Home | History | Annotate | Download | only in sepolicy
      1 #########################################
      2 # MLS declarations
      3 #
      4 
      5 # Generate the desired number of sensitivities and categories.
      6 gen_sens(mls_num_sens)
      7 gen_cats(mls_num_cats)
      8 
      9 # Generate level definitions for each sensitivity and category.
     10 gen_levels(mls_num_sens,mls_num_cats)
     11 
     12 
     13 #################################################
     14 # MLS policy constraints
     15 #
     16 
     17 #
     18 # Process constraints
     19 #
     20 
     21 # Process transition:  Require equivalence unless the subject is trusted.
     22 mlsconstrain process { transition dyntransition }
     23 	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
     24 
     25 # Process read operations: No read up unless trusted.
     26 mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
     27 	     (l1 dom l2 or t1 == mlstrustedsubject);
     28 
     29 # Process write operations:  No write down unless trusted.
     30 mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
     31 	     (l1 domby l2 or t1 == mlstrustedsubject);
     32 
     33 #
     34 # Socket constraints
     35 #
     36 
     37 # Create/relabel operations:  Subject must be equivalent to object unless
     38 # the subject is trusted.  Sockets inherit the range of their creator.
     39 mlsconstrain socket_class_set { create relabelfrom relabelto }
     40 	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
     41 
     42 # Datagram send: Sender must be dominated by receiver unless one of them is
     43 # trusted.
     44 mlsconstrain unix_dgram_socket { sendto }
     45 	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
     46 
     47 # Stream connect:  Client must be equivalent to server unless one of them
     48 # is trusted.
     49 mlsconstrain unix_stream_socket { connectto }
     50 	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
     51 
     52 #
     53 # Directory/file constraints
     54 #
     55 
     56 # Create/relabel operations:  Subject must be equivalent to object unless
     57 # the subject is trusted. Also, files should always be single-level.
     58 # Do NOT exempt mlstrustedobject types from this constraint.
     59 mlsconstrain dir_file_class_set { create relabelfrom relabelto }
     60 	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
     61 
     62 #
     63 # Constraints for app data files only.
     64 #
     65 
     66 # Only constrain open, not read/write.
     67 # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
     68 # Subject must be equivalent to object unless the subject is trusted.
     69 mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
     70 	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
     71 mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
     72 	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
     73 
     74 #
     75 # Constraints for file types other than app data files.
     76 #
     77 
     78 # Read operations: Subject must dominate object unless the subject
     79 # or the object is trusted.
     80 mlsconstrain dir { read getattr search }
     81 	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
     82 
     83 mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
     84 	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
     85 
     86 # Write operations: Subject must be dominated by the object unless the
     87 # subject or the object is trusted.
     88 mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
     89 	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
     90 
     91 mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
     92 	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
     93 
     94 # Special case for FIFOs.
     95 # These can be unnamed pipes, in which case they will be labeled with the
     96 # creating process' label. Thus we also have an exemption when the "object"
     97 # is a MLS trusted subject and can receive data at any level.
     98 mlsconstrain fifo_file { read getattr }
     99 	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
    100 
    101 mlsconstrain fifo_file { write setattr append unlink link rename }
    102 	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
    103 
    104 #
    105 # IPC constraints
    106 #
    107 
    108 # Create/destroy: equivalence or trusted.
    109 mlsconstrain ipc_class_set { create destroy }
    110 	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
    111 
    112 # Read ops: No read up unless trusted.
    113 mlsconstrain ipc_class_set r_ipc_perms
    114 	     (l1 dom l2 or t1 == mlstrustedsubject);
    115 
    116 # Write ops: No write down unless trusted.
    117 mlsconstrain ipc_class_set w_ipc_perms
    118 	     (l1 domby l2 or t1 == mlstrustedsubject);
    119 
    120 #
    121 # Binder IPC constraints
    122 #
    123 # Presently commented out, as apps are expected to call one another.
    124 # This would only make sense if apps were assigned categories
    125 # based on allowable communications rather than per-app categories.
    126 #mlsconstrain binder call
    127 #	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
    128