PERFORCE change 67063 for review
Andrew Reisse
areisse at FreeBSD.org
Tue Dec 14 15:19:28 GMT 2004
http://perforce.freebsd.org/chv.cgi?CH=67063
Change 67063 by areisse at areisse_tislabs on 2004/12/14 15:19:13
Rebuild flask include files. Change AVC_TOGGLE to SETENFORCE.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_inherit.h#4 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_perm_to_string.h#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_permissions.h#6 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/class_to_string.h#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/common_perm_to_string.h#4 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/initial_sid_to_string.h#4 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/flask.h#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#5 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_inherit.h#4 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_perm_to_string.h#5 (text+ko) ====
@@ -54,6 +54,7 @@
{ SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld" },
{ SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill" },
{ SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop" },
+ { SECCLASS_PROCESS, PROCESS__SIGNULL, "signull" },
{ SECCLASS_PROCESS, PROCESS__SIGNAL, "signal" },
{ SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace" },
{ SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched" },
@@ -64,6 +65,13 @@
{ SECCLASS_PROCESS, PROCESS__GETCAP, "getcap" },
{ SECCLASS_PROCESS, PROCESS__SETCAP, "setcap" },
{ SECCLASS_PROCESS, PROCESS__SHARE, "share" },
+ { SECCLASS_PROCESS, PROCESS__GETATTR, "getattr" },
+ { SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec" },
+ { SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate" },
+ { SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure" },
+ { SECCLASS_PROCESS, PROCESS__SIGINH, "siginh" },
+ { SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit" },
+ { SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh" },
{ SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue" },
{ SECCLASS_MSG, MSG__SEND, "send" },
{ SECCLASS_MSG, MSG__RECEIVE, "receive" },
@@ -74,24 +82,15 @@
{ SECCLASS_POSIX_SEM, POSIX_SEM__WRITE, "write" },
{ SECCLASS_POSIX_SEM, POSIX_SEM__READ, "read" },
{ SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av" },
- { SECCLASS_SECURITY, SECURITY__NOTIFY_PERM, "notify_perm" },
- { SECCLASS_SECURITY, SECURITY__TRANSITION_SID, "transition_sid" },
- { SECCLASS_SECURITY, SECURITY__MEMBER_SID, "member_sid" },
- { SECCLASS_SECURITY, SECURITY__SID_TO_CONTEXT, "sid_to_context" },
- { SECCLASS_SECURITY, SECURITY__CONTEXT_TO_SID, "context_to_sid" },
+ { SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create" },
+ { SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member" },
+ { SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context" },
{ SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy" },
- { SECCLASS_SECURITY, SECURITY__GET_SIDS, "get_sids" },
- { SECCLASS_SECURITY, SECURITY__REGISTER_AVC, "register_avc" },
- { SECCLASS_SECURITY, SECURITY__CHANGE_SID, "change_sid" },
- { SECCLASS_SECURITY, SECURITY__GET_USER_SIDS, "get_user_sids" },
- { SECCLASS_SYSTEM, SYSTEM__NET_IO_CONTROL, "net_io_control" },
- { SECCLASS_SYSTEM, SYSTEM__ROUTE_CONTROL, "route_control" },
- { SECCLASS_SYSTEM, SYSTEM__ARP_CONTROL, "arp_control" },
- { SECCLASS_SYSTEM, SYSTEM__RARP_CONTROL, "rarp_control" },
+ { SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel" },
+ { SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user" },
+ { SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce" },
+ { SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool" },
{ SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info" },
- { SECCLASS_SYSTEM, SYSTEM__AVC_TOGGLE, "avc_toggle" },
- { SECCLASS_SYSTEM, SYSTEM__NFSD_CONTROL, "nfsd_control" },
- { SECCLASS_SYSTEM, SYSTEM__BDFLUSH, "bdflush" },
{ SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read" },
{ SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod" },
{ SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console" },
@@ -139,6 +138,9 @@
{ SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config" },
{ SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod" },
{ SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease" },
+ { SECCLASS_PASSWD, PASSWD__PASSWD, "passwd" },
+ { SECCLASS_PASSWD, PASSWD__CHFN, "chfn" },
+ { SECCLASS_PASSWD, PASSWD__CHSH, "chsh" },
};
#define AV_PERM_TO_STRING_SIZE (sizeof(av_perm_to_string)/sizeof(av_perm_to_string_t))
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/av_permissions.h#6 (text+ko) ====
@@ -482,16 +482,24 @@
#define PROCESS__SIGCHLD 0x0000000000000004UL
#define PROCESS__SIGKILL 0x0000000000000008UL
#define PROCESS__SIGSTOP 0x0000000000000010UL
-#define PROCESS__SIGNAL 0x0000000000000020UL
-#define PROCESS__PTRACE 0x0000000000000040UL
-#define PROCESS__GETSCHED 0x0000000000000080UL
-#define PROCESS__SETSCHED 0x0000000000000100UL
-#define PROCESS__GETSESSION 0x0000000000000200UL
-#define PROCESS__GETPGID 0x0000000000000400UL
-#define PROCESS__SETPGID 0x0000000000000800UL
-#define PROCESS__GETCAP 0x0000000000001000UL
-#define PROCESS__SETCAP 0x0000000000002000UL
-#define PROCESS__SHARE 0x0000000000004000UL
+#define PROCESS__SIGNULL 0x0000000000000020UL
+#define PROCESS__SIGNAL 0x0000000000000040UL
+#define PROCESS__PTRACE 0x0000000000000080UL
+#define PROCESS__GETSCHED 0x0000000000000100UL
+#define PROCESS__SETSCHED 0x0000000000000200UL
+#define PROCESS__GETSESSION 0x0000000000000400UL
+#define PROCESS__GETPGID 0x0000000000000800UL
+#define PROCESS__SETPGID 0x0000000000001000UL
+#define PROCESS__GETCAP 0x0000000000002000UL
+#define PROCESS__SETCAP 0x0000000000004000UL
+#define PROCESS__SHARE 0x0000000000008000UL
+#define PROCESS__GETATTR 0x0000000000010000UL
+#define PROCESS__SETEXEC 0x0000000000020000UL
+#define PROCESS__SETFSCREATE 0x0000000000040000UL
+#define PROCESS__NOATSECURE 0x0000000000080000UL
+#define PROCESS__SIGINH 0x0000000000100000UL
+#define PROCESS__SETRLIMIT 0x0000000000200000UL
+#define PROCESS__RLIMITINH 0x0000000000400000UL
#define IPC__WRITE 0x0000000000000020UL
#define IPC__UNIX_WRITE 0x0000000000000100UL
@@ -546,28 +554,19 @@
#define POSIX_SEM__READ 0x0000000000000010UL
#define SECURITY__COMPUTE_AV 0x0000000000000001UL
-#define SECURITY__NOTIFY_PERM 0x0000000000000002UL
-#define SECURITY__TRANSITION_SID 0x0000000000000004UL
-#define SECURITY__MEMBER_SID 0x0000000000000008UL
-#define SECURITY__SID_TO_CONTEXT 0x0000000000000010UL
-#define SECURITY__CONTEXT_TO_SID 0x0000000000000020UL
-#define SECURITY__LOAD_POLICY 0x0000000000000040UL
-#define SECURITY__GET_SIDS 0x0000000000000080UL
-#define SECURITY__REGISTER_AVC 0x0000000000000100UL
-#define SECURITY__CHANGE_SID 0x0000000000000200UL
-#define SECURITY__GET_USER_SIDS 0x0000000000000400UL
+#define SECURITY__COMPUTE_CREATE 0x0000000000000002UL
+#define SECURITY__COMPUTE_MEMBER 0x0000000000000004UL
+#define SECURITY__CHECK_CONTEXT 0x0000000000000008UL
+#define SECURITY__LOAD_POLICY 0x0000000000000010UL
+#define SECURITY__COMPUTE_RELABEL 0x0000000000000020UL
+#define SECURITY__COMPUTE_USER 0x0000000000000040UL
+#define SECURITY__SETENFORCE 0x0000000000000080UL
+#define SECURITY__SETBOOL 0x0000000000000100UL
-#define SYSTEM__NET_IO_CONTROL 0x0000000000000001UL
-#define SYSTEM__ROUTE_CONTROL 0x0000000000000002UL
-#define SYSTEM__ARP_CONTROL 0x0000000000000004UL
-#define SYSTEM__RARP_CONTROL 0x0000000000000008UL
-#define SYSTEM__IPC_INFO 0x0000000000000010UL
-#define SYSTEM__AVC_TOGGLE 0x0000000000000020UL
-#define SYSTEM__NFSD_CONTROL 0x0000000000000040UL
-#define SYSTEM__BDFLUSH 0x0000000000000080UL
-#define SYSTEM__SYSLOG_READ 0x0000000000000100UL
-#define SYSTEM__SYSLOG_MOD 0x0000000000000200UL
-#define SYSTEM__SYSLOG_CONSOLE 0x0000000000000400UL
+#define SYSTEM__IPC_INFO 0x0000000000000001UL
+#define SYSTEM__SYSLOG_READ 0x0000000000000002UL
+#define SYSTEM__SYSLOG_MOD 0x0000000000000004UL
+#define SYSTEM__SYSLOG_CONSOLE 0x0000000000000008UL
#define CAPABILITY__CHOWN 0x0000000000000001UL
#define CAPABILITY__DAC_EXECUTE 0x0000000000000002UL
@@ -614,5 +613,9 @@
#define CAPABILITY__MKNOD 0x0000040000000000UL
#define CAPABILITY__LEASE 0x0000080000000000UL
+#define PASSWD__PASSWD 0x0000000000000001UL
+#define PASSWD__CHFN 0x0000000000000002UL
+#define PASSWD__CHSH 0x0000000000000004UL
+
/* FLASK */
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/class_to_string.h#5 (text+ko) ====
@@ -35,5 +35,6 @@
"shm",
"ipc",
"posix_sem",
+ "passwd",
};
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/common_perm_to_string.h#4 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/initial_sid_to_string.h#4 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/flask.h#5 (text+ko) ====
@@ -37,6 +37,7 @@
#define SECCLASS_SHM 28
#define SECCLASS_IPC 29
#define SECCLASS_POSIX_SEM 30
+#define SECCLASS_PASSWD 31
/*
* Security identifier indices for initial entities
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#5 (text+ko) ====
@@ -116,7 +116,7 @@
if (error)
return (error);
- error = thread_has_system (curthread, SYSTEM__AVC_TOGGLE);
+ error = thread_has_system (curthread, SECURITY__SETENFORCE);
if (error)
return error;
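Review bot: The new check hands SECURITY__SETENFORCE, a SECCLASS_SECURITY permission (av_perm_to_string.h pairs it with SECCLASS_SECURITY and av_permissions.h defines it as bit 0x80 of that class), to thread_has_system, whose name suggests it evaluates the caller against the SECCLASS_SYSTEM target class; if that is the case, the bit actually tested is system-class 0x80, which after this rebuild no longer corresponds to any SYSTEM__ permission. The removed SYSTEM__AVC_TOGGLE was a system-class permission, so the substitution changes the target class of the check, not just the permission name. Unless thread_has_system obtains the class from elsewhere, this line should call a helper that performs the AVC check with SECCLASS_SECURITY as the target class, keeping the same `if (error) return error;` handling. The two error paths in this hunk also mix `return (error);` and `return error;`; pick one form. The enclosing sysctl handler starts and ends outside the hunk.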