PERFORCE change 95810 for review
Todd Miller
millert at FreeBSD.org
Fri Apr 21 18:30:52 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=95810
Change 95810 by millert at millert_g5tower on 2006/04/21 18:30:32
Remove a horrible policy hack and have mach_init use
mac_execve() instead.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/system_cmds/mach_init.tproj/bootstrap.c#9 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/Makefile#9 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/macros/global_macros.te#6 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/rules#9 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/system_cmds/mach_init.tproj/bootstrap.c#9 (text+ko) ====
@@ -49,6 +49,7 @@
#import <sys/time.h>
#import <sys/resource.h>
#import <sys/wait.h>
+#import <sys/mac.h>
#import <pthread.h>
#import <string.h>
#import <ctype.h>
@@ -825,8 +826,9 @@
static void
exec_server(server_t *serverp)
{
- char **argv;
+ char **argv, *cp, textlabel[512];
sigset_t mask;
+ mac_t label;
/*
* Setup environment for server, someday this should be Mach stuff
@@ -881,12 +883,19 @@
sigemptyset(&mask);
(void) sigprocmask(SIG_SETMASK, &mask, (sigset_t *)NULL);
+ if (mach_get_task_label_text(mach_task_self(), "sebsd", textlabel) == 0
+ && (cp = rindex(textlabel, ':')) != NULL) {
+ *(cp + 1) = '\0';
+ strlcat(textlabel, "mach_servers_d");
+ if (mac_from_text(&label, textlabel) == 0)
+ mac_set_proc(label);
+ }
execv(argv[0], argv);
unix_fatal("Disabled server %x bootstrap %x: \"%s\": exec()",
serverp->port,
serverp->bootstrap->bootstrap_port,
serverp->cmd);
-}
+}
static char **
argvize(const char *string)
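Review bot: The `strlcat(textlabel, "mach_servers_d")` call is missing its third argument; strlcat(3) takes the destination size, so this should be `strlcat(textlabel, "mach_servers_d", sizeof(textlabel))` with the return value checked for truncation, because a truncated context would be handed straight to mac_from_text(). The new label step also fails open: if reading the task label, parsing the text or mac_set_proc() fails, none of which is checked, the server is still exec'd under the mach_init_d label, and the rules change in this same commit moves the server-domain transitions away from mach_init_d. Unless running a server as mach_init_d is acceptable, those failures should go through unix_fatal() like the exec failure below (rewrite below; strrchr() replaces the legacy rindex(), and the format is assumed printf-style as in the existing call). The change description says mac_execve(), but the code uses mac_set_proc() followed by execv(). exec_server() begins outside this hunk.
```c
	(void) sigprocmask(SIG_SETMASK, &mask, (sigset_t *)NULL);

	/* Relabel ourselves mach_servers_d; refuse to run the server otherwise. */
	if (mach_get_task_label_text(mach_task_self(), "sebsd", textlabel) != 0 ||
	    (cp = strrchr(textlabel, ':')) == NULL)
		unix_fatal("Disabled server %x: cannot read sebsd label", serverp->port);
	*(cp + 1) = '\0';
	if (strlcat(textlabel, "mach_servers_d", sizeof(textlabel)) >= sizeof(textlabel) ||
	    mac_from_text(&label, textlabel) != 0 ||
	    mac_set_proc(label) != 0)
		unix_fatal("Disabled server %x: cannot set label \"%s\"", serverp->port, textlabel);
	execv(argv[0], argv);
	/* … unchanged: unix_fatal() on exec failure … */
```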
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/Makefile#9 (text+ko) ====
@@ -37,7 +37,7 @@
install:
$(INSTALL) -o ${BINOWN} -g ${BINGRP} -m 644 ${POLICY} ${DESTDIR}
$(INSTALL) -o ${BINOWN} -g ${BINGRP} -m 644 sebsd_migscs ${DESTDIR}
- $(INSTALL) -o ${BINOWN} -g ${BINGRP} -m 644 failsafe_context ${DESTDIR}/private/etc/sedarwin
+ $(INSTALL) -o ${BINOWN} -g ${BINGRP} -m 644 failsafe_context ${DESTDIR}/private/etc/sedarwin/contexts
$(INSTALL) -o ${BINOWN} -g ${BINGRP} -m 700 ${SCRIPTS} ${DESTDIR}/private/etc/sedarwin
(cd $(CURDIR)/.. && tar -X policy/excludes -cf - policy) | (cd $(DESTDIR)/private/etc/sedarwin/ && tar -xf -)
(cd $(FLASK)/.. && tar -cf - flask) | (cd $(DESTDIR)/private/etc/sedarwin/policy && tar -xf -)
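Review bot: Nothing in this target creates `${DESTDIR}/private/etc/sedarwin/contexts`, the new destination of failsafe_context, and a plain file install(1) does not create intermediate directories. If the directory is not created elsewhere in the build, add `$(INSTALL) -d -o ${BINOWN} -g ${BINGRP} -m 755 ${DESTDIR}/private/etc/sedarwin/contexts` before the failsafe_context line so the install does not fail on a fresh DESTDIR.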
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/macros/global_macros.te#6 (text+ko) ====
@@ -310,63 +310,6 @@
#################################
#
-# domain_exec_trans(parent_domain, child_domain)
-#
-# Permissions for transitioning to a new domain.
-#
-
-define(`domain_exec_trans',`
-
-#
-# Allow the process to transition to the new domain.
-#
-allow $1 $2:process transition;
-
-#
-# Do not audit when glibc secure mode is enabled upon the transition.
-#
-dontaudit $1 $2:process noatsecure;
-
-#
-# Allow the process to execute the program.
-#
-allow $1 *:file { read x_file_perms };
-
-#
-# Allow the process to reap the new domain.
-#
-allow $2 $1:process sigchld;
-
-#
-# Allow the new domain to inherit and use file
-# descriptions from the creating process and vice versa.
-#
-allow $2 $1:fd use;
-allow $1 $2:fd use;
-
-#
-# Allow the new domain to write back to the old domain via a pipe.
-#
-allow $2 $1:fifo_file rw_file_perms;
-
-#
-# Allow the new domain to read and execute the program.
-#
-allow $2 *:file rx_file_perms;
-
-#
-# Allow the new domain to be entered via the program.
-#
-allow $2 *:file entrypoint;
-
-#
-# Make the transition
-#
-type_transition $1 *:process $2;
-')
-
-#################################
-#
# domain_auto_trans(parent_domain, program_type, child_domain)
#
# Define a default domain transition and allow it.
==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/rules#9 (text+ko) ====
@@ -131,15 +131,14 @@
#allow init_d { bin_t shell_exec_t file_t }:dir_file_class_set rw_file_perms;
#allow init_d bin_t:file execute_no_trans;
-# Things executed by mach_init transition to mach_servers_d
-# XXX - awful hack
-domain_exec_trans(mach_init_d,mach_servers_d);
-
# Transition from init_d -> mach_init_d when mach_init starts
# and then back to init_d when BSD init is exec'd
domain_auto_trans(init_d,mach_init_exec_t,mach_init_d);
domain_auto_trans(mach_init_d,init_exec_t,init_d);
+# mach_init_d does its own transition to mach_servers_d
+allow mach_init_d mach_servers_d:process transition;
+
# User transitions for login and sshd
domain_auto_trans(init_d,login_exec_t,login_d);
domain_auto_trans(user_d,login_exec_t,login_d);
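Review bot: The replacement `allow mach_init_d mach_servers_d:process transition;` drops the `process sigchld`, `fd use` (both directions) and `fifo_file rw_file_perms` permissions that the removed domain_exec_trans() macro granted between the two domains, yet mach_init still forks and reaps these servers, so at least `allow mach_servers_d mach_init_d:process sigchld;` and `allow mach_servers_d mach_init_d:fd use;` (plus the reverse fd use) need restating here. The transition now happens through mac_set_proc() before exec rather than at exec time; if sebsd, like SELinux, gates a non-exec relabel on a separate permission (setcurrent/dyntransition), `transition` alone will not allow it — worth confirming against the sebsd process-label hook. The comment could also say how the transition is made: `# mach_init_d relabels itself mach_servers_d via mac_set_proc() in exec_server()`.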
@@ -194,11 +193,17 @@
allow user_d security_t:security *;
# Transitions for mach servers started by mach_init
-domain_auto_trans(mach_init_d,windowserver_exec_t,windowserver_d);
-domain_auto_trans(mach_init_d,lookupd_exec_t,lookupd_d);
-domain_auto_trans(mach_init_d,notifyd_exec_t,notifyd_d);
-domain_auto_trans(mach_init_d,diskarbitrationd_exec_t,diskarbitrationd_d);
-domain_auto_trans(mach_init_d,configd_exec_t,configd_d);
+allow mach_servers_d file_t:file entrypoint;
+domain_auto_trans(mach_servers_d,windowserver_exec_t,windowserver_d);
+allow mach_servers_d windowserver_exec_t:file entrypoint;
+domain_auto_trans(mach_servers_d,lookupd_exec_t,lookupd_d);
+allow mach_servers_d lookupd_exec_t:file entrypoint;
+domain_auto_trans(mach_servers_d,notifyd_exec_t,notifyd_d);
+allow mach_servers_d notifyd_exec_t:file entrypoint;
+domain_auto_trans(mach_servers_d,diskarbitrationd_exec_t,diskarbitrationd_d);
+allow mach_servers_d diskarbitrationd_exec_t:file entrypoint;
+domain_auto_trans(mach_servers_d,configd_exec_t,configd_d);
+allow mach_servers_d configd_exec_t:file entrypoint;
# Transitions for things started by BSD init
domain_auto_trans(init_d,systemstarter_exec_t,systemstarter_d);
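Review bot: `allow mach_servers_d file_t:file entrypoint;` makes every file of the generic file_t type a valid entry point for mach_servers_d, which is broad for a domain that every mach_init-started server passes through, and it deserves a comment explaining why, e.g. `# servers without a dedicated *_exec_t type run as mach_servers_d; narrow once they are labeled`. The five `allow mach_servers_d <server>_exec_t:file entrypoint;` lines look redundant: entrypoint is normally checked against the domain being entered, and domain_auto_trans() already grants it to the child domain, so unless sebsd also checks entrypoint on the calling domain they can go. If they are needed because of a sebsd-specific check, a one-line comment saying so would stop the next reader from removing them.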