# FLASK
#
# Define the security object classes.
#
# NOTE(review): treat declaration order as significant. The capability class
# below says explicitly that its permission order matters; the same is
# presumably true of class and permission indices generally, so do not
# reorder anything in this section without confirming nothing depends on
# the resulting numbering.
#

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc

# FLASK
# FLASK

#
# Define initial security identifiers.
#
# Only the kernel SID is declared here; its context is assigned further
# down in the "initial_sid_contexts" section.
#

sid kernel


# FLASK
#
# Define common prefixes for access vectors.
#
# common common_name { permission_name ... }
#
# A "common" is a shared permission set that classes pull in with
# "inherits"; class-specific permissions are then appended after it.


#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#
# The first ten permissions deliberately mirror the start of "common file"
# so the two vectors line up; socket-specific permissions follow.
#

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# A class may inherit a common with no body of its own (e.g. lnk_file) or
# add class-specific permissions in braces after "inherits".


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

# "file" the class inherits "file" the common; the two namespaces are
# distinct, so the identical names are not a conflict.
class file
inherits file
{
	execute_no_trans
	entrypoint
}

class lnk_file
inherits file

class chr_file
inherits file

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class udp_socket
inherits socket

class rawip_socket
inherits socket

# node and netif carry the same per-protocol recv/send permissions;
# node additionally has enforce_dest.
class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
}

class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket


#
# Define the access vector interpretation for process-related objects.
#
# Signals are split so that the uncatchable ones (sigkill, sigstop) and the
# parent-notification one (sigchld) can be granted independently of the
# catch-all "signal" permission.
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
}


#
# Define the access vector interpretation for ipc-related objects.
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

# msg does not inherit the ipc common; it only has send/receive.
class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#
# These permissions gate the security-server interfaces themselves;
# load_policy in particular allows replacing the loaded policy, so in a
# real policy it should be granted to as few domains as possible.
#

class security
{
	compute_av
	transition_sid
	member_sid
	sid_to_context
	context_to_sid
	load_policy
	get_sids
	change_sid
	get_user_sids
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	avc_toggle
	nfsd_control
	bdflush
	syslog_read
	syslog_mod
	syslog_console
	ichsid
}

#
# Define the access vector interpretation for controlling capabilities.
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters: each permission's position must
	# match the kernel's CAP_* numbering.)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
}

# MLS section. This is an m4 conditional: everything up to the closing ')
# is emitted only when enable_mls is defined at preprocessing time.
ifdef(`enable_mls',`
sensitivity s0;

#
# Define the ordering of the sensitivity levels (least to greatest).
# A single sensitivity is declared, so the ordering is trivial.
#
dominance { s0 }


#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;

# The only level: s0 with every declared category c0 through c23.
level s0:c0.c23;

# Only the high levels of subject (h1) and object (h2) are compared, and only
# for the listed write-like file permissions. NOTE(review): this is a much
# weaker check than a production write-down constraint, which would also
# involve the low levels (l1/l2); presumably a deliberate simplification for
# this test policy rather than something to copy.
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
	( h1 dom h2 );
')

####################################
####################################
#####################################

#g_b stands for global base

# Gate type: several optional blocks below "require" it. Because it is
# declared right here in the base, that requirement is always satisfied.
type enable_optional;

#decorative type for finding this decl, every block should have one
type tag_g_b;

attribute g_b_attr_1;
attribute g_b_attr_2;
attribute g_b_attr_3;
attribute g_b_attr_4;
attribute g_b_attr_5;
attribute g_b_attr_6;

type g_b_type_1, g_b_attr_1;
type g_b_type_2, g_b_attr_2;
type g_b_type_3;

role g_b_role_1;
role g_b_role_2;
role g_b_role_3;
role g_b_role_4;
role g_b_role_1 types g_b_type_1;
role g_b_role_2 types g_b_type_2;
role g_b_role_3 types g_b_type_2;
role g_b_role_4 types g_b_type_2;

bool g_b_bool_1 false;
bool g_b_bool_2 true;

# Test-fixture rules. They are intentionally broad (load_policy, the full
# file vector, every process permission but ptrace) to exercise the parser's
# "*" and "~" forms; do not treat them as a model for a real policy.
allow g_b_type_1 g_b_type_2 : security { compute_av load_policy };
allow g_b_type_1 g_b_type_2 : file *; # test *
allow g_b_type_1 g_b_type_2 : process ~ptrace; #test ~

typealias g_b_type_3 alias g_b_alias_1;

# Conditional rule; g_b_bool_1 defaults to false above, so this is off
# unless the boolean is toggled.
if (g_b_bool_1) {
	allow g_b_type_1 g_b_type_2: lnk_file read;
}


# Optional blocks: each is enabled only if every symbol in its "require"
# section is declared somewhere in the linked policy. The "g_m1_*" /
# "o*_m1_*" names are presumably provided by module 1 (per the comments
# below); they are not declared in this file.
optional {
	require {
		type enable_optional;
		attribute g_m1_attr_2;
	}
	type tag_o1_b;

	attribute o1_b_attr_1;
	type o1_b_type_1, o1_b_attr_1;
	bool o1_b_bool_1 true;
	role o1_b_role_1;
	role o1_b_role_1 types o1_b_type_1;
	role o1_b_role_2;
	role o1_b_role_2 types o1_b_type_1;

	attribute o1_b_attr_2;

	# Adds a base type to an attribute that is declared by a module.
	type o1_b_type_2, g_m1_attr_2;

	if (o1_b_bool_1) {
		allow o1_b_type_1 o1_b_type_2: lnk_file write;
	}

}

optional {
	require {
		# this should be activated by module 1
		type g_m1_type_1;
		attribute o3_m1_attr_2;
	}
	type tag_o2_b;

	type o2_b_type_1, o3_m1_attr_2;
}

optional {
	require {
		# this block must stay disabled: invalid_type is not declared in
		# this base and is not expected from any module, so the require
		# can never be satisfied. Everything in the block, including the
		# allow rule below, is therefore dropped at link time.
		type invalid_type;
	}
	type tag_o3_b;


	attribute o3_b_attr_1;
	type o3_b_type_1;
	bool o3_b_bool_1 true;

	role o3_b_role_1;
	role o3_b_role_1 types o3_b_type_1;

	allow g_b_type_1 invalid_type : sem { create destroy };
}

optional {
	require {
		# also should be enabled by module 1
		type enable_optional;
		type g_m1_type_1;
		attribute o3_m1_attr_1;
		attribute g_m1_attr_3;
	}

	type tag_o4_b;

	attribute o4_b_attr_1;

	# Base role authorized for a module-declared type.
	role o4_b_role_1;
	role o4_b_role_1 types g_m1_type_1;

	# test for attr declared in module optional, added to in base optional
	type o4_b_type_1, o3_m1_attr_1;

	type o4_b_type_2, g_m1_attr_3;
}

optional {
	require {
		attribute g_m1_attr_4;
		attribute o4_m1_attr_1;
	}
	type tag_o5_b;

	type o5_b_type_1, g_m1_attr_4;
	type o5_b_type_2, o4_m1_attr_1;
}

optional {
	require {
		type enable_optional;
	}
	type tag_o6_b;

	# Second alias for g_b_type_3, declared inside an optional.
	typealias g_b_type_3 alias g_b_alias_2;
}

optional {
	require {
		type g_m_alias_1;
	}
	type tag_o7_b;

	# Uses a module-provided alias as the source type.
	allow g_m_alias_1 enable_optional:file read;
}

# gen_user / gen_context are presumably m4 macros from the test support
# files; they are not defined here. NOTE(review): the second gen_user call
# passes an MLS range containing bare commas ("s0:c0, c1, c3, c4, c5").
# Unless the macro or the call quotes that argument, m4 will split it into
# separate arguments and the effective range may be narrower than intended
# -- confirm against the macro definition.
gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
gen_user(g_b_user_2,, g_b_role_1, s0, s0 - s0:c0, c1, c3, c4, c5)

####################################
#line 1 "initial_sid_contexts"

# Context for the kernel SID declared in the FLASK section above.
sid kernel gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)


############################################
#line 1 "fs_use"
#
# Filesystems that carry labels in extended attributes. object_r is not
# declared in this file; presumably it is the implicit object role.
fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);


# Pseudo-filesystem labelling: everything under proc gets g_b_type_1.
genfscon proc / gen_context(g_b_user_1:object_r:g_b_type_1, s0)


####################################
#line 1 "net_contexts"

# The portcon/netifcon/IPv4 nodecon entries below are commented out; they
# reference net_foo_t, which is not declared anywhere in this file, so
# re-enabling them as-is would fail to compile.
#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0

#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0

#
#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0

# Only live network labelling rule: the IPv6 loopback address ::1, with a
# full /128 mask so no other address matches.
nodecon ::1 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF gen_context(g_b_user_1:object_r:g_b_type_1, s0)



