#########################################
# MLS declarations
#
# Multi-Level Security (MLS) portion of the policy: the sensitivity,
# category and level declarations, followed by the mlsconstrain rules
# that decide which permissions may cross security levels.
#
# Notation used in the constraints below (checkpolicy constraint syntax):
#   l1 / h1           low / high level of the source (subject) context
#   l2 / h2           low / high level of the target (object) context
#   t1 / t2           type of the source / target context
#   eq, dom, domby    levels are equal / l1 dominates l2 / l1 is dominated by l2
#   mlstrustedsubject types allowed to act across levels as a subject
#   mlstrustedobject  types allowed to be accessed across levels as an object
#
# A constraint only limits a permission that the TE rules already allow;
# it never grants anything on its own.

# Generate the desired number of sensitivities and categories.
# gen_sens/gen_cats/gen_levels and the mls_num_* values are expanded
# by the policy build's m4 layer (defined outside this file).
gen_sens(mls_num_sens)
gen_cats(mls_num_cats)

# Generate level definitions for each sensitivity and category.
gen_levels(mls_num_sens,mls_num_cats)


#################################################
# MLS policy constraints
#

#
# Process constraints
#

# Process transition: Require equivalence unless the subject is trusted.
# Both the low and the high level must match, so a transition cannot
# widen or narrow the range of an untrusted process.
mlsconstrain process { transition dyntransition }
	((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Process read operations: No read up unless trusted.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
	(l1 dom l2 or t1 == mlstrustedsubject);

# Process write operations: No write down unless trusted.
# ptrace and share are listed in both the read and the write constraint,
# so for an untrusted subject they effectively require l1 eq l2.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
	(l1 domby l2 or t1 == mlstrustedsubject);

#
# Socket constraints
#

# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Sockets inherit the range of their creator.
mlsconstrain socket_class_set { create relabelfrom relabelto }
	((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Datagram send: Sender must be dominated by receiver unless one of them is
# trusted. Here a trusted peer on either side lifts the check.
mlsconstrain unix_dgram_socket { sendto }
	(l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

# Stream connect: Client must be equivalent to server unless one of them
# is trusted.
mlsconstrain unix_stream_socket { connectto }
	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

#
# Directory/file constraints
#

# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level
# (l2 eq h2 is required regardless of who the subject is).
# Do NOT exempt mlstrustedobject types from this constraint.
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
	(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

#
# Constraints for app data files only.
#

# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must be equivalent to object unless the subject is trusted.
# Because read/write/append on app_data_file are exempted by the
# "t2 == app_data_file" clause in the constraints further below, the
# level check for app data content happens at open time (and for the
# metadata operations listed here), not on each subsequent access.
# The "t2 != app_data_file" clause makes these rules a no-op for every
# other type.
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
	(t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
	(t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);

#
# Constraints for file types other than app data files.
#

# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
	(t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
	(t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Write operations: Subject must be dominated by the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
	(t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
	(t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a MLS trusted subject and can receive data at any level.
# Note: the constraint is on the whole fifo_file class, so this exemption
# also covers named FIFOs whose type carries mlstrustedsubject.
mlsconstrain fifo_file { read getattr }
	(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);

mlsconstrain fifo_file { write setattr append unlink link rename }
	(l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);

#
# IPC constraints
#

# Create/destroy: equivalence or trusted.
# As with files, the object is forced to be single-level (l2 eq h2).
mlsconstrain ipc_class_set { create destroy }
	(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

# Read ops: No read up unless trusted.
# r_ipc_perms / w_ipc_perms are permission-set macros defined outside this file.
mlsconstrain ipc_class_set r_ipc_perms
	(l1 dom l2 or t1 == mlstrustedsubject);

# Write ops: No write down unless trusted.
mlsconstrain ipc_class_set w_ipc_perms
	(l1 domby l2 or t1 == mlstrustedsubject);

#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
# Consequence: binder calls are not MLS-constrained at all; category
# separation between apps does not apply to this channel.
#mlsconstrain binder call
#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);