      1 #########################################
      2 # MLS declarations
      3 #
        # Multi-Level Security (MLS) part of the policy.  The sensitivity and
        # category space is generated first; the mlsconstrain rules that follow
        # make an access additionally conditional on the MLS labels of the
        # source (suffix 1) and target (suffix 2) of that access.
        #
        # Notation used in the constraint expressions (SELinux mlsconstrain):
        #   l1 / l2   low (current) level of source / target
        #   h1 / h2   high (clearance) level of source / target
        #   t1 / t2   type of source / target
        #   dom, domby, eq   level dominates / is dominated by / equals
        # A constraint never grants access by itself: the allow rules must permit
        # the access AND the expression must evaluate true.
        # mlstrustedsubject / mlstrustedobject are attributes; a type carrying one
        # is exempted from each constraint in which it appears as a disjunct.
        # The *_class_set, r_ipc_perms and w_ipc_perms identifiers below are m4
        # macros defined outside this file (not shown here).
      4 
      5 # Generate the desired number of sensitivities and categories.
        # mls_num_sens and mls_num_cats are m4 values defined outside this file
        # (not shown here).
      6 gen_sens(mls_num_sens)
      7 gen_cats(mls_num_cats)
      8 
      9 # Generate level definitions for each sensitivity and category.
     10 gen_levels(mls_num_sens,mls_num_cats)
     11 
     12 
     13 #################################################
     14 # MLS policy constraints
     15 #
     16 
     17 #
     18 # Process constraints
     19 #
     20 
     21 # Process transition:  Require equivalence unless the subject is trusted.
        # Both the low and the high level must match, so a transition can neither
        # raise nor lower the range of the new process.
     22 mlsconstrain process { transition dyntransition }
     23 	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
     24 
     25 # Process read operations: No read up unless trusted.
        # ptrace and share are listed both here and in the write set below, so
        # for an untrusted subject they effectively require l1 eq l2.
     26 mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
     27 	     (l1 dom l2 or t1 == mlstrustedsubject);
     28 
     29 # Process write operations:  No write down unless trusted.
     30 mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
     31 	     (l1 domby l2 or t1 == mlstrustedsubject);
     32 
     33 #
     34 # Socket constraints
     35 #
     36 
     37 # These permissions are between the process and its local socket,
     38 # not between a process/socket and its peer.
     39 # Equivalence is the normal situation; anything else requires trust.
        # t2 is the socket's own type.  A socket normally carries the label of
        # the process that created it (same situation as the FIFO note further
        # down), so t2 may itself be a trusted domain; that is why
        # t2 == mlstrustedsubject is accepted here in addition to t1.
     40 mlsconstrain socket_class_set { read write create getattr setattr relabelfrom relabelto bind connect listen accept getopt setopt shutdown }
     41 	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
     42 
     43 # Datagram send: Sender must be dominated by receiver unless one of them is
     44 # trusted.
        # No write down: data may only flow to an equal or higher level.
     45 mlsconstrain unix_dgram_socket { sendto }
     46 	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
     47 
     48 # Stream connect:  Client must be equivalent to server unless one of them
     49 # is trusted.
        # A stream socket carries data in both directions, hence equality rather
        # than dominance in either direction.
     50 mlsconstrain unix_stream_socket { connectto }
     51 	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
     52 
     53 #
     54 # Directory/file constraints
     55 #
     56 
     57 # Create/relabel operations:  Subject must be equivalent to object unless
     58 # the subject is trusted. Also, files should always be single-level.
     59 # Do NOT exempt mlstrustedobject types from this constraint.
        # l2 eq h2 is ANDed with the rest of the expression, so even a trusted
        # subject cannot create a file with, or relabel one to, a ranged context.
     60 mlsconstrain dir_file_class_set { create relabelfrom relabelto }
     61 	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
     62 
     63 #
     64 # Constraints for app data files only.
     65 #
     66 
     67 # Only constrain open, not read/write.
     68 # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
     69 # Subject must be equivalent to object unless the subject is trusted.
        # The leading t2 != app_data_file disjunct restricts these two rules to
        # app_data_file targets; the rules in the next section exempt
        # app_data_file in turn, so the two sections partition the file types.
        # Because read/write/getattr are deliberately absent from the permission
        # sets, MLS for app data is enforced at open time only: a descriptor that
        # is already open and handed to a process at another level is not
        # re-checked on read or write.
        # Only subject trust (t1) is an escape here; unlike the next section there
        # is no mlstrustedobject exemption.
        # chr_file and blk_file are not listed in the second rule, so an
        # app_data_file-typed device node would fall outside both this section
        # and the next; presumably no object is ever labeled that way -- confirm.
     70 mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
     71 	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
     72 mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
     73 	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
     74 
     75 #
     76 # Constraints for file types other than app data files.
     77 #
     78 
     79 # Read operations: Subject must dominate object unless the subject
     80 # or the object is trusted.
        # l1 dom l2: the subject may read at or below its own level (no read up).
     81 mlsconstrain dir { read getattr search }
     82 	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
     83 
     84 mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
     85 	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
     86 
     87 # Write operations: Subject must be dominated by the object unless the
     88 # subject or the object is trusted.
        # l1 domby l2: the subject may write at or above its own level (no write
        # down).
     89 mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
     90 	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
     91 
     92 mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
     93 	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
     94 
     95 # Special case for FIFOs.
     96 # These can be unnamed pipes, in which case they will be labeled with the
     97 # creating process' label. Thus we also have an exemption when the "object"
     98 # is a MLS trusted subject and can receive data at any level.
        # fifo_file is not part of the app_data_file split above; these two rules
        # apply regardless of the target type.
     99 mlsconstrain fifo_file { read getattr }
    100 	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
    101 
    102 mlsconstrain fifo_file { write setattr append unlink link rename }
    103 	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
    104 
    105 #
    106 # IPC constraints
    107 #
        # Unlike the file rules above there is no mlstrustedobject exemption for
        # IPC objects; only the subject can be trusted.
    108 
    109 # Create/destroy: equivalence or trusted.
        # As for files, l2 eq h2 keeps IPC objects single-level regardless of trust.
    110 mlsconstrain ipc_class_set { create destroy }
    111 	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
    112 
    113 # Read ops: No read up unless trusted.
    114 mlsconstrain ipc_class_set r_ipc_perms
    115 	     (l1 dom l2 or t1 == mlstrustedsubject);
    116 
    117 # Write ops: No write down unless trusted.
    118 mlsconstrain ipc_class_set w_ipc_perms
    119 	     (l1 domby l2 or t1 == mlstrustedsubject);
    120 
    121 #
    122 # Binder IPC constraints
    123 #
    124 # Presently commented out, as apps are expected to call one another.
    125 # This would only make sense if apps were assigned categories
    126 # based on allowable communications rather than per-app categories.
        # The rule below is a comment and is not compiled into the policy, so
        # this file places no MLS condition on binder calls.
    127 #mlsconstrain binder call
    128 #	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
    129