#################################################
# MLS policy constraints
#
# Every mlsconstrain below is an additional check on top of the allow rules:
# an access using one of the listed permissions on one of the listed classes
# is denied when the expression is false, even if type enforcement permits it.
# In the expressions t1/t2 are the source/target types, l1/l2 the source/
# target low (current) levels, h1/h2 the high (clearance) levels; "dom" is
# dominance and "eq" equality.  "t1 == mlstrustedsubject" and
# "t2 == mlstrustedobject" match any type carrying that attribute, so each
# trusted exemption below is exactly as wide as that attribute's membership;
# widening the attribute widens every exemption in this file at once.
#

#
# Process constraints
#

# Process transition:  Require equivalence unless the subject is trusted.
# Both the low and the high level must match, i.e. the whole range, so a
# transition cannot be used to widen or narrow a process's clearance.
mlsconstrain process { transition dyntransition }
	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Process read operations: No read up unless trusted.
# "dom" permits l1 above l2 (read down) as well as equal levels.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
	     (l1 dom l2 or t1 == mlstrustedsubject);

# Process write operations:  Require equivalence unless trusted.
# ptrace and share appear in both this set and the read set above; every
# constraint on a permission must hold, so for those two the stricter
# "l1 eq l2" is what effectively applies.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
	     (l1 eq l2 or t1 == mlstrustedsubject);

#
# Socket constraints
#

# Create/relabel operations:  Subject must be equivalent to object unless
# the subject is trusted.  Sockets inherit the range of their creator.
mlsconstrain socket_class_set { create relabelfrom relabelto }
	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Datagram send: Sender must be equivalent to the receiver unless one of them
# is trusted.  Unlike the process rules above, a trusted receiver side (t2)
# also lifts the constraint, here and for connectto below.
mlsconstrain unix_dgram_socket { sendto }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

# Stream connect:  Client must be equivalent to server unless one of them
# is trusted.
mlsconstrain unix_stream_socket { connectto }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

#
# Directory/file constraints
#

# Create/relabel operations:  Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level.
# Do NOT exempt mlstrustedobject types from this constraint.
# "l2 eq h2" is AND-ed with the rest, so the single-level requirement holds
# even for mlstrustedsubject; only the subject/object equivalence is waived.
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

#
# Constraints for app data files only.
#

# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
# The leading "t2 != app_data_file" makes each rule vacuously true for every
# other target type, so these two statements only ever bite on app data.
# Because read/write are absent from the permission sets, the MLS check is
# made at open time and is not repeated on an already-open descriptor.
# Note that read and execute of app_data_file are not MLS-constrained at all:
# the "other file types" rules below short-circuit on t2 == app_data_file,
# so for those permissions MLS adds nothing beyond the allow rules.
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
	     (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
	     (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);

#
# Constraints for file types other than app data files.
#

# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
# The leading "t2 == app_data_file" term makes these rules vacuous for app
# data files, which the section above handles, so a target is governed by
# one section or the other.  The class sets differ, though: chr_file and
# blk_file are only listed here, so a chr_file/blk_file carrying the
# app_data_file type (if any exists) would be constrained by neither section.
mlsconstrain dir { read getattr search }
	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
# Together with the create/relabel rule above this is the "no write down"
# half of the model: a higher-level subject may read (dom) but not modify
# (eq) a lower-level file unless one side is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
	     (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
	     (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a domain type, so that processes can communicate via unnamed pipes
# passed by binder or local socket IPC.
# "t2 == domain" is a broader waiver than mlstrustedobject: it lifts the MLS
# check for a pipe labeled with any process type, not only trusted ones,
# leaving such pipes to the allow rules alone.
mlsconstrain fifo_file { read getattr }
	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);

mlsconstrain fifo_file { write setattr append unlink link rename }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);

#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
# Left disabled on purpose: binder calls between differently categorised
# apps are therefore not MLS-constrained by this file.
#mlsconstrain binder call
#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

    101