PERFORCE change 79091 for review
Andrew Reisse
areisse at FreeBSD.org
Tue Jun 28 19:00:08 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=79091
Change 79091 by areisse at areisse_ibook on 2005/06/28 18:59:55
Make the flask configuration used by the TE policy match that
used by the policy module.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/Makefile#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/access_vectors#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/initial_sids#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/mkaccess_vector.sh#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/mkflask.sh#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/security_classes#3 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/Makefile#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/access_vectors#3 (text+ko) ====
@@ -160,13 +160,20 @@
connectto
newconn
acceptfrom
+ node_bind
}
class udp_socket
inherits socket
+{
+ node_bind
+}
class rawip_socket
inherits socket
+{
+ node_bind
+}
class node
{
@@ -220,10 +227,11 @@
{
fork
transition
- sigchld
- sigkill
- sigstop
- signal
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
ptrace
getsched
setsched
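Review bot: Inserting `signull` ahead of `signal` in the class that holds fork/transition (its `class` line is above this hunk), and the removals in the `security`, `system` and capability hunks below, shift the bit position of every permission that follows, because mkaccess_vector.sh now assigns bits by ordinal (`permission = permission + 1` in that file's hunk). Any consumer built against the previous generated av_permissions.h — compiled policy, kernel or user-space checks — will test the wrong bit until it is regenerated, so the headers and the policy should be rebuilt together and the change description should state that the numbering is intentionally changed to match the policy module. The trailing `# ...` comments on the new permission lines depend on the awk permission rule reading only `$1`; the only comment rule visible in mkaccess_vector.sh (`/^[ \t]*#/`) skips whole-line comments, so confirm that trailing comments are tolerated by the parser on the build host.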
@@ -233,7 +241,13 @@
getcap
setcap
share
+ getattr
+ setexec
+ setfscreate
noatsecure
+ siginh
+ setrlimit
+ rlimitinh
}
@@ -257,6 +271,7 @@
{
send
receive
+ destroy
}
class shm
@@ -265,7 +280,6 @@
lock
}
-
#
# Define the access vector interpretation for the security server.
#
@@ -273,16 +287,14 @@
class security
{
compute_av
- notify_perm
- transition_sid
- member_sid
- sid_to_context
- context_to_sid
+ compute_create
+ compute_member
+ check_context
load_policy
- get_sids
- register_avc
- change_sid
- get_user_sids
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
}
@@ -292,15 +304,8 @@
class system
{
- net_io_control
- route_control
- arp_control
- rarp_control
ipc_info
- avc_toggle
- nfsd_control
- bdflush
- syslog_read
+ syslog_read
syslog_mod
syslog_console
}
@@ -322,23 +327,11 @@
fowner
fsetid
kill
- link_dir
setfcap
setgid
setuid
- mac_downgrade
- mac_read
- mac_relabel_subj
- mac_upgrade
- mac_write
- inf_nofloat_obj
- inf_nofloat_subj
- inf_relabel_obj
- inf_relabel_subj
audit_control
audit_write
- setpcap
- xxx_invalid1
linux_immutable
net_bind_service
net_broadcast
@@ -358,7 +351,6 @@
sys_time
sys_tty_config
mknod
- lease
}
class mach_port
@@ -377,4 +369,3 @@
terminate
set_special_port
}
-
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/initial_sids#2 (text+ko) ====
@@ -32,6 +32,8 @@
sid devpts
sid nfs
sid policy
+sid scmp_packet
+sid devnull
sid tmpfs
# FLASK
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/mkaccess_vector.sh#2 (text+ko) ====
@@ -36,22 +36,22 @@
printf("/* %s */\n\n", subproject) > cpermfile;
printf("/* %s */\n\n", subproject) > inheritfile;
- printf("struct av_inherit\n") > inheritfile;
+ printf("typedef struct\n") > inheritfile;
printf("{\n") > inheritfile;
- printf(" u16 tclass;\n") > inheritfile;
+ printf(" security_class_t tclass;\n") > inheritfile;
printf(" char **common_pts;\n") > inheritfile;
- printf(" u32 common_base;\n") > inheritfile;
- printf("};\n\n") > inheritfile;
- printf("static struct av_inherit av_inherit[] = {\n") > inheritfile;
+ printf(" access_vector_t common_base;\n") > inheritfile;
+ printf("} av_inherit_t;\n\n") > inheritfile;
+ printf("static av_inherit_t av_inherit[] = {\n") > inheritfile;
printf("/* %s */\n\n", subproject) > avpermfile;
- printf("struct av_perm_to_string\n") > avpermfile;
+ printf("typedef struct\n") > avpermfile;
printf("{\n") > avpermfile;
- printf(" u16 tclass;\n") > avpermfile;
- printf(" u32 value;\n") > avpermfile;
+ printf(" security_class_t tclass;\n") > avpermfile;
+ printf(" access_vector_t value;\n") > avpermfile;
printf(" char *name;\n") > avpermfile;
- printf("};\n\n") > avpermfile;
- printf("static struct av_perm_to_string av_perm_to_string[] = {\n") > avpermfile;
+ printf("} av_perm_to_string_t;\n\n") > avpermfile;
+ printf("static av_perm_to_string_t av_perm_to_string[] = {\n") > avpermfile;
}
/^[ \t]*#/ {
next;
@@ -129,12 +129,15 @@
spaces = 1;
for (i = 0; i < spaces; i++)
printf(" ") > outfile;
- printf("0x%08xUL\n", common_perms[combined]) > outfile;
+ pt = common_perms[combined];
+ printf("0x%08x%08xUL\n", pt>32 ? 2^(pt-33) : 0, pt<33 ? 2^(pt-1) : 0) > outfile;
+ #printf("0x%08xUL\n", common_perms[combined]) > outfile;
}
}
printf("\n") > outfile;
- printf(" { SECCLASS_%s, common_%s_perm_to_string, 0x%08xUL },\n", toupper(tclass), inherits, permission) > inheritfile;
+ printf(" { SECCLASS_%s, common_%s_perm_to_string, 0x%08x%08xUL },\n", toupper(tclass), inherits,
+ permission>32 ? 2^(permission-33) : 0, permission<33 ? 2^(permission-1) : 0) > inheritfile;
nextstate = "CLASS_OR_CLASS-OPENBRACKET";
next;
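Review bot: The constants emitted by the new printf lines here and in the next hunk (`0x%08x%08xUL` for the common permissions, the `{ SECCLASS_%s, ...` inherit entry and the per-permission line) are now 64-bit values but still carry a `UL` suffix; on an ILP32 target `unsigned long` is 32 bits, so a value such as `0x0000000100000000UL` keeps its width only through the C99 promotion to unsigned long long and is silently truncated to zero if `access_vector_t` (defined in flask_types.h, not on this page) is a 32-bit type — and a permission whose mask is zero can never be denied by a mask-based check. Emit `ULL` instead and add a compile-time check that `access_vector_t` is at least 64 bits wide wherever the generated header is consumed. The `2^(p-1)` path also produces 2^31 for permission 32, so verify that the awk on the build host formats that value as `80000000` under `%x` rather than clamping or sign-extending it. The two-halves expression is duplicated three times across these hunks; define it once in the awk program as `function avhi(p) { return p > 32 ? 2^(p-33) : 0 }` and `function avlo(p) { return p < 33 ? 2^(p-1) : 0 }`, and drop the commented-out `#printf("0x%08xUL\n", ...)` line rather than keeping it as dead code.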
@@ -209,8 +212,8 @@
for (i = 0; i < spaces; i++)
printf(" ") > outfile;
- printf("0x%08xUL\n", permission) > outfile;
- permission = permission * 2;
+ printf("0x%08x%08xUL\n", permission>32 ? 2^(permission-33) : 0, permission<33 ? 2^(permission-1) : 0) > outfile;
+ permission = permission + 1;
}
$1 == "}" {
if (nextstate != "CLASS-CLOSEBRACKET" &&
@@ -239,9 +242,11 @@
printf("\n/* %s */\n", subproject) > cpermfile;
printf("};\n\n") > inheritfile;
+ printf("#define AV_INHERIT_SIZE (sizeof(av_inherit)/sizeof(av_inherit_t))\n\n") > inheritfile;
printf("\n/* %s */\n", subproject) > inheritfile;
printf("};\n\n") > avpermfile;
+ printf("#define AV_PERM_TO_STRING_SIZE (sizeof(av_perm_to_string)/sizeof(av_perm_to_string_t))\n\n") > avpermfile;
printf("\n/* %s */\n", subproject) > avpermfile;
}'
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/mkflask.sh#2 (text+ko) ====
@@ -23,8 +23,10 @@
printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
- printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
- printf("#define _SELINUX_FLASK_H_\n") > outfile;
+ printf("#ifndef _LINUX_FLASK_H_\n") > outfile;
+ printf("#define _LINUX_FLASK_H_\n") > outfile;
+ printf("\n#include <sedarwin/flask_types.h>\n") > outfile;
+
printf("\n/*\n * Security object class definitions\n */\n") > outfile;
printf("/* This file is automatically generated. Do not edit. */\n") > debugfile;
printf("/*\n * Security object class definitions\n */\n") > debugfile;
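Review bot: The new include guard `_LINUX_FLASK_H_` uses an identifier reserved for the implementation (leading underscore followed by an uppercase letter) and names Linux in a sedarwin tree; presumably it is chosen to match the guard of the policy module's own flask.h. If any translation unit can include both that header and this generated one, the shared guard makes whichever is included second a silent no-op, so either keep the two headers byte-identical or rename this guard to something like `SEDARWIN_FLASK_H` and resolve the duplication explicitly. A one-line comment in the generated header stating which header is authoritative would make the intent visible to the next maintainer.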
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/flask/security_classes#3 (text+ko) ====
@@ -45,6 +45,5 @@
#classes only used by name
class mach_task
-class mach_names
# FLASK