From owner-trustedbsd-cvs@FreeBSD.ORG Mon Dec 4 19:09:22 2006
Date: Mon, 4 Dec 2006 19:03:17 GMT
Message-Id: <200612041903.kB4J3Hbq096876@repoman.freebsd.org>
From: Todd Miller
To: Perforce Change Reviews
Subject: PERFORCE change 111069 for review
List-Id: TrustedBSD CVS and Perforce commit message list

http://perforce.freebsd.org/chv.cgi?CH=111069

Change 111069 by millert@millert_macbook on 2006/12/04 19:02:48

	Update policy

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.fc#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.if#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#8 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreaudiod.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.fc#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.if#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mDNSResponder.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.if#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.fc#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.if#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/update.te#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.fc#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/kernel.if#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.fc#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.te#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.if#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.if#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.te#4 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.fc#4 (text+ko) ====
@@ -9,9 +9,6 @@ /Library/Preferences/DirectoryService -d gen_context(system_u:object_r:DirectoryService_resource_t,s0) /Library/Preferences/DirectoryService/.* -- gen_context(system_u:object_r:DirectoryService_resource_t,s0) -/System/Library/Frameworks/DirectoryService.framework -d gen_context(system_u:object_r:DirectoryService_resource_t,s0) -/System/Library/Frameworks/DirectoryService.framework/.* gen_context(system_u:object_r:DirectoryService_resource_t,s0) -/System/Library/PrivateFrameworks/DirectoryServiceCore.framework.* gen_context(system_u:object_r:DirectoryService_resource_t,s0) /private/var/run/.DSRunningSP1 -- gen_context(system_u:object_r:DirectoryService_var_run_t,s0) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#4 (text+ko) ==== @@ -5,4 +5,4 @@ /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/WindowServer -- gen_context(system_u:object_r:WindowServer_exec_t,s0) -/System/Library/Displays/.* -- gen_context(system_u:object_r:WindowServer_resource_t) +/System/Library/Displays.* gen_context(system_u:object_r:WindowServer_resource_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.if#5 (text+ko) ==== @@ -97,7 +97,7 @@ # interface(`WindowServer_allow_resource_read',` - allow $1 WindowServer_resource_t:file {read getattr}; - allow $1 WindowServer_resource_t:dir {search}; + allow $1 WindowServer_resource_t:file read_file_perms; + allow $1 WindowServer_resource_t:dir r_dir_perms; ') ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#7 (text+ko) ==== 
@@ -116,3 +116,11 @@ # Read general resource files darwin_allow_resource_read(WindowServer_t) + +# Perform filesystem operations +fs_getattr_xattr_fs(WindowServer_t) + +# Read user home dirs +userdom_search_all_users_home_content(WindowServer_t) +userdom_read_all_users_home_content_files(WindowServer_t) + ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#8 (text+ko) ==== @@ -145,6 +145,7 @@ WindowServer_allow_shm(configd_t) # Read prefs, etc +darwin_allow_global_pref_manage(configd_t) darwin_allow_global_pref_rw(configd_t) darwin_allow_host_pref_read(configd_t) darwin_allow_system_read(configd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreaudiod.te#6 (text+ko) ==== @@ -63,3 +63,7 @@ # Allow reading of /private darwin_allow_private_read(coreaudiod_t) + +# Allow reading of /var +files_read_var_symlinks(coreaudiod_t) +files_read_var_files(coreaudiod_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#7 (text+ko) ==== @@ -47,8 +47,23 @@ allow diskarbitrationd_t self:udp_socket create; allow diskarbitrationd_t self:unix_dgram_socket create; allow diskarbitrationd_t sbin_t:dir search; +allow diskarbitrationd_t self:mach_task set_special_port; + +# Allow disk/device/fs operations +allow diskarbitrationd_t device_t:chr_file { ioctl read }; +allow diskarbitrationd_t fs_t:dir getattr; +allow diskarbitrationd_t fsadm_t:file execute_no_trans; +# Allow mount operations +allow diskarbitrationd_t fs_t:filesystem mount; +allow diskarbitrationd_t mnt_t:dir { getattr read remove_name rmdir search }; +allow diskarbitrationd_t mnt_t:file { getattr unlink }; +allow diskarbitrationd_t mnt_t:lnk_file unlink; + + + + # Allow various file operations allow diskarbitrationd_t nfs_t:dir getattr; allow diskarbitrationd_t nfs_t:filesystem mount; 
@@ -61,9 +76,10 @@ allow diskarbitrationd_t mount_exec_t:file { execute_no_trans read }; # Allow access to raw disk devices +storage_raw_read_fixed_disk(diskarbitrationd_t) # Note: This causes the following error...we need to figure it out: # -# libsepol.check_assertion_helper: assertion on line 337564 violated by allow diskarbitrationd_t fixed_disk_device_t:blk_file { read }; +## libsepol.check_assertion_helper: assertion on line 337564 violated by allow diskarbitrationd_t fixed_disk_device_t:blk_file { read }; # libsepol.check_assertions: 1 assertion violations occured # Error while expanding policy #allow diskarbitrationd_t fixed_disk_device_t:blk_file { ioctl read }; @@ -79,6 +95,7 @@ # Allow Mach IPC with launchd init_allow_ipc(diskarbitrationd_t) +init_allow_bootstrap(diskarbitrationd_t) # Allow Mach IPC with configd configd_allow_ipc(diskarbitrationd_t) @@ -105,7 +122,7 @@ frameworks_read(diskarbitrationd_t) # Read /private/var -files_read_var_files(diskarbitrationd_t) +files_rw_var_files(diskarbitrationd_t) # Allow reading of /private darwin_allow_private_read(diskarbitrationd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#4 (text+ko) ==== @@ -77,6 +77,16 @@ # Use tmp files files_tmp_file(kextd_t) - # Read /private/var files_read_var_files(kextd_t) + +# Read/write/create in /private +darwin_allow_private_rw(kextd_t) +darwin_allow_private_create(kextd_t) + +# Read the kernel +kernel_read_kernel(kextd_t) + + + # Use CoreServices +darwin_allow_CoreServices_read(kextd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.fc#2 (text+ko) ==== 
@@ -4,3 +4,4 @@ # MCS categories: /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -- gen_context(system_u:object_r:loginwindow_exec_t,s0) +/System/Library/LoginPlugins gen_context(system_u:object_r:loginwindow_resource_t,s0) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.if#4 (text+ko) ==== @@ -54,3 +54,24 @@ allow $1 loginwindow_t:shm { create destroy getattr setattr read write associate unix_read unix_write lock }; ') + + +######################################## +## +## Allow reading of loginwindow resource files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`loginwindow_allow_resource_read',` + gen_require(` + type loginwindow_resource_t; + ') + + allow $1 loginwindow_resource_t:file read_file_perms; + allow $1 loginwindow_resource_t:dir r_dir_perms; + +') ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#5 (text+ko) ==== @@ -10,6 +10,8 @@ domain_type(loginwindow_t) init_domain(loginwindow_t, loginwindow_exec_t) +type loginwindow_resource_t; + ######################################## # # loginwindow local policy 
@@ -77,16 +79,55 @@ # Use CoreServices darwin_allow_CoreServices_read(loginwindow_t) +darwin_allow_CoreServices_execute(loginwindow_t) # Read prefs darwin_allow_global_pref_read(loginwindow_t) darwin_allow_host_pref_read(loginwindow_t) # Read /private -darwin_allow_private_read(loginwindow_t) +darwin_allow_private_rw(loginwindow_t) +darwin_allow_private_create(loginwindow_t) # Read /System darwin_allow_system_read(loginwindow_t) # Use frameworks frameworks_read(loginwindow_t) +frameworks_execute(loginwindow_t) + +# Read general resources +darwin_allow_resource_read(loginwindow_t) + +# Read our own resources +loginwindow_allow_resource_read(loginwindow_t) + +# Read user home dirs +userdom_search_all_users_home_content(loginwindow_t) +userdom_read_all_users_home_content_files(loginwindow_t) + +# Read/Write lastlog +auth_rw_lastlog(loginwindow_t) + +# Perform filesystem operations +fs_getattr_xattr_fs(loginwindow_t) +# Note: Not sure of the best way to do this "for real" +allow loginwindow_t fs_t:dir { getattr read search }; +allow loginwindow_t fs_t:file { getattr read }; + +# Read/Write utmp +init_rw_utmp(loginwindow_t) + +# Use login plugins +darwin_allow_loginplugin_read(loginwindow_t) +darwin_allow_loginplugin_execute(loginwindow_t) + +# Read WindowServer resources +WindowServer_allow_resource_read(loginwindow_t) + +# Read/write caches +darwin_allow_cache_rw(loginwindow_t) + +# Read services files +darwin_allow_services_read(loginwindow_t) + ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#4 (text+ko) ==== @@ -99,4 +99,7 @@ # Use frameworks frameworks_read(lookupd_t) +frameworks_execute(lookupd_t) +# Allow Mach IPC w/ syslogd +logging_allow_ipc(lookupd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mDNSResponder.te#4 (text+ko) ==== 
@@ -77,3 +77,5 @@ # Read /private darwin_allow_private_read(mDNSResponder_t) +# Talk to notifyd +notifyd_allow_ipc(mDNSResponder_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.if#4 (text+ko) ==== @@ -34,10 +34,10 @@ interface(`notifyd_allow_ipc',` # Allow communication with notification server - allow $1 notifyd_t:mi_notify_ipc { notify_server_cancel notify_server_get_state notify_server_monitor_file notify_server_register_check notify_server_register_plain notify_server_post notify_server_register_mach_port notify_server_register_signal}; + allow $1 notifyd_t:mi_notify_ipc { notify_server_cancel notify_server_get_state notify_server_monitor_file notify_server_register_check notify_server_register_plain notify_server_post notify_server_register_mach_port notify_server_register_signal notify_server_set_state notify_server_get_state}; # Note. this may be temporary. We are still investigating the reasons # for launchd started services being labeled init_t. - allow $1 init_t:mi_notify_ipc { notify_server_cancel notify_server_get_state notify_server_monitor_file notify_server_register_check notify_server_register_plain notify_server_post notify_server_register_mach_port notify_server_register_signal}; + allow $1 init_t:mi_notify_ipc { notify_server_cancel notify_server_get_state notify_server_monitor_file notify_server_register_check notify_server_register_plain notify_server_post notify_server_register_mach_port notify_server_register_signal notify_server_set_state notify_server_get_state}; mach_allow_ipc($1, notifyd_t) ') ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.te#4 (text+ko) ==== 
@@ -41,3 +41,6 @@ # Allow signalling of other processes allow notifyd_t init_t:process signal; allow notifyd_t lookupd_t:process signal; + +# Read /private +darwin_allow_private_read(notifyd_t) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.fc#2 (text+ko) ==== @@ -4,3 +4,5 @@ # MCS categories: /usr/sbin/securityd -- gen_context(system_u:object_r:securityd_exec_t,s0) + +/private/var/tmp/mds.* gen_context(system_u:object_r:securityd_tmp_t,s0) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.if#3 (text+ko) ==== @@ -36,3 +36,20 @@ # Allow bidirectional comminication with securityd mach_allow_ipc(securityd_t, $1) ') + +######################################## +## +## Allow read of securityd tmp files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`securityd_tmp_read',` + + allow $1 securityd_tmp_t:file read_file_perms; + allow $1 securityd_tmp_t:dir search_dir_perms; +') + ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#4 (text+ko) ==== @@ -10,6 +10,9 @@ domain_type(securityd_t) init_domain(securityd_t, securityd_exec_t) +type securityd_tmp_t; +files_tmp_file(securityd_tmp_t) + ######################################## # # securityd local policy @@ -38,7 +41,14 @@ allow securityd_t nfs_t:filesystem getattr; allow securityd_t nfs_t:lnk_file read; allow securityd_t usr_t:file { getattr read }; +allow securityd_t random_device_t:chr_file read; +allow securityd_t sbin_t:dir { getattr read search }; +# /var file operations +files_manage_var_files(securityd_t) +files_manage_var_dirs(securityd_t) +files_manage_var_symlinks(securityd_t) + # Talk to launchd init_allow_ipc(securityd_t) 
@@ -52,3 +62,43 @@ # something is probably mislabeled. allow securityd_t lib_t:file execute_no_trans; +# Talk to bootstrap server +init_allow_bootstrap(securityd_t) + +# Talk to kernel +kernel_allow_ipc(securityd_t) + +# Use CoreServices +darwin_allow_CoreServices_read(securityd_t) +darwin_allow_CoreServices_execute(securityd_t) + +# Read prefs +darwin_allow_global_pref_read(securityd_t) +darwin_allow_host_pref_read(securityd_t) + +# Read /private +darwin_allow_private_rw(securityd_t) + +# Use general resources +darwin_allow_resource_read(securityd_t) + +# read /System +darwin_allow_system_read(securityd_t) + +# Use frameworks +frameworks_read(securityd_t) + +# Share memory w/ WindowServer +WindowServer_allow_shm(securityd_t) + +# Read configd executable +allow securityd_t configd_exec_t:file read; + +# Read/Write temp files, etc +files_read_generic_tmp_files(securityd_t) +securityd_tmp_read(securityd_t) + +# Read user home dirs +userdom_search_all_users_home_content(securityd_t) +userdom_read_all_users_home_content_files(securityd_t) + ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/update.te#3 (text+ko) ==== @@ -25,5 +25,12 @@ allow update_t self:fifo_file { read write }; allow update_t self:unix_stream_socket create_stream_socket_perms; +# talk to self +mach_allow_message(update_t, update_t) + +# talk to kernel +kernel_allow_ipc(update_t) + # talk to launchd init_allow_ipc(update_t) + ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.fc#6 (text+ko) ==== @@ -45,6 +45,11 @@ /Volumes/[^/]*/.* <> # +# /tmp +# +/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) + +# # /private/tmp # /private/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/kernel.if#4 (text+ko) ==== 
@@ -2386,3 +2386,17 @@ interface(`kernel_allow_ipc',` mach_allow_ipc(kernel_t, $1) ') + +######################################## +## +## Allow reading of the kernel. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_read_kernel',` + allow $1 kernel_t:file read_file_perms; +') ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.fc#3 (text+ko) ==== 
@@ -1,12 +1,35 @@ -/Library/Preferences/.GlobalPreferences.plist -- gen_context(system_u:object_r:darwin_global_pref_t,s0) -/Library/Preferences -d gen_context(system_u:object_r:darwin_global_pref_t,s0) + +# +# /private +# +/private -d gen_context(system_u:object_r:darwin_private_t,s0) /private/var/db/.AppleSetupDone -- gen_context(system_u:object_r:darwin_global_pref_t,s0) -/Library/Preferences/SystemConfiguration.* gen_context(system_u:object_r:darwin_global_pref_t,s0) /private/var/root/Library/Preferences/ByHost.* gen_context(system_u:object_r:darwin_host_pref_t,s0) + + +# +# /System +# +/System/Library/LoginPlugins.* gen_context(system_u:object_r:darwin_loginplugin_t,s0) +/System/library/Caches.* gen_context(system_u:object_r:darwin_loginplugin_t,s0) +/System/library/Services.* gen_context(system_u:object_r:darwin_services_t,s0) +/System/Library/Security.* gen_context(system_u:object_r:darwin_security_t,s0) /System/Library/CoreServices.* gen_context(system_u:object_r:darwin_CoreServices_t,s0) +/System/Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0) -/private -d gen_context(system_u:object_r:darwin_private_t,s0) +# +# Applications +# +/Applications.* gen_context(system_u:object_r:bin_t,s0) +# +# /Library +# /Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0) -/System/Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0) +/Library/Preferences/.GlobalPreferences.plist -- gen_context(system_u:object_r:darwin_global_pref_t,s0) +/Library/Preferences.* gen_context(system_u:object_r:darwin_global_pref_t,s0) +/Library/Preferences/SystemConfiguration.* gen_context(system_u:object_r:darwin_global_pref_t,s0) +/Library/Keychains.* gen_context(system_u:object_r:darwin_keychain_t,s0) +# Kernel +/mach_kernel -- gen_context(system_u:object_r:kernel_t,s0) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#3 (text+ko) ==== 
@@ -42,6 +42,25 @@ ######################################## ## +## Allow creation of global preference files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_global_pref_manage',` + gen_require(` + type darwin_global_pref_t; + ') + + allow $1 darwin_global_pref_t:file manage_file_perms; + +') + +######################################## +## ## Allow reading of host preference files ## ## @@ -60,7 +79,6 @@ allow $1 darwin_host_pref_t:dir r_dir_perms; ') - ######################################## ## ## Allow reading of CoreServices files @@ -72,13 +90,33 @@ ## # interface(`darwin_allow_CoreServices_read',` + gen_require(` + type darwin_CoreServices_t; + ') + + allow $1 darwin_CoreServices_t:file read_file_perms; + allow $1 darwin_CoreServices_t:dir r_dir_perms; + allow $1 darwin_CoreServices_t:lnk_file { getattr read }; + +') + + +######################################## +## +## Allow execution of CoreServices files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_CoreServices_execute',` gen_require(` type darwin_CoreServices_t; ') - allow $1 darwin_CoreServices_t:file read_file_perms; - allow $1 darwin_CoreServices_t:dir r_dir_perms; - allow $1 darwin_CoreServices_t:lnk_file { getattr read }; + allow $1 darwin_CoreServices_t:file { execute execute_no_trans }; ') @@ -117,6 +155,7 @@ ') allow $1 darwin_private_t:dir r_dir_perms; + allow $1 darwin_private_t:file read_file_perms; ') 
@@ -136,11 +175,51 @@ ') allow $1 darwin_private_t:dir rw_dir_perms; + allow $1 darwin_private_t:file rw_file_perms; ') ######################################## ## +## Allow creation of files in /private +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_private_create',` + gen_require(` + type darwin_private_t; + ') + + allow $1 darwin_private_t:file create_file_perms; + allow $1 darwin_private_t:dir create_dir_perms; + +') + +######################################## +## +## Allow complete managament of /private +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_private_manage',` + gen_require(` + type darwin_private_t; + ') + + allow $1 darwin_private_t:dir manage_dir_perms; + +') + +######################################## +## ## Allow reading of general resource files ## ## 
@@ -158,3 +237,360 @@ allow $1 darwin_resource_t:dir r_dir_perms; ') + +######################################## +## +## Allow reading of loginplugin files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_loginplugin_read',` + gen_require(` + type darwin_loginplugin_t; + ') + + allow $1 darwin_loginplugin_t:file read_file_perms; + allow $1 darwin_loginplugin_t:dir r_dir_perms; + +') + +######################################## +## +## Allow reading/writing of loginplugin files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_loginplugin_rw',` + gen_require(` + type darwin_loginplugin_t; + ') + + allow $1 darwin_loginplugin_t:file rw_file_perms; + allow $1 darwin_loginplugin_t:dir rw_dir_perms; + +') + +######################################## +## +## Allow managing of loginplugin files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_loginplugin_manage',` + gen_require(` + type darwin_loginplugin_t; + ') + + allow $1 darwin_loginplugin_t:file manage_file_perms; + +') + +######################################## +## +## Allow execution of loginplugin files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_loginplugin_execute',` + gen_require(` + type darwin_loginplugin_t; + ') + + allow $1 darwin_loginplugin_t:file { execute execute_no_trans }; + +') + +######################################## +## +## Allow reading of cache files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_cache_read',` + gen_require(` + type darwin_cache_t; + ') + + allow $1 darwin_cache_t:file read_file_perms; + +') + +######################################## +## +## Allow reading/writing of cache files +## +## +## +## Type to be used as a domain. 
+## +## +# +interface(`darwin_allow_cache_rw',` + gen_require(` + type darwin_cache_t; + ') + + allow $1 darwin_cache_t:file rw_file_perms; + +') + +######################################## +## +## Allow managing of cache files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_cache_manage',` + gen_require(` + type darwin_cache_t; + ') + + allow $1 darwin_cache_t:file manage_file_perms; + +') + +######################################## +## +## Allow reading of services files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_services_read',` + gen_require(` + type darwin_services_t; + ') + + allow $1 darwin_services_t:file read_file_perms; + +') + +######################################## +## +## Allow reading/writing of services files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_services_rw',` + gen_require(` + type darwin_services_t; + ') + + allow $1 darwin_services_t:file rw_file_perms; + +') + +######################################## +## +## Allow managing of services files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_services_manage',` + gen_require(` + type darwin_services_t; + ') + + allow $1 darwin_services_t:file manage_file_perms; +') + +######################################## +## +## Allow reading of trash files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_trash_read',` + gen_require(` + type darwin_trash_t; + ') + + allow $1 darwin_trash_t:file read_file_perms; + allow $1 darwin_trash_t:dir read_dir_perms; +') + +######################################## +## +## Allow reading/writing of trash files +## +## +## +## Type to be used as a domain. 
+## +## +# +interface(`darwin_allow_trash_rw',` + gen_require(` + type darwin_trash_t; + ') + + allow $1 darwin_trash_t:file rw_file_perms; + allow $1 darwin_trash_t:dir rw_dir_perms; +') +######################################## +## +## Allow managing of trash files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_trash_manage',` + gen_require(` + type darwin_trash_t; + ') + + allow $1 darwin_trash_t:file manage_file_perms; +') + +######################################## +## +## Allow reading of security files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_security_read',` + gen_require(` + type darwin_security_t; + ') + + allow $1 darwin_security_t:file read_file_perms; + allow $1 darwin_security_t:file r_dir_perms; +') + +######################################## +## +## Allow reading/writing of security files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_security_rw',` + gen_require(` + type darwin_security_t; + ') + + allow $1 darwin_security_t:file rw_file_perms; +') + +######################################## +## +## Allow reading/writing of security files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_security_manage',` + gen_require(` + type darwin_security_t; + ') + + allow $1 darwin_security_t:file manage_file_perms; +') + + +######################################## +## +## Allow reading of keychain files +## +## +## +## Type to be used as a domain. +## +## +# +interface(`darwin_allow_keychain_read',` + gen_require(` + type darwin_keychain_t; + ') + + allow $1 darwin_keychain_t:file read_file_perms; + allow $1 darwin_keychain_t:file r_dir_perms; +') + +######################################## +## +## Allow reading/writing of keychain files >>> TRUNCATED FOR MAIL (1000 lines) <<<
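Review bot: in the WindowServer.fc hunk (@@ -5,4 +5,4 @@), the replacement line `+/System/Library/Displays.* gen_context(system_u:object_r:WindowServer_resource_t)` still omits the MLS level that every other context in these .fc files carries (the WindowServer binary entry just above it ends in `WindowServer_exec_t,s0)`); the removed line had the same omission, so this is the place to fix it rather than carry it forward. Also, `Displays.*` with no directory boundary matches any sibling entry whose name merely begins with `Displays`; `/System/Library/Displays(/.*)?` is the usual refpolicy idiom when both the directory and its contents are meant.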
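Review bot: the diskarbitrationd.te hunk at @@ -47,8 +47,23 @@ has `+allow diskarbitrationd_t fsadm_t:file execute_no_trans;`, which looks like it should name the executable type rather than the `fsadm_t` process domain (the neighbouring rule for the same purpose uses `mount_exec_t:file { execute_no_trans read }`). In the same hunk, `+allow diskarbitrationd_t device_t:chr_file { ioctl read };` grants ioctl and read on every character device carrying the generic `device_t` label rather than on the disk device types the comment "Allow disk/device/fs operations" suggests, and the three blank lines added before `# Allow various file operations` are noise.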
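Review bot: in the diskarbitrationd.te hunk at @@ -61,9 +76,10 @@, `+storage_raw_read_fixed_disk(diskarbitrationd_t)` is inserted directly above the comment stating that granting `fixed_disk_device_t:blk_file { read }` to this domain violates a libsepol assertion ("we need to figure it out"); that interface grants exactly the permission the quoted assertion rejects, so either the assertion has been resolved and the note plus the commented-out `#allow` should go, or this call reproduces the build failure. Changing the quoted error line from `#` to `##` changes nothing and should be reverted.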
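Review bot: the kextd.te hunk (@@ -77,6 +77,16 @@) adds `+kernel_read_kernel(kextd_t)`, which only has an effect because darwin.fc in this change labels `/mach_kernel` with the kernel's process domain type `kernel_t`; see the darwin.fc and kernel.if comments for why a dedicated kernel-image type would be clearer. Style: the hunk removes the blank line before `# Read /private/var` and adds three blank lines before `# Use CoreServices`; keep the spacing consistent with the rest of the file.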
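Review bot: the loginwindow.fc hunk adds `+/System/Library/LoginPlugins gen_context(system_u:object_r:loginwindow_resource_t,s0)` while the darwin.fc hunk in this same change adds `+/System/Library/LoginPlugins.* gen_context(system_u:object_r:darwin_loginplugin_t,s0)`; both specifications match the LoginPlugins directory itself with different types, and loginwindow.te then calls both `loginwindow_allow_resource_read` and `darwin_allow_loginplugin_read/execute` on it. Pick one type (darwin_loginplugin_t already has read, rw, manage and execute interfaces) and drop the other entry, otherwise the label depends on which spec setfiles considers more specific and the two rule sets will drift apart.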
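Review bot: in the loginwindow.te hunk (@@ -77,16 +79,55 @@), the two direct rules `+allow loginwindow_t fs_t:dir { getattr read search };` and `+allow loginwindow_t fs_t:file { getattr read };`, flagged "Not sure of the best way to do this", should use a `fs_` interface or be explained in the comment, since `fs_getattr_xattr_fs(loginwindow_t)` is called on the line above and `fs_t` rules in a domain .te file bypass the module boundary the interfaces exist for. The hunk also widens `darwin_allow_private_read` to `darwin_allow_private_rw` plus `darwin_allow_private_create` and adds `userdom_read_all_users_home_content_files`; the commit message "Update policy" gives no hint which denials drove these, so a line per grant saying what loginwindow needed would make the widening reviewable. Finally, `darwin_allow_cache_rw` as defined in the darwin.if hunk grants file permissions only, so loginwindow gets no `dir` access on `darwin_cache_t` from that call.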
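Review bot: in the notifyd.if hunk both replaced `allow` lines append `notify_server_set_state notify_server_get_state`, but `notify_server_get_state` was already in the permission set, so only `notify_server_set_state` is new; drop the duplicate. Note that the second rule, on `init_t:mi_notify_ipc`, is still marked "this may be temporary" in the surrounding comment, and this change widens that temporary grant as well.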
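Review bot: `securityd_tmp_read` in the securityd.if hunk references `securityd_tmp_t` without a `gen_require` block, unlike `loginwindow_allow_resource_read` and `darwin_allow_global_pref_manage` added in this same change; with a loadable-module build, an interface that uses a type it does not `gen_require` fails when called from another module. Add `gen_require(` type securityd_tmp_t; ')` at the top of the interface.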
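Review bot: the securityd.te hunk at @@ -52,3 +62,43 @@ grants `userdom_read_all_users_home_content_files(securityd_t)` on top of `darwin_allow_private_rw` and the `files_manage_var_*` calls in the previous hunk, which gives the daemon read access to every file under every user's home directory. If the need is the keychain files securityd serves, the darwin.fc hunk in this change already introduces `darwin_keychain_t` (for `/Library/Keychains.*`) with a `darwin_allow_keychain_read` interface; labelling the per-user keychain directories the same way and granting that interface instead would keep the grant to what securityd handles. The same all-users-home interface is also granted to `WindowServer_t` and `loginwindow_t` in this change, so the question applies there too.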
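Review bot: `kernel_read_kernel` in the kernel.if hunk (@@ -2386,3 +2386,17 @@) references `kernel_t` without a `gen_require`, whereas the `kernel_allow_ipc` interface shown as context delegates to `mach_allow_ipc`; add the require. More substantively, the rule `allow $1 kernel_t:file read_file_perms;` reads the kernel's process domain type as a file type, which only works because darwin.fc in this change labels `/mach_kernel` as `kernel_t`; a separate type for the kernel image (and a matching `gen_require`) would keep domain rules and file rules distinguishable.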
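Review bot: two path typos and one apparent type mix-up in the darwin.fc hunk: `+/System/library/Caches.*` and `+/System/library/Services.*` spell `library` in lower case, unlike every other `/System/Library/...` entry in the file, so the regex will not match the canonical path and those trees keep their parent's label; and the Caches entry is labelled `darwin_loginplugin_t` although the darwin.if hunk in this change introduces `darwin_cache_t` (used by `darwin_allow_cache_read/_rw/_manage`), which looks like the intended type. Also in this hunk: `+/Library/Preferences.*` now covers the `.GlobalPreferences.plist` and `SystemConfiguration.*` entries with the same type, making those two lines redundant; `+/Applications.*` labels the whole applications tree as generic `bin_t`; and `+/mach_kernel -- gen_context(system_u:object_r:kernel_t,s0)` reuses the kernel's process domain type as a file type, so a rule on `kernel_t:file` cannot be told apart from one aimed at the kernel domain.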
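Review bot: `darwin_allow_global_pref_manage` in the darwin.if hunk at @@ -42,6 +42,25 @@ grants only `darwin_global_pref_t:file manage_file_perms` and no `dir` permissions, so the "creation of global preference files" the doc comment promises depends on the caller also holding write and add_name on the directory from some other interface (configd.te calls `darwin_allow_global_pref_rw` next to it, which presumably supplies that); either add the `dir` rule here or say in the comment that `_rw` is a prerequisite. With `/Library/Preferences.*` now labelled `darwin_global_pref_t` in darwin.fc, this interface covers everything under that directory, so callers should be few.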
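Review bot: wrong object class in two of the new read interfaces in the darwin.if hunk at @@ -158,3 +237,360 @@: `darwin_allow_security_read` has `allow $1 darwin_security_t:file r_dir_perms;` and `darwin_allow_keychain_read` has `allow $1 darwin_keychain_t:file r_dir_perms;`, both evidently meant to be `:dir` (compare `darwin_allow_loginplugin_read`, which pairs `:file read_file_perms` with `:dir r_dir_perms`); since refpolicy's `r_dir_perms` includes `search`, which the `file` class does not define, checkpolicy will reject these rules as written. In the same hunk, `darwin_allow_trash_read` uses `read_dir_perms` where every other interface uses `r_dir_perms`; unless this policy's obj_perm_sets defines `read_dir_perms`, that macro will not expand. Smaller points: the doc block of `darwin_allow_security_manage` repeats "Allow reading/writing of security files" from the `_rw` interface above it; `darwin_allow_private_manage` (previous hunk) has "managament" in its description and grants `manage_dir_perms` only, with no file permissions, unlike the `_create` variant; and the `_cache_*`, `_services_*`, `_security_rw/_manage` and `_keychain_*` interfaces grant file permissions with no directory search, so callers silently depend on other rules for directory access.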