Container Statements
====================

block
-----

Start a new namespace.

Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks.

[`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and [`category`](cil_mls_labeling_statements.md#category) statements are not allowed in [`block`](cil_container_statements.md#block) blocks.

Duplicate declarations of a [`block`](cil_container_statements.md#block) in the same namespace will normally cause an error, but inheriting a block into a namespace (with [`blockinherit`](cil_container_statements.md#blockinherit)) that already has a block with the same name will only result in a warning message and not cause an error. The policy from both blocks will end up in the binary policy. This behavior was used in the past to allow a block to be declared so that an [`in-statement`](cil_container_statements.md#in) could be used on it, but now an [`in-statement`](cil_container_statements.md#in) can be specified to occur after inheritance, so this behavior is not necessary (but is still allowed).

**Statement definition:**

```secil
    (block block_id
        cil_statement
        ...
    )
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p>The <code>block</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>block_id</code></p></td>
<td align="left"><p>The namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`blockinherit`](cil_container_statements.md#blockinherit) statement for an example.

blockabstract
-------------

Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a [`blockinherit`](cil_container_statements.md#blockinherit) statement.

Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks.

**Statement definition:**

```secil
    (block block_id
        (blockabstract template_id)
        cil_statement
        ...
    )
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p>The <code>block</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>block_id</code></p></td>
<td align="left"><p>The namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>blockabstract</code></p></td>
<td align="left"><p>The <code>blockabstract</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>template_id</code></p></td>
<td align="left"><p>The abstract namespace identifier. This must match the <code>block_id</code> entry.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements forming the abstract block.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`blockinherit`](cil_container_statements.md#blockinherit) statement for an example.

blockinherit
------------

Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first, and only then are the contents of the inherited blocks copied. This is so that a block which has itself been copied in by inheritance is not in turn inherited (the `ab` example below shows this). For a concrete example, please see the examples section.

Inherited rules are resolved by searching namespaces in the following order:

- The parent namespaces (if any) where the [`blockinherit`](cil_container_statements.md#blockinherit) rule is located, with the exception of the global namespace.

- The parent namespaces of the block being inherited (but not that block's namespace), with the exception of the global namespace.

- The global namespace.

Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks.

**Statement definition:**

```secil
    (block block_id
        (blockinherit template_id)
        cil_statement
        ...
    )
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p>The <code>block</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>block_id</code></p></td>
<td align="left"><p>The namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>blockinherit</code></p></td>
<td align="left"><p>The <code>blockinherit</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>template_id</code></p></td>
<td align="left"><p>The inherited namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example contains a template `client_server` that is instantiated in two blocks (`netserver_app` and `netclient_app`):

```secil
    ; This is the template block:
    (block client_server
        (blockabstract client_server)

        ; Log file labeling
        (type log_file)
        (typeattributeset file_type (log_file))
        (typeattributeset data_file_type (log_file))
        (allow process log_file (dir (write search create setattr add_name)))
        (allow process log_file (file (create open append getattr setattr)))
        (roletype object_r log_file)
        (context log_file_context (u object_r log_file low_low))

        ; Process labeling
        (type process)
        (typeattributeset domain (process))
        (call app_domain (process))
        (call net_domain (process))
    )

    ; This is a policy block that will inherit the abstract block above:
    (block netclient_app
        ; Add common policy rules to namespace:
        (blockinherit client_server)
        ; Label the log files
        (filecon "/data/data/com.se4android.netclient/.*" file log_file_context)
    )

    ; This is another policy block that will inherit the abstract block above:
    (block netserver_app
        ; Add common policy rules to namespace:
        (blockinherit client_server)

        ; Label the log files
        (filecon "/data/data/com.se4android.netserver/.*" file log_file_context)
    )

    ; This is an example of how blockinherits resolve inherits before copying
    (block a
        (type one))

    (block b
        ; Notice that block a is declared here as well
        (block a
            (type two)))

    ; This will first copy the contents of block b, which results in type b.a.two being copied.
    ; Next, the contents of block a will be copied which will result in type a.one.
    (block ab
        (blockinherit b)
        (blockinherit a))
```

optional
--------

Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied (every name they reference must resolve) before the block is instantiated in the binary policy.

Not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks.

[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockabstract`](cil_container_statements.md#blockabstract), and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`optional`](cil_container_statements.md#optional) blocks.

**Statement definition:**

```secil
    (optional optional_id
        cil_statement
        ...
    )
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>optional</code></p></td>
<td align="left"><p>The <code>optional</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>optional_id</code></p></td>
<td align="left"><p>The <code>optional</code> namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will instantiate the optional block `ext_gateway.move_file` into policy providing all optional CIL statements can be resolved:

```secil
    (block ext_gateway
        ......
        (optional move_file
            (typetransition process msg_filter.move_file.in_queue file msg_filter.move_file.in_file)
            (allow process msg_filter.move_file.in_queue (dir (read getattr write search add_name)))
            (allow process msg_filter.move_file.in_file (file (write create getattr)))
            (allow msg_filter.move_file.in_file unconfined.object (filesystem (associate)))
            (typetransition msg_filter.int_gateway.process msg_filter.move_file.out_queue file
                msg_filter.move_file.out_file)
            (allow msg_filter.int_gateway.process msg_filter.move_file.out_queue (dir (read write search)))
            (allow msg_filter.int_gateway.process msg_filter.move_file.out_file (file (read getattr unlink)))
        ) ; End optional block

        .....
    ) ; End block
```

in
--

Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This insertion can be specified to occur either before or after block inheritance has been resolved.

Not allowed in [`macro`](cil_call_macro_statements.md#macro), [`booleanif`](cil_conditional_statements.md#booleanif), and other [`in`](cil_container_statements.md#in) blocks.

[`tunable`](cil_conditional_statements.md#tunable) and [`in`](cil_container_statements.md#in) statements are not allowed in [`in`](cil_container_statements.md#in) blocks.

**Statement definition:**

```secil
    (in [before|after] container_id
        cil_statement
        ...
    )
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>in</code></p></td>
<td align="left"><p>The <code>in</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>before|after</code></p></td>
<td align="left"><p>An optional value that specifies whether to process the [`in`](cil_container_statements.md#in) <code>before</code> or <code>after</code> block inheritance. If no value is specified, then the [`in`](cil_container_statements.md#in) will be processed before block inheritance.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>container_id</code></p></td>
<td align="left"><p>A valid <code>block</code>, <code>optional</code> or <code>macro</code> namespace identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>

**Example:**

This will add rules to the container named `system_server`:

```secil
    (in system_server
        (dontaudit process secmark_demo.dns_packet (packet (send recv)))
        (allow process secmark_demo.dns_packet (packet (send recv)))
    )
```
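The three-step name resolution order listed under [`blockinherit`](cil_container_statements.md#blockinherit) is easiest to see when a template refers to names it does not declare itself. The following is an added example, not taken from the CIL reference; the block names `services`, `connector` and `agent`, the types and the `domain` attribute are made up for illustration, and the `unix_stream_socket` class and its `connectto` permission are assumed to be declared elsewhere in the policy.

```secil
    ; Added example (not from the CIL reference): where each name used inside
    ; an inherited template is looked up. Assumes the class/permission
    ; declarations exist elsewhere in the policy.
    (typeattribute domain)

    (block services
        ; Declared in the parent namespace of the template below.
        (type service_socket)

        (block connector
            (blockabstract connector)
            ; 'process' is not declared in this template. It is found in the
            ; namespace that contains the blockinherit (first rule).
            ; 'service_socket' is not found there, so it is taken from the
            ; template's parent namespace 'services' (second rule).
            (allow process service_socket (unix_stream_socket (connectto)))
            ; 'domain' is found in neither, so it comes from the global
            ; namespace (third rule).
            (typeattributeset domain (process))
        )
    )

    (block agent
        (type process)
        ; The resolved contents of services.connector are copied here, giving
        ; agent.process permission to connectto services.service_socket and
        ; adding agent.process to the global 'domain' attribute.
        (blockinherit services.connector)
    )
```

Because the global namespace is searched last, a template should declare (or inherit) anything it expects the instantiating block to override; otherwise a same-named global declaration will not shadow it.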
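The all-or-nothing rule for [`optional`](cil_container_statements.md#optional) blocks matters when only some of the rules refer to a name that may be missing. The following is an added example, not from the CIL reference; `agent`, `process` and `audit_daemon.log_t` are hypothetical names, and the `file` and `dir` classes with their permissions are assumed to be declared elsewhere.

```secil
    ; Added example (not from the CIL reference): an optional block is either
    ; instantiated whole or dropped whole. Class and permission declarations
    ; are assumed to exist elsewhere in the policy.
    (block agent
        (type process)

        ; Both rules reference the hypothetical type audit_daemon.log_t. If
        ; that type is absent from the final policy, the whole optional is
        ; disabled and neither rule reaches the binary policy, even though
        ; the rules themselves are otherwise valid.
        (optional audit_logging
            (allow process audit_daemon.log_t (file (append)))
            (allow process audit_daemon.log_t (dir (search)))
        )

        ; Rules that must always be present belong outside the optional, where
        ; an unresolved name is a compile error rather than a silently
        ; dropped block.
        (allow process self (file (read)))
    )
```

When auditing a compiled policy, a missing access that was written inside an optional is therefore the first thing to check: the rule may have been dropped along with its siblings rather than denied on purpose.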
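The `before|after` option on [`in`](cil_container_statements.md#in) and the duplicate-block behaviour described under [`block`](cil_container_statements.md#block) are two ways of reaching the same goal: adding rules to a sub-block that only comes into existence through inheritance. The following is an added example, not from the CIL reference; `template`, `logging`, `app` and `app_old` are made-up names, and the `file` class with its `append` permission is assumed to be declared elsewhere.

```secil
    ; Added example (not from the CIL reference): inserting rules into a block
    ; that exists only after blockinherit has been resolved. The 'file' class
    ; and 'append' permission are assumed to be declared elsewhere.
    (block template
        (blockabstract template)
        (type process)
        (block logging
            (type log_file)
        )
    )

    ; Current approach: 'after' makes the in-statement run once app.logging has
    ; been created by the blockinherit, so the container name resolves.
    (block app
        (blockinherit template)
    )
    (in after app.logging
        ; Resolved as app.process and app.logging.log_file.
        (allow process log_file (file (append)))
    )

    ; Older approach (still accepted): declare app_old.logging up front so that
    ; an in-statement processed before inheritance has a container to target.
    ; When the blockinherit later copies template.logging into app_old, the
    ; duplicate block produces only a warning, and the rules from both copies
    ; end up in the binary policy.
    (block app_old
        (block logging)
        (blockinherit template)
    )
    (in app_old.logging
        (allow process log_file (file (append)))
    )
```

The `after` form is preferable for new policy: it does not depend on the duplicate-block warning, so an unintended name collision between two blocks still surfaces as a warning worth investigating instead of being part of the expected build output.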