PERFORCE change 42908 for review
Andrew Reisse
areisse at FreeBSD.org
Fri Nov 21 20:51:16 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=42908
Change 42908 by areisse at areisse_ibook on 2003/11/21 12:50:45
sedarwin todo list
enforcing mode enabled by default
fixes to policy to enable enforcing mode
wslogin dialog looks nicer
Affected files ...
.. //depot/projects/trustedbsd/sedarwin/TODO#1 add
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/vfs/vfs_lookup.c#3 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/avc.c#5 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#18 edit
.. //depot/projects/trustedbsd/sedarwin/policy/rules#2 edit
.. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/classes.nib#2 edit
.. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/info.nib#2 edit
.. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/objects.nib#2 edit
.. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/wslogin.c#4 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/vfs/vfs_lookup.c#3 (text+ko) ====
@@ -460,8 +460,8 @@
if (p) {
error = mac_check_vnode_lookup(p->p_ucred, dp, cnp);
if (error) {
- printf("MAC_check_vnode_lookup: failed with error %d!\n", error);
-/* goto bad; */
+ /*printf("MAC_check_vnode_lookup: failed with error %d!\n", error);*/
+ goto bad;
}
} else {
printf("MAC_check_vnode_lookup: NULL process!\n");
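Review bot: The `else` branch for a NULL process still only prints `MAC_check_vnode_lookup: NULL process!` and, as far as this hunk shows, carries on without any MAC check, so once denials take `goto bad` a lookup that arrives with `p == NULL` is the one path that stays fail-open. If that case is reachable it should fail closed too, or carry a comment saying why skipping the check is safe, e.g. `/* no process context: kernel-internal lookup, MAC check intentionally skipped */` if that is in fact the intent. The denial path also loses its only diagnostic: rather than leaving the `printf` commented out, delete it or replace it with a rate-limited log so denied lookups stay visible when debugging policy. The enclosing function starts and ends outside the hunk.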
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/avc.c#5 (text+ko) ====
@@ -35,7 +35,7 @@
#include <security/sebsd/avc/av_inherit.h>
#include <security/sebsd/avc/av_perm_to_string.h>
-int selinux_enforcing = 0;
+int selinux_enforcing = 1;
#define AVC_CACHE_SLOTS 512
#define AVC_CACHE_MAXNODES 410
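Review bot: `selinux_enforcing` now defaults to enforcing but remains an undocumented, non-`static` global, so nothing at the definition tells a reader what the two values mean or which code is expected to change it. A comment such as `/* non-zero: AVC denials return EACCES; zero: permissive, denied permissions are granted and cached */` would record what the check in the second hunk of this file does with it. No boot-time or runtime override is visible in this change; if none exists, a policy mistake under this default may leave the system unable to start, which is worth stating next to the variable.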
@@ -982,13 +982,13 @@
denied = requested & ~(ae->avd.allowed);
- if (!requested || denied) {
+ if (/*!requested || */denied) {
if (selinux_enforcing) {
spin_unlock_irqrestore(&avc_lock,flags);
rc = EACCES;
goto out;
} else {
- ae->avd.allowed |= requested;
+ ae->avd.allowed |= requested;
spin_unlock_irqrestore(&avc_lock,flags);
goto out;
}
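Review bot: Dropping `!requested` from the condition means a call with an empty permission mask now skips this denial block in both modes, and the reason is not recorded; the old test is left behind as an inline comment fragment. If empty requests are legitimate for some callers, write `if (denied) {` with a comment saying so; if they indicate a caller bug (for example a wrong security class producing no permission bits), it would be safer to keep rejecting them and log the caller. Separately, in the permissive branch `ae->avd.allowed |= requested;` writes the grant into the cached decision, so permissions granted while permissive would presumably still be allowed from the cache after enforcing is turned on unless the cache is reset at that point. The enclosing function begins and ends outside the hunk.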
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#18 (text+ko) ====
@@ -333,6 +333,8 @@
}
}
+ file->sclass = vnode_type_to_security_class (vp->v_type);
+
return avc_has_perm_ref_audit(task->sid, file->sid, file->sclass,
perm, aeref ? aeref : &file->avcr, &ad);
}
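Review bot: `file->sclass` is now overwritten from `vp->v_type` on every permission check, and the hunk does not show what `vnode_type_to_security_class` returns for a vnode type it does not map. If it can return an unset or zero class, `avc_has_perm_ref_audit` would be asked about the wrong class, so that case should be rejected before the check rather than passed through. The write also goes to the label structure with no locking visible here; a short comment explaining why the stored class cannot be trusted (for instance `/* v_type may not be known when the label is first set up; refresh the class before each check */`, if that is the reason) would help the next reader. The function starts outside the hunk.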
==== //depot/projects/trustedbsd/sedarwin/policy/rules#2 (text+ko) ====
@@ -1,20 +1,22 @@
attribute domain;
+attribute file;
+attribute fs;
include(global_macros.te)
-type unlabeled_t;
-type file_t;
-#type bin_t;
-type shell_exec_t;
+type unlabeled_t, file, fs;
+type file_t, file;
+type bin_t, file;
+type shell_exec_t, file;
+type login_exec_t, file;
type init_d, domain;
-type login_exec_t;
type login_d, domain;
type user_d, domain;
type user_secret_d, domain;
type sysadm_d, domain;
type kernel_d, domain;
type security_t;
-type fs_t;
+type fs_t, fs;
type devpts_t;
type user_devpts_t;
type sysadm_devpts_t;
@@ -50,6 +52,8 @@
allow system_r user_secret_r;
allow system_r sysadm_r;
+allow file fs:filesystem associate;
+
#allow init_d { bin_t shell_exec_t file_t }:dir_file_class_set rw_file_perms;
#allow init_d bin_t:file execute_no_trans;
domain_auto_trans(init_d,login_exec_t,login_d);
@@ -59,13 +63,16 @@
domain_trans(login_d,shell_exec_t,sysadm_d);
type_change user_d devpts_t:chr_file user_devpts_t;
-allow domain {shell_exec_t unlabeled_t}:{file lnk_file sock_file} {create_file_perms execute };
-allow domain unlabeled_t:dir { create_dir_perms };
+allow domain file:{file lnk_file sock_file} {create_file_perms execute };
+allow domain file:dir { create_dir_perms };
allow domain {null_device_t console_device_t memory_device_t random_device_t device_t}:{file chr_file} create_file_perms;
allow domain device_t:blk_file create_file_perms;
allow domain {devpts_t user_devpts_t sysadm_devpts_t}:chr_file create_file_perms;
-allow domain domain:process { signal };
+allow domain domain:process { signal sigkill setsched getsession };
+allow domain file:{dir file lnk_file sock_file} { relabelfrom relabelto };
allow user_secret_d secret_t:{file lnk_file} create_file_perms;
allow user_secret_d secret_t:dir { create_file_perms rw_dir_perms };
-allow user_secret_d { secret_t unlabeled_t }:{file dir} { relabelfrom relabelto };
+allow user_secret_d { secret_t unlabeled_t file_t }:{file dir} { relabelfrom relabelto };
+allow secret_t fs:filesystem associate;
+
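Review bot: The new `allow domain file:...` rules grant every domain `create_file_perms` (presumably including write), `execute` and `relabelfrom relabelto` on every type carrying the `file` attribute, which after the first hunk includes `bin_t`, `shell_exec_t` and `login_exec_t`. `login_exec_t` and `shell_exec_t` are the entry-point types in the `domain_auto_trans`/`domain_trans` rules visible here, so letting a domain such as `user_d` modify or relabel them undercuts the transitions the policy relies on. `allow domain domain:process { signal sigkill setsched getsession };` is similarly broad, letting any domain signal any other, including `init_d` and `kernel_d`. If these are bring-up rules to get enforcing mode booting, mark them with a comment like `# TODO: temporary, narrow to specific domains` and limit the executable types to read/execute for non-admin domains.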
==== //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/classes.nib#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/info.nib#2 (text+ko) ====
@@ -8,7 +8,6 @@
<string>291.0</string>
<key>IBLockedObjects</key>
<array>
- <integer>199</integer>
<integer>200</integer>
</array>
<key>IBOpenObjects</key>
==== //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/objects.nib#2 (binary) ====
==== //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/wslogin.c#4 (text+ko) ====
@@ -12,7 +12,7 @@
#define errexit(args...) \
{ \
syslog (LOG_ERR, ##args); \
- return 1; \
+ kill (getppid(), 15); return 1; \
}
const char *username = "root";
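Review bot: `kill (getppid(), 15)` uses a bare signal number and an unverified parent pid, here in `errexit` and again in the hunks at -68 and -133. Use the named constant, `kill (getppid(), SIGTERM);`, and note that if the parent has already exited `getppid()` returns the pid of the reparenting process (normally 1), so the signal would go to the wrong process; comparing against the parent pid recorded at start-up avoids that. The return value of `kill` is also ignored, so a failure to signal the parent (which the enforcing policy could itself cause) goes unlogged. Because `errexit` expands to a bare `{ ... }` block holding several statements, wrapping it in `do { ... } while (0)` would let it behave like a single statement after an unbraced `if`, which is how the next hunk uses it.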
@@ -68,7 +68,9 @@
if (mac_from_text(&execlabel, shm+1))
errexit("%s is not a valid domain", shm[1]);
- return mac_set_proc (execlabel);
+ if (mac_set_proc (execlabel))
+ kill (getppid(), 15);
+ return 0;
}
if (sebsd_enabled())
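Review bot: When `mac_set_proc` fails this path now returns 0, where the old code returned the failure to the caller, so the only thing stopping the session from continuing without the requested label is the signal to the parent actually being delivered. Return non-zero after signalling: `if (mac_set_proc (execlabel)) { kill (getppid(), SIGTERM); return 1; }`, or call `errexit` with a message so the failure is also logged. The hunk at -133 has the same pattern. The enclosing function starts outside the hunk.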
@@ -133,9 +135,8 @@
free(labeltext);
}
- if (execlabel)
- return mac_set_proc (execlabel);
- else
- return 0;
+ if (mac_set_proc (execlabel))
+ kill (getppid (), 15);
+ return 0;
}
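Review bot: The `if (execlabel)` guard was removed, so `mac_set_proc` is now called even when no label was built; the lines that set `execlabel` are outside the hunk, but the old `else return 0;` suggests it can be NULL here. If so, either keep the guard, `if (execlabel && mac_set_proc (execlabel))`, or treat a missing label as an explicit error rather than relying on how `mac_set_proc` handles a NULL argument.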