PERFORCE change 113397 for review

Todd Miller millert at FreeBSD.org
Mon Jan 22 20:11:31 UTC 2007 

http://perforce.freebsd.org/chv.cgi?CH=113397

Change 113397 by millert at millert_macbook on 2007/01/22 19:58:33

	Clean up notifyd.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mDNSResponder.te#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/memberd.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.te#6 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mDNSResponder.te#7 (text+ko) ====

@@ -73,6 +73,9 @@
 # Use Frameworks
 frameworks_read(mDNSResponder_t)
 
+# Allow shared memory usage w/ notifyd
+notifyd_allow_shm(mDNSResponder_t)
+
 # Read prefs
 darwin_allow_global_pref_read(mDNSResponder_t)
 darwin_allow_host_pref_read(mDNSResponder_t)

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/memberd.te#6 (text+ko) ====

@@ -55,6 +55,9 @@
 # Talk to WindowServer
 WindowServer_allow_ipc(memberd_t)
 
+# Allow shared memory usage w/ notifyd
+notifyd_allow_shm(memberd_t)
+
 # Use Frameworks
 frameworks_read(memberd_t)
 

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/notifyd.te#6 (text+ko) ====

@@ -24,7 +24,11 @@
 ## internal communication is often done using fifo and unix sockets.
 allow notifyd_t self:fifo_file { read write };
 allow notifyd_t self:unix_stream_socket create_stream_socket_perms;
+allow notifyd_t self:socket connect;
+allow notifyd_t self:shm { create setattr write read };
 
+# Perform filesystem operations
+fs_getattr_xattr_fs(notifyd_t)
 # Misc
 allow notifyd_t mnt_t:dir { getattr search };
 allow notifyd_t nfs_t:lnk_file { getattr read };
@@ -32,12 +36,18 @@
 # Talk to self
 mach_allow_message(notifyd_t, notifyd_t)
 
+# Allow bootstrap lookups
+init_allow_bootstrap(notifyd_t)
+
 # Talk to kernel
 kernel_allow_ipc(notifyd_t)
 
 # Talk to launchd
 init_allow_ipc(notifyd_t)
 
+# Allow communication with memberd
+memberd_allow_ipc(notifyd_t)
+
 # Talk to CoreServices
 allow notifyd_t coreservicesd_t:mach_port { hold_send_once send move_send_once };
 
@@ -47,3 +57,6 @@
 
 # Read /private
 darwin_allow_private_read(notifyd_t)
+
+# /var operations
+files_read_var_symlinks(notifyd_t)

More information about the trustedbsd-cvs mailing list