PERFORCE change 114902 for review

Todd Miller millert at FreeBSD.org
Fri Feb 23 20:23:44 UTC 2007


http://perforce.freebsd.org/chv.cgi?CH=114902

Change 114902 by millert at millert_macbook on 2007/02/23 20:23:37

	Update policy

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#14 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#21 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#12 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#10 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#18 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.te#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/automount.if#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/automount.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/ntp.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#16 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#14 (text+ko) ====

@@ -138,3 +138,10 @@
 
 # Read files in /tmp
 files_read_generic_tmp_files(WindowServer_t)
+
+# Search /var/vm
+files_search_vm(WindowServer_t)
+
+# Read/write caches
+darwin_allow_cache_manage(WindowServer_t)
+allow WindowServer_t darwin_cache_t:dir { rw_dir_perms };
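Review bot: The heading `# Read/write caches` undersells what the block grants: `darwin_allow_cache_manage(WindowServer_t)` presumably carries the full manage set (create/rename/delete), so `# Manage (create/delete) cache files and dir entries` would describe it honestly. The following line hard-codes `darwin_cache_t` inside WindowServer.te instead of going through a darwin.if interface, which couples this module to darwin's type names without a `gen_require`. If the manage interface already covers the directory permissions the extra line is redundant; if it does not, the dir rule belongs inside that interface so every caller gets it consistently.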

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#21 (text+ko) ====

@@ -155,7 +155,6 @@
 
 # Read prefs, etc
 darwin_allow_global_pref_manage(configd_t)
-darwin_allow_global_pref_rw(configd_t)
 darwin_allow_host_pref_read(configd_t)
 darwin_allow_system_read(configd_t)
 

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#12 (text+ko) ====

@@ -48,6 +48,10 @@
 # Talk to Coreaudiod
 allow coreservicesd_t coreaudiod_t:process taskforpid;
 
+# Talk to automount
+automount_allow_ipc(coreservicesd_t)
+allow coreservicesd_t automount_t:process taskforpid;
+
 # Talk to configd
 configd_allow_ipc(coreservicesd_t)
 allow coreservicesd_t configd_t:process taskforpid;
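Review bot: `allow coreservicesd_t automount_t:process taskforpid;` hands coreservicesd the task port of automount, which on Mach amounts to full control of that process's memory and threads, so the boundary between the two domains is effectively gone in that direction after this rule. It follows the existing pattern for coreaudiod and configd, but a task-port grant is a much larger privilege than the `automount_allow_ipc` line above it and deserves a reason in the comment, e.g. `# Talk to automount (taskforpid: needed for <reason>, not just IPC)`. The enclosing block continues past the hunk.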

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#10 (text+ko) ====

@@ -111,4 +111,4 @@
 allow kextd_t console_device_t:chr_file { read write };
 
 # Access cache files
-allow kextd_t darwin_cache_t:dir { search getattr add_name };
+allow kextd_t darwin_cache_t:dir { search getattr add_name remove_name };
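Review bot: The rule still omits `write` on the directory next to `add_name`/`remove_name`; in the Linux reference implementation name-table changes are additionally checked as `dir { write }`, so if SEDarwin mirrors that check the newly added `remove_name` will still be denied, and if it does not the omission is harmless but non-portable. If this policy's obj_perm_sets defines them, the refpolicy macros express the intent and carry `write`: `allow kextd_t darwin_cache_t:dir { add_entry_dir_perms del_entry_dir_perms };`.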

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#18 (text+ko) ====

@@ -95,7 +95,7 @@
 allow loginwindow_t coreservicesd_t:shm { read write };
 
 # Read prefs
-darwin_allow_global_pref_rw(loginwindow_t)
+darwin_allow_global_pref_manage(loginwindow_t)
 darwin_allow_host_pref_read(loginwindow_t)
 
 # Read /private
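Review bot: The `# Read prefs` heading now sits over `darwin_allow_global_pref_manage(loginwindow_t)`, which presumably grants create, write and delete rather than read, so the comment no longer describes the rules beneath it; `# Manage global prefs, read host prefs` would match. The enclosing block continues past the hunk.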
@@ -173,3 +173,7 @@
 # Read default_t
 files_list_default(loginwindow_t)
 files_read_default_files(loginwindow_t)
+
+# Read /System/Library/StartupItems
+allow configd_t darwin_startup_t:dir { read search getattr };
+allow configd_t darwin_startup_t:file { execute execute_no_trans read ioctl getattr };
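Review bot: Both added rules in loginwindow.te grant to `configd_t`, not `loginwindow_t`, although the file and the comment are about loginwindow; this reads like a copy/paste slip, so either the subject should be `loginwindow_t` or the rules belong in configd.te beside configd's other rules. The comment `# Read /System/Library/StartupItems` also hides that the file rule grants `execute execute_no_trans`, i.e. running startup items in the caller's own domain with no transition, which is a larger privilege than reading and should be stated: `# Read and run /System/Library/StartupItems in-domain (no transition)`.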

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.te#9 (text+ko) ====

@@ -60,4 +60,4 @@
 
 # /var operations
 files_read_var_symlinks(notifyd_t)
-allow notifyd_t var_t:file write;
+allow notifyd_t var_t:file { read write };
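Review bot: `allow notifyd_t var_t:file { read write };` widens notifyd to every file that carries the generic `var_t` label rather than a notifyd-specific type, so any default-labelled or mislabelled file under /var becomes writable by notifyd. If the target is a known path (its own state or lock file) it should get a dedicated type and a filetrans, and the rule should name that type; if the path is not yet known, a comment naming the file that needs write access would let the next reader narrow it, e.g. `# XXX - which /var file? narrow to a dedicated type`.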

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/automount.if#3 (text+ko) ====

@@ -27,25 +27,6 @@
 
 ########################################
 ## <summary>
-##	Execute automount in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`automount_exec_config',`
-	gen_require(`
-		type automount_etc_t;
-	')
-
-	corecmd_search_sbin($1)
-	can_exec($1,automount_etc_t)
-')
-
-########################################
-## <summary>
 ##	Allow the domain to read state files in /proc.
 ## </summary>
 ## <param name="domain">
@@ -65,19 +46,19 @@
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get the attributes
-##	of automount temporary directories.
+##     Allow Mach IP with configd
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
+##      <summary>
+##      Type to be used as a domain.
+##      </summary>
 ## </param>
 #
-interface(`automount_dontaudit_getattr_tmp_dirs',`
-	gen_require(`
-		type automount_tmp_t;
-	')
+interface(`automount_allow_ipc',`
+	#gen_require(`
+		#class mach_port all_mach_port_perms;
+	#)'
 
-	dontaudit $1 automount_tmp_t:dir getattr;
+	# Allow bidirection communication with automount
+	mach_allow_ipc(automount_t, $1)
 ')
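Review bot: The new `automount_allow_ipc` interface uses `automount_t` without a `gen_require`, and the commented-out block is malformed besides (`#)'` reverses the closing `')`); an interface must declare the types it references so callers in other modules get a build error rather than a silent failure when automount is absent, so the three commented lines should become a real `gen_require` declaring `type automount_t;`. The summary `Allow Mach IP with configd` names the wrong daemon and drops a letter — this interface is for automount: `## Allow Mach IPC with automount.` — and the parameter summary should follow the file's other interfaces, `Domain allowed access.`, with tabs rather than the spaces used here. The body comment `# Allow bidirection communication with automount` should read `bidirectional`.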

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/automount.te#4 (text+ko) ====

@@ -8,21 +8,11 @@
 
 type automount_t;
 type automount_exec_t;
-init_daemon_domain(automount_t,automount_exec_t)
+init_domain(automount_t,automount_exec_t)
 
 type automount_var_run_t;
 files_pid_file(automount_var_run_t)
 
-type automount_etc_t;
-files_config_file(automount_etc_t)
-
-type automount_lock_t;
-files_lock_file(automount_lock_t)
-
-type automount_tmp_t;
-files_tmp_file(automount_tmp_t)
-files_mountpoint(automount_tmp_t)
-
 ########################################
 #
 # Local policy
@@ -37,24 +27,10 @@
 allow automount_t self:tcp_socket create_stream_socket_perms;
 allow automount_t self:udp_socket create_socket_perms;
 allow automount_t self:netlink_route_socket r_netlink_socket_perms;
+allow automount_t self:socket rw_socket_perms;
 
-allow automount_t automount_etc_t:file { getattr read };
-# because config files can be shell scripts
-can_exec(automount_t, automount_etc_t)
 can_exec(automount_t, automount_exec_t)
 
-allow automount_t automount_lock_t:file create_file_perms;
-files_lock_filetrans(automount_t,automount_lock_t,file)
-
-allow automount_t automount_tmp_t:dir create_dir_perms;
-allow automount_t automount_tmp_t:file create_file_perms;
-files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
-
-# Allow automount to create and delete directories in / and /home
-allow automount_t automount_tmp_t:dir create_dir_perms;
-files_home_filetrans(automount_t,automount_tmp_t,dir)
-files_root_filetrans(automount_t,automount_tmp_t,dir)
-
 allow automount_t automount_var_run_t:file create_file_perms;
 allow automount_t automount_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(automount_t,automount_var_run_t,file)
@@ -190,6 +166,51 @@
 	seutil_sigchld_newrole(automount_t)
 ')
 
-optional_policy(`
-	udev_read_db(automount_t)
-')
+# Allow automount to talk to itself
+mach_allow_message(automount_t, automount_t)
+
+# Allow automount to talk to the kernel
+kernel_allow_ipc(automount_t)
+
+# Allow Mach IPC w/ init_t (launchd)
+init_allow_ipc(automount_t)
+
+# Talk to configd
+configd_allow_ipc(automount_t)
+
+# Talk to lookupd
+lookupd_allow_ipc(automount_t)
+
+# Talk to securityd
+securityd_allow_ipc(automount_t)
+
+# Talk to diskarbitrationd
+diskarbitrationd_allow_ipc(automount_t)
+
+# Talk to notifyd
+notifyd_allow_ipc(automount_t)
+notifyd_allow_shm(automount_t)
+
+darwin_allow_system_read(automount_t)
+frameworks_read(automount_t)
+darwin_allow_private_read(automount_t)
+
+# Allow read access to /var
+allow automount_t var_t:{file lnk_file} read;
+
+# Allow read access to resolv.conf
+# XXX - should not be configd_var_run_t
+allow automount_t configd_var_run_t:file read;
+
+# Talk to bootstrap server
+init_allow_bootstrap(automount_t)
+
+# Use CoreServices
+darwin_allow_CoreServices_read(automount_t)
+allow automount_t coreservicesd_t:shm { read write };
+
+# Mounting filesystems
+allow automount_t fs_t:dir { search read mounton };
+allow automount_t nfs_t:dir { search read };
+allow automount_t volfs_t:dir { search read };
+allow automount_t fs_t:file { getattr read };
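Review bot: `allow automount_t fs_t:dir { search read mounton };` lets automount mount over any directory labelled with the generic `fs_t` type, while the same submit drops `automount_tmp_t` and its `files_mountpoint` declaration in the earlier hunk of this file, so mount targets lose the dedicated label that used to confine where automount may mount. A tighter form keeps a mountpoint type for the automount trigger directories and grants `mounton` only on that type, leaving `fs_t:dir` at `{ search read }`. The `allow automount_t configd_var_run_t:file read;` line is already marked XXX; resolv.conf would better carry its own type so automount does not gain read on every configd pid file, and `allow automount_t var_t:{file lnk_file} read;` has the same generic-label concern as the notifyd change in this submit.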

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/ntp.te#6 (text+ko) ====

@@ -11,7 +11,9 @@
 
 type ntpd_t;
 type ntpd_exec_t;
-init_daemon_domain(ntpd_t,ntpd_exec_t)
+init_domain(ntpd_t,ntpd_exec_t)
+
+# XXX - configd appears to run ntpd as well
 configd_domain(ntpd_t,ntpd_exec_t)
 
 type ntpd_log_t;
@@ -24,7 +26,7 @@
 files_pid_file(ntpd_var_run_t)
 
 type ntpdate_exec_t;
-init_system_domain(ntpd_t,ntpdate_exec_t)
+init_domain(ntpd_t,ntpdate_exec_t)
 
 ########################################
 #

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#6 (text+ko) ====

@@ -35,8 +35,8 @@
         ')
 
         allow $1 darwin_global_pref_t:file rw_file_perms;
+	allow $1 darwin_global_pref_t:file link_file_perms;
         allow $1 darwin_global_pref_t:dir rw_dir_perms;
-	allow $1 darwin_global_pref_t:file link_file_perms;
 
 ')
 
@@ -56,6 +56,7 @@
         ')
 
         allow $1 darwin_global_pref_t:file manage_file_perms;
+        allow $1 darwin_global_pref_t:dir rw_dir_perms;
 
 ')
 

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#16 (text+ko) ====

@@ -408,10 +408,6 @@
 ')
 
 optional_policy(`
-	automount_exec_config(initrc_t)
-')
-
-optional_policy(`
 	bind_read_config(initrc_t)
 
 	# for chmod in start script

