponder_t mnt_t:dir search; @@ -61,3 +63,17 @@ # Allow mDNSResponder to talk to configd configd_allow_ipc(mDNSResponder_t) + +# Aloow mDNSResponder to talk to lookupd +lookupd_allow_ipc(mDNSResponder_t) + +# Use CoreServices +darwin_allow_CoreServices_read(mDNSResponder_t) + +# Read prefs +darwin_allow_global_pref_read(mDNSResponder_t) +darwin_allow_host_pref_read(mDNSResponder_t) + +# Read /private +darwin_allow_private_read(mDNSResponder_t) + ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/memberd.te#3 (text+ko) ==== @@ -38,7 +38,14 @@ # Talk to launchd init_allow_ipc(memberd_t) init_allow_shm(memberd_t) +init_allow_bootstrap(memberd_t) +# Talk tro self +allow memberd_t self:mach_port make_send_once; + +# Talk to kernel +kernel_allow_ipc(memberd_t) + # Talk to loginwindow loginwindow_allow_ipc(memberd_t) @@ -47,3 +54,5 @@ # Talk to WindowServer WindowServer_allow_ipc(memberd_t) + + ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.fc#5 (text+ko) ==== @@ -13,6 +13,7 @@ # # /etc # +/etc gen_context(system_u:object_r:etc_t,s0) /private/etc -d gen_context(system_u:object_r:etc_t,s0) /private/etc/.* gen_context(system_u:object_r:etc_t,s0) /private/etc/localtime -l gen_context(system_u:object_r:etc_t,s0) @@ -74,7 +75,8 @@ # # /private/var -# +#h +/var gen_context(system_u:object_r:var_t,s0) /private/var -d gen_context(system_u:object_r:var_t,s0) /private/var/.* gen_context(system_u:object_r:var_t,s0) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.if#4 (text+ko) ==== 
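Review bot: Two of the added comments have typos: `# Aloow mDNSResponder to talk to lookupd` in the second mDNSResponder.te hunk and `# Talk tro self` in the first memberd.te hunk. They should read `# Allow mDNSResponder to talk to lookupd` and `# Talk to self`. These comments are the only statement of intent next to each IPC grant, so they are what an auditor searches for when checking who may message whom.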
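Review bot: The second files.fc hunk turns the closing comment line `#` into `#h`, which looks like a stray keystroke and should go back to `#`. The new `/etc` and `/var` entries have no file-type field, unlike the `-d` and `-l` entries beside them. On Darwin both paths are symlinks into /private, and the files.if hunk in this change adds a `var_t:lnk_file` rule, so the intent seems to be labelling the links themselves. If so, say it explicitly with `/etc -l gen_context(system_u:object_r:etc_t,s0)` and `/var -l gen_context(system_u:object_r:var_t,s0)`.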
@@ -3614,6 +3614,7 @@ allow $1 var_t:dir search_dir_perms; allow $1 var_t:file r_file_perms; + allow $1 var_t:lnk_file { read }; ') ######################################## ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.fc#2 (text+ko) ==== @@ -1,8 +1,12 @@ /Library/Preferences/.GlobalPreferences.plist -- gen_context(system_u:object_r:darwin_global_pref_t,s0) +/Library/Preferences -d gen_context(system_u:object_r:darwin_global_pref_t,s0) /private/var/db/.AppleSetupDone -- gen_context(system_u:object_r:darwin_global_pref_t,s0) -/Library/Preferences/SystemConfiguration.* -- gen_context(system_u:object_r:darwin_global_pref_t,s0) +/Library/Preferences/SystemConfiguration.* gen_context(system_u:object_r:darwin_global_pref_t,s0) /private/var/root/Library/Preferences/ByHost.* gen_context(system_u:object_r:darwin_host_pref_t,s0) /System/Library/CoreServices.* gen_context(system_u:object_r:darwin_CoreServices_t,s0) /private -d gen_context(system_u:object_r:darwin_private_t,s0) +/Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0) +/System/Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0) + ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#2 (text+ko) ==== @@ -21,6 +21,27 @@ ######################################## ## +## Allow reading/writing of global preference files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_global_pref_rw',` + gen_require(` + type darwin_global_pref_t; + ') + + allow $1 darwin_global_pref_t:file rw_file_perms; + allow $1 darwin_global_pref_t:dir rw_dir_perms; + allow $1 darwin_global_pref_t:file link_file_perms; + +') + +######################################## +## ## Allow reading of host preference files ## ## 
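Review bot: `allow $1 var_t:lnk_file { read };` in files.if grants only `read`, while the other lnk_file rules added in this change (DirectoryService.te, frameworks.if, darwin.if) use `{ getattr read }`. A caller that stats the /var link before following it would still be denied, so for consistency I would write `allow $1 var_t:lnk_file { getattr read };`. The interface this line belongs to starts above the hunk, so its name and documented purpose are not visible here; its summary should mention that it now covers symlinks.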
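Review bot: The new `/Library/ColorSync.*` and `/System/Library/ColorSync.*` patterns in darwin.fc are not anchored at a path separator, so they would also match a sibling whose name merely starts with ColorSync. `/Library/ColorSync(/.*)?` and `/System/Library/ColorSync(/.*)?` label only the directory and its contents. Separately, dropping `--` from the `SystemConfiguration.*` entry and adding `/Library/Preferences -d` means directories and links now carry darwin_global_pref_t, which every caller of darwin_allow_global_pref_rw can modify. A comment above those two lines saying why the directory itself has to be writable would help the next audit.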
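Review bot: `darwin_allow_global_pref_rw` is documented as reading/writing, but its third rule, `allow $1 darwin_global_pref_t:file link_file_perms;`, goes further. If the macro expands as in upstream refpolicy, it adds link, unlink and rename on the preference files. The summary should say so, for example `## Allow reading, writing, renaming and unlinking of global preference files`. The interface also has no lnk_file rule, although darwin.fc in this change labels non-regular entries matching `SystemConfiguration.*` with this type, so a caller that has to follow a link there gets nothing from this interface.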
@@ -57,6 +78,7 @@ allow $1 darwin_CoreServices_t:file read_file_perms; allow $1 darwin_CoreServices_t:dir r_dir_perms; + allow $1 darwin_CoreServices_t:lnk_file { getattr read }; ') @@ -117,3 +139,22 @@ ') +######################################## +## +## Allow reading of general resource files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_resource_read',` + gen_require(` + type darwin_resource_t; + ') + + allow $1 darwin_resource_t:file read_file_perms; + allow $1 darwin_resource_t:dir r_dir_perms; + +') ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.te#2 (text+ko) ==== @@ -9,6 +9,7 @@ type darwin_host_pref_t; type darwin_CoreServices_t; type darwin_system_t; +type darwin_resource_t; type darwin_private_t; ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#5 (text+ko) ==== @@ -642,6 +642,9 @@ # Talk to yourself for bootstrap namespace init_allow_bootstrap(init_t) + +# Talk to self +init_allow_ipc(init_t) # Talk to the kernel kernel_allow_ipc(init_t) @@ -656,3 +659,10 @@ # Use Frameworks frameworks_read(init_t) + +# Use CoreServices +darwin_allow_CoreServices_read(init_t) + +darwin_allow_private_read(init_t) + + ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/libraries.fc#4 (text+ko) ==== @@ -8,6 +8,11 @@ #/System/Library/Frameworks gen_context(system_u:object_r:lib_t,s0) #/System/Library/Frameworks/.* gen_context(system_u:object_r:lib_t,s0) +# +# /Library +# +/Library -d gen_context(system_u:object_r:lib_t,s0) + # # /usr
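Review bot: The new `darwin_allow_resource_read` interface in the third darwin.if hunk grants file and dir read but has no lnk_file rule, while the hunk just before it adds `lnk_file { getattr read }` to the CoreServices interface. The ColorSync patterns in darwin.fc carry no file-type field, so any symlinks under those paths would get darwin_resource_t and stay unreadable through this interface. If links exist there, add `allow $1 darwin_resource_t:lnk_file { getattr read };`; if not, a short comment stating that only regular files and directories are expected keeps the omission deliberate.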