PERFORCE change 107355 for review

Todd Miller millert at FreeBSD.org
Fri Oct 6 06:21:19 PDT 2006


http://perforce.freebsd.org/chv.cgi?CH=107355

Change 107355 by millert at millert_g5tower on 2006/10/06 13:20:12

	Load the migscs file into Info.plist on install and modify
	update_plist.pl to take an install directory option.
	
	Add interface for allowing bootstrap lookups and an example
	for coreaudiod.  Note that for now this simply allows
	unconstrained Mach messaging.  We should trim this down to
	just the operations required for performing lookups.
	
	Add WindowServer and loginwindow modules.
	
	Add basic Mach policy interface.
	
	Allow diskarbitrationd and configd to converse via Mach IPC.
	
	Add default context for loginwindow_t.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Rules.monolithic#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-strict-mcs/default_contexts#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-strict-mls/default_contexts#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-strict/default_contexts#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-targeted-mcs/default_contexts#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-targeted-mls/default_contexts#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-targeted/default_contexts#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules.conf#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/WindowServer.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.if#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreaudiod.te#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/loginwindow.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.if#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/mach.fc#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/mach.if#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/mach.te#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/update_plist#3 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Rules.monolithic#3 (text+ko) ====

@@ -55,7 +55,7 @@
 
 ifeq ($(SEDARWIN_BUILD),1)
 install: install-src $(loadpath) $(fcpath) $(ncpath) $(appfiles)
-	./update_plist --policy=$(loadpath) --policy-dir=/etc/sedarwin/$(strip $(NAME))/policy ../sedarwin/mac_sedarwin.kext/Contents/Info.plist && make -C ../sedarwin mac_sedarwin.kext.tar install
+	./update_plist --policy=$(loadpath) --migscs=sebsd_migscs --install-dir=/etc/sedarwin/$(strip $(NAME))/policy ../sedarwin/mac_sedarwin.kext/Contents/Info.plist && make -C ../sedarwin mac_sedarwin.kext.tar install
 else
 install: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
 	./update_plist --policy=$(loadpath) /System/Library/Extensions/mac_sedarwin.kext/Contents/Info.plist

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-strict-mcs/default_contexts#2 (text+ko) ====

@@ -10,3 +10,4 @@
 sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
 staff_r:staff_sudo_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
 user_r:user_sudo_t:s0	sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:loginwindow_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-strict-mls/default_contexts#2 (text+ko) ====

@@ -10,3 +10,4 @@
 sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
 staff_r:staff_sudo_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
 user_r:user_sudo_t:s0	sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:loginwindow_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-strict/default_contexts#2 (text+ko) ====

@@ -10,3 +10,4 @@
 sysadm_r:sysadm_sudo_t	sysadm_r:sysadm_t
 staff_r:staff_sudo_t	sysadm_r:sysadm_t staff_r:staff_t
 user_r:user_sudo_t	sysadm_r:sysadm_t user_r:user_t
+system_r:loginwindow_t	staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-targeted-mcs/default_contexts#2 (text+ko) ====

@@ -7,3 +7,4 @@
 system_r:sysadm_su_t:s0		system_r:unconfined_t:s0
 system_r:unconfined_t:s0	system_r:unconfined_t:s0
 system_r:xdm_t:s0		system_r:unconfined_t:s0
+system_r:loginwindow_t:s0	system_r:unconfined_t:s0

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-targeted-mls/default_contexts#2 (text+ko) ====

@@ -7,3 +7,4 @@
 system_r:sysadm_su_t:s0		system_r:unconfined_t:s0
 system_r:unconfined_t:s0	system_r:unconfined_t:s0
 system_r:xdm_t:s0		system_r:unconfined_t:s0
+system_r:loginwindow_t:s0	system_r:unconfined_t:s0

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/config/appconfig-targeted/default_contexts#2 (text+ko) ====

@@ -7,3 +7,4 @@
 system_r:sysadm_su_t		system_r:unconfined_t
 system_r:unconfined_t		system_r:unconfined_t
 system_r:xdm_t			system_r:unconfined_t
+system_r:loginwindow_t		system_r:unconfined_t

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules.conf#3 (text+ko) ====

@@ -1611,6 +1611,7 @@
 #
 # Darwin System Configuration Daemon
 #
+mach = module
 configd = module
 DirectoryService = module
 coreaudiod = module
@@ -1621,3 +1622,5 @@
 notifyd = module
 securityd = module
 update = module
+WindowServer = module
+loginwindow = module

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.if#2 (text+ko) ====

@@ -54,3 +54,22 @@
         allow $1 configd_t:fifo_file rw_file_perms;
         allow $1 configd_t:process sigchld;
 ')
+
+########################################
+## <summary>
+##     Allow Mach IP with configd
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Type to be used as a domain.
+##      </summary>
+## </param>
+#
+interface(`configd_mach_ipc',`
+	#gen_require(`
+		#class mach_port all_mach_port_perms;
+	#)'
+
+	# Allow bidirection comminication with configd
+	mach_allow_ipc(configd_t, $1)
+')
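Review bot: `configd_mach_ipc` references `configd_t` without an active `gen_require`: the block at the top of the interface is commented out, names a class rather than the type, and closes with `)'` where m4 quoting needs `')`. Refpolicy interfaces normally declare the types they use so that they still resolve when built as loadable modules; replace the three commented lines with ``gen_require(`type configd_t;')``. The same applies to `init_mach_ipc` in init.if, which uses `init_t` with no `gen_require` at all. The summary should also read "Mach IPC" rather than "Mach IP".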

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/configd.te#2 (text+ko) ====

@@ -20,6 +20,11 @@
 #
 # Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
 
+# Allow config d to talk to itself via mach ipc
+# Note: We just use mach_allow_message here since configd_t -> configd_t
+# is effectively bidirectional.
+mach_allow_message(configd_t, configd_t)
+
 # Some common macros (you might be able to remove some)
 files_read_etc_files(configd_t)
 libs_use_ld_so(configd_t)

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/coreaudiod.te#2 (text+ko) ====

@@ -9,6 +9,7 @@
 type coreaudiod_exec_t;
 domain_type(coreaudiod_t)
 init_domain(coreaudiod_t, coreaudiod_exec_t)
+init_mach_ipc(coreaudiod_t)
 
 ########################################
 #

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/darwin/diskarbitrationd.te#2 (text+ko) ====

@@ -34,3 +34,7 @@
 allow diskarbitrationd_t diskarbitrationd_var_run_t:sock_file manage_file_perms;
 allow diskarbitrationd_t diskarbitrationd_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(diskarbitrationd_t,diskarbitrationd_var_run_t, { file sock_file })
+
+# Allow Mach IPC with configd
+configd_mach_ipc(diskarbitrationd_t)
+

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/system/init.if#3 (text+ko) ====

@@ -1094,3 +1094,19 @@
 	files_search_pids($1)
 	allow $1 initrc_var_run_t:file create_file_perms;
 ')
+
+########################################
+## <summary>
+##     Allow Mach IPC with init
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Type to be used as a domain.
+##      </summary>
+## </param>
+#
+interface(`init_mach_ipc',`
+
+        # Allow bidirectional comminication with configd
+        mach_allow_ipc(init_t, $1)
+')
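Review bot: The comment inside `init_mach_ipc` says the rule is for configd, but the call is `mach_allow_ipc(init_t, $1)`; it looks copied from configd.if and should read `# Allow bidirectional communication with init`. The commit description says this currently grants unconstrained Mach messaging rather than only bootstrap lookups, and the interface documentation should say so as well, for example with a `# XXX: grants all Mach IPC with init_t, not only bootstrap lookups` comment above the call. Otherwise a module author reading only the summary would assume a lookup-only grant when calling it for a new domain.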

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/update_plist#3 (xtext) ====

@@ -13,17 +13,19 @@
 use File::Temp qw/ :mktemp /;
 use Getopt::Long;
 use PropertyList qw( :all );
+use File::Basename;
 
 my $plist_file;
 my $policy_file;
 my $migscs_file;
 my $enforcing_mode;
-my $policy_dir = "/etc/sedarwin/policy";
+my $install_dir;
+my $install_dir_default = "/etc/sedarwin/refpolicy/policy";
 
 $status = GetOptions("policy=s" => \$policy_file, "migscs=s" => \$migscs_file,
-    "enforce!" => \$enforcing_mode, "policy-dir=s" => \$policy_dir);
+    "enforce!" => \$enforcing_mode, "install-dir=s" => \$install_dir);
 &usage() unless $status && $#ARGV == 0;
-die "$0: policy dir must be fully-qualified\n" unless $policy_dir =~ /^\//;
+die "$0: install dir must be fully-qualified\n" unless $install_dir =~ /^\//;
 
 $plist_file = $ARGV[0];
 my $data = Mac::PropertyList::parse_plist_file($plist_file) ||
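Review bot: The new `die ... unless $install_dir =~ /^\//` check runs even when `--install-dir` is not given: `$install_dir` is declared without a value (the default moved to `$install_dir_default`), so the match is against undef and the script exits. The second `install` rule in Rules.monolithic still calls `./update_plist --policy=$(loadpath) ...` without `--install-dir`, so that build path would now fail. Guard the check instead: `die "$0: install dir must be fully-qualified\n" if defined($install_dir) && $install_dir !~ /^\//;`. The statement that begins on the last line of the hunk continues outside it.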
@@ -66,8 +68,14 @@
     close(FH);
     $module_data{'policy_data'} = Mac::PropertyList::data->new($policy_data);
     $policy_data = undef;
-    $policy_file = "$policy_dir/$policy_file" unless $policy_file =~ /^\//;
-    $module_data{'policy_path'} = Mac::PropertyList::string->new($policy_file);
+
+    my ($basename, $dirname) = fileparse($policy_file);
+    if (defined($install_dir) || !defined($dirname)) {
+	$dirname = $install_dir || $install_dir_default;
+    }
+    $dirname =~ s/\/*$//;
+    $module_data{'policy_path'} =
+	Mac::PropertyList::string->new("$dirname/$basename");
 }
 
 # Store migscs
@@ -84,8 +92,14 @@
     close(FH);
     $module_data{'migscs_data'} = Mac::PropertyList::data->new($migscs_data);
     $migscs_data = undef;
-    $migscs_file = "$policy_dir/$migscs_file" unless $migscs_file =~ /^\//;
-    $module_data{'migscs_path'} = Mac::PropertyList::string->new($migscs_file);
+
+    my ($basename, $dirname) = fileparse($migscs_file);
+    if (defined($install_dir) || !defined($dirname)) {
+	$dirname = $install_dir || $install_dir_default;
+    }
+    $dirname =~ s/\/*$//;
+    $module_data{'migscs_path'} =
+	Mac::PropertyList::string->new("$dirname/$basename");
 }
 
 # Convert %module_data into a plist dict and store in $data
@@ -113,5 +127,5 @@
 exit 0;
 
 sub usage() {
-	die "usage: $0 [--policy-dir=directory] [--policy=polify_file] [--migscs=migscs_file] [--enforce|--noenforce] plist_file\n";
+	die "usage: $0 [--install-dir=directory] [--policy=polify_file] [--migscs=migscs_file] [--enforce|--noenforce] plist_file\n";
 }

