Container Statements
====================

block
-----

Start a new namespace where any CIL statement is valid.

**Statement definition:**

    (block block_id
        cil_statement
        ...
    )

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p>The <code>block</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>block_id</code></p></td>
<td align="left"><p>The namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`blockinherit`](cil_container_statements.md#blockinherit) statement for an example.

blockabstract
-------------

Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a [`blockinherit`](cil_container_statements.md#blockinherit) statement.

**Statement definition:**

    (block block_id
        (blockabstract template_id)
        cil_statement
        ...
    )

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p>The <code>block</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>block_id</code></p></td>
<td align="left"><p>The namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>blockabstract</code></p></td>
<td align="left"><p>The <code>blockabstract</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>template_id</code></p></td>
<td align="left"><p>The abstract namespace identifier. This must match the <code>block_id</code> entry.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements forming the abstract block.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`blockinherit`](cil_container_statements.md#blockinherit) statement for an example.

blockinherit
------------

Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first, and only then are the contents of the block copied. This is so that inherited blocks will not be inherited. For a concrete example, see the example section below.

**Statement definition:**

    (block block_id
        (blockinherit template_id)
        cil_statement
        ...
    )

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p>The <code>block</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>block_id</code></p></td>
<td align="left"><p>The namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>blockinherit</code></p></td>
<td align="left"><p>The <code>blockinherit</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>template_id</code></p></td>
<td align="left"><p>The inherited namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example contains a template `client_server` that is instantiated in two blocks (`netserver_app` and `netclient_app`):

    ; This is the template block:
    (block client_server
        (blockabstract client_server)

        ; Log file labeling
        (type log_file)
        (typeattributeset file_type (log_file))
        (typeattributeset data_file_type (log_file))
        (allow process log_file (dir (write search create setattr add_name)))
        (allow process log_file (file (create open append getattr setattr)))
        (roletype object_r log_file)
        (context log_file_context (u object_r log_file low_low))

        ; Process labeling
        (type process)
        (typeattributeset domain (process))
        (call app_domain (process))
        (call net_domain (process))
    )

    ; This is a policy block that will inherit the abstract block above:
    (block netclient_app
        ; Add common policy rules to namespace:
        (blockinherit client_server)
        ; Label the log files
        (filecon "/data/data/com.se4android.netclient/.*" file log_file_context)
    )

    ; This is another policy block that will inherit the abstract block above:
    (block netserver_app
        ; Add common policy rules to namespace:
        (blockinherit client_server)

        ; Label the log files
        (filecon "/data/data/com.se4android.netserver/.*" file log_file_context)
    )

    ; This is an example of how blockinherits resolve inherits before copying
    (block a
        (type one))

    (block b
        ; Notice that block a is declared here as well
        (block a
            (type two)))

    ; This will first copy the contents of block b, which results in type b.a.two being copied.
    ; Next, the contents of block a will be copied which will result in type a.one.
    (block ab
        (blockinherit b)
        (blockinherit a))
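To make the resolution order concrete, here is an added example in Python (not code from the CIL reference or the SELinux project) that parses the blocks above, expands each `blockinherit` from its already-expanded template, and lists the fully qualified types each namespace ends up with. The functions `parse`, `expand`, `qualify` and `resolve_types` and the `SAMPLE` policy are this example's own constructions, and only `block`, `blockabstract`, `blockinherit` and `type` are modelled.

```python
# Added example (not from the CIL reference): a toy resolver for the block,
# blockabstract and blockinherit statements. Templates are expanded before
# their body is copied, so a copied body never carries a blockinherit itself.
# Constructed sample: the template and the resolution-order example above.
SAMPLE = """
(block client_server (blockabstract client_server)
    (type log_file) (type process))
(block netclient_app (blockinherit client_server))
(block a (type one))
(block b (block a (type two)))
(block ab (blockinherit b) (blockinherit a))
"""

def parse(text):
    """Parse CIL S-expressions (';' starts a comment) into nested lists."""
    code = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    stack = [[]]
    for tok in code.replace("(", " ( ").replace(")", " ) ").split():
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok)
    return stack[0]

def expand(body, blocks):
    """Replace each blockinherit with the already expanded template body."""
    out = []
    for stmt in body:
        if stmt[0] == "blockinherit":
            out.extend(expand(blocks[stmt[1]], blocks))
        elif stmt[0] != "blockabstract":
            out.append(stmt)
    return out

def qualify(body, prefix, found):
    """Collect fully qualified type names, descending into nested blocks."""
    for stmt in body:
        if stmt[0] == "type":
            found.append(prefix + stmt[1])
        elif stmt[0] == "block":
            qualify(stmt[2:], prefix + stmt[1] + ".", found)

def resolve_types(text):
    """Map each non-abstract top-level block to the types it ends up with."""
    blocks = {s[1]: s[2:] for s in parse(text) if s[0] == "block"}
    result = {}
    for name, body in blocks.items():
        if any(s[0] == "blockabstract" for s in body):
            continue  # a template generates no policy until instantiated
        result[name] = []
        qualify(expand(body, blocks), name + ".", result[name])
    return result
```

Running `resolve_types(SAMPLE)` yields `ab.a.two` and `ab.one` for block `ab`, matching the comments in the reference example, and no entry at all for the abstract `client_server` template.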

optional
--------

Declares an [`optional`](cil_container_statements.md#optional) namespace. Every CIL statement in the optional block must be resolvable before the block is instantiated in the binary policy; if any statement cannot be resolved, the block is not instantiated. [`tunableif`](cil_conditional_statements.md#tunableif) and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in optional containers. The same restrictions apply to CIL policy statements within [`optional`](cil_container_statements.md#optional) blocks as apply to kernel policy statements, i.e. only the policy statements shown in the following table are valid:

|                     |                |                    |                    |
| ------------------- | -------------- | ------------------ | ------------------ |
| [`allow`](cil_access_vector_rules.md#allow)             | [`allowx`](cil_access_vector_rules.md#allowx)       | [`auditallow`](cil_access_vector_rules.md#auditallow)       | [`auditallowx`](cil_access_vector_rules.md#auditallowx)      |
| [`booleanif`](cil_conditional_statements.md#booleanif)         | [`dontaudit`](cil_access_vector_rules.md#dontaudit)    | [`dontauditx`](cil_access_vector_rules.md#dontauditx)       | [`typepermissive`](cil_type_statements.md#typepermissive)   |
| [`rangetransition`](cil_mls_labeling_statements.md#rangetransition)   | [`role`](cil_role_statements.md#role)         | [`roleallow`](cil_role_statements.md#roleallow)        | [`roleattribute`](cil_role_statements.md#roleattribute)    |
| [`roletransition`](cil_role_statements.md#roletransition)    | [`type`](cil_type_statements.md#type)         | [`typealias`](cil_type_statements.md#typealias)        | [`typeattribute`](cil_type_statements.md#typeattribute)    |
| [`typechange`](cil_type_statements.md#typechange)        | [`typemember`](cil_type_statements.md#typemember)   | [`typetransition`](cil_type_statements.md#typetransition)   |                    |

**Statement definition:**

    (optional optional_id
        cil_statement
        ...
    )

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>optional</code></p></td>
<td align="left"><p>The <code>optional</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>optional_id</code></p></td>
<td align="left"><p>The <code>optional</code> namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will instantiate the optional block `ext_gateway.move_file` into the policy, provided that all CIL statements in the optional block can be resolved:

    (block ext_gateway
        ......
        (optional move_file
            (typetransition process msg_filter.move_file.in_queue file msg_filter.move_file.in_file)
            (allow process msg_filter.move_file.in_queue (dir (read getattr write search add_name)))
            (allow process msg_filter.move_file.in_file (file (write create getattr)))
            (allow msg_filter.move_file.in_file unconfined.object (filesystem (associate)))
            (typetransition msg_filter.int_gateway.process msg_filter.move_file.out_queue file
                msg_filter.move_file.out_file)
            (allow msg_filter.int_gateway.process msg_filter.move_file.out_queue (dir (read write search)))
            (allow msg_filter.int_gateway.process msg_filter.move_file.out_file (file (read getattr unlink)))
        ) ; End optional block

        .....
    ) ; End block

in
--

Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements.

**Statement definition:**

    (in container_id
        cil_statement
        ...
    )

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>in</code></p></td>
<td align="left"><p>The <code>in</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>container_id</code></p></td>
<td align="left"><p>A valid <code>block</code>, <code>optional</code> or <code>macro</code> namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>

**Example:**

This will add rules to the container named `system_server`:

    (in system_server
        (dontaudit process secmark_demo.dns_packet (packet (send recv)))
        (allow process secmark_demo.dns_packet (packet (send recv)))
    )

292
293    (in system_server
294        (dontaudit process secmark_demo.dns_packet (packet (send recv)))
295        (allow process secmark_demo.dns_packet (packet (send recv)))
296    )
297