PERFORCE change 114902 for review
Todd Miller
millert at FreeBSD.org
Fri Feb 23 20:23:44 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=114902
Change 114902 by millert at millert_macbook on 2007/02/23 20:23:37
Update policy
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#14 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#21 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#12 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#10 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#18 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.te#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/automount.if#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/automount.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/ntp.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#16 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#14 (text+ko) ====
@@ -138,3 +138,10 @@
# Read files in /tmp
files_read_generic_tmp_files(WindowServer_t)
+
+# Search /var/vm
+files_search_vm(WindowServer_t)
+
+# Read/write caches
+darwin_allow_cache_manage(WindowServer_t)
+allow WindowServer_t darwin_cache_t:dir { rw_dir_perms };
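Review bot: The direct `allow WindowServer_t darwin_cache_t:dir { rw_dir_perms };` on the last added line reaches into a type owned by the darwin module immediately after `darwin_allow_cache_manage(WindowServer_t)` is called, so either the interface already grants the directory permissions and the line is redundant, or it does not and the gap should be closed inside the interface — which is what this same change does for `darwin_allow_global_pref_manage` in darwin.if. The interface body is not visible here, so which case applies is a guess. The comment `# Read/write caches` also undersells what a manage interface hands out; `# Manage cache files and directories (create/delete included)` would match the call.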
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#21 (text+ko) ====
@@ -155,7 +155,6 @@
# Read prefs, etc
darwin_allow_global_pref_manage(configd_t)
-darwin_allow_global_pref_rw(configd_t)
darwin_allow_host_pref_read(configd_t)
darwin_allow_system_read(configd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#12 (text+ko) ====
@@ -48,6 +48,10 @@
# Talk to Coreaudiod
allow coreservicesd_t coreaudiod_t:process taskforpid;
+# Talk to automount
+automount_allow_ipc(coreservicesd_t)
+allow coreservicesd_t automount_t:process taskforpid;
+
# Talk to configd
configd_allow_ipc(coreservicesd_t)
allow coreservicesd_t configd_t:process taskforpid;
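Review bot: `allow coreservicesd_t automount_t:process taskforpid;` hands coreservicesd the automount task port, which on Darwin amounts to full control of that process, so it is a far larger grant than the Mach IPC interface on the line above and deserves its own justification. The stanza mirrors the coreaudiod and configd entries, which makes it hard to tell whether the permission was observed in audit output or copied for symmetry; if the latter, it should be dropped. A why-comment on the line such as `# taskforpid needed for <observed use> — confirm against audit log` would record the reason.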
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#10 (text+ko) ====
@@ -111,4 +111,4 @@
allow kextd_t console_device_t:chr_file { read write };
# Access cache files
-allow kextd_t darwin_cache_t:dir { search getattr add_name };
+allow kextd_t darwin_cache_t:dir { search getattr add_name remove_name };
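Review bot: The kextd cache rule now lists four individual directory permissions, while the same change gives WindowServer the full set through `darwin_allow_cache_manage()`; if kextd genuinely needs only name add/remove in the cache directory that is the tighter choice, but the reason should be on the comment line, e.g. `# Access cache files (kextd rewrites entries, hence add_name/remove_name)`. Whether `write` on the directory is also required for name changes under SEDarwin's hooks is not something I can tell from here; if the next audit run shows it, the `rw_dir_perms` macro would be cleaner than growing this list.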
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#18 (text+ko) ====
@@ -95,7 +95,7 @@
allow loginwindow_t coreservicesd_t:shm { read write };
# Read prefs
-darwin_allow_global_pref_rw(loginwindow_t)
+darwin_allow_global_pref_manage(loginwindow_t)
darwin_allow_host_pref_read(loginwindow_t)
# Read /private
@@ -173,3 +173,7 @@
# Read default_t
files_list_default(loginwindow_t)
files_read_default_files(loginwindow_t)
+
+# Read /System/Library/StartupItems
+allow configd_t darwin_startup_t:dir { read search getattr };
+allow configd_t darwin_startup_t:file { execute execute_no_trans read ioctl getattr };
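Review bot: The two added rules in loginwindow.te are written for `configd_t`, not `loginwindow_t`, so either the subject is a paste error or the rules belong in configd.te (or behind an interface) — as written, the loginwindow module silently widens configd's permissions. The `# Read /System/Library/StartupItems` comment also does not match the file rule, which grants `execute execute_no_trans` and therefore lets the domain run startup items in its own domain with no transition. If loginwindow is the intended subject the lines should read `allow loginwindow_t darwin_startup_t:dir { read search getattr };` and `allow loginwindow_t darwin_startup_t:file { read ioctl getattr execute execute_no_trans };`, with the comment saying the items are executed, not just read.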
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.te#9 (text+ko) ====
@@ -60,4 +60,4 @@
# /var operations
files_read_var_symlinks(notifyd_t)
-allow notifyd_t var_t:file write;
+allow notifyd_t var_t:file { read write };
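Review bot: `allow notifyd_t var_t:file { read write };` grants read/write on every file carrying the generic `var_t` label rather than on the specific file notifyd uses, and it bypasses the files_* interfaces the line above already relies on (`files_read_var_symlinks`). If one particular file under /var is the target, a dedicated type with a file transition, or the matching files_ interface, would keep the grant narrow; a comment naming that file would at least make the scope reviewable. The same direct-type pattern appears in the automount.te additions (`allow automount_t var_t:{file lnk_file} read;`).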
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/automount.if#3 (text+ko) ====
@@ -27,25 +27,6 @@
########################################
## <summary>
-## Execute automount in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`automount_exec_config',`
- gen_require(`
- type automount_etc_t;
- ')
-
- corecmd_search_sbin($1)
- can_exec($1,automount_etc_t)
-')
-
-########################################
-## <summary>
## Allow the domain to read state files in /proc.
## </summary>
## <param name="domain">
@@ -65,19 +46,19 @@
########################################
## <summary>
-## Do not audit attempts to get the attributes
-## of automount temporary directories.
+## Allow Mach IP with configd
## </summary>
## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
+## <summary>
+## Type to be used as a domain.
+## </summary>
## </param>
#
-interface(`automount_dontaudit_getattr_tmp_dirs',`
- gen_require(`
- type automount_tmp_t;
- ')
+interface(`automount_allow_ipc',`
+ #gen_require(`
+ #class mach_port all_mach_port_perms;
+ #)'
- dontaudit $1 automount_tmp_t:dir getattr;
+ # Allow bidirection communication with automount
+ mach_allow_ipc(automount_t, $1)
')
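Review bot: `mach_allow_ipc(automount_t, $1)` uses `automount_t` inside an interface without declaring it, because the `gen_require` block was commented out (and the commented copy's closing `#)'` has the quote and paren reversed). Refpolicy interfaces must declare foreign types with `gen_require(\` type automount_t; ')` so the interface can be expanded from another module; the three commented lines should become that require block. The summary `Allow Mach IP with configd` also names the wrong daemon and truncates IPC; `## Allow Mach IPC with automount.` matches the body.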
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/automount.te#4 (text+ko) ====
@@ -8,21 +8,11 @@
type automount_t;
type automount_exec_t;
-init_daemon_domain(automount_t,automount_exec_t)
+init_domain(automount_t,automount_exec_t)
type automount_var_run_t;
files_pid_file(automount_var_run_t)
-type automount_etc_t;
-files_config_file(automount_etc_t)
-
-type automount_lock_t;
-files_lock_file(automount_lock_t)
-
-type automount_tmp_t;
-files_tmp_file(automount_tmp_t)
-files_mountpoint(automount_tmp_t)
-
########################################
#
# Local policy
@@ -37,24 +27,10 @@
allow automount_t self:tcp_socket create_stream_socket_perms;
allow automount_t self:udp_socket create_socket_perms;
allow automount_t self:netlink_route_socket r_netlink_socket_perms;
+allow automount_t self:socket rw_socket_perms;
-allow automount_t automount_etc_t:file { getattr read };
-# because config files can be shell scripts
-can_exec(automount_t, automount_etc_t)
can_exec(automount_t, automount_exec_t)
-allow automount_t automount_lock_t:file create_file_perms;
-files_lock_filetrans(automount_t,automount_lock_t,file)
-
-allow automount_t automount_tmp_t:dir create_dir_perms;
-allow automount_t automount_tmp_t:file create_file_perms;
-files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
-
-# Allow automount to create and delete directories in / and /home
-allow automount_t automount_tmp_t:dir create_dir_perms;
-files_home_filetrans(automount_t,automount_tmp_t,dir)
-files_root_filetrans(automount_t,automount_tmp_t,dir)
-
allow automount_t automount_var_run_t:file create_file_perms;
allow automount_t automount_var_run_t:dir rw_dir_perms;
files_pid_filetrans(automount_t,automount_var_run_t,file)
@@ -190,6 +166,51 @@
seutil_sigchld_newrole(automount_t)
')
-optional_policy(`
- udev_read_db(automount_t)
-')
+# Allow automount to talk to itself
+mach_allow_message(automount_t, automount_t)
+
+# Allow automount to talk to the kernel
+kernel_allow_ipc(automount_t)
+
+# Allow Mach IPC w/ init_t (launchd)
+init_allow_ipc(automount_t)
+
+# Talk to configd
+configd_allow_ipc(automount_t)
+
+# Talk to lookupd
+lookupd_allow_ipc(automount_t)
+
+# Talk to securityd
+securityd_allow_ipc(automount_t)
+
+# Talk to diskarbitrationd
+diskarbitrationd_allow_ipc(automount_t)
+
+# Talk to notifyd
+notifyd_allow_ipc(automount_t)
+notifyd_allow_shm(automount_t)
+
+darwin_allow_system_read(automount_t)
+frameworks_read(automount_t)
+darwin_allow_private_read(automount_t)
+
+# Allow read access to /var
+allow automount_t var_t:{file lnk_file} read;
+
+# Allow read access to resolv.conf
+# XXX - should not be configd_var_run_t
+allow automount_t configd_var_run_t:file read;
+
+# Talk to bootstrap server
+init_allow_bootstrap(automount_t)
+
+# Use CoreServices
+darwin_allow_CoreServices_read(automount_t)
+allow automount_t coreservicesd_t:shm { read write };
+
+# Mounting filesystems
+allow automount_t fs_t:dir { search read mounton };
+allow automount_t nfs_t:dir { search read };
+allow automount_t volfs_t:dir { search read };
+allow automount_t fs_t:file { getattr read };
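Review bot: The rules at the end of the hunk reference types owned by other modules — `configd_var_run_t`, `coreservicesd_t`, `fs_t`, `nfs_t`, `volfs_t` — directly instead of through those modules' interfaces, which is the pattern the rest of the hunk follows (`configd_allow_ipc`, `notifyd_allow_shm`, `darwin_allow_CoreServices_read`). `allow automount_t fs_t:dir { search read mounton };` is also wide: `mounton` applies to every directory labelled `fs_t`, so a dedicated mountpoint type for the directories automount actually mounts on would be a tighter target. The `# XXX - should not be configd_var_run_t` comment records a labelling problem rather than a policy one; naming the file makes the XXX retirable, e.g. `# XXX - resolv.conf is currently labelled configd_var_run_t; drop this rule once it is relabelled`.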
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/services/ntp.te#6 (text+ko) ====
@@ -11,7 +11,9 @@
type ntpd_t;
type ntpd_exec_t;
-init_daemon_domain(ntpd_t,ntpd_exec_t)
+init_domain(ntpd_t,ntpd_exec_t)
+
+# XXX - configd appears to run ntpd as well
configd_domain(ntpd_t,ntpd_exec_t)
type ntpd_log_t;
@@ -24,7 +26,7 @@
files_pid_file(ntpd_var_run_t)
type ntpdate_exec_t;
-init_system_domain(ntpd_t,ntpdate_exec_t)
+init_domain(ntpd_t,ntpdate_exec_t)
########################################
#
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#6 (text+ko) ====
@@ -35,8 +35,8 @@
')
allow $1 darwin_global_pref_t:file rw_file_perms;
+ allow $1 darwin_global_pref_t:file link_file_perms;
allow $1 darwin_global_pref_t:dir rw_dir_perms;
- allow $1 darwin_global_pref_t:file link_file_perms;
')
@@ -56,6 +56,7 @@
')
allow $1 darwin_global_pref_t:file manage_file_perms;
+ allow $1 darwin_global_pref_t:dir rw_dir_perms;
')
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#16 (text+ko) ====
@@ -408,10 +408,6 @@
')
optional_policy(`
- automount_exec_config(initrc_t)
-')
-
-optional_policy(`
bind_read_config(initrc_t)
# for chmod in start script