Container Statements
====================

block
-----

Start a new namespace where any CIL statement is valid.

**Statement definition:**

    (block block_id
        cil_statement
        ...
    )

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p>The <code>block</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>block_id</code></p></td>
<td align="left"><p>The namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`blockinherit`](cil_container_statements.md#blockinherit) statement for an example.

blockabstract
-------------

Declares the namespace as a 'template' that generates no policy until it is instantiated by another namespace with a [`blockinherit`](cil_container_statements.md#blockinherit) statement.

**Statement definition:**

    (block block_id
        (blockabstract template_id)
        cil_statement
        ...
    )

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p>The <code>block</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>block_id</code></p></td>
<td align="left"><p>The namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>blockabstract</code></p></td>
<td align="left"><p>The <code>blockabstract</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>template_id</code></p></td>
<td align="left"><p>The abstract namespace identifier. This must match the <code>block_id</code> entry.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements forming the abstract block.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`blockinherit`](cil_container_statements.md#blockinherit) statement for an example.

blockinherit
------------

Used to add common policy rules to the current namespace from a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first, and only then are the contents of the block copied, so that a `blockinherit` statement inside an inherited block is not itself inherited. For a concrete example, see the example section below.

**Statement definition:**

    (block block_id
        (blockinherit template_id)
        cil_statement
        ...
    )

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p>The <code>block</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>block_id</code></p></td>
<td align="left"><p>The namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>blockinherit</code></p></td>
<td align="left"><p>The <code>blockinherit</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>template_id</code></p></td>
<td align="left"><p>The inherited namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example contains a template `client_server` that is instantiated in two blocks (`netserver_app` and `netclient_app`):

    ; This is the template block:
    (block client_server
        (blockabstract client_server)

        ; Log file labeling
        (type log_file)
        (typeattributeset file_type (log_file))
        (typeattributeset data_file_type (log_file))
        (allow process log_file (dir (write search create setattr add_name)))
        (allow process log_file (file (create open append getattr setattr)))
        (roletype object_r log_file)
        (context log_file_context (u object_r log_file low_low))

        ; Process labeling
        (type process)
        (typeattributeset domain (process))
        (call app_domain (process))
        (call net_domain (process))
    )

    ; This is a policy block that will inherit the abstract block above:
    (block netclient_app
        ; Add common policy rules to namespace:
        (blockinherit client_server)
        ; Label the log files
        (filecon "/data/data/com.se4android.netclient/.*" file log_file_context)
    )

    ; This is another policy block that will inherit the abstract block above:
    (block netserver_app
        ; Add common policy rules to namespace:
        (blockinherit client_server)

        ; Label the log files
        (filecon "/data/data/com.se4android.netserver/.*" file log_file_context)
    )

    ; This is an example of how blockinherits resolve inherits before copying
    (block a
        (type one))

    (block b
        ; Notice that block a is declared here as well
        (block a
            (type two)))

    ; This will first copy the contents of block b, which results in type b.a.two being copied.
    ; Next, the contents of block a will be copied which will result in type a.one.
    (block ab
        (blockinherit b)
        (blockinherit a))

optional
--------

Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before it is instantiated in the binary policy. [`tunableif`](cil_conditional_statements.md#tunableif) and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in optional containers. The restrictions that apply to kernel policy statements in optionals also apply to CIL policy statements within [`optional`](cil_container_statements.md#optional) blocks, i.e. only the policy statements shown in the following table are valid:

| | | | |
| ------------------- | -------------- | ------------------ | ------------------ |
| [`allow`](cil_access_vector_rules.md#allow) | [`allowx`](cil_access_vector_rules.md#allowx) | [`auditallow`](cil_access_vector_rules.md#auditallow) | [`auditallowx`](cil_access_vector_rules.md#auditallowx) |
| [`booleanif`](cil_conditional_statements.md#booleanif) | [`dontaudit`](cil_access_vector_rules.md#dontaudit) | [`dontauditx`](cil_access_vector_rules.md#dontauditx) | [`typepermissive`](cil_type_statements.md#typepermissive) |
| [`rangetransition`](cil_mls_labeling_statements.md#rangetransition) | [`role`](cil_role_statements.md#role) | [`roleallow`](cil_role_statements.md#roleallow) | [`roleattribute`](cil_role_statements.md#roleattribute) |
| [`roletransition`](cil_role_statements.md#roletransition) | [`type`](cil_type_statements.md#type) | [`typealias`](cil_type_statements.md#typealias) | [`typeattribute`](cil_type_statements.md#typeattribute) |
| [`typechange`](cil_type_statements.md#typechange) | [`typemember`](cil_type_statements.md#typemember) | [`typetransition`](cil_type_statements.md#typetransition) | |

**Statement definition:**

    (optional optional_id
        cil_statement
        ...
    )

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>optional</code></p></td>
<td align="left"><p>The <code>optional</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>optional_id</code></p></td>
<td align="left"><p>The <code>optional</code> namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will instantiate the optional block `ext_gateway.move_file` into the policy, provided that all of the CIL statements inside the optional can be resolved:

    (block ext_gateway
        ......
        (optional move_file
            (typetransition process msg_filter.move_file.in_queue file msg_filter.move_file.in_file)
            (allow process msg_filter.move_file.in_queue (dir (read getattr write search add_name)))
            (allow process msg_filter.move_file.in_file (file (write create getattr)))
            (allow msg_filter.move_file.in_file unconfined.object (filesystem (associate)))
            (typetransition msg_filter.int_gateway.process msg_filter.move_file.out_queue file
                msg_filter.move_file.out_file)
            (allow msg_filter.int_gateway.process msg_filter.move_file.out_queue (dir (read write search)))
            (allow msg_filter.int_gateway.process msg_filter.move_file.out_file (file (read getattr unlink)))
        ) ; End optional block

        .....
    ) ; End block

in
--

Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements.

**Statement definition:**

    (in container_id
        cil_statement
        ...
    )

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>in</code></p></td>
<td align="left"><p>The <code>in</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>container_id</code></p></td>
<td align="left"><p>A valid <code>block</code>, <code>optional</code> or <code>macro</code> namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>

**Example:**

This will add rules to the container named `system_server`:

    (in system_server
        (dontaudit process secmark_demo.dns_packet (packet (send recv)))
        (allow process secmark_demo.dns_packet (packet (send recv)))
    )
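The following added example (written for this page; it is not taken from the CIL reference or from the secilc project) shows how the `blockabstract`, `blockinherit`, `in` and `optional` statements described above interact in one policy fragment: an abstract template, two blocks that instantiate it, an `in` statement that injects an audit rule into the template so that every instantiation receives it, and an `optional` block whose rules are dropped as a unit if a type they reference is never declared. All identifiers (`app_template`, `browser_app`, `mail_app`, `net_demo.dns_packet` and the file paths) are made up. Like the page's own example, it assumes that the user `u`, the role `object_r`, the level range `low_low`, the attributes `domain` and `file_type` and the object classes used are declared elsewhere in the policy. It also assumes that `in` statements are resolved before `blockinherit` copies the template, which is the default pass order of the secilc reference compiler.

```cil
; Added example: not part of the CIL reference page or of secilc.
; Assumes u, object_r, low_low, domain, file_type and the object classes
; used below are declared elsewhere in the policy.

; 1. Template: generates no policy by itself, only through blockinherit.
(block app_template
    (blockabstract app_template)

    ; Each instantiation gets its own copies of these types,
    ; e.g. browser_app.process and browser_app.data_file.
    (type process)
    (typeattributeset domain (process))
    (type data_file)
    (typeattributeset file_type (data_file))
    (roletype object_r data_file)
    (context data_file_context (u object_r data_file low_low))

    (allow process data_file (dir (read getattr search write add_name)))
    (allow process data_file (file (create open read write getattr)))
)

; 2. Inject a rule into the template. Assumed resolution order (secilc
;    default): in statements are applied before blockinherit copies the
;    template, so browser_app and mail_app both receive this auditallow and
;    every write by an app to its own data files is logged without editing
;    each concrete block.
(in app_template
    (auditallow process data_file (file (write)))
)

; 3. Two concrete apps built from the template.
(block browser_app
    (blockinherit app_template)
    (filecon "/data/app/browser/.*" file data_file_context)

    ; Rules wanted only when a networking module declares net_demo.dns_packet.
    ; If that type is absent from the final policy, the whole optional block
    ; is left out of the binary policy, including the allow rule (secilc
    ; reports this as a warning and disables the optional, it does not fail
    ; the build). A misspelled type name here therefore removes access
    ; silently; unexpected denials in this area should be checked against
    ; the compiler's optional warnings.
    (optional dns
        (allow process net_demo.dns_packet (packet (send recv)))
    )
)

(block mail_app
    (blockinherit app_template)
    (filecon "/data/app/mail/.*" file data_file_context)
)
```

After resolution the policy contains `browser_app.process`, `browser_app.data_file`, `mail_app.process` and `mail_app.data_file`, each with the template's allow rules and the injected `auditallow`; only `browser_app` carries the DNS rule, and only if `net_demo.dns_packet` exists.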