PERFORCE change 67061 for review
Andrew Reisse
areisse at FreeBSD.org
Tue Dec 14 14:11:05 GMT 2004
http://perforce.freebsd.org/chv.cgi?CH=67061
Change 67061 by areisse at areisse_tislabs on 2004/12/14 14:10:46
bring flask configuration changes that were made in the kernel tree
over to the policy.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/Makefile#2 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#6 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/initial_sids#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkaccess_vector.sh#2 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkflask.sh#2 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/security_classes#5 integrate
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/Makefile#2 (text+ko) ====
@@ -1,40 +1,26 @@
-# flask needs to know where to export the libselinux headers.
-LIBSELINC ?= ../../libselinux/include
+#
+# Makefile for building the SELinux module as part of the kernel.
+#
-# flask needs to know where to export the kernel headers.
-LINUXDIR ?= ../../../linux-2.5
-
AWK = awk
-CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
- else if [ -x /bin/bash ]; then echo /bin/bash; \
- else echo sh; fi ; fi)
-
FLASK_H_DEPEND = security_classes initial_sids
AV_H_DEPEND = access_vectors
-FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
-ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
+FLASK_H_FILES = av_inherit.h av_perm_to_string.h av_permissions.h class_to_string.h common_perm_to_string.h initial_sid_to_string.h
-all: $(ALL_H_FILES)
+all: flask.h av_permissions.h
-$(FLASK_H_FILES): $(FLASK_H_DEPEND)
- $(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+flask.h: $(FLASK_H_DEPEND)
+ /bin/sh ./mkflask.sh $(AWK) $(FLASK_H_DEPEND)
-$(AV_H_FILES): $(AV_H_DEPEND)
- $(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
+av_permissions.h: $(AV_H_DEPEND)
+ /bin/sh ./mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
-tolib: all
- install -m 644 $(ALL_H_FILES) $(LIBSELINC)/selinux
-
-tokern: all
- install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
-
-install: all
-
-relabel:
+install: flask.h av_permissions.h
+ install -C -m0644 $(FLASK_H_FILES) ../avc
+ install -C -m0644 flask.h ..
clean:
rm -f $(FLASK_H_FILES)
- rm -f $(AV_H_FILES)
+ rm -f $(FLASK_IH_FILES)
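Review bot: `clean` never removes `flask.h`: the new `FLASK_H_FILES` list no longer contains it, and the added `rm -f $(FLASK_IH_FILES)` expands an undefined variable (apparently a typo for `FLASK_H_FILES`, which the line above already removes) into a bare `rm -f`. Because `all` and `install` are keyed on `flask.h`, a header left behind by a previous run survives `make clean` and is silently reused, even though the class and SID numbering it carries may no longer match the current `security_classes`/`initial_sids`. I would replace the last line with `rm -f flask.h` and, since none of the goals are files, add `.PHONY: all install clean` near the top. The two recipes also hard-code `/bin/sh`; `$(SHELL) ./mkflask.sh $(AWK) $(FLASK_H_DEPEND)` would let the build override the interpreter like the rest of the tree.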
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#6 (text+ko) ====
@@ -220,10 +220,11 @@
{
fork
transition
- sigchld
- sigkill
- sigstop
- signal
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
ptrace
getsched
setsched
@@ -233,11 +234,13 @@
getcap
setcap
share
- signull
getattr
setexec
setfscreate
noatsecure
+ siginh
+ setrlimit
+ rlimitinh
}
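Review bot: Moving `signull` from after `share` to between `sigstop` and `signal` changes the bit assigned to `signal` and to every permission that follows it in the `process` class, because `mkaccess_vector.sh` numbers permissions by order of appearance (`permission = permission + 1` in the same change). That is intended here, but it means any kernel or compiled policy built from the previous ordering will decode `process` access vectors with the wrong bits, so this file and the kernel's copy must be regenerated together. The three new permissions `siginh`, `setrlimit` and `rlimitinh` are the only entries in this block without a trailing comment; for consistency with the signal entries I would add `siginh # inherit signal state across exec`, `setrlimit # change resource limits` and `rlimitinh # inherit resource limits across exec` (meanings inferred from the names; confirm against the kernel's checks). The `class process` header is outside the hunk.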
@@ -289,6 +292,8 @@
load_policy
compute_relabel
compute_user
+ setenforce # was avc_toggle in system class
+ setbool
}
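Review bot: `setbool` is added without the explanatory comment its neighbour `setenforce` gets, and both gate operations that change how the policy is applied at runtime rather than just reading state, which is exactly what someone auditing which domains hold `security` permissions needs to see. I would write `setbool # change a policy boolean at runtime` (meaning inferred from the name; confirm against the kernel's check) and extend the existing comment to `setenforce # was avc_toggle in system class; presumably switches enforcing mode`. The class header and its earlier permissions are outside the hunk.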
@@ -298,15 +303,8 @@
class system
{
- net_io_control
- route_control
- arp_control
- rarp_control
ipc_info
- avc_toggle
- nfsd_control
- bdflush
- syslog_read
+ syslog_read
syslog_mod
syslog_console
}
@@ -367,6 +365,11 @@
lease
}
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
class passwd
{
passwd
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/initial_sids#4 (text+ko) ====
@@ -28,7 +28,10 @@
sid sysctl_vm
sid sysctl_dev
sid kmod
+sid devfs
+sid devpts
+sid nfs
sid policy
-sid scmp_packet
+sid tmpfs
# FLASK
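Review bot: The numeric values of the `policy` SID and of the slot `scmp_packet` used to occupy both change here: `devfs`, `devpts` and `nfs` are inserted ahead of `policy`, and `tmpfs` takes the old slot. If `mkflask.sh` numbers initial SIDs by position the way `mkaccess_vector.sh` numbers permissions, the constants in the regenerated `flask.h` shift, and a kernel built from the old table will attach the wrong initial contexts to these objects. That is the point of syncing with the kernel tree, but the file should say so: I would add `# Order matters: SIDs are numbered by position; keep in sync with the kernel's initial_sids` at the top of the list (the file header is outside the hunk).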
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkaccess_vector.sh#2 (text+ko) ====
@@ -36,22 +36,22 @@
printf("/* %s */\n\n", subproject) > cpermfile;
printf("/* %s */\n\n", subproject) > inheritfile;
- printf("struct av_inherit\n") > inheritfile;
+ printf("typedef struct\n") > inheritfile;
printf("{\n") > inheritfile;
- printf(" u16 tclass;\n") > inheritfile;
+ printf(" security_class_t tclass;\n") > inheritfile;
printf(" char **common_pts;\n") > inheritfile;
- printf(" u32 common_base;\n") > inheritfile;
- printf("};\n\n") > inheritfile;
- printf("static struct av_inherit av_inherit[] = {\n") > inheritfile;
+ printf(" access_vector_t common_base;\n") > inheritfile;
+ printf("} av_inherit_t;\n\n") > inheritfile;
+ printf("static av_inherit_t av_inherit[] = {\n") > inheritfile;
printf("/* %s */\n\n", subproject) > avpermfile;
- printf("struct av_perm_to_string\n") > avpermfile;
+ printf("typedef struct\n") > avpermfile;
printf("{\n") > avpermfile;
- printf(" u16 tclass;\n") > avpermfile;
- printf(" u32 value;\n") > avpermfile;
+ printf(" security_class_t tclass;\n") > avpermfile;
+ printf(" access_vector_t value;\n") > avpermfile;
printf(" char *name;\n") > avpermfile;
- printf("};\n\n") > avpermfile;
- printf("static struct av_perm_to_string av_perm_to_string[] = {\n") > avpermfile;
+ printf("} av_perm_to_string_t;\n\n") > avpermfile;
+ printf("static av_perm_to_string_t av_perm_to_string[] = {\n") > avpermfile;
}
/^[ \t]*#/ {
next;
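Review bot: The generated `av_inherit.h` and `av_perm_to_string.h` now use `security_class_t` and `access_vector_t` in the `typedef struct` blocks written to `inheritfile` and `avpermfile`, but this hunk emits no `#include` for the header that defines them, so the files compile only if the includer has already pulled in `flask_types.h`, as the sibling `mkflask.sh` change does for `flask.h`. Emitting `printf("#include <security/sebsd/flask_types.h>\n\n") > inheritfile;` and the same line for `avpermfile`, right after the subproject comment, makes the headers self-contained. While here, `const char **common_pts;` and `const char *name;` would document that the tables are read-only (their initialisers are outside this hunk; confirm nothing writes through them).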
@@ -129,12 +129,15 @@
spaces = 1;
for (i = 0; i < spaces; i++)
printf(" ") > outfile;
- printf("0x%08xUL\n", common_perms[combined]) > outfile;
+ pt = common_perms[combined];
+ printf("0x%08x%08xUL\n", pt>32 ? 2^(pt-33) : 0, pt<33 ? 2^(pt-1) : 0) > outfile;
+ #printf("0x%08xUL\n", common_perms[combined]) > outfile;
}
}
printf("\n") > outfile;
- printf(" { SECCLASS_%s, common_%s_perm_to_string, 0x%08xUL },\n", toupper(tclass), inherits, permission) > inheritfile;
+ printf(" { SECCLASS_%s, common_%s_perm_to_string, 0x%08x%08xUL },\n", toupper(tclass), inherits,
+ permission>32 ? 2^(permission-33) : 0, permission<33 ? 2^(permission-1) : 0) > inheritfile;
nextstate = "CLASS_OR_CLASS-OPENBRACKET";
next;
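Review bot: The 64-bit literal formatting `pt>32 ? 2^(pt-33) : 0, pt<33 ? 2^(pt-1) : 0` is written out three times in this change (here for the inherited common permissions, again for the `av_inherit` row, and once more for class-specific permissions in the next hunk), and the old form is left behind as the commented-out `#printf("0x%08xUL\n", …)`, which should go. An awk function defined at the top level of the program (outside the pattern-action blocks, e.g. just before `BEGIN` or before the closing quote) removes the duplication and gives one place to reason about the `%x` conversion, which formats an awk double and so depends on the implementation's handling of values up to 2^31 (bits 32 and 64). The `UL` suffix also only names a 64-bit type on LP64 targets; `ULL` is the portable spelling if `access_vector_t` is 64 bits wide.
```awk
# One 64-bit access-vector literal for permission bit n (1..64), emitted as
# two 32-bit halves so each half stays exact in awk's double arithmetic.
function av_literal(n) {
	return sprintf("0x%08x%08xUL", n > 32 ? 2^(n-33) : 0, n < 33 ? 2^(n-1) : 0);
}
# … unchanged: BEGIN block and preceding pattern-action rules …
	printf("%s\n", av_literal(common_perms[combined])) > outfile;
# … unchanged: closing braces, blank printf …
	printf(" { SECCLASS_%s, common_%s_perm_to_string, %s },\n", toupper(tclass), inherits, av_literal(permission)) > inheritfile;
```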
@@ -209,8 +212,8 @@
for (i = 0; i < spaces; i++)
printf(" ") > outfile;
- printf("0x%08xUL\n", permission) > outfile;
- permission = permission * 2;
+ printf("0x%08x%08xUL\n", permission>32 ? 2^(permission-33) : 0, permission<33 ? 2^(permission-1) : 0) > outfile;
+ permission = permission + 1;
}
$1 == "}" {
if (nextstate != "CLASS-CLOSEBRACKET" &&
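Review bot: `permission = permission + 1` now counts bit positions, but nothing stops the count running past 64: a class whose own permissions plus inherited common permissions exceed 64 makes `2^(permission-33)` exceed 32 bits, and the `%08x` output is no longer a single bit of a 64-bit vector, so the generated header silently carries a malformed or colliding constant. Before the printf I would add `if (permission > 64) { printf("%s: too many permissions in class %s\n", FILENAME, tclass) > "/dev/stderr"; exit 1; }` so a policy that overflows the access vector fails to generate rather than producing a header whose bits do not mean what the policy says. The `$1 == "}"` action continues past the end of the hunk.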
@@ -239,9 +242,11 @@
printf("\n/* %s */\n", subproject) > cpermfile;
printf("};\n\n") > inheritfile;
+ printf("#define AV_INHERIT_SIZE (sizeof(av_inherit)/sizeof(av_inherit_t))\n\n") > inheritfile;
printf("\n/* %s */\n", subproject) > inheritfile;
printf("};\n\n") > avpermfile;
+ printf("#define AV_PERM_TO_STRING_SIZE (sizeof(av_perm_to_string)/sizeof(av_perm_to_string_t))\n\n") > avpermfile;
printf("\n/* %s */\n", subproject) > avpermfile;
}'
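Review bot: The new size macros divide by the element type name, `sizeof(av_inherit)/sizeof(av_inherit_t)`; dividing by the first element instead, `sizeof(av_inherit)/sizeof(av_inherit[0])` and `sizeof(av_perm_to_string)/sizeof(av_perm_to_string[0])`, stays correct if the typedef is renamed again, as it was in this very change. Both macros describe `static` arrays and are therefore only meaningful in the translation unit that includes the generated header; a generated one-line comment saying so would save the next reader a trip to the generator.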
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkflask.sh#2 (text+ko) ====
@@ -23,8 +23,10 @@
printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
- printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
- printf("#define _SELINUX_FLASK_H_\n") > outfile;
+ printf("#ifndef _LINUX_FLASK_H_\n") > outfile;
+ printf("#define _LINUX_FLASK_H_\n") > outfile;
+ printf("\n#include <security/sebsd/flask_types.h>\n") > outfile;
+
printf("\n/*\n * Security object class definitions\n */\n") > outfile;
printf("/* This file is automatically generated. Do not edit. */\n") > debugfile;
printf("/*\n * Security object class definitions\n */\n") > debugfile;
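Review bot: The include guard is renamed from `_SELINUX_FLASK_H_` to `_LINUX_FLASK_H_` in a generator that, on the next emitted line, includes `<security/sebsd/flask_types.h>`, i.e. in the SEBSD tree; a guard carrying the Linux name is misleading, and if a Linux-derived `flask.h` with the same guard ever lands in the same translation unit, one of the two headers is silently dropped. I would emit `printf("#ifndef _SEBSD_FLASK_H_\n") > outfile;` and `printf("#define _SEBSD_FLASK_H_\n") > outfile;` instead. The matching `#endif` is presumably written further down the script, outside this hunk, and must be changed in step.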
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/security_classes#5 (text+ko) ====