# FLASK

#
# Define the security object classes
#
# Class identifiers are assigned in the order the names appear here, so
# this list is part of the binary interface between the compiled policy
# and the kernel: append new classes rather than inserting them, and keep
# every class named here paired with an access vector definition below.
#

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc

# FLASK
# FLASK

#
# Define initial security identifiers
#
# Initial SIDs name the contexts the kernel needs before any labeled
# object exists. This test policy declares only "kernel"; its context is
# bound in the initial_sid_contexts section near the end of the file.
#

sid kernel


# FLASK
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# A common prefix is not a class of its own: its permissions are copied
# into the front of every class that names it in an "inherits" clause,
# so the order of the names is as significant as it is for classes.
# Common names and class names are separate namespaces - "common file"
# here and "class file" below are distinct things.


#
# Define a common prefix for file access vectors.
#
# relabelfrom/relabelto gate changing the label of an object, which is
# the operation that can move an object out from under the rules that
# currently protect it; treat grants of these two with extra care.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#
# The first ten names duplicate the start of "common file" by hand (a
# common cannot inherit from another common); if either list changes,
# keep the two in step so the shared permissions keep the same meaning.
#

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#
# NOTE(review): unix_read/unix_write presumably mirror the SysV DAC
# read/write checks on the IPC object - confirm against the hook code
# before documenting them as such.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# This is where the classes declared at the top of the file get their
# permission sets; a class may take a common prefix, its own list, or
# both. Permission bit positions follow declaration order.


#
# Define the access vector interpretation for file-related objects.
#

# filesystem does not use "common file": its permissions cover the
# mounted filesystem as a whole (mount/unmount, relabel, quota), not
# the files inside it.
class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

# Directory class: every "common file" permission plus the operations
# that apply only to directory entries (adding, removing, re-parenting
# and looking up names, and removing the directory itself).
class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

# Regular-file class. execute_no_trans lets a domain execute the file
# while staying in its own domain; entrypoint marks the file as a valid
# entry point into a new domain on a process transition.
class file
inherits file
{
	execute_no_trans
	entrypoint
}

# These classes add nothing beyond "common file"; they exist so that
# rules can treat symlinks, device nodes, sockets and pipes differently
# from regular files.
class lnk_file
inherits file

class chr_file
inherits file

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

# File-descriptor class: "use" is checked when a descriptor that one
# domain opened is used by another (for example across a transition).
class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

# Generic socket class; it carries exactly the "common socket" set.
class socket
inherits socket

# Connection-oriented socket: the three extra permissions are shared
# with unix_stream_socket below, which declares the same set.
class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

# Datagram and raw IP sockets take the "common socket" set unchanged.
class udp_socket
inherits socket

class rawip_socket
inherits socket

# node: a network address or range (labeled by nodecon, see the end of
# this file). Permissions are split by protocol and direction.
# NOTE(review): enforce_dest has no counterpart in netif below; its
# meaning is not evident from the policy alone - confirm.
class node 
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
}

# netif: a network interface (labeled by netifcon). Same per-protocol
# send/receive set as node, without enforce_dest.
class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
}

# Kernel-facing socket families; all three use the "common socket" set
# with no additions.
class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

# Unix stream sockets add the same connection permissions as tcp_socket.
class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

# Unix datagram sockets take the "common socket" set unchanged.
class unix_dgram_socket
inherits socket


#
# Define the access vector interpretation for process-related objects
#
# The source of a process rule is the acting domain and the target is
# the other process (or, for transition, the domain being entered).
#

class process
{
	fork
	transition # change the domain of the process itself on exec
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal  # all other signals
	ptrace # trace another process: exposes its memory and registers
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share # NOTE(review): presumably the shared-state (clone) check - confirm
}


#
# Define the access vector interpretation for ipc-related objects
#

# The generic ipc class and semaphores carry the "common ipc" set as-is.
class ipc
inherits ipc

class sem
inherits ipc

# Message queues add enqueue on top of "common ipc".
class msgq
inherits ipc
{
	enqueue
}

# The one IPC class that does not take "common ipc": an individual
# message only needs send and receive.
class msg
{
	send
	receive
}

# Shared memory adds lock on top of "common ipc".
class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#
# These are the operations a process may request of the security
# server itself. load_policy is the most sensitive of them: a domain
# that holds it can replace the running policy and is therefore
# effectively unconfined.
#

class security
{
	compute_av
	transition_sid
	member_sid
	sid_to_context
	context_to_sid
	load_policy # replace the loaded policy - grant only to the policy loader
	get_sids
	change_sid
	get_user_sids
}


#
# Define the access vector interpretation for system operations.
#
# The syslog_* trio gates reading, modifying and console-level control
# of the kernel log. NOTE(review): avc_toggle, bdflush and ichsid are
# legacy names whose meaning is not recoverable from the policy alone;
# confirm against the security server before relying on them.
#

class system
{
	ipc_info
	avc_toggle
	nfsd_control
	bdflush
	syslog_read
	syslog_mod
	syslog_console
	ichsid
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# Each name is checked by the bit position it occupies here, so a
	# capability inserted anywhere but at the end shifts the meaning of
	# every entry after it.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
}

# The MLS section is emitted only when enable_mls is defined on the m4
# command line. Comments inside the quoted block must not contain
# quote characters, or the m4 quoting breaks.
ifdef(`enable_mls',`
# A single sensitivity: every level is s0 and only categories vary.
sensitivity s0;

#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 }


#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;

# The only defined level: s0 with all 24 categories.
level s0:c0.c23;

# Write-like file permissions are granted only when the high level of
# the source dominates the high level of the target (h1 dom h2), i.e.
# a subject cannot write to a file above its own range. read is not
# constrained here.
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
	( h1 dom h2 );
')

####################################
####################################
#####################################
#
# From here on the file is a fixture for the module linker rather than
# a usable policy: the declarations below exercise how a base module
# shares types, attributes, roles and booleans with the modules linked
# against it. The hash bands mark the boundary with the FLASK
# definitions above.

#g_b stands for global base

# Declared in the base itself, so any optional block below whose
# require section lists only this type is always satisfiable.
type enable_optional;

#decorative type for finding this decl, every block should have one
type tag_g_b;

attribute g_b_attr_1;
attribute g_b_attr_2;
attribute g_b_attr_3;
attribute g_b_attr_4;
attribute g_b_attr_5;
attribute g_b_attr_6;

# "type T, A;" declares T and adds it to attribute A in one statement;
# g_b_type_3 belongs to no attribute and is only reached via aliases.
type g_b_type_1, g_b_attr_1;
type g_b_type_2, g_b_attr_2;
type g_b_type_3;

# Each role is declared first and then authorized for the types it may
# be paired with in a context.
role g_b_role_1;
role g_b_role_2;
role g_b_role_3;
role g_b_role_4;
role g_b_role_1 types g_b_type_1;
role g_b_role_2 types g_b_type_2;
role g_b_role_3 types g_b_type_2;
role g_b_role_4 types g_b_type_2;

bool g_b_bool_1 false;
bool g_b_bool_2 true;

# The next two rules exercise permission-set syntax, not recommended
# grants: "*" expands to every permission of the class and "~ptrace"
# to every permission except ptrace. Both forms silently pick up any
# permission added to the class later, so outside a test explicit
# lists are preferable.
allow g_b_type_1 g_b_type_2 : security { compute_av load_policy };
allow g_b_type_1 g_b_type_2 : file *; # test *
allow g_b_type_1 g_b_type_2 : process ~ptrace; #test ~

typealias g_b_type_3 alias g_b_alias_1;

# Conditional rule: in effect only while g_b_bool_1 is true. It is
# declared false above, so this grant is off until toggled at runtime.
if (g_b_bool_1) {
	allow g_b_type_1 g_b_type_2: lnk_file read;
}


# An optional block is linked in only if every symbol in its require
# section is declared somewhere in the final policy. enable_optional
# comes from the base above; g_m1_attr_2 is presumably supplied by
# module 1 (the g_m1 prefix), so this block tests base-side additions
# to a module-declared attribute.
optional {
	require {
		type enable_optional;
		attribute g_m1_attr_2;
	}
	type tag_o1_b;

	attribute o1_b_attr_1;
	type o1_b_type_1, o1_b_attr_1;
	bool o1_b_bool_1 true;
	role o1_b_role_1;
	role o1_b_role_1 types o1_b_type_1;
	role o1_b_role_2;
	role o1_b_role_2 types o1_b_type_1;

	attribute o1_b_attr_2;

	# base-declared type added to the attribute the module declares
	type o1_b_type_2, g_m1_attr_2;

	# declared true above, so this rule is in effect once the block links
	if (o1_b_bool_1) {
		allow o1_b_type_1 o1_b_type_2: lnk_file write;
	}
	
}

# Requires a type and an attribute that module 1 declares inside one of
# its own optional blocks (o3_m1 prefix), so this block comes on only
# if that module-side optional is itself enabled.
optional {
	require {
		# this should be activated by module 1
		type g_m1_type_1;
		attribute o3_m1_attr_2;
	}	
	type tag_o2_b;	

	type o2_b_type_1, o3_m1_attr_2;
}

# Negative case: invalid_type is declared nowhere, so the linker must
# leave this whole block disabled. A test over the linked output can
# assert that tag_o3_b, o3_b_role_1 and the allow rule below are
# absent; their presence would mean an unsatisfied require was
# silently accepted.
optional {
	require {
		#this block should not come on
		type invalid_type;
	}
	type tag_o3_b;


	attribute o3_b_attr_1;
	type o3_b_type_1;
	bool o3_b_bool_1 true;

	role o3_b_role_1;
	role o3_b_role_1 types o3_b_type_1;

	# never linked: the target type does not exist
	allow g_b_type_1 invalid_type : sem { create destroy };
}

# Mixes a base symbol (enable_optional) with three module-1 symbols, one
# of which (o3_m1_attr_1) is declared inside a module optional.
optional {
	require {
		# also should be enabled by module 1
		type enable_optional;
		type g_m1_type_1;
		attribute o3_m1_attr_1;
		attribute g_m1_attr_3;
	}
	
	type tag_o4_b;

	attribute o4_b_attr_1;

	# base role authorized for a module-declared type
	role o4_b_role_1;
	role o4_b_role_1 types g_m1_type_1;

	# test for attr declared in module optional, added to in base optional
	type o4_b_type_1, o3_m1_attr_1;

	type o4_b_type_2, g_m1_attr_3;
}

# Depends only on module-declared attributes, one global (g_m1_attr_4)
# and one from a module optional (o4_m1_attr_1).
optional {
	require {
		attribute g_m1_attr_4;
		attribute o4_m1_attr_1;
	}
	type tag_o5_b;

	type o5_b_type_1, g_m1_attr_4;
	type o5_b_type_2, o4_m1_attr_1;
}

# Always satisfiable (enable_optional is declared in the base); tests
# adding a second alias to a global type from inside an optional.
optional {
	require {
		type enable_optional;
	}
	type tag_o6_b;

	typealias g_b_type_3 alias g_b_alias_2;
}

# Requires a symbol that, by its name, is presumably a type alias
# declared in a module; tests that an alias satisfies a "type" require
# and can be used as the source of a rule.
optional {
	require {
		type g_m_alias_1;
	}
	type tag_o7_b;

	allow g_m_alias_1 enable_optional:file read;
}

# Presumably the refpolicy gen_user macro (not defined in this file):
# gen_user(name, aliases, roles, default level, range). The empty second
# argument is the alias slot.
# NOTE(review): in the second call the unquoted commas in the range
# split it into separate m4 arguments (c1, c3, c4, c5 arrive as extra
# arguments rather than as part of the range). If the intent is the
# range s0 - s0:c0,c1,c3,c4,c5 it needs m4 quoting - confirm against
# the macro definition.
gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
gen_user(g_b_user_2,, g_b_role_1, s0, s0 - s0:c0, c1, c3, c4, c5)

####################################
#line 1 "initial_sid_contexts"

# Binds the initial SID declared at the top of the file to a context.
# g_b_role_1 is authorized for g_b_type_1 above, so the context is
# valid under the role/type rules of this base.
sid kernel	gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)


############################################
#line 1 "fs_use"
#
# fs_use_xattr: files on these filesystems are labeled from their
# extended attributes; the context given is the label of the filesystem
# object itself. object_r is predefined by the policy compiler, which is
# why no "role object_r" appears in this file.
fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);


# genfscon: everything under proc gets this one context. Reusing
# g_b_type_1 (also the kernel domain above) for files is fine in a
# linker test but not a labeling pattern to copy.
genfscon proc /				gen_context(g_b_user_1:object_r:g_b_type_1, s0)


####################################
#line 1 "net_contexts"

# The commented-out examples below reference net_foo_t, which is not
# declared anywhere in this file - presumably why they are disabled.

#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0

#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0

#
#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0

# nodecon matches (addr & mask) == (node & mask); with a /64 mask the
# ::1 entry labels the whole ::/64 range that contains the IPv6
# loopback address, not just ::1.
nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(g_b_user_1:object_r:g_b_type_1, s0)



    600 
    601