#########################################
# MLS declarations
#
# Multi-Level Security (MLS) declarations and constraints.
#
# Notation used in the mlsconstrain expressions below (SELinux policy
# language semantics, not anything specific to this file):
#   l1 / h1  low / high level of the source (subject) context
#   l2 / h2  low / high level of the target (object) context
#   t1 / t2  source / target type
#   eq       levels are identical; dom = "dominates"; domby = "is dominated by"
#   t1 == A  the source type is a member of attribute A
# An mlsconstrain never grants access on its own: the permission must also
# be allowed by TE rules, and is then denied unless the expression holds.
# Every type placed in mlstrustedsubject bypasses each constraint in this
# file that tests "t1 == mlstrustedsubject", so that attribute (defined
# elsewhere in the policy) should be kept as small as possible.
#

# Generate the desired number of sensitivities and categories.
# mls_num_sens / mls_num_cats are expected to be substituted by the policy
# build (macro parameters) -- confirm against the build configuration.
gen_sens(mls_num_sens)
gen_cats(mls_num_cats)

# Generate level definitions for each sensitivity and category.
gen_levels(mls_num_sens,mls_num_cats)


#################################################
# MLS policy constraints
#

#
# Process constraints
#

# Process transition: Require equivalence unless the subject is trusted.
# Both the low (l) and high (h) levels must match, so a ranged process may
# not transition into a context with a different range unless trusted.
mlsconstrain process { transition dyntransition }
	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Process read operations: No read up unless trusted.
# ptrace and share appear in both the read and the write set below, so for
# an untrusted subject they require dom AND domby, i.e. l1 eq l2.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
	     (l1 dom l2 or t1 == mlstrustedsubject);

# Process write operations: No write down unless trusted.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
	     (l1 domby l2 or t1 == mlstrustedsubject);

#
# Socket constraints
#

# These permissions are between the process and its local socket,
# not between a process/socket and its peer.
# Equivalence is the normal situation; anything else requires trust.
# Unlike the process constraints above, a trusted type on either side
# (t1 or t2) satisfies the constraint. socket_class_set is a class set
# defined elsewhere in the policy.
mlsconstrain socket_class_set { read write create getattr setattr relabelfrom relabelto bind connect listen accept getopt setopt shutdown }
	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

# Datagram send: Sender must be dominated by receiver unless one of them is
# trusted. Sending is treated as a write, hence domby (no write down).
mlsconstrain unix_dgram_socket { sendto }
	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

# Stream connect: Client must be equivalent to server unless one of them
# is trusted.
mlsconstrain unix_stream_socket { connectto }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

#
# Directory/file constraints
#

# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level.
# Do NOT exempt mlstrustedobject types from this constraint.
# Note the "l2 eq h2" single-level check is ANDed with the rest, so even a
# trusted subject cannot create or relabel a file to a multi-level range.
# dir_file_class_set is a class set defined elsewhere in the policy.
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

#
# Constraints for app data files only.
#

# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must be equivalent to object unless the subject is trusted.
# "t2 != app_data_file" makes these constraints vacuously true for every
# other object type; the section below handles those. Because read/write
# are deliberately not listed, a descriptor that was already opened (or
# received from another process) remains usable across levels; only
# obtaining a new one requires equivalence. Note that dir read/getattr and
# file execute on app_data_file are not listed here and are exempted below,
# so they are gated by MLS only through the open/search requirement.
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);

#
# Constraints for file types other than app data files.
#

# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
# "t2 == app_data_file" is the complement of the exemption in the section
# above, so app data files are never subject to these dom/domby checks.
mlsconstrain dir { read getattr search }
	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Write operations: Subject must be dominated by the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a MLS trusted subject and can receive data at any level.
# This extra "t2 == mlstrustedsubject" exemption is wider than the other
# file classes above; keep it in mind when adding types to that attribute.
mlsconstrain fifo_file { read getattr }
	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);

mlsconstrain fifo_file { write setattr append unlink link rename }
	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);

#
# IPC constraints
#
# ipc_class_set, r_ipc_perms and w_ipc_perms are class/permission sets
# defined elsewhere in the policy.

# Create/destroy: equivalence or trusted.
# As for files, the single-level check (l2 eq h2) is not bypassed by trust.
mlsconstrain ipc_class_set { create destroy }
	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

# Read ops: No read up unless trusted.
mlsconstrain ipc_class_set r_ipc_perms
	     (l1 dom l2 or t1 == mlstrustedsubject);

# Write ops: No write down unless trusted.
mlsconstrain ipc_class_set w_ipc_perms
	     (l1 domby l2 or t1 == mlstrustedsubject);

#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
# Consequence: binder calls between differently-labeled apps are not
# MLS-constrained at all by this file; any such restriction must come
# from TE rules.
#mlsconstrain binder call
#	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);