PERFORCE change 113381 for review

Todd Miller millert at FreeBSD.org
Mon Jan 22 19:54:07 UTC 2007


http://perforce.freebsd.org/chv.cgi?CH=113381

Change 113381 by millert at millert_macbook on 2007/01/22 19:48:33

	Handle set_special_port in a generic manner.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#10 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/mach.te#2 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#7 (text+ko) ====

@@ -67,7 +67,6 @@
 allow DirectoryService_t sbin_t:dir { getattr search read };
 allow DirectoryService_t port_t:tcp_socket name_connect;
 allow DirectoryService_t self:fifo_file { getattr ioctl };
-allow DirectoryService_t self:mach_task set_special_port;
 allow DirectoryService_t self:process signal;
 allow DirectoryService_t self:socket create;
 allow DirectoryService_t bin_t:dir search;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#9 (text+ko) ====

@@ -89,7 +89,6 @@
 allow WindowServer_t nfs_t:lnk_file read;
 allow WindowServer_t nfs_t:dir search;
 allow WindowServer_t mnt_t:dir search;
-allow WindowServer_t self:mach_task set_special_port;
 allow WindowServer_t self:process { setsched signal };
 allow WindowServer_t self:shm { create getattr read setattr write };
 allow WindowServer_t bin_t:dir search;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#10 (text+ko) ====

@@ -63,7 +63,6 @@
 allow configd_t bin_t:file { execute_no_trans getattr read };
 allow configd_t self:fd use;
 allow configd_t self:fifo_file getattr;
-allow configd_t self:mach_task set_special_port;
 allow configd_t self:process { setsched signal };
 allow configd_t self:rawip_socket create;
 allow configd_t self:socket { bind create listen read write };

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#3 (text+ko) ====

@@ -27,7 +27,6 @@
 
 # Talk to self
 mach_allow_message(coreservicesd_t, coreservicesd_t)
-allow coreservicesd_t self:mach_task set_special_port;
 allow coreservicesd_t self:process signal;
 allow coreservicesd_t self:shm { create read setattr write };
 allow coreservicesd_t self:udp_socket create;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#9 (text+ko) ====

@@ -48,8 +48,6 @@
 allow diskarbitrationd_t self:udp_socket create;
 allow diskarbitrationd_t self:unix_dgram_socket create;
 allow diskarbitrationd_t sbin_t:dir search;
-allow diskarbitrationd_t self:mach_task set_special_port;
-
 
 # Allow disk/device/fs operations
 allow diskarbitrationd_t device_t:chr_file { ioctl read };

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#6 (text+ko) ====

@@ -39,7 +39,6 @@
 
 # Talk to self
 mach_allow_message(kextd_t, kextd_t)
-allow kextd_t self:mach_task set_special_port;
 allow kextd_t self:process signal;
 allow kextd_t self:udp_socket create;
 

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#7 (text+ko) ====

@@ -31,7 +31,6 @@
 allow loginwindow_t console_device_t:chr_file { read setattr write };
 allow loginwindow_t lib_t:file execute_no_trans;
 allow loginwindow_t self:fd use;
-allow loginwindow_t self:mach_task set_special_port;
 allow loginwindow_t self:process { taskforpid signal }; # XXX
 allow loginwindow_t self:shm { create read setattr write };
 allow loginwindow_t self:socket { connect write };

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#5 (text+ko) ====

@@ -42,7 +42,6 @@
 allow lookupd_t self:udp_socket create;
 allow lookupd_t self:tcp_socket create;
 allow lookupd_t self:unix_dgram_socket create;
-allow lookupd_t self:mach_task set_special_port;
 
 
 # Misc

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#6 (text+ko) ====

@@ -29,7 +29,6 @@
 allow securityd_t self:unix_stream_socket create_stream_socket_perms;
 
 # Talk to self
-allow securityd_t self:mach_task set_special_port;
 allow securityd_t self:process signal;
 allow securityd_t self:socket { connect write };
 allow securityd_t self:udp_socket create;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/mach.te#2 (text+ko) ====

@@ -10,4 +10,4 @@
 	class mach_port app_mach_port_perms;
 ')
 
-
+allow domain self:mach_task set_special_port;
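Review bot: The added `allow domain self:mach_task set_special_port;` applies to every type carrying the `domain` attribute, whereas the rules removed elsewhere in this change covered only nine named daemons (DirectoryService_t through securityd_t), so the net effect is a wider grant rather than a pure refactor. If only some domains need the permission, a dedicated attribute would preserve least privilege, e.g. `allow mach_special_port_domain self:mach_task set_special_port;` (the attribute name is a placeholder), with each daemon's type added to that attribute. If the blanket grant is intended, the rule should carry a comment saying so, e.g. `# Any domain may set special ports on its own task; the rule is limited to self.`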

