Date:      Mon, 22 Jan 2007 19:58:00 GMT
From:      Todd Miller <millert@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 113394 for review
Message-ID:  <200701221958.l0MJw0Zu085053@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=113394

Change 113394 by millert@millert_macbook on 2007/01/22 19:57:15

	More work on coreservicesd.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#7 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#7 (text+ko) ====

@@ -27,9 +27,10 @@
 
 # Talk to self
 mach_allow_message(coreservicesd_t, coreservicesd_t)
-allow coreservicesd_t self:process signal;
+allow coreservicesd_t self:process { signal taskforpid };
 allow coreservicesd_t self:shm { create read setattr write };
 allow coreservicesd_t self:udp_socket create;
+allow coreservicesd_t self:mach_port move_recv;
 
 # Talk to launchd
 init_allow_ipc(coreservicesd_t)
@@ -39,9 +40,20 @@
 
 # Talk to WindowServer
 WindowServer_allow_ipc(coreservicesd_t)
+allow coreservicesd_t WindowServer_t:process taskforpid;
 
 # Talk to configd
 configd_allow_ipc(coreservicesd_t)
+allow coreservicesd_t configd_t:process taskforpid;
+
+# Talk to securityd
+securityd_allow_ipc(coreservicesd_t)
+allow coreservicesd_t securityd_t:process taskforpid;
+
+# Talk to init process
+allow coreservicesd_t init_t:process taskforpid;
+allow coreservicesd_t init_t:mi_bootstrap { bootstrap_look_up bootstrap_check_in };
+allow coreservicesd_t init_t:mi_notify_ipc notify_server_register_plain;
 
 # Use CoreServices
 darwin_allow_CoreServices_read(coreservicesd_t)
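Review bot: The `taskforpid` grants on lines 39, 43, 47 and 50 hand coreservicesd_t a Mach task port for WindowServer, configd, securityd and init, and a task port is effectively full control of the target (read/write its memory, create threads in it), so this comes close to giving coreservicesd the combined privileges of every one of those daemons. The securityd_t grant on line 47 is the one I would push back on hardest, since securityd is, as far as I recall, the keychain/credential daemon, and the init_t grant on line 50 is pid 1. The change does not say whether these came from observed denials or what coreservicesd actually does with each port; if it only needs process information rather than the port itself, a narrower permission may suffice. At minimum each grant deserves a why-comment such as `# task_for_pid on securityd: needed for <operation>; note this exposes securityd's address space`, and the securityd and init ones should be re-verified against audit data before they land.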
@@ -62,6 +74,7 @@
 
 # Use frameworks
 frameworks_read(coreservicesd_t)
+frameworks_execute(coreservicesd_t)
 
 # Talk to loginwindow
 loginwindow_allow_ipc(coreservicesd_t)
@@ -82,3 +95,12 @@
 
 # Access cache files
 allow coreservicesd_t darwin_cache_t:dir { getattr search };
+
+# Search dirs
+allow coreservicesd_t { darwin_system_t mnt_t fs_t }:dir { getattr search }; 
+
+# Use /dev/fsevents
+allow coreservicesd_t device_t:chr_file { read ioctl };
+
+# Stat filesystems
+allow coreservicesd_t fs_t:filesystem getattr;
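Review bot: The `device_t:chr_file { read ioctl }` rule on line 73 is commented as /dev/fsevents access but is written against the generic device_t type, so it permits read and ioctl on every character device carrying that label, not only /dev/fsevents. If the refpolicy already gives /dev/fsevents a dedicated type, or one can be added with a file-context entry, the rule should target that type instead, e.g. `allow coreservicesd_t fsevents_device_t:chr_file { read ioctl };`. If that is not practical yet, the comment should say the grant is wider than the intent, e.g. `# /dev/fsevents is labeled device_t; this also covers other device_t character devices`, so the gap is not forgotten. Worth noting in the same comment that the fsevents stream is a system-wide view of filesystem activity, which is itself a sensitive capability.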


