PERFORCE change 111497 for review
Todd Miller
millert at FreeBSD.org
Mon Dec 11 14:18:11 PST 2006
http://perforce.freebsd.org/chv.cgi?CH=111497
Change 111497 by millert at millert_macbook on 2006/12/11 21:54:33
Update policy.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules.conf#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#8 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.fc#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mds.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mds.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mds.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.if#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/authlogin.fc#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.te#5 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules.conf#6 (text+ko) ====
@@ -1631,6 +1631,7 @@
KernelEventAgent = module
kextd = module
lookupd = module
+mds = module
ATconfig = module
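Review bot: The mds module is enabled here, but the three mds.* files the change header lists as added (mds.fc, mds.if, mds.te) have no diff section on this page, so the policy this line activates cannot be reviewed from the change as shown. Confirm the mds.te/.fc/.if content is actually part of the submitted change before `mds = module` goes in, since enabling a module whose sources are missing will break the build rather than fail quietly.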
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#5 (text+ko) ====
@@ -3,6 +3,8 @@
# MLS sensitivity: s0
# MCS categories: <none>
+/private/var/log/windowserver.log -- gen_context(system_u:object_r:WindowServer_var_log_t,s0)
+
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/WindowServer -- gen_context(system_u:object_r:WindowServer_exec_t,s0)
/System/Library/Displays.* gen_context(system_u:object_r:WindowServer_resource_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#8 (text+ko) ====
@@ -11,6 +11,9 @@
domain_type(WindowServer_t)
init_domain(WindowServer_t, WindowServer_exec_t)
+type WindowServer_var_log_t;
+logging_log_file(WindowServer_var_log_t)
+
########################################
#
# WindowServer local policy
@@ -26,6 +29,12 @@
allow WindowServer_t self:fifo_file { read write };
allow WindowServer_t self:unix_stream_socket create_stream_socket_perms;
+# log files
+allow WindowServer_t WindowServer_var_log_t:file create_file_perms;
+allow WindowServer_t WindowServer_var_log_t:sock_file create_file_perms;
+allow WindowServer_t WindowServer_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(WindowServer_t,WindowServer_var_log_t,{ sock_file file dir })
+
# Allow WindowServer to re-exec itself
allow WindowServer_t WindowServer_exec_t:file execute_no_trans;
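Review bot: The new log rules grant more object classes than the accompanying file-context change labels: WindowServer.fc in this change labels only the regular file /private/var/log/windowserver.log as WindowServer_var_log_t, yet the rules allow sock_file creation, dir rw_dir_perms plus setattr, and a type transition for sock_file and dir as well as file. If WindowServer only writes its log file, narrowing to `allow WindowServer_t WindowServer_var_log_t:file create_file_perms;` and `logging_log_filetrans(WindowServer_t,WindowServer_var_log_t,file)` keeps the type's footprint matching what is labeled. If it does create sockets or subdirectories under /var/log, a comment saying which would justify the wider transition.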
@@ -124,3 +133,5 @@
userdom_search_all_users_home_content(WindowServer_t)
userdom_read_all_users_home_content_files(WindowServer_t)
+# Read files in /tmp
+files_read_generic_tmp_files(WindowServer_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#9 (text+ko) ====
@@ -157,8 +157,15 @@
# Read CoreServices libs, etc
darwin_allow_CoreServices_read(configd_t)
-# Read /private/var
+# Read/write /private/var
+files_rw_var_files(configd_t)
+# Add files_read_var_files() since it allows reading of symlinks where
+# files_rw_var_files does not.
files_read_var_files(configd_t)
+files_search_var(configd_t)
+# Not sure why it wants to search this dir, it should know what it wants
+allow configd_t var_log_t:dir search;
+
# Read /private
darwin_allow_private_read(configd_t)
@@ -169,3 +176,28 @@
# I'm certain there's a "proper" way to do this...
allow configd_t port_t:tcp_socket name_connect;
+# Read securityd temp files
+securityd_tmp_rw(configd_t)
+
+# Read darwin_security_t files
+darwin_allow_security_read(configd_t)
+
+# Read/write/manage keychain files
+darwin_allow_keychain_rw(configd_t)
+darwin_allow_keychain_manage(configd_t)
+
+# Read files in /tmp
+files_getattr_tmp_dirs(configd_t)
+files_search_tmp(configd_t)
+files_read_generic_tmp_files(configd_t)
+files_manage_generic_tmp_files(configd_t)
+
+# Read keychain files
+darwin_allow_keychain_search(configd_t)
+darwin_allow_keychain_read(configd_t)
+
+# Read user home dirs
+userdom_search_all_users_home_content(configd_t)
+userdom_read_all_users_home_content_files(configd_t)
+userdom_manage_all_users_home_content_files(configd_t)
+
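Review bot: `userdom_manage_all_users_home_content_files(configd_t)` at the end of the hunk gives a system daemon create/write/unlink over every user's home-directory files, which goes well beyond the `# Read user home dirs` comment above it and beyond the read-only home access the other daemons in this change receive; the comment should state what configd actually writes there, or the grant should be narrowed to the specific type it needs. The same comment/rule mismatch appears at `# Read files in /tmp` followed by files_manage_generic_tmp_files, and `# Read keychain files` repeats darwin_allow_keychain_read after darwin_allow_keychain_rw and darwin_allow_keychain_manage were granted a few lines up, which is presumably redundant if the rw interface includes read. In the first hunk the raw `allow configd_t var_log_t:dir search;` reaches into the logging module's type directly; refpolicy's `logging_search_logs(configd_t)` expresses the same access without the cross-module type reference, and the comment admitting the reason is unknown suggests the need should be confirmed against the actual denial before the rule is kept.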
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.fc#2 (text+ko) ====
@@ -3,4 +3,4 @@
# MLS sensitivity: s0
# MCS categories: <none>
-/System/Library/CoreServices/coreservicesd -- gen_context(system_u:object_r:coreservicesd_exec_t,s0)
+/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/Support/coreservicesd -- gen_context(system_u:object_r:coreservicesd_exec_t,s0)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreservicesd.te#2 (text+ko) ====
@@ -24,3 +24,59 @@
## internal communication is often done using fifo and unix sockets.
allow coreservicesd_t self:fifo_file { read write };
allow coreservicesd_t self:unix_stream_socket create_stream_socket_perms;
+
+# Talk to self
+mach_allow_message(coreservicesd_t, coreservicesd_t)
+allow coreservicesd_t self:mach_task set_special_port;
+allow coreservicesd_t self:process signal;
+allow coreservicesd_t self:shm { create read setattr write };
+allow coreservicesd_t self:udp_socket create;
+
+# Talk to launchd
+init_allow_ipc(coreservicesd_t)
+
+# Talk to kernel
+kernel_allow_ipc(coreservicesd_t)
+
+# Talk to WindowServer
+WindowServer_allow_ipc(coreservicesd_t)
+
+# Talk to configd
+configd_allow_ipc(coreservicesd_t)
+
+# Use CoreServices
+darwin_allow_CoreServices_read(coreservicesd_t)
+darwin_allow_CoreServices_execute(coreservicesd_t)
+
+# Use caches
+darwin_allow_cache_read(coreservicesd_t)
+
+# Read prefs
+darwin_allow_global_pref_read(coreservicesd_t)
+darwin_allow_host_pref_read(coreservicesd_t)
+
+# Read /private
+darwin_allow_private_read(coreservicesd_t)
+
+# Talk to diskarbitrationd
+diskarbitrationd_allow_ipc(coreservicesd_t)
+
+# Use frameworks
+frameworks_read(coreservicesd_t)
+
+# Talk to loginwindow
+loginwindow_allow_ipc(coreservicesd_t)
+# An interface should be defined for this.
+allow coreservicesd_t loginwindow_t:process taskforpid;
+
+# Read user home dirs
+userdom_search_all_users_home_content(coreservicesd_t)
+userdom_read_all_users_home_content_files(coreservicesd_t)
+
+# Read var files
+files_read_var_files(coreservicesd_t)
+files_read_var_symlinks(coreservicesd_t)
+
+
+
+
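Review bot: `allow coreservicesd_t loginwindow_t:process taskforpid;` grants coreservicesd task_for_pid on the loginwindow domain, which on Darwin hands over that process's task port and with it the ability to read and modify its memory, so it is effectively a domain-crossing privilege rather than an ordinary IPC permission and deserves a comment stating which coreservicesd function needs it. The comment above it already notes an interface should exist; defining one in loginwindow.if (name to be chosen, e.g. loginwindow_taskforpid) that gen_requires loginwindow_t would document the dependency and keep the raw type reference out of this module. The four blank `+` lines at the end of the hunk are trailing whitespace that should be dropped.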
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/kextd.te#5 (text+ko) ====
@@ -27,6 +27,7 @@
# Misc
allow kextd_t self:fd use;
+allow kextd_t fs_t:filesystem getattr;
allow kextd_t self:mach_port { copy_send make_send_once send };
allow kextd_t random_device_t:chr_file read;
allow kextd_t nfs_t:filesystem getattr;
@@ -76,6 +77,8 @@
# Use tmp files
files_tmp_file(kextd_t)
+files_manage_generic_tmp_files(kextd_t)
+files_manage_generic_tmp_files(kextd_t)
# Read /private/var
files_read_var_files(kextd_t)
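Review bot: `files_manage_generic_tmp_files(kextd_t)` is added twice in this hunk as two consecutive identical lines; one should be dropped. In the first hunk, `allow kextd_t fs_t:filesystem getattr;` references the fs module's type directly; refpolicy's `fs_getattr_xattr_fs(kextd_t)` interface covers fs_t getattr without the raw type reference and is the form the rest of the interface-based policy here uses.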
@@ -87,6 +90,8 @@
# Read the kernel
kernel_read_kernel(kextd_t)
-
# Use CoreServices
darwin_allow_CoreServices_read(kextd_t)
+
+# Read modules
+modutils_read_module_deps(kextd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#6 (text+ko) ====
@@ -82,7 +82,7 @@
darwin_allow_CoreServices_execute(loginwindow_t)
# Read prefs
-darwin_allow_global_pref_read(loginwindow_t)
+darwin_allow_global_pref_rw(loginwindow_t)
darwin_allow_host_pref_read(loginwindow_t)
# Read /private
@@ -117,6 +117,7 @@
# Read/Write utmp
init_rw_utmp(loginwindow_t)
+init_manage_utmp(loginwindow_t)
# Use login plugins
darwin_allow_loginplugin_read(loginwindow_t)
@@ -131,3 +132,16 @@
# Read services files
darwin_allow_services_read(loginwindow_t)
+# Access tmp files
+files_read_generic_tmp_files(loginwindow_t)
+files_manage_generic_tmp_files(loginwindow_t)
+
+# /var file operations
+files_rw_var_files(loginwindow_t)
+files_read_var_symlinks(loginwindow_t)
+files_search_var(loginwindow_t)
+files_read_var_symlinks(loginwindow_t)
+
+# Write to WTMP
+auth_write_login_records(loginwindow_t)
+
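Review bot: `files_read_var_symlinks(loginwindow_t)` appears twice in this hunk, before and after files_search_var; drop the second. In the second hunk, `init_manage_utmp(loginwindow_t)` is added directly after the existing `init_rw_utmp(loginwindow_t)`; if the manage interface is a superset of rw, as the manage/rw pairs elsewhere in refpolicy are, the rw call is now redundant and should be removed rather than left to suggest two distinct grants. The trailing blank `+` line closing the hunk should also go.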
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.if#4 (text+ko) ====
@@ -53,3 +53,34 @@
allow $1 securityd_tmp_t:dir search_dir_perms;
')
+########################################
+## <summary>
+## Allow read/write of securityd tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`securityd_tmp_rw',`
+
+ allow $1 securityd_tmp_t:file rw_file_perms;
+ allow $1 securityd_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow managing of securityd tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`securityd_tmp_manage',`
+
+ allow $1 securityd_tmp_t:file manage_file_perms;
+ allow $1 securityd_tmp_t:dir manage_dir_perms;
+')
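Review bot: Both new interfaces reference securityd_tmp_t without a gen_require block, unlike the darwin_allow_keychain_search interface added to darwin.if in this same change; securityd_tmp_rw is called from configd.te here, and when an interface is expanded in another module the type it uses must be pulled in via gen_require or the module will fail to link (a monolithic build would hide this). The fix for both interfaces is shown below. The summary "Allow read/write of securityd tmp files" is accurate for the file rule but the directory access is search only, which is worth stating in the summary so callers do not expect directory writes.
```selinux
interface(`securityd_tmp_rw',`
	gen_require(`
		type securityd_tmp_t;
	')

	allow $1 securityd_tmp_t:file rw_file_perms;
	allow $1 securityd_tmp_t:dir search_dir_perms;
')

# … unchanged: securityd_tmp_manage, with the same gen_require block inserted before its allow rules …
```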
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/securityd.te#5 (text+ko) ====
@@ -96,9 +96,17 @@
# Read/Write temp files, etc
files_read_generic_tmp_files(securityd_t)
-securityd_tmp_read(securityd_t)
+files_read_generic_tmp_symlinks(securityd_t)
+files_manage_generic_tmp_files(securityd_t)
+# Aind since there's not interface to write tmp files...
+allow securityd_t tmp_t:file { create unlink write };
+
+securityd_tmp_rw(securityd_t)
+securityd_tmp_manage(securityd_t)
# Read user home dirs
userdom_search_all_users_home_content(securityd_t)
userdom_read_all_users_home_content_files(securityd_t)
+# Allow reading of security_t files
+darwin_allow_security_read(securityd_t)
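Review bot: The raw `allow securityd_t tmp_t:file { create unlink write };` is redundant with the `files_manage_generic_tmp_files(securityd_t)` line two lines above it, since that interface already grants manage_file_perms (which includes create, write and unlink) on tmp_t files; the comment claiming there is no interface for writing tmp files is out of date, and the raw rule, together with its `Aind` typo, can be removed. Likewise `securityd_tmp_rw(securityd_t)` followed by `securityd_tmp_manage(securityd_t)` grants rw then manage on the same type; per the securityd.if hunk in this change, manage_file_perms and manage_dir_perms subsume rw_file_perms and search_dir_perms, so only the manage call is needed.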
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/authlogin.fc#4 (text+ko) ====
@@ -12,7 +12,6 @@
/private/var/log/asl.log -- gen_context(system_u:object_r:var_log_t,s0)
/private/var/log/netinfo.log -- gen_context(system_u:object_r:var_log_t,s0)
/private/var/log/install.log -- gen_context(system_u:object_r:var_log_t,s0)
-/private/var/log/windowserver.log -- gen_context(system_u:object_r:var_log_t,s0)
/private/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
/private/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#4 (text+ko) ====
@@ -255,6 +255,7 @@
allow $1 darwin_loginplugin_t:file read_file_perms;
allow $1 darwin_loginplugin_t:dir r_dir_perms;
+ allow $1 darwin_loginplugin_t:lnk_file r_file_perms;
')
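Review bot: `allow $1 darwin_loginplugin_t:lnk_file r_file_perms;` uses the legacy r_file_perms set on a symlink while the two lines above use the read_file_perms and r_dir_perms forms; refpolicy defines `read_lnk_file_perms` for symlinks, and `allow $1 darwin_loginplugin_t:lnk_file read_lnk_file_perms;` would be the consistent form, provided this policy's obj_perm_sets includes it. The enclosing interface starts outside the hunk.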
@@ -500,7 +501,7 @@
')
allow $1 darwin_security_t:file read_file_perms;
- allow $1 darwin_security_t:file r_dir_perms;
+ allow $1 darwin_security_t:dir r_dir_perms;
')
########################################
@@ -556,7 +557,25 @@
')
allow $1 darwin_keychain_t:file read_file_perms;
- allow $1 darwin_keychain_t:file r_dir_perms;
+ allow $1 darwin_keychain_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow searching of keychain files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_keychain_search',`
+ gen_require(`
+ type darwin_keychain_t;
+ ')
+
+ allow $1 darwin_keychain_t:dir search_dir_perms;
')
########################################
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#7 (text+ko) ====
@@ -672,3 +672,8 @@
darwin_allow_private_manage(init_t)
darwin_allow_private_rw(init_t)
+# Allow keychain access
+darwin_allow_keychain_read(init_t)
+
+# Allow access to security files
+darwin_allow_security_read(init_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/logging.te#5 (text+ko) ====
@@ -134,6 +134,13 @@
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
+# Talk to launchd
+init_allow_ipc(syslogd_t)
+init_allow_bootstrap(syslogd_t)
+
+# Talk to kernel
+kernel_allow_ipc(syslogd_t)
+
# Talk to self
allow syslogd_t self:socket read;