PERFORCE change 110124 for review
Todd Miller
millert at FreeBSD.org
Thu Nov 16 19:21:39 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=110124
Change 110124 by millert at millert_macbook on 2006/11/16 19:17:24
Update policy
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/KernelEventAgent.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/frameworks.if#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mDNSResponder.te#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/memberd.te#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.fc#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.if#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.fc#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.te#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/libraries.fc#4 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/DirectoryService.te#6 (text+ko) ====
@@ -51,6 +51,7 @@
# support files
allow DirectoryService_t DirectoryService_resource_t:file { execute getattr read setattr write };
allow DirectoryService_t DirectoryService_resource_t:dir { getattr read search };
+allow DirectoryService_t DirectoryService_resource_t:lnk_file { getattr read };
# file descriptors and sockets
allow DirectoryService_t self:fd use;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/KernelEventAgent.te#4 (text+ko) ====
@@ -33,3 +33,10 @@
# Talk to launchd
init_allow_ipc(KernelEventAgent_t)
+init_allow_bootstrap(KernelEventAgent_t)
+
+# Talk to kernel
+kernel_allow_ipc(KernelEventAgent_t)
+
+# Talk to securityd
+securityd_allow_ipc(KernelEventAgent_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#3 (text+ko) ====
@@ -5,4 +5,4 @@
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/WindowServer -- gen_context(system_u:object_r:WindowServer_exec_t,s0)
-/System/Library/Displays/Overrides -- gen_context(system_u:object_r:WindowServer_resource_t)
+/System/Library/Displays/.* -- gen_context(system_u:object_r:WindowServer_resource_t)
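Review bot: The new `/System/Library/Displays/.*` entry still calls `gen_context` without the `,s0` range argument that the WindowServer entry just above it passes. If this tree's `gen_context` expands the second argument in an MLS build (its definition is not visible here), the resulting context would be malformed and files under Displays could end up unlabelled or mislabelled; `gen_context(system_u:object_r:WindowServer_resource_t,s0)` keeps the file consistent. Note also that `--` restricts the match to regular files, so subdirectories of Displays keep whatever label they already had.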
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#6 (text+ko) ====
@@ -114,3 +114,5 @@
# Read modules
allow WindowServer_t modules_dep_t:dir search;
+# Read general resource files
+darwin_allow_resource_read(WindowServer_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#7 (text+ko) ====
@@ -145,7 +145,7 @@
WindowServer_allow_shm(configd_t)
# Read prefs, etc
-darwin_allow_global_pref_read(configd_t)
+darwin_allow_global_pref_rw(configd_t)
darwin_allow_host_pref_read(configd_t)
darwin_allow_system_read(configd_t)
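Review bot: The comment `# Read prefs, etc` no longer describes the first rule under it, which now gives configd_t write access through `darwin_allow_global_pref_rw`. Because this is a privilege increase, the comment should say so, for example `# Read/write global prefs; read host prefs and /System`. Per the darwin.if hunk in this change, the new interface also grants `rw_dir_perms` and `link_file_perms` on `darwin_global_pref_t`, so it is worth recording here why configd needs more than read.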
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#6 (text+ko) ====
@@ -35,12 +35,20 @@
allow diskarbitrationd_t diskarbitrationd_var_run_t:dir rw_dir_perms;
files_pid_filetrans(diskarbitrationd_t,diskarbitrationd_var_run_t, { file sock_file })
+# Apparently diskarbitrationd transitions to fsadm_t at some point...
+init_allow_ipc(fsadm_t)
+kernel_allow_ipc(fsadm_t)
+mach_allow_message(fsadm_t, fsadm_t)
+allow fsadm_t device_t:chr_file { getattr ioctl read write };
+
# Misc
allow diskarbitrationd_t self:process signal;
allow diskarbitrationd_t self:socket { connect write };
allow diskarbitrationd_t self:udp_socket create;
allow diskarbitrationd_t self:unix_dgram_socket create;
+allow diskarbitrationd_t sbin_t:dir search;
+
# Allow various file operations
allow diskarbitrationd_t nfs_t:dir getattr;
allow diskarbitrationd_t nfs_t:filesystem mount;
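Review bot: The four rules added under the "Apparently diskarbitrationd transitions to fsadm_t" comment grant permissions to `fsadm_t`, not to diskarbitrationd, and `allow fsadm_t device_t:chr_file { getattr ioctl read write };` opens every character device still carrying the generic `device_t` label to anything running in that domain. The wording of the comment suggests the transition is not yet understood; rules for `fsadm_t` belong in the module that declares that type (presumably fstools), scoped to the specific device type the filesystem tools need rather than `device_t`. If they stay here for now, a comment such as `# XXX temporary: narrow device_t once the raw disk nodes are labelled` would flag them for later tightening. Whether `fsadm_t` and `device_t` are already required in this module is not visible in the hunk.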
@@ -96,6 +104,13 @@
# Allow access to frameworks
frameworks_read(diskarbitrationd_t)
-
# Read /private/var
files_read_var_files(diskarbitrationd_t)
+
+# Allow reading of /private
+darwin_allow_private_read(diskarbitrationd_t)
+
+# Read fstools files
+fstools_read_files(diskarbitrationd_t)
+
+
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/frameworks.if#2 (text+ko) ====
@@ -16,7 +16,7 @@
allow $1 framework_t:file read_file_perms;
allow $1 framework_t:dir r_dir_perms;
allow $1 framework_t:dir search_dir_perms;
- allow configd_t framework_t:lnk_file { getattr read };
+ allow $1 framework_t:lnk_file { getattr read };
')
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#4 (text+ko) ====
@@ -74,3 +74,19 @@
# Talk to configd
configd_allow_ipc(loginwindow_t)
configd_allow_shm(loginwindow_t)
+
+# Use CoreServices
+darwin_allow_CoreServices_read(loginwindow_t)
+
+# Read prefs
+darwin_allow_global_pref_read(loginwindow_t)
+darwin_allow_host_pref_read(loginwindow_t)
+
+# Read /private
+darwin_allow_private_read(loginwindow_t)
+
+# Read /System
+darwin_allow_system_read(loginwindow_t)
+
+# Use frameworks
+frameworks_read(loginwindow_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/lookupd.te#3 (text+ko) ====
@@ -88,4 +88,15 @@
# Talk to loginwindow
loginwindow_allow_ipc(lookupd_t)
+# Use CoreServices
+darwin_allow_CoreServices_read(lookupd_t)
+
+# Read /private
+darwin_allow_private_read(lookupd_t)
+
+# Read /System
+darwin_allow_system_read(lookupd_t)
+
+# Use frameworks
+frameworks_read(lookupd_t)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/mDNSResponder.te#3 (text+ko) ====
@@ -44,6 +44,8 @@
allow mDNSResponder_t self:fd use;
allow mDNSResponder_t self:socket { accept bind create read write };
allow mDNSResponder_t self:udp_socket create;
+allow mDNSResponder_t self:tcp_socket create;
+allow mDNSResponder_t self:unix_dgram_socket create;
# Misc
allow mDNSResponder_t mnt_t:dir search;
@@ -61,3 +63,17 @@
# Allow mDNSResponder to talk to configd
configd_allow_ipc(mDNSResponder_t)
+
+# Aloow mDNSResponder to talk to lookupd
+lookupd_allow_ipc(mDNSResponder_t)
+
+# Use CoreServices
+darwin_allow_CoreServices_read(mDNSResponder_t)
+
+# Read prefs
+darwin_allow_global_pref_read(mDNSResponder_t)
+darwin_allow_host_pref_read(mDNSResponder_t)
+
+# Read /private
+darwin_allow_private_read(mDNSResponder_t)
+
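Review bot: The added comment `# Aloow mDNSResponder to talk to lookupd` has a typo and should read `# Allow mDNSResponder to talk to lookupd`. The memberd.te hunk in this change has the same kind of slip in `# Talk tro self`, which should be `# Talk to self`.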
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/memberd.te#3 (text+ko) ====
@@ -38,7 +38,14 @@
# Talk to launchd
init_allow_ipc(memberd_t)
init_allow_shm(memberd_t)
+init_allow_bootstrap(memberd_t)
+# Talk tro self
+allow memberd_t self:mach_port make_send_once;
+
+# Talk to kernel
+kernel_allow_ipc(memberd_t)
+
# Talk to loginwindow
loginwindow_allow_ipc(memberd_t)
@@ -47,3 +54,5 @@
# Talk to WindowServer
WindowServer_allow_ipc(memberd_t)
+
+
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.fc#5 (text+ko) ====
@@ -13,6 +13,7 @@
#
# /etc
#
+/etc gen_context(system_u:object_r:etc_t,s0)
/private/etc -d gen_context(system_u:object_r:etc_t,s0)
/private/etc/.* gen_context(system_u:object_r:etc_t,s0)
/private/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
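Review bot: The new `/etc` entry has no file-type specifier, so it applies `etc_t` to whatever object sits at that path, while the neighbouring entries use `-d` and `-l`. If `/etc` is the usual Darwin symlink into `/private/etc`, `/etc -l gen_context(system_u:object_r:etc_t,s0)` states that intent and avoids labelling an unexpected object placed there. The `/var` entry added in the next hunk of this file is in the same position. Domains that resolve these links also need `lnk_file` read on the type, and in this change only `var_t` gets that (files.if).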
@@ -74,7 +75,8 @@
#
# /private/var
-#
+#h
+/var gen_context(system_u:object_r:var_t,s0)
/private/var -d gen_context(system_u:object_r:var_t,s0)
/private/var/.* gen_context(system_u:object_r:var_t,s0)
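Review bot: The section-banner line changed from `#` to `#h`, which looks like a stray keystroke. It is still a comment, so the file contexts are unaffected, but the banner should be restored to `#`.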
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/files.if#4 (text+ko) ====
@@ -3614,6 +3614,7 @@
allow $1 var_t:dir search_dir_perms;
allow $1 var_t:file r_file_perms;
+ allow $1 var_t:lnk_file { read };
')
########################################
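Review bot: The added rule grants only `read` on `var_t:lnk_file`, whereas the other symlink rules added in this change (DirectoryService.te, frameworks.if, darwin.if) grant `{ getattr read }`. Without `getattr`, a caller that stats the link before following it would presumably be denied; `allow $1 var_t:lnk_file { getattr read };` would match the rest of the change. The interface this line belongs to starts above the hunk, so its name and summary are not visible here.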
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.fc#2 (text+ko) ====
@@ -1,8 +1,12 @@
/Library/Preferences/.GlobalPreferences.plist -- gen_context(system_u:object_r:darwin_global_pref_t,s0)
+/Library/Preferences -d gen_context(system_u:object_r:darwin_global_pref_t,s0)
/private/var/db/.AppleSetupDone -- gen_context(system_u:object_r:darwin_global_pref_t,s0)
-/Library/Preferences/SystemConfiguration.* -- gen_context(system_u:object_r:darwin_global_pref_t,s0)
+/Library/Preferences/SystemConfiguration.* gen_context(system_u:object_r:darwin_global_pref_t,s0)
/private/var/root/Library/Preferences/ByHost.* gen_context(system_u:object_r:darwin_host_pref_t,s0)
/System/Library/CoreServices.* gen_context(system_u:object_r:darwin_CoreServices_t,s0)
/private -d gen_context(system_u:object_r:darwin_private_t,s0)
+/Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0)
+/System/Library/ColorSync.* gen_context(system_u:object_r:darwin_resource_t,s0)
+
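Review bot: Labelling the `/Library/Preferences` directory itself as `darwin_global_pref_t` and dropping `--` from the `SystemConfiguration.*` entry widens what `darwin_allow_global_pref_rw` covers, so configd_t gets directory write on the whole preferences directory rather than only on the SystemConfiguration files. If new files take the parent directory's type by default (the usual behaviour, not confirmed for this tree), unrelated preference files created there would also become `darwin_global_pref_t` and be readable by every domain using `darwin_allow_global_pref_read`. A separate type for the directory, or a comment explaining why the shared type is acceptable, would make the boundary explicit. The `ColorSync.*` patterns also match sibling names that share the prefix; `/Library/ColorSync(/.*)?` is tighter.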
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.if#2 (text+ko) ====
@@ -21,6 +21,27 @@
########################################
## <summary>
+## Allow reading/writing of global preference files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_global_pref_rw',`
+ gen_require(`
+ type darwin_global_pref_t;
+ ')
+
+ allow $1 darwin_global_pref_t:file rw_file_perms;
+ allow $1 darwin_global_pref_t:dir rw_dir_perms;
+ allow $1 darwin_global_pref_t:file link_file_perms;
+
+')
+
+########################################
+## <summary>
## Allow reading of host preference files
## </summary>
## <param name="domain">
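Review bot: The summary `Allow reading/writing of global preference files` understates what `darwin_allow_global_pref_rw` grants, since the body also gives `rw_dir_perms` on the directory class and `link_file_perms` on `file`. The summary should mention directory modification and the link permissions so that callers know what they are handing out. The third rule pairs `link_file_perms` with class `file`; if symlink access was the aim, as in the `lnk_file { getattr read }` rules elsewhere in this change, the class should be `lnk_file`, and a one-line comment stating the intent would settle it. The last lines of the hunk belong to the following interface, which continues outside it.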
@@ -57,6 +78,7 @@
allow $1 darwin_CoreServices_t:file read_file_perms;
allow $1 darwin_CoreServices_t:dir r_dir_perms;
+ allow $1 darwin_CoreServices_t:lnk_file { getattr read };
')
@@ -117,3 +139,22 @@
')
+########################################
+## <summary>
+## Allow reading of general resource files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+#
+interface(`darwin_allow_resource_read',`
+ gen_require(`
+ type darwin_resource_t;
+ ')
+
+ allow $1 darwin_resource_t:file read_file_perms;
+ allow $1 darwin_resource_t:dir r_dir_perms;
+
+')
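Review bot: `darwin_allow_resource_read` has no `lnk_file` rule, while this change adds `lnk_file { getattr read }` to the comparable frameworks and CoreServices read interfaces. The darwin.fc entries for `darwin_resource_t` carry no file-type specifier, so symlinks under the ColorSync paths receive this type and would not be readable through the interface. Consider adding `allow $1 darwin_resource_t:lnk_file { getattr read };` to keep the read interfaces uniform.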
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/darwin.te#2 (text+ko) ====
@@ -9,6 +9,7 @@
type darwin_host_pref_t;
type darwin_CoreServices_t;
type darwin_system_t;
+type darwin_resource_t;
type darwin_private_t;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.te#5 (text+ko) ====
@@ -642,6 +642,9 @@
# Talk to yourself for bootstrap namespace
init_allow_bootstrap(init_t)
+
+# Talk to self
+init_allow_ipc(init_t)
# Talk to the kernel
kernel_allow_ipc(init_t)
@@ -656,3 +659,10 @@
# Use Frameworks
frameworks_read(init_t)
+
+# Use CoreServices
+darwin_allow_CoreServices_read(init_t)
+
+darwin_allow_private_read(init_t)
+
+
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/libraries.fc#4 (text+ko) ====
@@ -8,6 +8,11 @@
#/System/Library/Frameworks gen_context(system_u:object_r:lib_t,s0)
#/System/Library/Frameworks/.* gen_context(system_u:object_r:lib_t,s0)
+#
+# /Library
+#
+/Library -d gen_context(system_u:object_r:lib_t,s0)
+
#
# /usr