PERFORCE change 113394 for review
Todd Miller
millert at FreeBSD.org
Mon Jan 22 20:10:33 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113394
Change 113394 by millert at millert_macbook on 2007/01/22 19:57:15
More work on coreservicesd.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#7 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#7 (text+ko) ====
@@ -27,9 +27,10 @@
# Talk to self
mach_allow_message(coreservicesd_t, coreservicesd_t)
-allow coreservicesd_t self:process signal;
+allow coreservicesd_t self:process { signal taskforpid };
allow coreservicesd_t self:shm { create read setattr write };
allow coreservicesd_t self:udp_socket create;
+allow coreservicesd_t self:mach_port move_recv;
# Talk to launchd
init_allow_ipc(coreservicesd_t)
@@ -39,9 +40,20 @@
# Talk to WindowServer
WindowServer_allow_ipc(coreservicesd_t)
+allow coreservicesd_t WindowServer_t:process taskforpid;
# Talk to configd
configd_allow_ipc(coreservicesd_t)
+allow coreservicesd_t configd_t:process taskforpid;
+
+# Talk to securityd
+securityd_allow_ipc(coreservicesd_t)
+allow coreservicesd_t securityd_t:process taskforpid;
+
+# Talk to init process
+allow coreservicesd_t init_t:process taskforpid;
+allow coreservicesd_t init_t:mi_bootstrap { bootstrap_look_up bootstrap_check_in };
+allow coreservicesd_t init_t:mi_notify_ipc notify_server_register_plain;
# Use CoreServices
darwin_allow_CoreServices_read(coreservicesd_t)
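Review bot: The four new `process taskforpid` grants (on WindowServer_t, configd_t, securityd_t and init_t) are the widest part of this change and the hunk gives no reason for any of them; if `taskforpid` gates task_for_pid() as its name suggests, a compromised coreservicesd_t would gain control over the tasks of securityd and of launchd, which is a far larger footprint than the IPC interfaces the surrounding lines grant. Each of these lines should be traceable to an observed denial rather than added as a set, and a short justification should sit at the top of the block, e.g. `# taskforpid on these domains grants task control; each entry confirmed against an audit denial (see <change or ticket placeholder>)`. The same permission on self in the first hunk is the benign case and needs no such note. Separately, the new `# Talk to init process` heading duplicates the existing `# Talk to launchd` section from the first hunk; if init_t is the launchd domain the three init_t rules belong under that heading.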
@@ -62,6 +74,7 @@
# Use frameworks
frameworks_read(coreservicesd_t)
+frameworks_execute(coreservicesd_t)
# Talk to loginwindow
loginwindow_allow_ipc(coreservicesd_t)
@@ -82,3 +95,12 @@
# Access cache files
allow coreservicesd_t darwin_cache_t:dir { getattr search };
+
+# Search dirs
+allow coreservicesd_t { darwin_system_t mnt_t fs_t }:dir { getattr search };
+
+# Use /dev/fsevents
+allow coreservicesd_t device_t:chr_file { read ioctl };
+
+# Stat filesystems
+allow coreservicesd_t fs_t:filesystem getattr;
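Review bot: The rule under `# Use /dev/fsevents` is broader than its comment: `device_t:chr_file { read ioctl }` covers every character device labeled device_t, not only /dev/fsevents, so any device node that falls back to the generic type becomes readable and ioctl-able by coreservicesd_t. If the policy has, or can be given, a dedicated type for the fsevents node (placeholder: `<fsevents_device_type>`), the rule should name that type instead; failing that the comment should state what is actually granted, e.g. `# Use /dev/fsevents (currently read/ioctl on every device_t chr_file; narrow once fsevents has its own type)`. The other new rules in this hunk (dir getattr/search on darwin_system_t, mnt_t and fs_t; filesystem getattr on fs_t) are proportionate to their comments.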