<!-- Common Interface Language (CIL) Reference Guide -->
<!-- container_statements.xml -->

<sect1>
    <title>Container Statements</title>
    <sect2 id="block">
        <title>block</title>
        <para>Start a new namespace where any CIL statement is valid.</para>
        <para><emphasis role="bold">Statement definition:</emphasis></para>
        <programlisting><![CDATA[
(block block_id
    cil_statement
    ...
)]]>
        </programlisting>
        <para><emphasis role="bold">Where:</emphasis></para>
        <informaltable frame="all">
            <tgroup cols="2">
                <colspec colwidth="2 *"/>
                <colspec colwidth="6 *"/>
                <tbody>
                    <row>
                        <entry>
                            <para><literal>block</literal></para>
                        </entry>
                        <entry>
                            <para>The <literal><link linkend="block">block</link></literal> keyword.</para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal>block_id</literal></para>
                        </entry>
                        <entry>
                            <para>The namespace identifier.</para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal>cil_statement</literal></para>
                        </entry>
                        <entry>
                            <para>Zero or more valid CIL statements.</para>
                        </entry>
                    </row>
                </tbody>
            </tgroup>
        </informaltable>
        <para><emphasis role="bold">Example:</emphasis></para>
        <para>See the <literal><link linkend="blockinherit">blockinherit</link></literal> statement for an example.</para>
    </sect2>

    <sect2 id="blockabstract">
        <title>blockabstract</title>
        <para>Declares the namespace as a 'template'. No code is generated for it until it is instantiated by another namespace that contains a <literal><link linkend="blockinherit">blockinherit</link></literal> statement.</para>
        <para><emphasis role="bold">Statement definition:</emphasis></para>
        <programlisting><![CDATA[
(block block_id
    (blockabstract template_id)
    cil_statement
    ...
)]]>
        </programlisting>
        <para><emphasis role="bold">Where:</emphasis></para>
        <informaltable frame="all">
            <tgroup cols="2">
                <colspec colwidth="2 *"/>
                <colspec colwidth="6 *"/>
                <tbody>
                    <row>
                        <entry>
                            <para><literal>block</literal></para>
                        </entry>
                        <entry>
                            <para>The <literal><link linkend="block">block</link></literal> keyword.</para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal>block_id</literal></para>
                        </entry>
                        <entry>
                            <para>The namespace identifier.</para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal>blockabstract</literal></para>
                        </entry>
                        <entry>
                            <para>The <literal><link linkend="blockabstract">blockabstract</link></literal> keyword.</para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal>template_id</literal></para>
                        </entry>
                        <entry>
                            <para>The abstract namespace identifier. This must match the <literal><link linkend="block">block_id</link></literal> entry of the enclosing block.</para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal>cil_statement</literal></para>
                        </entry>
                        <entry>
                            <para>Zero or more valid CIL statements forming the abstract block.</para>
                        </entry>
                    </row>
                </tbody>
            </tgroup>
        </informaltable>
        <para><emphasis role="bold">Example:</emphasis></para>
        <para>See the <literal><link linkend="blockinherit">blockinherit</link></literal> statement for an example.</para>
    </sect2>

    <sect2 id="blockinherit">
        <title>blockinherit</title>
        <para>Used to add common policy rules to the current namespace from a template that has been defined with the <literal><link linkend="blockabstract">blockabstract</link></literal> statement. All <literal><link linkend="blockinherit">blockinherit</link></literal> statements are resolved first and only then are the contents of the block copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section.</para>
        <para><emphasis role="bold">Statement definition:</emphasis></para>
        <programlisting><![CDATA[
(block block_id
    (blockinherit template_id)
    cil_statement
    ...
)]]>
        </programlisting>
        <para><emphasis role="bold">Where:</emphasis></para>
        <informaltable frame="all">
            <tgroup cols="2">
                <colspec colwidth="2 *"/>
                <colspec colwidth="6 *"/>
                <tbody>
                    <row>
                        <entry>
                            <para><literal>block</literal></para>
                        </entry>
                        <entry>
                            <para>The <literal><link linkend="block">block</link></literal> keyword.</para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal>block_id</literal></para>
                        </entry>
                        <entry>
                            <para>The namespace identifier.</para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal>blockinherit</literal></para>
                        </entry>
                        <entry>
                            <para>The <literal><link linkend="blockinherit">blockinherit</link></literal> keyword.</para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal>template_id</literal></para>
                        </entry>
                        <entry>
                            <para>The inherited namespace identifier.</para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal>cil_statement</literal></para>
                        </entry>
                        <entry>
                            <para>Zero or more valid CIL statements.</para>
                        </entry>
                    </row>
                </tbody>
            </tgroup>
        </informaltable>
        <para><emphasis role="bold">Example:</emphasis></para>
        <para>This example contains a template <literal>client_server</literal> that is instantiated in two blocks (<literal>netserver_app</literal> and <literal>netclient_app</literal>):</para>
        <programlisting><![CDATA[
; This is the template block:
(block client_server
    (blockabstract client_server)

    ; Log file labeling
    (type log_file)
    (typeattributeset file_type (log_file))
    (typeattributeset data_file_type (log_file))
    (allow process log_file (dir (write search create setattr add_name)))
    (allow process log_file (file (create open append getattr setattr)))
    (roletype object_r log_file)
    (context log_file_context (u object_r log_file low_low))

    ; Process labeling
    (type process)
    (typeattributeset domain (process))
    (call app_domain (process))
    (call net_domain (process))
)

; This is a policy block that will inherit the abstract block above:
(block netclient_app
    ; Add common policy rules to namespace:
    (blockinherit client_server)
    ; Label the log files
    (filecon "/data/data/com.se4android.netclient/.*" file log_file_context)
)

; This is another policy block that will inherit the abstract block above:
(block netserver_app
    ; Add common policy rules to namespace:
    (blockinherit client_server)

    ; Label the log files
    (filecon "/data/data/com.se4android.netserver/.*" file log_file_context)
)

; This is an example of how blockinherits resolve inherits before copying
(block a
    (type one))

(block b
    ; Notice that block a is declared here as well
    (block a
        (type two)))

; This will first copy the contents of block b, which results in type b.a.two being copied.
; Next, the contents of block a will be copied which will result in type a.one.
(block ab
    (blockinherit b)
    (blockinherit a))]]>
        </programlisting>
    </sect2>

    <sect2 id="optional">
        <title>optional</title>
        <para>Declare an <literal><link linkend="optional">optional</link></literal> namespace. All CIL statements in the optional block must be satisfied before it is instantiated in the binary policy. <literal><link linkend="tunableif">tunableif</link></literal> and <literal><link linkend="macro">macro</link></literal> statements are not allowed in optional containers. The restrictions that apply to kernel policy statements in optional blocks also apply to CIL policy statements in <literal><link linkend="optional">optional</link></literal> containers, i.e. only the policy statements shown in the following table are valid:</para>

        <informaltable frame="all">
            <tgroup cols="4">
                <tbody>
                    <row>
                        <entry>
                            <para><literal><link linkend="allow">allow</link></literal></para>
                        </entry>
                        <entry>
                            <para><literal><link linkend="auditallow">auditallow</link></literal></para>
                        </entry>
                        <entry>
                            <para><literal><link linkend="booleanif">booleanif</link></literal></para>
                        </entry>
                        <entry>
                            <para><literal><link linkend="dontaudit">dontaudit</link></literal></para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal><link linkend="typepermissive">typepermissive</link></literal></para>
                        </entry>
                        <entry>
                            <para><literal><link linkend="rangetransition">rangetransition</link></literal></para>
                        </entry>
                        <entry>
                            <para><literal><link linkend="role">role</link></literal></para>
                        </entry>
                        <entry>
                            <para><literal><link linkend="roleallow">roleallow</link></literal></para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal><link linkend="roleattribute">roleattribute</link></literal></para>
                        </entry>
                        <entry>
                            <para><literal><link linkend="roletransition">roletransition</link></literal></para>
                        </entry>
                        <entry>
                            <para><literal><link linkend="type">type</link></literal></para>
                        </entry>
                        <entry>
                            <para><literal><link linkend="typealias">typealias</link></literal></para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal><link linkend="typeattribute">typeattribute</link></literal></para>
                        </entry>
                        <entry>
                            <para><literal><link linkend="typechange">typechange</link></literal></para>
                        </entry>
                        <entry>
                            <para><literal><link linkend="typemember">typemember</link></literal></para>
                        </entry>
                        <entry>
                            <para><literal><link linkend="typetransition">typetransition</link></literal></para>
                        </entry>
                    </row>
                </tbody>
            </tgroup>
        </informaltable>

        <para><emphasis role="bold">Statement definition:</emphasis></para>
        <programlisting><![CDATA[
(optional optional_id
    cil_statement
    ...
)]]>
        </programlisting>
        <para><emphasis role="bold">Where:</emphasis></para>
        <informaltable frame="all">
            <tgroup cols="2">
                <colspec colwidth="2 *"/>
                <colspec colwidth="6 *"/>
                <tbody>
                    <row>
                        <entry>
                            <para><literal>optional</literal></para>
                        </entry>
                        <entry>
                            <para>The <literal><link linkend="optional">optional</link></literal> keyword.</para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal>optional_id</literal></para>
                        </entry>
                        <entry>
                            <para>The <literal><link linkend="optional">optional</link></literal> namespace identifier.</para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal>cil_statement</literal></para>
                        </entry>
                        <entry>
                            <para>Zero or more valid CIL statements.</para>
                        </entry>
                    </row>
                </tbody>
            </tgroup>
        </informaltable>

        <para><emphasis role="bold">Example:</emphasis></para>
        <para>This example will instantiate the optional block <literal>ext_gateway.move_file</literal> into the policy, provided that all CIL statements in the optional block can be resolved:</para>
        <programlisting><![CDATA[
(block ext_gateway
    ......
    (optional move_file
        (typetransition process msg_filter.move_file.in_queue file msg_filter.move_file.in_file)
        (allow process msg_filter.move_file.in_queue (dir (read getattr write search add_name)))
        (allow process msg_filter.move_file.in_file (file (write create getattr)))
        (allow msg_filter.move_file.in_file unconfined.object (filesystem (associate)))
        (typetransition msg_filter.int_gateway.process msg_filter.move_file.out_queue file
            msg_filter.move_file.out_file)
        (allow msg_filter.int_gateway.process msg_filter.move_file.out_queue (dir (read write search)))
        (allow msg_filter.int_gateway.process msg_filter.move_file.out_file (file (read getattr unlink)))
    ) ; End optional block

    .....
) ; End block]]>
        </programlisting>
    </sect2>

    <sect2 id="in">
        <title>in</title>
        <para>Allows the insertion of CIL statements into a named container (<literal><link linkend="block">block</link></literal>, <literal><link linkend="optional">optional</link></literal> or <literal><link linkend="macro">macro</link></literal>). This statement is not allowed in <literal><link linkend="booleanif">booleanif</link></literal> or <literal><link linkend="tunableif">tunableif</link></literal> statements.</para>
        <para><emphasis role="bold">Statement definition:</emphasis></para>
        <programlisting><![CDATA[
(in container_id
    cil_statement
    ...
)]]>
        </programlisting>
        <para><emphasis role="bold">Where:</emphasis></para>
        <informaltable frame="all">
            <tgroup cols="2">
                <colspec colwidth="2 *"/>
                <colspec colwidth="6 *"/>
                <tbody>
                    <row>
                        <entry>
                            <para><literal>in</literal></para>
                        </entry>
                        <entry>
                            <para>The <literal>in</literal> keyword.</para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal>container_id</literal></para>
                        </entry>
                        <entry>
                            <para>A valid <literal><link linkend="block">block</link></literal>, <literal><link linkend="optional">optional</link></literal> or <literal><link linkend="macro">macro</link></literal> namespace identifier.</para>
                        </entry>
                    </row>
                    <row>
                        <entry>
                            <para><literal>cil_statement</literal></para>
                        </entry>
                        <entry>
                            <para>Zero or more valid CIL statements.</para>
                        </entry>
                    </row>
                </tbody>
            </tgroup>
        </informaltable>

        <para><emphasis role="bold">Example:</emphasis></para>
        <para>This will add rules to the container named <literal>system_server</literal>:</para>
        <programlisting><![CDATA[
(in system_server
    (dontaudit process secmark_demo.dns_packet (packet (send recv)))
    (allow process secmark_demo.dns_packet (packet (send recv)))
)]]>
        </programlisting>
    </sect2>
</sect1>
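As an added example (not part of this reference guide or of the secilc project), a small Python lint that applies three rules stated in this section to a CIL fragment: the blockabstract identifier must match the enclosing block_id, an optional container may hold only the statements listed in the optional table, and an in statement may not appear inside booleanif or tunableif. The s-expression parser, the rule names and the sample policy are constructed for this example and are not part of the CIL toolchain.

```python
import re

# Statements this reference lists as valid inside an optional container.
OPTIONAL_OK = {
    "allow", "auditallow", "booleanif", "dontaudit", "typepermissive",
    "rangetransition", "role", "roleallow", "roleattribute", "roletransition",
    "type", "typealias", "typeattribute", "typechange", "typemember",
    "typetransition"}
# Container keywords and the index at which their body statements begin.
CONTAINERS = {"block": 2, "optional": 2, "in": 2, "macro": 3,
              "booleanif": 2, "tunableif": 2, "true": 1, "false": 1}
TOKEN = re.compile(r';[^\n]*|\(|\)|"[^"]*"|[^\s()";]+')

def parse(src):
    """Parse CIL text into nested Python lists; ';' comments are dropped."""
    stack = [[]]
    for tok in TOKEN.findall(src):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            done = stack.pop()
            stack[-1].append(done)
        elif not tok.startswith(";"):  # quoted strings keep their quotes
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0]

def lint(stmts, ctx=()):
    """Return (rule, identifier) pairs; ctx is the enclosing (keyword, id) chain."""
    problems, kinds = [], {k for k, _ in ctx}
    for s in (x for x in stmts if isinstance(x, list) and x):
        kw, ident = s[0], (s[1] if len(s) > 1 and isinstance(s[1], str) else "")
        if "optional" in kinds and kw not in OPTIONAL_OK and kw not in ("true", "false"):
            problems.append(("optional-content", kw))
        if kw == "in" and kinds & {"booleanif", "tunableif"}:
            problems.append(("in-placement", ident))
        if kw == "blockabstract" and (not ctx or ctx[-1] != ("block", ident)):
            problems.append(("blockabstract-id", ident))
        if kw in CONTAINERS:  # descend into the container's body statements only
            problems += lint(s[CONTAINERS[kw]:], ctx + ((kw, ident),))
    return problems

# Constructed sample: an ext_gateway-style block with three deliberate mistakes.
SAMPLE = """(block ext_gateway
  (optional move_file
    (allow process in_file (file (write create getattr)))
    (macro m ((type t)) (allow t self (file (read)))))  ; macro not allowed here
  (block tmpl (blockabstract wrong_id))                 ; must equal tmpl
  (booleanif dbg (true (in ext_gateway (allow process process (process (signal)))))))"""
```

Running `lint(parse(SAMPLE))` reports the macro inside the optional, the mismatched blockabstract identifier and the in statement under booleanif, in that order.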