1 ################################################# 2 # MLS policy constraints 3 # 4 5 # 6 # Process constraints 7 # 8 9 # Process transition: Require equivalence unless the subject is trusted. 10 mlsconstrain process { transition dyntransition } 11 ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); 12 13 # Process read operations: No read up unless trusted. 14 mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } 15 (l1 dom l2 or t1 == mlstrustedsubject); 16 17 # Process write operations: Require equivalence unless trusted. 18 mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share } 19 (l1 eq l2 or t1 == mlstrustedsubject); 20 21 # 22 # Socket constraints 23 # 24 25 # Create/relabel operations: Subject must be equivalent to object unless 26 # the subject is trusted. Sockets inherit the range of their creator. 27 mlsconstrain socket_class_set { create relabelfrom relabelto } 28 ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); 29 30 # Datagram send: Sender must be equivalent to the receiver unless one of them 31 # is trusted. 32 mlsconstrain unix_dgram_socket { sendto } 33 (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); 34 35 # Stream connect: Client must be equivalent to server unless one of them 36 # is trusted. 37 mlsconstrain unix_stream_socket { connectto } 38 (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); 39 40 # 41 # Directory/file constraints 42 # 43 44 # Create/relabel operations: Subject must be equivalent to object unless 45 # the subject is trusted. Also, files should always be single-level. 46 # Do NOT exempt mlstrustedobject types from this constraint. 47 mlsconstrain dir_file_class_set { create relabelfrom relabelto } 48 (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); 49 50 # 51 # Constraints for app data files only. 52 # 53 54 # Only constrain open, not read/write. 55 # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc. 56 # Subject must dominate object unless the subject is trusted. 57 mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir } 58 (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject); 59 mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename } 60 (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject); 61 62 # 63 # Constraints for file types other than app data files. 64 # 65 66 # Read operations: Subject must dominate object unless the subject 67 # or the object is trusted. 68 mlsconstrain dir { read getattr search } 69 (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); 70 71 mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute } 72 (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); 73 74 # Write operations: Subject must be equivalent to the object unless the 75 # subject or the object is trusted. 76 mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir } 77 (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); 78 79 mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename } 80 (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); 81 82 # Special case for FIFOs. 83 # These can be unnamed pipes, in which case they will be labeled with the 84 # creating process' label. Thus we also have an exemption when the "object" 85 # is a domain type, so that processes can communicate via unnamed pipes 86 # passed by binder or local socket IPC. 87 mlsconstrain fifo_file { read getattr } 88 (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain); 89 90 mlsconstrain fifo_file { write setattr append unlink link rename } 91 (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain); 92 93 # 94 # Binder IPC constraints 95 # 96 # Presently commented out, as apps are expected to call one another. 97 # This would only make sense if apps were assigned categories 98 # based on allowable communications rather than per-app categories. 99 #mlsconstrain binder call 100 # (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); 101