<!-- Common Interface Language (CIL) Reference Guide -->
<!-- access_vector_rules.xml -->

<sect1 id="av_rules">
	<title>Access Vector Rules</title>
	<sect2 id="allow">
		<title>allow</title>
		<para>Specifies the access allowed between a source and target type. Note that access may be further refined by constraint rules based on the source, target and class (<literal><link linkend="validatetrans">validatetrans</link></literal> or <literal><link linkend="mlsvalidatetrans">mlsvalidatetrans</link></literal> statements) or on the source, target, class and permissions (<literal><link linkend="constrain">constrain</link></literal> or <literal><link linkend="mlsconstrain">mlsconstrain</link></literal> statements).</para>
		<para><emphasis role="bold">Rule definition:</emphasis></para>
		<programlisting><![CDATA[(allow source_id target_id|self classpermissionset_id ...)]]></programlisting>
		<para><emphasis role="bold">Where:</emphasis></para>
		<informaltable frame="all">
			<tgroup cols="2">
			<colspec colwidth="2.25 *"/>
			<colspec colwidth="6 *"/>
				<tbody>
				<row>
					<entry>
						<para><literal><link linkend="allow">allow</link></literal></para>
					</entry>
					<entry>
						<para>The <literal><link linkend="allow">allow</link></literal> keyword.</para>
					</entry>
				</row>
				<row>
					<entry>
						<para><literal>source_id</literal></para>
					</entry>
					<entry>
						<para>A single previously defined source <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
					</entry>
				</row>
				<row>
					<entry>
						<para><literal>target_id</literal></para>
					</entry>
					<entry>
						<para>A single previously defined target <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
						<para>The <literal>self</literal> keyword may be used instead to signify that source and target are the same.</para>
					</entry>
				</row>
				<row>
					<entry>
						<para><literal>classpermissionset_id</literal></para>
					</entry>
					<entry>
						<para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
					</entry>
				</row>
			</tbody></tgroup>
		</informaltable>

		<para><emphasis role="bold">Examples:</emphasis></para>
		<para>These examples show a selection of possible permutations of <literal><link linkend="allow">allow</link></literal> rules:</para>
		<programlisting><![CDATA[
(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

(classpermission cps_zygote)
(classpermissionset cps_zygote (zygote (not (specifyids))))

(classmap android_classes (set_1 set_2 set_3))

(classmapping android_classes set_1 (binder (all)))
(classmapping android_classes set_1 (property_service (set)))
(classmapping android_classes set_1 (zygote (not (specifycapabilities))))

(classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer)))
(classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith)))

(classmapping android_classes set_3 cps_zygote)
(classmapping android_classes set_3 (binder (impersonate call set_context_mgr)))

(block av_rules
    (type type_1)
    (type type_2)
    (type type_3)
    (type type_4)
    (type type_5)

    (typeattribute all_types)
    (typeattributeset all_types (all))

; These examples have named and anonymous classpermissionsets and
; classmap/classmapping statements
    (allow type_1 self (property_service (set)))          ; anonymous
    (allow type_2 self (zygote (specifyids)))              ; anonymous
    (allow type_3 self cps_zygote)                         ; named
    (allow type_4 self (android_classes (set_3)))          ; classmap/classmapping
    (allow all_types all_types (android_classes (set_2)))  ; classmap/classmapping

;; This rule will cause the build to fail unless --disable-neverallow
;    (neverallow type_5 all_types (property_service (set)))
    (allow type_5 type_5 (property_service (set)))
    (allow type_1 all_types (property_service (set)))
)]]>
		</programlisting>
	</sect2>

	<sect2 id="auditallow">
		<title>auditallow</title>
		<para>Audit the access rights defined if there is a valid allow rule. Note: It does NOT allow access, it only audits the event.</para>
		<para><emphasis role="bold">Rule definition:</emphasis></para>
		<programlisting><![CDATA[(auditallow source_id target_id|self classpermissionset_id ...)]]></programlisting>
		<para><emphasis role="bold">Where:</emphasis></para>
		<informaltable frame="all">
			<tgroup cols="2">
			<colspec colwidth="2.5 *"/>
			<colspec colwidth="6 *"/>
				<tbody>
				<row>
					<entry>
						<para><literal>auditallow</literal></para>
					</entry>
					<entry>
						<para>The <literal>auditallow</literal> keyword.</para>
					</entry>
				</row>
				<row>
					<entry>
						<para><literal>source_id</literal></para>
					</entry>
					<entry>
						<para>A single previously defined source <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
					</entry>
				</row>
				<row>
					<entry>
						<para><literal>target_id</literal></para>
					</entry>
					<entry>
						<para>A single previously defined target <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
						<para>The <literal>self</literal> keyword may be used instead to signify that source and target are the same.</para>
					</entry>
				</row>
				<row>
					<entry>
						<para><literal>classpermissionset_id</literal></para>
					</entry>
					<entry>
						<para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
					</entry>
				</row>
			</tbody></tgroup>
		</informaltable>

		<para><emphasis role="bold">Example:</emphasis></para>
		<para>This example will log an audit event whenever the corresponding <literal><link linkend="allow">allow</link></literal> rule grants access to the specified permissions:</para>
		<programlisting><![CDATA[
(allow release_app.process secmark_demo.browser_packet (packet (send recv append bind)))

(auditallow release_app.process secmark_demo.browser_packet (packet (send recv)))
]]>
		</programlisting>
	</sect2>

	<sect2 id="dontaudit">
		<title>dontaudit</title>
		<para>Do not audit the access rights defined when access is denied. This stops excessive log entries for known events.</para>
		<para>Note that these rules can be omitted with the CIL compiler command line flag <literal>-D</literal> or <literal>--disable-dontaudit</literal>.</para>
		<para><emphasis role="bold">Rule definition:</emphasis></para>
		<programlisting><![CDATA[(dontaudit source_id target_id|self classpermissionset_id ...)]]></programlisting>
		<para><emphasis role="bold">Where:</emphasis></para>
		<informaltable frame="all">
			<tgroup cols="2">
			<colspec colwidth="2.25 *"/>
			<colspec colwidth="6 *"/>
				<tbody>
				<row>
					<entry>
						<para><literal>dontaudit</literal></para>
					</entry>
					<entry>
						<para>The <literal>dontaudit</literal> keyword.</para>
					</entry>
				</row>
				<row>
					<entry>
						<para><literal>source_id</literal></para>
					</entry>
					<entry>
						<para>A single previously defined source <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
					</entry>
				</row>
				<row>
					<entry>
						<para><literal>target_id</literal></para>
					</entry>
					<entry>
						<para>A single previously defined target <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
						<para>The <literal>self</literal> keyword may be used instead to signify that source and target are the same.</para>
					</entry>
				</row>
				<row>
					<entry>
						<para><literal>classpermissionset_id</literal></para>
					</entry>
					<entry>
						<para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
					</entry>
				</row>
			</tbody></tgroup>
		</informaltable>

		<para><emphasis role="bold">Example:</emphasis></para>
		<para>This example will not audit the denied access:</para>
		<programlisting><![CDATA[(dontaudit zygote.process self (capability (fsetid)))]]>
		</programlisting>
	</sect2>

	<sect2 id="neverallow">
		<title>neverallow</title>
		<para>Never allow the access rights defined. This is a compiler enforced action that will stop compilation until the offending rules are modified.</para>
		<para>Note that these rules can be overridden with the CIL compiler command line flag <literal>-N</literal> or <literal>--disable-neverallow</literal>.</para>
		<para><emphasis role="bold">Rule definition:</emphasis></para>
		<programlisting><![CDATA[(neverallow source_id target_id|self classpermissionset_id ...)]]></programlisting>
		<para><emphasis role="bold">Where:</emphasis></para>
		<informaltable frame="all">
			<tgroup cols="2">
			<colspec colwidth="2.25 *"/>
			<colspec colwidth="6 *"/>
				<tbody>
				<row>
					<entry>
						<para><literal>neverallow</literal></para>
					</entry>
					<entry>
						<para>The <literal>neverallow</literal> keyword.</para>
					</entry>
				</row>
				<row>
					<entry>
						<para><literal>source_id</literal></para>
					</entry>
					<entry>
						<para>A single previously defined source <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
					</entry>
				</row>
				<row>
					<entry>
						<para><literal>target_id</literal></para>
					</entry>
					<entry>
						<para>A single previously defined target <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para>
						<para>The <literal>self</literal> keyword may be used instead to signify that source and target are the same.</para>
					</entry>
				</row>
				<row>
					<entry>
						<para><literal>classpermissionset_id</literal></para>
					</entry>
					<entry>
						<para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
					</entry>
				</row>
			</tbody></tgroup>
		</informaltable>

		<para><emphasis role="bold">Example:</emphasis></para>
		<para>This example will not compile, as <literal>type_3</literal> is not allowed to be a source type for the <literal><link linkend="allow">allow</link></literal> rule:</para>
		<programlisting><![CDATA[
(class property_service (set))

(block av_rules
    (type type_1)
    (type type_2)
    (type type_3)
    (typeattribute all_types)
    (typeattributeset all_types ((all)))

    (neverallow type_3 all_types (property_service (set)))
    ; This rule will fail compilation:
    (allow type_3 self (property_service (set)))
)]]>
		</programlisting>
	</sect2>

</sect1>
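The compile-time neverallow check described in this section, as an added illustration that is not part of the CIL reference guide or of the CIL compiler: a small Python checker that expands allow and neverallow rules over concrete types, typeattributes and self, then reports every allow rule whose expansion a neverallow rule forbids. It assumes flattened block namespaces and plain (class (perm ...)) expressions rather than classmap or classpermissionset references, and runs on this section's neverallow example embedded as a constructed input.

```python
import re
TOKEN = re.compile(r"\(|\)|[^\s()]+")

def parse(text):  # CIL S-expressions (';' comments stripped) -> nested Python lists
    stack, cur = [], []
    for tok in TOKEN.findall(re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append(cur); cur = []
        elif tok == ")":
            inner, cur = cur, stack.pop(); cur.append(inner)
        else:
            cur.append(tok)
    return cur
def collect(stmts, db):  # gather types, typeattributeset exprs and allow/neverallow rules
    for s in stmts:
        if s[0] == "block":            # assumption: block namespaces are flattened away
            collect(s[2:], db)
        elif s[0] == "type":
            db["types"].add(s[1])
        elif s[0] == "typeattributeset":
            db["attrs"][s[1]] = s[2]   # resolved lazily by expand()
        elif s[0] in ("allow", "neverallow"):
            db[s[0]].append(s)
    return db
def expand(name, db):  # identifier -> concrete types; handles (all), ((all)) and plain lists
    expr = db["attrs"].get(name)
    if expr is None:
        return {name}
    flat = expr[0] if isinstance(expr[0], list) else expr
    return set(db["types"]) if flat == ["all"] else set(flat)
def triples(rule, db):  # av rule -> {(source, target, class, perm)}; self: target == source
    _, src, tgt, (cls, perms) = rule
    out = set()
    for s in expand(src, db):
        for t in ({s} if tgt == "self" else expand(tgt, db)):
            out.update((s, t, cls, p) for p in perms)
    return out
def neverallow_violations(policy):  # (source, target, offending tuples) per rejected allow
    db = collect(parse(policy), {"types": set(), "attrs": {}, "allow": [], "neverallow": []})
    forbidden = set().union(*(triples(n, db) for n in db["neverallow"]))
    hits = [(a, triples(a, db) & forbidden) for a in db["allow"]]
    return [(a[1], a[2], sorted(h)) for a, h in hits if h]

# Constructed input: this section's neverallow example plus one rule that is fine.
POLICY = """(class property_service (set))
(block av_rules (type type_1) (type type_2) (type type_3)
  (typeattribute all_types) (typeattributeset all_types ((all)))
  (neverallow type_3 all_types (property_service (set)))
  (allow type_3 self (property_service (set)))   ; fails compilation
  (allow type_1 type_2 (property_service (set)))) ; fine"""
```

Calling neverallow_violations(POLICY) returns the single offending allow rule with its expanded (type_3, type_3, property_service, set) tuple, which is exactly the overlap the compiler rejects.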