Home | History | Annotate | Download | only in sepolicy 
      1 #########################################
      2 # MLS declarations
      3 #
      4 
      5 # Generate the desired number of sensitivities and categories.
      6 gen_sens(mls_num_sens)
      7 gen_cats(mls_num_cats)
      8 
      9 # Generate level definitions for each sensitivity and category.
     10 gen_levels(mls_num_sens,mls_num_cats)
     11 
     12 
     13 #################################################
     14 # MLS policy constraints
     15 #
     16 
     17 #
     18 # Process constraints
     19 #
     20 
     21 # Process transition:  Require equivalence unless the subject is trusted.
     22 mlsconstrain process { transition dyntransition }
     23 	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
     24 
     25 # Process read operations: No read up unless trusted.
     26 mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
     27 	     (l1 dom l2 or t1 == mlstrustedsubject);
     28 
     29 # Process write operations:  No write down unless trusted.
     30 mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
     31 	     (l1 domby l2 or t1 == mlstrustedsubject);
     32 
     33 #
     34 # Socket constraints
     35 #
     36 
     37 # Create/relabel operations:  Subject must be equivalent to object unless
     38 # the subject is trusted.  Sockets inherit the range of their creator.
     39 mlsconstrain socket_class_set { create relabelfrom relabelto }
     40 	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
     41 
     42 # Datagram send: Sender must be dominated by receiver unless one of them is
     43 # trusted.
     44 mlsconstrain unix_dgram_socket { sendto }
     45 	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
     46 
     47 # Stream connect:  Client must be equivalent to server unless one of them
     48 # is trusted.
     49 mlsconstrain unix_stream_socket { connectto }
     50 	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
     51 
     52 #
     53 # Directory/file constraints
     54 #
     55 
     56 # Create/relabel operations:  Subject must be equivalent to object unless
     57 # the subject is trusted. Also, files should always be single-level.
     58 # Do NOT exempt mlstrustedobject types from this constraint.
     59 mlsconstrain dir_file_class_set { create relabelfrom relabelto }
     60 	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
     61 
     62 # Read operations: Subject must dominate object unless the subject
     63 # or the object is trusted.
     64 mlsconstrain dir { read getattr search }
     65 	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
     66 
     67 mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
     68 	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
     69 
     70 # Write operations: Subject must be dominated by the object unless the
     71 # subject or the object is trusted.
     72 mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
     73 	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
     74 
     75 mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
     76 	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
     77 
     78 # Special case for FIFOs.
     79 # These can be unnamed pipes, in which case they will be labeled with the
     80 # creating process' label. Thus we also have an exemption when the "object"
     81 # is a MLS trusted subject and can receive data at any level.
     82 mlsconstrain fifo_file { read getattr }
     83 	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
     84 
     85 mlsconstrain fifo_file { write setattr append unlink link rename }
     86 	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
     87 
     88 #
     89 # IPC constraints
     90 #
     91 
     92 # Create/destroy: equivalence or trusted.
     93 mlsconstrain ipc_class_set { create destroy }
     94 	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
     95 
     96 # Read ops: No read up unless trusted.
     97 mlsconstrain ipc_class_set r_ipc_perms
     98 	     (l1 dom l2 or t1 == mlstrustedsubject);
     99 
    100 # Write ops: No write down unless trusted.
    101 mlsconstrain ipc_class_set w_ipc_perms
    102 	     (l1 domby l2 or t1 == mlstrustedsubject);
    103 
    104 #
    105 # Binder IPC constraints
    106 #
    107 # Presently commented out, as apps are expected to call one another.
    108 # This would only make sense if apps were assigned categories
    109 # based on allowable communications rather than per-app categories.
    110 #mlsconstrain binder call
    111 #	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
    112