PERFORCE change 76201 for review
Andrew Reisse
areisse at FreeBSD.org
Fri Apr 29 14:51:17 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=76201
Change 76201 by areisse at areisse_ibook on 2005/04/29 14:50:35
Support for building the msgid->security class mappings.
Autogenerate security classes and permissions for mach services
(just bootstrap namespace now). Convert the TE rules to use the
new names.
To use this policy, you must install the sebsd_migscs
file in the root directory and add an OF variable
load_sebsd_migscs with value sebsd_migscs.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/access_vectors#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/security_classes#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/macros/global_macros.te#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/migscs.pl#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/rules#2 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/Makefile#3 (text+ko) ====
@@ -1,13 +1,14 @@
include ../../Makeconfig
+include $(DARWIN_ROOT)/build/Mig.mk
POLICY= policy.16
SCRIPTS= create-extattr.sh sebsd-relabel.sh
INSTALL?= install
-all: $(POLICY)
+all: $(POLICY) sebsd_migscs
-INPUTS = flask/security_classes initial_sids \
- flask/access_vectors rules.m4 users initial_sid_contexts fs_use \
+INPUTS = flask/security_classes mig_classes initial_sids \
+ flask/access_vectors mig_access_vectors rules.m4 users initial_sid_contexts fs_use \
devfs
policy.conf: $(INPUTS)
@@ -27,7 +28,7 @@
clean:
rm -f bininclude $(POLICY) policy.conf policy.h rules.m4 fc.out \
- genfs
+ genfs mig_access_vectors mig_classes sebsd_migscs mig_msgids
relabel: fc
@echo This is broken
@@ -38,3 +39,20 @@
(cd $(CURDIR)/..; tar -cf - policy) | (cd $(DESTDIR)/private/etc/sedarwin/; tar -xf -)
cp -f Makefile.install $(DESTDIR)/private/etc/sedarwin/policy/Makefile
+
+# Mig security classes and access vectors
+
+DEFS = $(DARWIN_ROOT)/system_cmds/mach_init.tproj/bootstrap.defs
+
+mig_msgids: $(DEFS)
+ for i in $(DEFS); do $(MIG) -user /dev/null -server /dev/null -header /dev/null -sheader /dev/null -flasksc `basename $$i .defs`.flask $$i; cat `basename $$i .defs`.flask >> $@; done
+
+mig_access_vectors: mig_msgids
+ cat $< | awk '{print $$1, $$2}' > $@
+ echo ';' >> $@
+
+mig_classes: mig_access_vectors
+ grep '^class' $< > $@
+
+sebsd_migscs: flask/security_classes mig_msgids
+ cat flask/security_classes mig_msgids | perl migscs.pl
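Review bot: The `mig_msgids` recipe appends with `>> $@` and never truncates the target, so a rebuild after `bootstrap.defs` changes keeps the old entries and adds the new ones after them; each loop step also ends in `;`, so a failing `$(MIG)` run does not stop the build. Since this file feeds both the generated policy classes and, as far as the description shows, the msgid-to-class table installed as `sebsd_migscs`, a stale or partial file can leave the two out of step without any build error. Build into a temporary file under `set -e` and rename it at the end, as below. Separately, `sebsd_migscs` relies on `migscs.pl` (not shown here) to create the target without listing the script as a prerequisite, and the per-interface `.flask` files are not removed by `clean`.

```make
mig_msgids: $(DEFS)
	rm -f $@.tmp
	set -e; for i in $(DEFS); do \
		f=`basename $$i .defs`.flask; \
		$(MIG) -user /dev/null -server /dev/null -header /dev/null -sheader /dev/null -flasksc $$f $$i; \
		cat $$f >> $@.tmp; \
	done
	mv -f $@.tmp $@
```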
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/access_vectors#2 (text+ko) ====
@@ -378,11 +378,3 @@
set_special_port
}
-class mach_names
-{
- register
- look_up
- getparent
- makesubset
- create_server
-};
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/security_classes#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/macros/global_macros.te#2 (text+ko) ====
@@ -1168,13 +1168,16 @@
define(`mach_bootstrap', `
allow $1 $2:mach_port { send copy_send make_send };
-allow $1 $3:mach_names look_up;
+allow $1 $2:mi_bootstrap { bootstrap_look_up bootstrap_look_up_array };
allow init_d $1:mach_port { send copy_send };
')
define(`mach_bootstrap_register', `
-allow $1 $2:mach_names register;
+allow $1 $2:mi_bootstrap *;
allow $1 $2:mach_port { send copy_send };
allow init_d $1:mach_port { send copy_send };
')
+define(`boot_names_t', `init_d')
+define(`user_names_t', `user_d')
+define(`user_secret_names_t', `user_secret_d')
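Review bot: `mach_bootstrap_register` now grants `$1 $2:mi_bootstrap *`, where the rule it replaces granted only `register`; every domain that calls the macro gains every permission in the class, and because the class is generated from `bootstrap.defs`, any routine added there later is granted automatically. Narrow it to `allow $1 $2:mi_bootstrap bootstrap_register;` and add further permissions by name where a caller needs them; the explicit `bootstrap_register`, `bootstrap_subset` and `bootstrap_create_server` rules kept in `rules` suggest that narrower grants were intended. In `mach_bootstrap` the look-up rule moved from `$3` to `$2`, so the third argument is now unused although callers still pass it; if the change of target is intended, say so in a comment above the macro.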
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/rules#2 (text+ko) ====
@@ -36,9 +36,9 @@
type user_port_t;
type time_port_t;
-type boot_names_t, names;
-type user_names_t, names;
-type user_secret_names_t, names;
+#type boot_names_t, names;
+#type user_names_t, names;
+#type user_secret_names_t, names;
type root_t, file;
type appl_t, file;
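Review bot: The three `names` types are commented out rather than removed, and nothing in this hunk says that they are now m4 aliases defined in `global_macros.te`. With those declarations gone, no type visible here carries the `names` attribute, yet a later rule in this file still reads `allow kernel_d names:mach_port send;`; unless types outside the hunks have the attribute, that rule no longer grants anything. Delete the dead lines, add a comment such as `# boot_names_t, user_names_t, user_secret_names_t are aliases for init_d, user_d, user_secret_d (see global_macros.te)`, and check whether the `kernel_d` rule should now name the domains directly.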
@@ -119,7 +119,7 @@
allow domain2 self:mach_port { send make_send copy_send move_recv };
allow domain2 kernel_d:mach_port { send make_send copy_send };
allow domain2 self:mach_task set_special_port;
-allow domain2 self:mach_names { look_up };
+allow domain2 self:mi_bootstrap { bootstrap_look_up };
allow domain2 root_t:dir { search getattr read };
allow kernel_d domain2:mach_port { send make_send copy_send };
@@ -165,16 +165,16 @@
allow_mach_ipc(loginwindow_d,windowserver_d);
allow_mach_ipc(loginwindow_d,unlabeled_t);
-allow init_d self:mach_names { register look_up };
+allow init_d self:mi_bootstrap { bootstrap_register bootstrap_look_up };
allow kernel_d names:mach_port send;
allow_mach_ipc(init_d,coreservices_d); #???
mach_bootstrap(init_d,boot_names_t,boot_names_t); #???
-type_change loginwindow_d loginwindow_d:mach_names user_names_t; #XXX
+mach_bootstrap_register(init_d,boot_names_t);
+#type_change loginwindow_d loginwindow_d:mach_names user_names_t; #XXX
allow init_d init_d:mach_port relabelfrom;
allow init_d boot_names_t:mach_port relabelto;
-allow init_d boot_names_t:mach_names { register create_server }; #???
allow init_d user_names_t:mach_port { copy_send relabelto };
allow_mach_ipc(systemstarter_d,unlabeled_t);
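Review bot: The `type_change` for `loginwindow_d` is commented out with no replacement for the new class, so the surviving `#XXX` no longer says what is outstanding. State it in a comment, for example `# TODO: no mi_bootstrap equivalent of the mach_names type_change yet`. Also, `mach_bootstrap_register(init_d,boot_names_t)` expands through the new alias to a rule on `init_d` itself with `*`, which makes the explicit `allow init_d self:mi_bootstrap { bootstrap_register bootstrap_look_up };` above it redundant.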
@@ -186,8 +186,8 @@
mach_bootstrap(systemstarter_d,boot_names_t,securityserver_d);
mach_bootstrap(systemstarter_d,boot_names_t,windowserver_d);
mach_bootstrap(systemstarter_d,boot_names_t,boot_names_t);
-allow systemstarter_d init_d:mach_names look_up;
-allow systemstarter_d boot_names_t:mach_names { register create_server };
+allow systemstarter_d init_d:mi_bootstrap { bootstrap_look_up bootstrap_look_up_array };
+allow systemstarter_d boot_names_t:mi_bootstrap { bootstrap_register bootstrap_create_server };
mach_bootstrap(coreservices_d,boot_names_t,boot_names_t);
mach_bootstrap(coreservices_d,boot_names_t,init_d);
@@ -203,7 +203,7 @@
allow_mach_ipc(windowserver_d,init_d); # for wsloginui
allow_mach_ipc(windowserver_d,coreservices_d); # for wsloginui
mach_bootstrap_register(windowserver_d,boot_names_t);
-allow windowserver_d init_d:mach_names register;
+allow windowserver_d init_d:mi_bootstrap bootstrap_register;
allow_mach_ipc(loginwindow_d,coreservices_d);
allow_mach_ipc(loginwindow_d,init_d);
@@ -214,7 +214,7 @@
mach_bootstrap(loginwindow_d,boot_names_t,windowserver_d);
mach_bootstrap(loginwindow_d,boot_names_t,securityserver_d);
mach_bootstrap_register(loginwindow_d,boot_names_t);
-allow loginwindow_d boot_names_t:mach_names makesubset;
+allow loginwindow_d boot_names_t:mi_bootstrap bootstrap_subset;
mach_bootstrap(securityserver_d,boot_names_t,init_d);
mach_bootstrap(securityserver_d,boot_names_t,boot_names_t);
@@ -229,7 +229,7 @@
allow_mach_ipc(lookupd_d,init_d); #DirectoryService?
allow_mach_ipc(lookupd_d,cron_d);
mach_bootstrap(lookupd_d,boot_names_t,boot_names_t);
-allow lookupd_d boot_names_t:mach_names create_server;
+allow lookupd_d boot_names_t:mi_bootstrap bootstrap_create_server;
mach_bootstrap(cron_d,boot_names_t,init_d);
allow_mach_ipc(cron_d,init_d);
@@ -259,7 +259,7 @@
#
define(`user_sys_access',`
-allow $1 { $1 init_d }:mach_names { register look_up };
+allow $1 { $1 init_d }:mi_bootstrap { bootstrap_register bootstrap_look_up bootstrap_look_up_array };
mach_bootstrap(init_d,$2,securityserver_d); #???
@@ -277,7 +277,7 @@
mach_bootstrap(loginwindow_d,$2,systemstarter_d); #???
mach_bootstrap(loginwindow_d,$2,$1); #???
mach_bootstrap_register(loginwindow_d,$2);
-allow loginwindow_d $2:mach_names create_server;
+allow loginwindow_d $2:mi_bootstrap bootstrap_create_server;
mach_bootstrap(securityserver_d,$2,$2);
mach_bootstrap(securityserver_d,$2,$1);