authorJohn Turner <jturner.usa@gmail.com>2025-08-16 14:43:06 -0400
committerJohn Turner <jturner.usa@gmail.com>2025-08-16 14:43:06 -0400
commit58ffeaf9b49e662e49d24a2d71dcdc9fac2949f8 (patch)
tree84c645e32aac8eb468f41df33fbac7b0a8584887 /src/misc
parentcfd55472db08f37b2123c350ce76fb3d916d25f6 (diff)
downloadselinux-policy-58ffeaf9b49e662e49d24a2d71dcdc9fac2949f8.tar.gz
auto format all files
Diffstat (limited to 'src/misc')
-rw-r--r--src/misc/av.cil20
-rw-r--r--src/misc/av/binderav.cil18
-rw-r--r--src/misc/av/bpfav.cil18
-rw-r--r--src/misc/av/capabilityav.cil18
-rw-r--r--src/misc/av/fdav.cil68
-rw-r--r--src/misc/av/iouringav.cil18
-rw-r--r--src/misc/av/ipcav.cil66
-rw-r--r--src/misc/av/kernelserviceav.cil20
-rw-r--r--src/misc/av/keyav.cil36
-rw-r--r--src/misc/av/memprotectav.cil14
-rw-r--r--src/misc/av/msgav.cil18
-rw-r--r--src/misc/av/perfeventav.cil18
-rw-r--r--src/misc/av/socketav.cil968
-rw-r--r--src/misc/av/systemav.cil52
-rw-r--r--src/misc/av/usernamespaceav.cil2
-rw-r--r--src/misc/conf.cil2
-rw-r--r--src/misc/constrain/ibac.cil98
-rw-r--r--src/misc/constrain/mcs.cil40
-rw-r--r--src/misc/constrain/rbac.cil98
-rw-r--r--src/misc/constrain/rbacsep.cil144
-rw-r--r--src/misc/default.cil2
-rw-r--r--src/misc/isid.cil10
-rw-r--r--src/misc/map.cil6
-rw-r--r--src/misc/mls.cil138
-rw-r--r--src/misc/modular.cil2
-rw-r--r--src/misc/obj.cil16
-rw-r--r--src/misc/perm.cil116
-rw-r--r--src/misc/unconfined.cil8
-rw-r--r--src/misc/xperm/consolexperm.cil16
-rw-r--r--src/misc/xperm/ttyxperm.cil22
-rw-r--r--src/misc/xperm/vtxperm.cil10
31 files changed, 1041 insertions, 1041 deletions
diff --git a/src/misc/av.cil b/src/misc/av.cil
index afc8687..0847331 100644
--- a/src/misc/av.cil
+++ b/src/misc/av.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class blk_file ())
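Review bot: The formatting run has mangled the copyright sign on the SPDX line: the new side reads `M-BM-)` where the old side had `©`. That string is the `cat -v` style rendering of the UTF-8 bytes C2 A9, so the tool chain appears to have passed the file through something that is not UTF-8 safe. The line should go back to `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`, and the same applies to the first hunk of every other file in this diff (binderav.cil, bpfav.cil, capabilityav.cil, fdav.cil, iouringav.cil, ipcav.cil, kernelserviceav.cil, keyav.cil, memprotectav.cil, msgav.cil, perfeventav.cil, socketav.cil). Because the commit is described as format-only, it is worth confirming that `git diff -w` against the parent shows nothing except these header lines. It is also worth checking that the policy compiled from both revisions is identical, so that no allow, constrain or neverallow rule changed along with the indentation.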
@@ -20,11 +20,11 @@
(classorder (unordered lnk_file))
(class process
- (dyntransition execheap execmem execstack fork getattr getcap getpgid
- getrlimit getsched getsession noatsecure ptrace rlimitinh
- setexec setcap setcurrent setfscreate setkeycreate setpgid
- setrlimit setsched setsockcreate share sigchld siginh
- sigkill signal signull sigstop transition))
+ (dyntransition execheap execmem execstack fork getattr getcap getpgid
+ getrlimit getsched getsession noatsecure ptrace rlimitinh
+ setexec setcap setcurrent setfscreate setkeycreate setpgid
+ setrlimit setsched setsockcreate share sigchld siginh
+ sigkill signal signull sigstop transition))
(classorder (unordered process))
(class process2 (nnp_transition nosuid_transition))
@@ -42,7 +42,7 @@
(classcommon sock_file common_file)
(common common_file
- (append audit_access create execmod execute getattr ioctl lock link map
- mounton open quotaon read relabelfrom relabelto rename setattr
- unlink watch watch_mount watch_reads watch_sb watch_with_perm
- write))
+ (append audit_access create execmod execute getattr ioctl lock link map
+ mounton open quotaon read relabelfrom relabelto rename setattr
+ unlink watch watch_mount watch_reads watch_sb watch_with_perm
+ write))
diff --git a/src/misc/av/binderav.cil b/src/misc/av/binderav.cil
index 592d066..23827f1 100644
--- a/src/misc/av/binderav.cil
+++ b/src/misc/av/binderav.cil
@@ -1,14 +1,14 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class binder (call impersonate set_context_mgr transfer))
(classorder (unordered binder))
(macro call_invalid_binders ((type ARG1))
- (allow ARG1 .invalid (binder (call))))
+ (allow ARG1 .invalid (binder (call))))
(macro transfer_invalid_binders ((type ARG1))
- (allow ARG1 .invalid (binder (transfer))))
+ (allow ARG1 .invalid (binder (transfer))))
(in invalid.unconfined
@@ -17,24 +17,24 @@
(in subj
(macro call_all_binders ((type ARG1))
- (allow ARG1 typeattr (binder (call))))
+ (allow ARG1 typeattr (binder (call))))
(macro impersonate_all_binders ((type ARG1))
- (allow ARG1 typeattr (binder (impersonate))))
+ (allow ARG1 typeattr (binder (impersonate))))
(macro transfer_all_binders ((type ARG1))
- (allow ARG1 typeattr (binder (transfer)))))
+ (allow ARG1 typeattr (binder (transfer)))))
(in subj.macro_template
(macro call_subj_binders ((type ARG1))
- (allow ARG1 subj (binder (call))))
+ (allow ARG1 subj (binder (call))))
(macro impersonate_subj_binders ((type ARG1))
- (allow ARG1 subj (binder (impersonate))))
+ (allow ARG1 subj (binder (impersonate))))
(macro transfer_subj_binders ((type ARG1))
- (allow ARG1 subj (binder (transfer)))))
+ (allow ARG1 subj (binder (transfer)))))
(in subj.unconfined
diff --git a/src/misc/av/bpfav.cil b/src/misc/av/bpfav.cil
index 286b656..0dcc5e8 100644
--- a/src/misc/av/bpfav.cil
+++ b/src/misc/av/bpfav.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class bpf (map_create map_read map_write prog_load prog_run))
@@ -11,18 +11,18 @@
(in mcs
(mlsconstrain (bpf (map_read map_write prog_run))
- (or (dom h1 h2)
- (neq t1 constrained.typeattr))))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr))))
(in rbacsep
(constrain (bpf (map_read map_write prog_run))
- (or (or (or (eq r1 r2)
- (and (eq r1 exempt.roleattr)
- (neq t1 constrained.typeattr)))
- (eq t1 exempt.subj.typeattr))
- (and (eq t1 exemptsource.typeattr)
- (eq t2 exempttarget.typeattr)))))
+ (or (or (or (eq r1 r2)
+ (and (eq r1 exempt.roleattr)
+ (neq t1 constrained.typeattr)))
+ (eq t1 exempt.subj.typeattr))
+ (and (eq t1 exemptsource.typeattr)
+ (eq t2 exempttarget.typeattr)))))
(in subj.unconfined
diff --git a/src/misc/av/capabilityav.cil b/src/misc/av/capabilityav.cil
index fa0635a..6b079f5 100644
--- a/src/misc/av/capabilityav.cil
+++ b/src/misc/av/capabilityav.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class cap_userns ())
@@ -19,16 +19,16 @@
(classcommon capability2 common_capability2)
(common common_capability
- (audit_control audit_write chown dac_read_search dac_override fowner
- fsetid ipc_lock ipc_owner kill linux_immutable lease
- mknod net_admin net_bind_service net_broadcast net_raw
- setfcap setgid setpcap setuid sys_admin sys_boot
- sys_chroot sys_module sys_nice sys_pacct sys_ptrace
- sys_rawio sys_resource sys_time sys_tty_config))
+ (audit_control audit_write chown dac_read_search dac_override fowner
+ fsetid ipc_lock ipc_owner kill linux_immutable lease
+ mknod net_admin net_bind_service net_broadcast net_raw
+ setfcap setgid setpcap setuid sys_admin sys_boot
+ sys_chroot sys_module sys_nice sys_pacct sys_ptrace
+ sys_rawio sys_resource sys_time sys_tty_config))
(common common_capability2
- (audit_read block_suspend bpf checkpoint_restore mac_admin mac_override
- perfmon syslog wake_alarm))
+ (audit_read block_suspend bpf checkpoint_restore mac_admin mac_override
+ perfmon syslog wake_alarm))
(in subj.unconfined
diff --git a/src/misc/av/fdav.cil b/src/misc/av/fdav.cil
index 9ded93b..b625ceb 100644
--- a/src/misc/av/fdav.cil
+++ b/src/misc/av/fdav.cil
@@ -1,11 +1,11 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class fd (use))
(classorder (unordered fd))
(macro use_invalid_fds ((type ARG1))
- (allow ARG1 invalid (fd (use))))
+ (allow ARG1 invalid (fd (use))))
(in invalid.unconfined
@@ -14,78 +14,78 @@
(in mcs
(mlsconstrain (fd (use))
- (or (or (dom h1 h2)
- (neq t1 constrained.typeattr))
- (and (eq t1 usefdsource.typeattr)
- (eq t2 usefdtarget.typeattr))))
+ (or (or (dom h1 h2)
+ (neq t1 constrained.typeattr))
+ (and (eq t1 usefdsource.typeattr)
+ (eq t2 usefdtarget.typeattr))))
(block usefdsource
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
(block usefdtarget
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)))
+ (typeattribute typeattr)))
(in rbacsep
(constrain (fd (use))
- (or (or (or (eq r1 r2)
- (and (eq r1 exempt.roleattr)
- (neq t1 constrained.typeattr)))
- (eq t1 exempt.subj.typeattr))
- (and (eq t1 usefdsource.typeattr)
- (eq t2 usefdtarget.typeattr))))
+ (or (or (or (eq r1 r2)
+ (and (eq r1 exempt.roleattr)
+ (neq t1 constrained.typeattr)))
+ (eq t1 exempt.subj.typeattr))
+ (and (eq t1 usefdsource.typeattr)
+ (eq t2 usefdtarget.typeattr))))
(block usefdsource
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
(block usefdtarget
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)))
+ (typeattribute typeattr)))
(in subj
(block interactivefd
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call .mcs.usefdtarget.type (typeattr)))
+ (call .mcs.usefdtarget.type (typeattr)))
(block useinteractivefd
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (allow typeattr interactivefd.typeattr (fd (use)))))
+ (allow typeattr interactivefd.typeattr (fd (use)))))
(in subj.all_macro_template
(macro use_all_fds ((type ARG1))
- (allow ARG1 typeattr (fd (use)))))
+ (allow ARG1 typeattr (fd (use)))))
(in subj.macro_template
(macro use_subj_fds ((type ARG1))
- (allow ARG1 subj (fd (use)))))
+ (allow ARG1 subj (fd (use)))))
(in subj.unconfined
diff --git a/src/misc/av/iouringav.cil b/src/misc/av/iouringav.cil
index 2e1c3aa..9476784 100644
--- a/src/misc/av/iouringav.cil
+++ b/src/misc/av/iouringav.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class io_uring (cmd override_creds sqpoll))
@@ -35,8 +35,8 @@
(in mcs
(mlsconstrain (io_uring (override_creds))
- (or (dom h1 h2)
- (neq t1 constrained.typeattr))))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr))))
(in nodedev.unconfined
@@ -57,12 +57,12 @@
(in rbacsep
(constrain (io_uring (override_creds))
- (or (or (or (eq r1 r2)
- (and (eq r1 exempt.roleattr)
- (neq t1 constrained.typeattr)))
- (eq t1 exempt.subj.typeattr))
- (and (eq t1 exemptsource.typeattr)
- (eq t2 exempttarget.typeattr)))))
+ (or (or (or (eq r1 r2)
+ (and (eq r1 exempt.roleattr)
+ (neq t1 constrained.typeattr)))
+ (eq t1 exempt.subj.typeattr))
+ (and (eq t1 exemptsource.typeattr)
+ (eq t2 exempttarget.typeattr)))))
(in securityfile.unconfined
diff --git a/src/misc/av/ipcav.cil b/src/misc/av/ipcav.cil
index 938daa9..a0041ac 100644
--- a/src/misc/av/ipcav.cil
+++ b/src/misc/av/ipcav.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class ipc ())
@@ -19,8 +19,8 @@
(classcommon shm common_ipc)
(common common_ipc
- (associate create destroy getattr read setattr unix_read unix_write
- write))
+ (associate create destroy getattr read setattr unix_read unix_write
+ write))
(classpermission create_ipc)
(classpermission create_msgq)
@@ -38,17 +38,17 @@
(classpermission readwrite_shm)
(classpermissionset create_ipc
- (ipc (associate create destroy getattr read setattr
- unix_read unix_write write)))
+ (ipc (associate create destroy getattr read setattr
+ unix_read unix_write write)))
(classpermissionset create_msgq
- (msgq (associate create destroy enqueue getattr read setattr
- unix_read unix_write write)))
+ (msgq (associate create destroy enqueue getattr read setattr
+ unix_read unix_write write)))
(classpermissionset create_sem
- (sem (associate create destroy getattr read setattr
- unix_read unix_write write)))
+ (sem (associate create destroy getattr read setattr
+ unix_read unix_write write)))
(classpermissionset create_shm
- (shm (associate create destroy getattr read setattr
- unix_read unix_write write)))
+ (shm (associate create destroy getattr read setattr
+ unix_read unix_write write)))
(classpermissionset read_ipc (ipc (associate getattr read unix_read)))
(classpermissionset read_msgq (msgq (associate getattr read unix_read)))
@@ -56,14 +56,14 @@
(classpermissionset read_shm (shm (associate getattr read unix_read)))
(classpermissionset readwrite_ipc
- (ipc (associate getattr read unix_read unix_write write)))
+ (ipc (associate getattr read unix_read unix_write write)))
(classpermissionset readwrite_msgq
- (msgq (associate enqueue getattr read unix_read unix_write
- write)))
+ (msgq (associate enqueue getattr read unix_read unix_write
+ write)))
(classpermissionset readwrite_sem
- (sem (associate getattr read unix_read unix_write write)))
+ (sem (associate getattr read unix_read unix_write write)))
(classpermissionset readwrite_shm
- (shm (associate getattr read unix_read unix_write write)))
+ (shm (associate getattr read unix_read unix_write write)))
(classmap constrainipcsubject (create getattr read setattr write))
@@ -95,10 +95,10 @@
(in ibac
(constrain (constrainipcsubject (create))
- (or (or (or (eq u1 u2)
- (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id)))
- (eq t1 subjchange.typeattr))
- (eq t1 exempt.typeattr))))
+ (or (or (or (eq u1 u2)
+ (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id)))
+ (eq t1 subjchange.typeattr))
+ (eq t1 exempt.typeattr))))
(in invalid.unconfined
@@ -110,27 +110,27 @@
(in mcs
(mlsconstrain (constrainipcsubject (create getattr read setattr write))
- (or (dom h1 h2)
- (neq t1 constrained.typeattr))))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr))))
(in rbac
(constrain (constrainipcsubject (create))
- (or (or (or (eq r1 r2)
- (and (eq t1 subjchangesys.typeattr)
- (eq r2 .sys.role)))
- (eq t1 subjchange.typeattr))
- (eq t1 exempt.typeattr))))
+ (or (or (or (eq r1 r2)
+ (and (eq t1 subjchangesys.typeattr)
+ (eq r2 .sys.role)))
+ (eq t1 subjchange.typeattr))
+ (eq t1 exempt.typeattr))))
(in rbacsep
(constrain (constrainipcsubject (getattr read setattr write))
- (or (or (or (eq r1 r2)
- (and (eq r1 exempt.roleattr)
- (neq t1 constrained.typeattr)))
- (eq t1 exempt.subj.typeattr))
- (and (eq t1 exemptsource.typeattr)
- (eq t2 exempttarget.typeattr)))))
+ (or (or (or (eq r1 r2)
+ (and (eq r1 exempt.roleattr)
+ (neq t1 constrained.typeattr)))
+ (eq t1 exempt.subj.typeattr))
+ (and (eq t1 exemptsource.typeattr)
+ (eq t2 exempttarget.typeattr)))))
(in subj.unconfined
diff --git a/src/misc/av/kernelserviceav.cil b/src/misc/av/kernelserviceav.cil
index 7ab098a..e99cb67 100644
--- a/src/misc/av/kernelserviceav.cil
+++ b/src/misc/av/kernelserviceav.cil
@@ -1,17 +1,17 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class kernel_service (create_files_as use_as_override))
(classorder (unordered kernel_service))
(macro createfilesas_invalid_kernel_services ((type ARG1))
- (allow ARG1 invalid (kernel_service (create_files_as))))
+ (allow ARG1 invalid (kernel_service (create_files_as))))
(macro createfilesas_unlabeled_kernel_services ((type ARG1))
- (allow ARG1 unlabeled (kernel_service (create_files_as))))
+ (allow ARG1 unlabeled (kernel_service (create_files_as))))
(macro useasoverride_invalid_kernel_services ((type ARG1))
- (allow ARG1 invalid (kernel_service (use_as_override))))
+ (allow ARG1 invalid (kernel_service (use_as_override))))
(in file
@@ -19,17 +19,17 @@
(block all_macro_template_kernel_services
- (blockabstract all_macro_template_kernel_services)
+ (blockabstract all_macro_template_kernel_services)
- (macro createfileas_all_kernel_services ((type ARG1))
- (allow ARG1 typeattr (kernel_service (create_files_as)))))
+ (macro createfileas_all_kernel_services ((type ARG1))
+ (allow ARG1 typeattr (kernel_service (create_files_as)))))
(block macro_template_kernel_services
- (blockabstract macro_template_kernel_services)
+ (blockabstract macro_template_kernel_services)
- (macro createfileas_file_kernel_services ((type ARG1))
- (allow ARG1 file (kernel_service (create_files_as))))))
+ (macro createfileas_file_kernel_services ((type ARG1))
+ (allow ARG1 file (kernel_service (create_files_as))))))
(in file.unconfined
diff --git a/src/misc/av/keyav.cil b/src/misc/av/keyav.cil
index 508ea64..3a5ebaf 100644
--- a/src/misc/av/keyav.cil
+++ b/src/misc/av/keyav.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class key (create link read search setattr view write))
@@ -7,10 +7,10 @@
(in ibac
(constrain (key (create))
- (or (or (or (eq u1 u2)
- (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id)))
- (eq t1 subjchange.typeattr))
- (eq t1 exempt.typeattr))))
+ (or (or (or (eq u1 u2)
+ (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id)))
+ (eq t1 subjchange.typeattr))
+ (eq t1 exempt.typeattr))))
(in invalid.unconfined
@@ -19,27 +19,27 @@
(in mcs
(mlsconstrain (key (create read setattr view write))
- (or (dom h1 h2)
- (neq t1 constrained.typeattr))))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr))))
(in rbac
(constrain (key (create))
- (or (or (or (eq r1 r2)
- (and (eq t1 subjchangesys.typeattr)
- (eq r2 .sys.role)))
- (eq t1 subjchange.typeattr))
- (eq t1 exempt.typeattr))))
+ (or (or (or (eq r1 r2)
+ (and (eq t1 subjchangesys.typeattr)
+ (eq r2 .sys.role)))
+ (eq t1 subjchange.typeattr))
+ (eq t1 exempt.typeattr))))
(in rbacsep
(constrain (key (read setattr view write))
- (or (or (or (eq r1 r2)
- (and (eq r1 exempt.roleattr)
- (neq t1 constrained.typeattr)))
- (eq t1 exempt.subj.typeattr))
- (and (eq t1 exemptsource.typeattr)
- (eq t2 exempttarget.typeattr)))))
+ (or (or (or (eq r1 r2)
+ (and (eq r1 exempt.roleattr)
+ (neq t1 constrained.typeattr)))
+ (eq t1 exempt.subj.typeattr))
+ (and (eq t1 exemptsource.typeattr)
+ (eq t2 exempttarget.typeattr)))))
(in subj.unconfined
diff --git a/src/misc/av/memprotectav.cil b/src/misc/av/memprotectav.cil
index b43db24..1e89e53 100644
--- a/src/misc/av/memprotectav.cil
+++ b/src/misc/av/memprotectav.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class memprotect (mmap_zero))
@@ -8,15 +8,15 @@
(block mmapzero
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute not_typeattr)
- (typeattribute typeattr)
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
- (typeattributeset not_typeattr (not typeattr))
+ (typeattributeset not_typeattr (not typeattr))
- (neverallow not_typeattr self (memprotect (mmap_zero)))))
+ (neverallow not_typeattr self (memprotect (mmap_zero)))))
(in subj.unconfined
diff --git a/src/misc/av/msgav.cil b/src/misc/av/msgav.cil
index 44cd39f..7a16449 100644
--- a/src/misc/av/msgav.cil
+++ b/src/misc/av/msgav.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class msg (receive send))
@@ -13,18 +13,18 @@
(in mcs
(mlsconstrain (msg (send))
- (or (dom h1 h2)
- (neq t1 constrained.typeattr))))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr))))
(in rbacsep
(constrain (msg (send))
- (or (or (or (eq r1 r2)
- (and (eq r1 exempt.roleattr)
- (neq t1 constrained.typeattr)))
- (eq t1 exempt.subj.typeattr))
- (and (eq t1 exemptsource.typeattr)
- (eq t2 exempttarget.typeattr)))))
+ (or (or (or (eq r1 r2)
+ (and (eq r1 exempt.roleattr)
+ (neq t1 constrained.typeattr)))
+ (eq t1 exempt.subj.typeattr))
+ (and (eq t1 exemptsource.typeattr)
+ (eq t2 exempttarget.typeattr)))))
(in subj.unconfined
diff --git a/src/misc/av/perfeventav.cil b/src/misc/av/perfeventav.cil
index 5b685bc..9547108 100644
--- a/src/misc/av/perfeventav.cil
+++ b/src/misc/av/perfeventav.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class perf_event (cpu kernel open read tracepoint write))
@@ -11,18 +11,18 @@
(in mcs
(mlsconstrain (perf_event (read write))
- (or (dom h1 h2)
- (neq t1 constrained.typeattr))))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr))))
(in rbacsep
(constrain (perf_event (read write))
- (or (or (or (eq r1 r2)
- (and (eq r1 exempt.roleattr)
- (neq t1 constrained.typeattr)))
- (eq t1 exempt.subj.typeattr))
- (and (eq t1 exemptsource.typeattr)
- (eq t2 exempttarget.typeattr)))))
+ (or (or (or (eq r1 r2)
+ (and (eq r1 exempt.roleattr)
+ (neq t1 constrained.typeattr)))
+ (eq t1 exempt.subj.typeattr))
+ (and (eq t1 exemptsource.typeattr)
+ (eq t2 exempttarget.typeattr)))))
(in subj.unconfined
diff --git a/src/misc/av/socketav.cil b/src/misc/av/socketav.cil
index 42f70ff..88b2b2f 100644
--- a/src/misc/av/socketav.cil
+++ b/src/misc/av/socketav.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class alg_socket ())
@@ -62,7 +62,7 @@
(classorder (unordered mctp_socket))
(class netlink_audit_socket
- (nlmsg_read nlmsg_readpriv nlmsg_relay nlmsg_tty_audit nlmsg_write))
+ (nlmsg_read nlmsg_readpriv nlmsg_relay nlmsg_tty_audit nlmsg_write))
(classorder (unordered netlink_audit_socket))
(class netlink_connector_socket ())
@@ -240,9 +240,9 @@
(classcommon xdp_socket common_socket)
(common common_socket
- (accept append bind connect create getattr getopt ioctl listen lock map
- name_bind read recvfrom relabelfrom relabelto sendto setattr
- setopt shutdown write))
+ (accept append bind connect create getattr getopt ioctl listen lock map
+ name_bind read recvfrom relabelfrom relabelto sendto setattr
+ setopt shutdown write))
(classpermission create_alg_socket)
(classpermission create_alg_stream_socket)
@@ -333,325 +333,325 @@
(classpermission write_vsock_socket)
(classpermissionset create_alg_socket
- (alg_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (alg_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset create_alg_stream_socket
- (alg_socket (accept append bind connect create getattr
- getopt ioctl listen read setattr setopt
- shutdown write)))
+ (alg_socket (accept append bind connect create getattr
+ getopt ioctl listen read setattr setopt
+ shutdown write)))
(classpermissionset create_appletalk_socket
- (appletalk_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (appletalk_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_atmpvc_socket
- (atmpvc_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (atmpvc_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_atmsvc_socket
- (atmsvc_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (atmsvc_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_ax25_socket
- (ax25_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (ax25_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_bluetooth_socket
- (bluetooth_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (bluetooth_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_bluetooth_stream_socket
- (bluetooth_socket (accept append bind connect create getattr
- getopt ioctl listen read setattr
- setopt shutdown write)))
+ (bluetooth_socket (accept append bind connect create getattr
+ getopt ioctl listen read setattr
+ setopt shutdown write)))
(classpermissionset create_caif_socket
- (caif_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (caif_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_can_socket
- (can_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (can_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset create_dccp_socket
- (dccp_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (dccp_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_dccp_stream_socket
- (dccp_socket (accept append bind connect create getattr
- getopt ioctl listen read setattr setopt
- shutdown write)))
+ (dccp_socket (accept append bind connect create getattr
+ getopt ioctl listen read setattr setopt
+ shutdown write)))
(classpermissionset create_decnet_socket
- (decnet_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (decnet_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_icmp_socket
- (icmp_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (icmp_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_ieee802154_socket
- (ieee802154_socket (append bind connect create getattr
- getopt ioctl read setattr setopt
- shutdown write)))
+ (ieee802154_socket (append bind connect create getattr
+ getopt ioctl read setattr setopt
+ shutdown write)))
(classpermissionset create_ipx_socket
- (ipx_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (ipx_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset create_irda_socket
- (irda_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (irda_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_isdn_socket
- (isdn_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (isdn_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_iucv_socket
- (iucv_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (iucv_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_kcm_socket
- (kcm_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (kcm_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset create_key_socket
- (key_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (key_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset create_llc_socket
- (llc_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (llc_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset create_mctp_socket
- (mctp_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (mctp_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_netlink_audit_socket
- (netlink_audit_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_audit_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
(classpermissionset create_netlink_connector_socket
- (netlink_connector_socket (append bind connect create
- getattr getopt ioctl read
- setattr setopt shutdown
- write)))
+ (netlink_connector_socket (append bind connect create
+ getattr getopt ioctl read
+ setattr setopt shutdown
+ write)))
(classpermissionset create_netlink_crypto_socket
- (netlink_crypto_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_crypto_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
(classpermissionset create_netlink_dnrt_socket
- (netlink_dnrt_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_dnrt_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
(classpermissionset create_netlink_fib_lookup_socket
- (netlink_fib_lookup_socket (append bind connect create
- getattr getopt ioctl
- read setattr setopt
- shutdown write)))
+ (netlink_fib_lookup_socket (append bind connect create
+ getattr getopt ioctl
+ read setattr setopt
+ shutdown write)))
(classpermissionset create_netlink_generic_socket
- (netlink_generic_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_generic_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
(classpermissionset create_netlink_iscsi_socket
- (netlink_iscsi_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_iscsi_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
(classpermissionset create_netlink_kobject_uevent_socket
- (netlink_kobject_uevent_socket (append bind connect create
- getattr getopt ioctl
- read setattr setopt
- shutdown write)))
+ (netlink_kobject_uevent_socket (append bind connect create
+ getattr getopt ioctl
+ read setattr setopt
+ shutdown write)))
(classpermissionset create_netlink_netfilter_socket
- (netlink_netfilter_socket (append bind connect create
- getattr getopt ioctl read
- setattr setopt shutdown
- write)))
+ (netlink_netfilter_socket (append bind connect create
+ getattr getopt ioctl read
+ setattr setopt shutdown
+ write)))
(classpermissionset create_netlink_nflog_socket
- (netlink_nflog_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_nflog_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
(classpermissionset create_netlink_rdma_socket
- (netlink_rdma_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_rdma_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
(classpermissionset create_netlink_route_socket
- (netlink_route_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_route_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
(classpermissionset create_netlink_scsitransport_socket
- (netlink_scsitransport_socket (append bind connect create
- getattr getopt ioctl
- read setattr setopt
- shutdown write)))
+ (netlink_scsitransport_socket (append bind connect create
+ getattr getopt ioctl
+ read setattr setopt
+ shutdown write)))
(classpermissionset create_netlink_selinux_socket
- (netlink_selinux_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_selinux_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
(classpermissionset create_netlink_socket
- (netlink_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (netlink_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_netlink_tcpdiag_socket
- (netlink_tcpdiag_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_tcpdiag_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
(classpermissionset create_netlink_xfrm_socket
- (netlink_xfrm_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_xfrm_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
(classpermissionset create_netrom_socket
- (netrom_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (netrom_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_nfc_socket
- (nfc_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (nfc_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset create_packet_socket
- (packet_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (packet_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_phonet_socket
- (phonet_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (phonet_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_pppox_socket
- (pppox_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (pppox_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_qipcrtr_socket
- (qipcrtr_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (qipcrtr_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_rawip_socket
- (rawip_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (rawip_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_rds_socket
- (rds_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (rds_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset create_rose_socket
- (rose_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (rose_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_rxrpc_socket
- (rxrpc_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (rxrpc_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_sctp_socket
- (sctp_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (sctp_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_sctp_stream_socket
- (sctp_socket (accept append bind connect create getattr
- getopt ioctl listen read setattr setopt
- shutdown write)))
+ (sctp_socket (accept append bind connect create getattr
+ getopt ioctl listen read setattr setopt
+ shutdown write)))
(classpermissionset create_smc_socket
- (smc_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (smc_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset create_socket
- (socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset create_tcp_socket
- (tcp_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (tcp_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset create_tcp_stream_socket
- (tcp_socket (accept append bind connect create getattr
- getopt ioctl listen read setattr setopt
- shutdown write)))
+ (tcp_socket (accept append bind connect create getattr
+ getopt ioctl listen read setattr setopt
+ shutdown write)))
(classpermissionset create_tipc_socket
- (tipc_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (tipc_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_tun_socket
- (tun_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (tun_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset create_udp_socket
- (udp_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (udp_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset create_unix_dgram_socket
- (unix_dgram_socket (append bind connect create getattr
- getopt ioctl read setattr setopt
- shutdown write)))
+ (unix_dgram_socket (append bind connect create getattr
+ getopt ioctl read setattr setopt
+ shutdown write)))
(classpermissionset create_unix_stream_socket
- (unix_stream_socket (append bind connect create getattr
- getopt ioctl read setattr setopt
- shutdown write)))
+ (unix_stream_socket (append bind connect create getattr
+ getopt ioctl read setattr setopt
+ shutdown write)))
(classpermissionset create_unix_stream_stream_socket
- (unix_stream_socket (accept append bind connect create
- getattr getopt ioctl listen read
- setattr setopt shutdown write)))
+ (unix_stream_socket (accept append bind connect create
+ getattr getopt ioctl listen read
+ setattr setopt shutdown write)))
(classpermissionset create_vsock_socket
- (vsock_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (vsock_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
(classpermissionset create_vsock_stream_socket
- (vsock_socket (accept append bind connect create getattr
- getopt ioctl listen read setattr
- setopt shutdown write)))
+ (vsock_socket (accept append bind connect create getattr
+ getopt ioctl listen read setattr
+ setopt shutdown write)))
(classpermissionset create_x25_socket
- (x25_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (x25_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset create_xdp_socket
- (xdp_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (xdp_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
(classpermissionset readwrite_alg_socket
- (alg_socket (append bind connect getattr getopt ioctl read
- setopt shutdown write)))
+ (alg_socket (append bind connect getattr getopt ioctl read
+ setopt shutdown write)))
(classpermissionset readwrite_bluetooth_socket
- (bluetooth_socket (append bind connect getattr getopt ioctl
- read setopt shutdown write)))
+ (bluetooth_socket (append bind connect getattr getopt ioctl
+ read setopt shutdown write)))
(classpermissionset readwrite_dccp_socket
- (dccp_socket (append bind connect getattr getopt ioctl read
- setopt shutdown write)))
+ (dccp_socket (append bind connect getattr getopt ioctl read
+ setopt shutdown write)))
(classpermissionset readwrite_netlink_audit_socket
- (netlink_audit_socket (append bind connect getattr getopt
- ioctl read setopt shutdown
- write)))
+ (netlink_audit_socket (append bind connect getattr getopt
+ ioctl read setopt shutdown
+ write)))
(classpermissionset readwrite_sctp_socket
- (sctp_socket (append bind connect getattr getopt ioctl read
- setopt shutdown write)))
+ (sctp_socket (append bind connect getattr getopt ioctl read
+ setopt shutdown write)))
(classpermissionset readwrite_tcp_socket
- (tcp_socket (append bind connect getattr getopt ioctl read
- setopt shutdown write)))
+ (tcp_socket (append bind connect getattr getopt ioctl read
+ setopt shutdown write)))
(classpermissionset readwrite_tun_socket
- (tun_socket (append bind connect getattr getopt ioctl read
- setopt shutdown write)))
+ (tun_socket (append bind connect getattr getopt ioctl read
+ setopt shutdown write)))
(classpermissionset readwrite_unix_dgram_socket
- (unix_dgram_socket (append bind connect getattr getopt ioctl
- read setopt shutdown write)))
+ (unix_dgram_socket (append bind connect getattr getopt ioctl
+ read setopt shutdown write)))
(classpermissionset readwrite_unix_stream_socket
- (unix_stream_socket (append bind connect getattr getopt
- ioctl read setopt shutdown
- write)))
+ (unix_stream_socket (append bind connect getattr getopt
+ ioctl read setopt shutdown
+ write)))
(classpermissionset readwrite_vsock_socket
- (vsock_socket (append bind connect getattr getopt ioctl
- read setopt shutdown write)))
+ (vsock_socket (append bind connect getattr getopt ioctl
+ read setopt shutdown write)))
(classpermissionset write_alg_socket
- (alg_socket (append bind connect getattr getopt ioctl setopt
- shutdown write)))
+ (alg_socket (append bind connect getattr getopt ioctl setopt
+ shutdown write)))
(classpermissionset write_bluetooth_socket
- (bluetooth_socket (append bind connect getattr getopt ioctl
- setopt shutdown write)))
+ (bluetooth_socket (append bind connect getattr getopt ioctl
+ setopt shutdown write)))
(classpermissionset write_dccp_socket
- (dccp_socket (append bind connect getattr getopt ioctl
- setopt shutdown write)))
+ (dccp_socket (append bind connect getattr getopt ioctl
+ setopt shutdown write)))
(classpermissionset write_sctp_socket
- (sctp_socket (append bind connect getattr getopt ioctl
- setopt shutdown write)))
+ (sctp_socket (append bind connect getattr getopt ioctl
+ setopt shutdown write)))
(classpermissionset write_tcp_socket
- (tcp_socket (append bind connect getattr getopt ioctl setopt
- shutdown write)))
+ (tcp_socket (append bind connect getattr getopt ioctl setopt
+ shutdown write)))
(classpermissionset write_tun_socket
- (tun_socket (append bind connect getattr getopt ioctl setopt
- shutdown write)))
+ (tun_socket (append bind connect getattr getopt ioctl setopt
+ shutdown write)))
(classpermissionset write_unix_dgram_socket
- (unix_dgram_socket (append bind connect getattr getopt ioctl
- setopt shutdown write)))
+ (unix_dgram_socket (append bind connect getattr getopt ioctl
+ setopt shutdown write)))
(classpermissionset write_unix_stream_socket
- (unix_stream_socket (append bind connect getattr getopt
- ioctl setopt shutdown write)))
+ (unix_stream_socket (append bind connect getattr getopt
+ ioctl setopt shutdown write)))
(classpermissionset write_vsock_socket
- (vsock_socket (append bind connect getattr getopt ioctl
- setopt shutdown write)))
+ (vsock_socket (append bind connect getattr getopt ioctl
+ setopt shutdown write)))
(classmap constrainsocketobject (nameconnect nodebind))
(classmap constrainsocketsubject
- (append association attachqueue connectto create getattr read
- relabelto sendto setattr write))
+ (append association attachqueue connectto create getattr read
+ relabelto sendto setattr write))
(classmap sockets (common getattr))
@@ -691,17 +691,17 @@
(classmapping constrainsocketsubject append (netlink_crypto_socket (append)))
(classmapping constrainsocketsubject append (netlink_dnrt_socket (append)))
(classmapping constrainsocketsubject append
- (netlink_fib_lookup_socket (append)))
+ (netlink_fib_lookup_socket (append)))
(classmapping constrainsocketsubject append (netlink_generic_socket (append)))
(classmapping constrainsocketsubject append (netlink_iscsi_socket (append)))
(classmapping constrainsocketsubject append
- (netlink_kobject_uevent_socket (append)))
+ (netlink_kobject_uevent_socket (append)))
(classmapping constrainsocketsubject append (netlink_netfilter_socket (append)))
(classmapping constrainsocketsubject append (netlink_nflog_socket (append)))
(classmapping constrainsocketsubject append (netlink_rdma_socket (append)))
(classmapping constrainsocketsubject append (netlink_route_socket (append)))
(classmapping constrainsocketsubject append
- (netlink_scsitransport_socket (append)))
+ (netlink_scsitransport_socket (append)))
(classmapping constrainsocketsubject append (netlink_selinux_socket (append)))
(classmapping constrainsocketsubject append (netlink_socket (append)))
(classmapping constrainsocketsubject append (netlink_tcpdiag_socket (append)))
@@ -730,13 +730,13 @@
(classmapping constrainsocketsubject append (xdp_socket (append)))
(classmapping constrainsocketsubject
- association (sctp_socket (association)))
+ association (sctp_socket (association)))
(classmapping constrainsocketsubject
- attachqueue (tun_socket (attach_queue)))
+ attachqueue (tun_socket (attach_queue)))
(classmapping constrainsocketsubject
- connectto (unix_stream_socket (connectto)))
+ connectto (unix_stream_socket (connectto)))
(classmapping constrainsocketsubject create (alg_socket (create)))
(classmapping constrainsocketsubject create (appletalk_socket (create)))
@@ -763,17 +763,17 @@
(classmapping constrainsocketsubject create (netlink_crypto_socket (create)))
(classmapping constrainsocketsubject create (netlink_dnrt_socket (create)))
(classmapping constrainsocketsubject create
- (netlink_fib_lookup_socket (create)))
+ (netlink_fib_lookup_socket (create)))
(classmapping constrainsocketsubject create (netlink_generic_socket (create)))
(classmapping constrainsocketsubject create (netlink_iscsi_socket (create)))
(classmapping constrainsocketsubject create
- (netlink_kobject_uevent_socket (create)))
+ (netlink_kobject_uevent_socket (create)))
(classmapping constrainsocketsubject create (netlink_netfilter_socket (create)))
(classmapping constrainsocketsubject create (netlink_nflog_socket (create)))
(classmapping constrainsocketsubject create (netlink_rdma_socket (create)))
(classmapping constrainsocketsubject create (netlink_route_socket (create)))
(classmapping constrainsocketsubject create
- (netlink_scsitransport_socket (create)))
+ (netlink_scsitransport_socket (create)))
(classmapping constrainsocketsubject create (netlink_selinux_socket (create)))
(classmapping constrainsocketsubject create (netlink_socket (create)))
(classmapping constrainsocketsubject create (netlink_tcpdiag_socket (create)))
@@ -823,22 +823,22 @@
(classmapping constrainsocketsubject getattr (mctp_socket (getattr)))
(classmapping constrainsocketsubject getattr (netlink_audit_socket (getattr)))
(classmapping constrainsocketsubject getattr
- (netlink_connector_socket (getattr)))
+ (netlink_connector_socket (getattr)))
(classmapping constrainsocketsubject getattr (netlink_crypto_socket (getattr)))
(classmapping constrainsocketsubject getattr (netlink_dnrt_socket (getattr)))
(classmapping constrainsocketsubject getattr
- (netlink_fib_lookup_socket (getattr)))
+ (netlink_fib_lookup_socket (getattr)))
(classmapping constrainsocketsubject getattr (netlink_generic_socket (getattr)))
(classmapping constrainsocketsubject getattr (netlink_iscsi_socket (getattr)))
(classmapping constrainsocketsubject getattr
- (netlink_kobject_uevent_socket (getattr)))
+ (netlink_kobject_uevent_socket (getattr)))
(classmapping constrainsocketsubject getattr
- (netlink_netfilter_socket (getattr)))
+ (netlink_netfilter_socket (getattr)))
(classmapping constrainsocketsubject getattr (netlink_nflog_socket (getattr)))
(classmapping constrainsocketsubject getattr (netlink_rdma_socket (getattr)))
(classmapping constrainsocketsubject getattr (netlink_route_socket (getattr)))
(classmapping constrainsocketsubject getattr
- (netlink_scsitransport_socket (getattr)))
+ (netlink_scsitransport_socket (getattr)))
(classmapping constrainsocketsubject getattr (netlink_selinux_socket (getattr)))
(classmapping constrainsocketsubject getattr (netlink_socket (getattr)))
(classmapping constrainsocketsubject getattr (netlink_tcpdiag_socket (getattr)))
@@ -895,7 +895,7 @@
(classmapping constrainsocketsubject read (netlink_generic_socket (read)))
(classmapping constrainsocketsubject read (netlink_iscsi_socket (read)))
(classmapping constrainsocketsubject read
- (netlink_kobject_uevent_socket (read)))
+ (netlink_kobject_uevent_socket (read)))
(classmapping constrainsocketsubject read (netlink_netfilter_socket (read)))
(classmapping constrainsocketsubject read (netlink_nflog_socket (read)))
(classmapping constrainsocketsubject read (netlink_rdma_socket (read)))
@@ -949,38 +949,38 @@
(classmapping constrainsocketsubject relabelto (llc_socket (relabelto)))
(classmapping constrainsocketsubject relabelto (mctp_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_audit_socket (relabelto)))
+ (netlink_audit_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_connector_socket (relabelto)))
+ (netlink_connector_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_crypto_socket (relabelto)))
+ (netlink_crypto_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_dnrt_socket (relabelto)))
+ (netlink_dnrt_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_fib_lookup_socket (relabelto)))
+ (netlink_fib_lookup_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_generic_socket (relabelto)))
+ (netlink_generic_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_iscsi_socket (relabelto)))
+ (netlink_iscsi_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_kobject_uevent_socket (relabelto)))
+ (netlink_kobject_uevent_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_netfilter_socket (relabelto)))
+ (netlink_netfilter_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_nflog_socket (relabelto)))
+ (netlink_nflog_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_rdma_socket (relabelto)))
+ (netlink_rdma_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_route_socket (relabelto)))
+ (netlink_route_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_scsitransport_socket (relabelto)))
+ (netlink_scsitransport_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_selinux_socket (relabelto)))
+ (netlink_selinux_socket (relabelto)))
(classmapping constrainsocketsubject relabelto (netlink_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_tcpdiag_socket (relabelto)))
+ (netlink_tcpdiag_socket (relabelto)))
(classmapping constrainsocketsubject relabelto
- (netlink_xfrm_socket (relabelto)))
+ (netlink_xfrm_socket (relabelto)))
(classmapping constrainsocketsubject relabelto (netrom_socket (relabelto)))
(classmapping constrainsocketsubject relabelto (nfc_socket (relabelto)))
(classmapping constrainsocketsubject relabelto (packet_socket (relabelto)))
@@ -1028,22 +1028,22 @@
(classmapping constrainsocketsubject setattr (mctp_socket (setattr)))
(classmapping constrainsocketsubject setattr (netlink_audit_socket (setattr)))
(classmapping constrainsocketsubject setattr
- (netlink_connector_socket (setattr)))
+ (netlink_connector_socket (setattr)))
(classmapping constrainsocketsubject setattr (netlink_crypto_socket (setattr)))
(classmapping constrainsocketsubject setattr (netlink_dnrt_socket (setattr)))
(classmapping constrainsocketsubject setattr
- (netlink_fib_lookup_socket (setattr)))
+ (netlink_fib_lookup_socket (setattr)))
(classmapping constrainsocketsubject setattr (netlink_generic_socket (setattr)))
(classmapping constrainsocketsubject setattr (netlink_iscsi_socket (setattr)))
(classmapping constrainsocketsubject setattr
- (netlink_kobject_uevent_socket (setattr)))
+ (netlink_kobject_uevent_socket (setattr)))
(classmapping constrainsocketsubject setattr
- (netlink_netfilter_socket (setattr)))
+ (netlink_netfilter_socket (setattr)))
(classmapping constrainsocketsubject setattr (netlink_nflog_socket (setattr)))
(classmapping constrainsocketsubject setattr (netlink_rdma_socket (setattr)))
(classmapping constrainsocketsubject setattr (netlink_route_socket (setattr)))
(classmapping constrainsocketsubject setattr
- (netlink_scsitransport_socket (setattr)))
+ (netlink_scsitransport_socket (setattr)))
(classmapping constrainsocketsubject setattr (netlink_selinux_socket (setattr)))
(classmapping constrainsocketsubject setattr (netlink_socket (setattr)))
(classmapping constrainsocketsubject setattr (netlink_tcpdiag_socket (setattr)))
@@ -1099,13 +1099,13 @@
(classmapping constrainsocketsubject write (netlink_generic_socket (write)))
(classmapping constrainsocketsubject write (netlink_iscsi_socket (write)))
(classmapping constrainsocketsubject write
- (netlink_kobject_uevent_socket (write)))
+ (netlink_kobject_uevent_socket (write)))
(classmapping constrainsocketsubject write (netlink_netfilter_socket (write)))
(classmapping constrainsocketsubject write (netlink_nflog_socket (write)))
(classmapping constrainsocketsubject write (netlink_rdma_socket (write)))
(classmapping constrainsocketsubject write (netlink_route_socket (write)))
(classmapping constrainsocketsubject write
- (netlink_scsitransport_socket (write)))
+ (netlink_scsitransport_socket (write)))
(classmapping constrainsocketsubject write (netlink_selinux_socket (write)))
(classmapping constrainsocketsubject write (netlink_socket (write)))
(classmapping constrainsocketsubject write (netlink_tcpdiag_socket (write)))
@@ -1134,207 +1134,207 @@
(classmapping constrainsocketsubject write (xdp_socket (write)))
(classmapping sockets common
- (alg_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (alg_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (appletalk_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (appletalk_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (atmpvc_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (atmpvc_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (atmsvc_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (atmsvc_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (ax25_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (ax25_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (bluetooth_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (bluetooth_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (caif_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (caif_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (can_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (can_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (dccp_socket (not (accept listen map name_connect name_bind
- node_bind relabelfrom relabelto recvfrom
- sendto))))
+ (dccp_socket (not (accept listen map name_connect name_bind
+ node_bind relabelfrom relabelto recvfrom
+ sendto))))
(classmapping sockets common
- (decnet_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (decnet_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (icmp_socket (not (accept listen map name_bind node_bind
- relabelfrom relabelto recvfrom
- sendto))))
+ (icmp_socket (not (accept listen map name_bind node_bind
+ relabelfrom relabelto recvfrom
+ sendto))))
(classmapping sockets common
- (ieee802154_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (ieee802154_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (ipx_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (ipx_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (irda_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (irda_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (isdn_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (isdn_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (iucv_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (iucv_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (kcm_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (kcm_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (key_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (key_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (llc_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (llc_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (mctp_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (mctp_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (netlink_audit_socket (not (accept listen map name_bind nlmsg_read
- nlmsg_readpriv nlmsg_relay
- nlmsg_tty_audit nlmsg_write
- relabelfrom relabelto recvfrom
- sendto))))
+ (netlink_audit_socket (not (accept listen map name_bind nlmsg_read
+ nlmsg_readpriv nlmsg_relay
+ nlmsg_tty_audit nlmsg_write
+ relabelfrom relabelto recvfrom
+ sendto))))
(classmapping sockets common
- (netlink_connector_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_connector_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
(classmapping sockets common
- (netlink_crypto_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_crypto_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
(classmapping sockets common
- (netlink_dnrt_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_dnrt_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
(classmapping sockets common
- (netlink_fib_lookup_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_fib_lookup_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
(classmapping sockets common
- (netlink_generic_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_generic_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
(classmapping sockets common
- (netlink_iscsi_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_iscsi_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
(classmapping sockets common
- (netlink_kobject_uevent_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_kobject_uevent_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
(classmapping sockets common
- (netlink_netfilter_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_netfilter_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
(classmapping sockets common
- (netlink_nflog_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_nflog_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
(classmapping sockets common
- (netlink_rdma_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_rdma_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
(classmapping sockets common
- (netlink_route_socket (not (accept listen map name_bind nlmsg_read
- nlmsg_write relabelfrom
- relabelto recvfrom sendto))))
+ (netlink_route_socket (not (accept listen map name_bind nlmsg_read
+ nlmsg_write relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (netlink_scsitransport_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_scsitransport_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
(classmapping sockets common
- (netlink_selinux_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_selinux_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
(classmapping sockets common
- (netlink_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (netlink_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (netlink_tcpdiag_socket (not (accept listen map name_bind
- nlmsg_read nlmsg_write
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_tcpdiag_socket (not (accept listen map name_bind
+ nlmsg_read nlmsg_write
+ relabelfrom relabelto
+ recvfrom sendto))))
(classmapping sockets common
- (netlink_xfrm_socket (not (accept listen map name_bind nlmsg_read
- nlmsg_write relabelfrom
- relabelto recvfrom sendto))))
+ (netlink_xfrm_socket (not (accept listen map name_bind nlmsg_read
+ nlmsg_write relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (netrom_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (netrom_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (nfc_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (nfc_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (packet_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (packet_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (phonet_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (phonet_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (pppox_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (pppox_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (qipcrtr_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (qipcrtr_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (rawip_socket (not (accept listen map name_bind node_bind
- relabelfrom relabelto recvfrom
- sendto))))
+ (rawip_socket (not (accept listen map name_bind node_bind
+ relabelfrom relabelto recvfrom
+ sendto))))
(classmapping sockets common
- (rds_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (rds_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (rose_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (rose_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (rxrpc_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (rxrpc_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (sctp_socket (not (accept association listen map name_connect
- name_bind node_bind relabelfrom
- relabelto recvfrom sendto))))
+ (sctp_socket (not (accept association listen map name_connect
+ name_bind node_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (smc_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (smc_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (tcp_socket (not (accept listen map name_connect name_bind
- node_bind relabelfrom relabelto recvfrom
- sendto))))
+ (tcp_socket (not (accept listen map name_connect name_bind
+ node_bind relabelfrom relabelto recvfrom
+ sendto))))
(classmapping sockets common
- (tipc_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (tipc_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (tun_socket (not (accept attach_queue listen map name_bind
- relabelfrom relabelto recvfrom sendto))))
+ (tun_socket (not (accept attach_queue listen map name_bind
+ relabelfrom relabelto recvfrom sendto))))
(classmapping sockets common
- (udp_socket (not (accept listen map name_bind node_bind
- relabelfrom relabelto recvfrom sendto))))
+ (udp_socket (not (accept listen map name_bind node_bind
+ relabelfrom relabelto recvfrom sendto))))
(classmapping sockets common
- (unix_dgram_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (unix_dgram_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (unix_stream_socket (not (accept connectto listen map name_bind
- relabelfrom relabelto recvfrom
- sendto))))
+ (unix_stream_socket (not (accept connectto listen map name_bind
+ relabelfrom relabelto recvfrom
+ sendto))))
(classmapping sockets common
- (vsock_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (vsock_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (x25_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (x25_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets common
- (xdp_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (xdp_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
(classmapping sockets getattr (ax25_socket (getattr)))
(classmapping sockets getattr (alg_socket (getattr)))
@@ -1397,81 +1397,81 @@
(classmapping sockets getattr (xdp_socket (getattr)))
(macro association_invalid_sctp_sockets ((type ARG1))
- (allow ARG1 invalid (sctp_socket (association))))
+ (allow ARG1 invalid (sctp_socket (association))))
(macro connectto_invalid_unix_stream_sockets ((type ARG1))
- (allow ARG1 invalid (unix_stream_socket (connectto))))
+ (allow ARG1 invalid (unix_stream_socket (connectto))))
(macro getattr_invalid_sockets ((type ARG1))
- (allow ARG1 invalid (sockets (getattr))))
+ (allow ARG1 invalid (sockets (getattr))))
(macro namebind_invalid_dccp_sockets ((type ARG1))
- (allow ARG1 invalid (dccp_socket (name_bind))))
+ (allow ARG1 invalid (dccp_socket (name_bind))))
(macro namebind_invalid_icmp_sockets ((type ARG1))
- (allow ARG1 invalid (icmp_socket (name_bind))))
+ (allow ARG1 invalid (icmp_socket (name_bind))))
(macro namebind_invalid_rawip_sockets ((type ARG1))
- (allow ARG1 invalid (rawip_socket (name_bind))))
+ (allow ARG1 invalid (rawip_socket (name_bind))))
(macro namebind_invalid_sctp_sockets ((type ARG1))
- (allow ARG1 invalid (sctp_socket (name_bind))))
+ (allow ARG1 invalid (sctp_socket (name_bind))))
(macro namebind_invalid_tcp_sockets ((type ARG1))
- (allow ARG1 invalid (tcp_socket (name_bind))))
+ (allow ARG1 invalid (tcp_socket (name_bind))))
(macro namebind_invalid_udp_sockets ((type ARG1))
- (allow ARG1 invalid (udp_socket (name_bind))))
+ (allow ARG1 invalid (udp_socket (name_bind))))
(macro nameconnect_invalid_dccp_sockets ((type ARG1))
- (allow ARG1 invalid (dccp_socket (name_connect))))
+ (allow ARG1 invalid (dccp_socket (name_connect))))
(macro nameconnect_invalid_sctp_sockets ((type ARG1))
- (allow ARG1 invalid (sctp_socket (name_connect))))
+ (allow ARG1 invalid (sctp_socket (name_connect))))
(macro nameconnect_invalid_tcp_sockets ((type ARG1))
- (allow ARG1 invalid (tcp_socket (name_connect))))
+ (allow ARG1 invalid (tcp_socket (name_connect))))
(macro nodebind_invalid_dccp_sockets ((type ARG1))
- (allow ARG1 invalid (dccp_socket (node_bind))))
+ (allow ARG1 invalid (dccp_socket (node_bind))))
(macro nodebind_invalid_icmp_sockets ((type ARG1))
- (allow ARG1 invalid (icmp_socket (node_bind))))
+ (allow ARG1 invalid (icmp_socket (node_bind))))
(macro nodebind_invalid_rawip_sockets ((type ARG1))
- (allow ARG1 invalid (rawip_socket (node_bind))))
+ (allow ARG1 invalid (rawip_socket (node_bind))))
(macro nodebind_invalid_sctp_sockets ((type ARG1))
- (allow ARG1 invalid (sctp_socket (node_bind))))
+ (allow ARG1 invalid (sctp_socket (node_bind))))
(macro nodebind_invalid_tcp_sockets ((type ARG1))
- (allow ARG1 invalid (tcp_socket (node_bind))))
+ (allow ARG1 invalid (tcp_socket (node_bind))))
(macro nodebind_invalid_udp_sockets ((type ARG1))
- (allow ARG1 invalid (udp_socket (node_bind))))
+ (allow ARG1 invalid (udp_socket (node_bind))))
(macro readwrite_invalid_unix_dgram_sockets ((type ARG1))
- (allow ARG1 invalid readwrite_unix_dgram_socket))
+ (allow ARG1 invalid readwrite_unix_dgram_socket))
(macro readwrite_invalid_unix_stream_sockets ((type ARG1))
- (allow ARG1 invalid readwrite_unix_stream_socket))
+ (allow ARG1 invalid readwrite_unix_stream_socket))
(macro sendto_invalid_unix_dgram_sockets ((type ARG1))
- (allow ARG1 invalid (unix_dgram_socket (sendto))))
+ (allow ARG1 invalid (unix_dgram_socket (sendto))))
(macro write_invalid_unix_dgram_sockets ((type ARG1))
- (allow ARG1 invalid write_unix_dgram_socket))
+ (allow ARG1 invalid write_unix_dgram_socket))
(macro write_invalid_unix_stream_sockets ((type ARG1))
- (allow ARG1 invalid write_unix_stream_socket))
+ (allow ARG1 invalid write_unix_stream_socket))
(in ibac
(constrain (constrainsocketsubject (create relabelto))
- (or (or (or (eq u1 u2)
- (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id)))
- (eq t1 subjchange.typeattr))
- (eq t1 exempt.typeattr))))
+ (or (or (or (eq u1 u2)
+ (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id)))
+ (eq t1 subjchange.typeattr))
+ (eq t1 exempt.typeattr))))
(in invalid.unconfined
@@ -1479,15 +1479,15 @@
(allow typeattr .invalid (alg_socket (accept listen)))
(allow typeattr .invalid (bluetooth_socket (accept listen)))
(allow typeattr .invalid
- (dccp_socket (accept listen name_bind name_connect node_bind)))
+ (dccp_socket (accept listen name_bind name_connect node_bind)))
(allow typeattr .invalid (icmp_socket (name_bind node_bind)))
(allow typeattr .invalid (rawip_socket (name_bind node_bind)))
(allow typeattr .invalid
- (sctp_socket (association accept listen name_bind name_connect
- node_bind)))
+ (sctp_socket (association accept listen name_bind name_connect
+ node_bind)))
(allow typeattr .invalid (udp_socket (name_bind node_bind)))
(allow typeattr .invalid
- (tcp_socket (accept listen name_bind name_connect node_bind)))
+ (tcp_socket (accept listen name_bind name_connect node_bind)))
(allow typeattr .invalid (tun_socket (attach_queue)))
(allow typeattr .invalid (unix_dgram_socket (sendto)))
(allow typeattr .invalid (unix_stream_socket (accept connectto listen)))
@@ -1496,92 +1496,92 @@
(in mcs
(mlsconstrain (constrainsocketobject (nameconnect nodebind))
- (or (dom h1 h2)
- (neq t1 constrained.typeattr)))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr)))
(mlsconstrain
- (constrainsocketsubject (append association attachqueue connectto create
- getattr read relabelto sendto setattr
- write))
- (or (dom h1 h2)
- (neq t1 constrained.typeattr))))
+ (constrainsocketsubject (append association attachqueue connectto create
+ getattr read relabelto sendto setattr
+ write))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr))))
(in rbac
(constrain (constrainsocketsubject (create relabelto))
- (or (or (or (eq r1 r2)
- (and (eq t1 subjchangesys.typeattr)
- (eq r2 .sys.role)))
- (eq t1 subjchange.typeattr))
- (eq t1 exempt.typeattr))))
+ (or (or (or (eq r1 r2)
+ (and (eq t1 subjchangesys.typeattr)
+ (eq r2 .sys.role)))
+ (eq t1 subjchange.typeattr))
+ (eq t1 exempt.typeattr))))
(in rbacsep
(constrain (constrainsocketsubject (append getattr read setattr write))
- (or (or (or (eq r1 r2)
- (and (eq r1 exempt.roleattr)
- (neq t1 constrained.typeattr)))
- (eq t1 exempt.subj.typeattr))
- (and (eq t1 exemptsource.typeattr)
- (eq t2 exempttarget.typeattr)))))
+ (or (or (or (eq r1 r2)
+ (and (eq r1 exempt.roleattr)
+ (neq t1 constrained.typeattr)))
+ (eq t1 exempt.subj.typeattr))
+ (and (eq t1 exemptsource.typeattr)
+ (eq t2 exempttarget.typeattr)))))
(in subj.all_macro_template
(macro association_all_sctp_sockets ((type ARG1))
- (allow ARG1 typeattr (sctp_socket (association))))
+ (allow ARG1 typeattr (sctp_socket (association))))
(macro connectto_all_unix_stream_sockets ((type ARG1))
- (allow ARG1 typeattr (unix_stream_socket (connectto))))
+ (allow ARG1 typeattr (unix_stream_socket (connectto))))
(macro getattr_all_sockets ((type ARG1))
- (allow ARG1 typeattr (sockets (getattr))))
+ (allow ARG1 typeattr (sockets (getattr))))
(macro readwrite_all_unix_dgram_sockets ((type ARG1))
- (allow ARG1 typeattr readwrite_unix_dgram_socket))
+ (allow ARG1 typeattr readwrite_unix_dgram_socket))
(macro readwrite_all_unix_stream_sockets ((type ARG1))
- (allow ARG1 typeattr readwrite_unix_stream_socket))
+ (allow ARG1 typeattr readwrite_unix_stream_socket))
(macro sendto_all_unix_dgram_sockets ((type ARG1))
- (allow ARG1 typeattr (unix_dgram_socket (sendto))))
+ (allow ARG1 typeattr (unix_dgram_socket (sendto))))
(macro write_all_unix_dgram_sockets ((type ARG1))
- (allow ARG1 typeattr write_unix_dgram_socket))
+ (allow ARG1 typeattr write_unix_dgram_socket))
(macro write_all_unix_stream_sockets ((type ARG1))
- (allow ARG1 typeattr write_unix_stream_socket)))
+ (allow ARG1 typeattr write_unix_stream_socket)))
(in subj.macro_template
(macro association_subj_sctp_sockets ((type ARG1))
- (allow ARG1 subj (sctp_socket (association))))
+ (allow ARG1 subj (sctp_socket (association))))
(macro connectto_subj_unix_stream_sockets ((type ARG1))
- (allow ARG1 subj (unix_stream_socket (connectto))))
+ (allow ARG1 subj (unix_stream_socket (connectto))))
(macro getattr_subj_sockets ((type ARG1))
- (allow ARG1 subj (sockets (getattr))))
+ (allow ARG1 subj (sockets (getattr))))
(macro readwrite_subj_unix_dgram_sockets ((type ARG1))
- (allow ARG1 subj readwrite_unix_dgram_socket))
+ (allow ARG1 subj readwrite_unix_dgram_socket))
(macro readwrite_subj_unix_stream_sockets ((type ARG1))
- (allow ARG1 subj readwrite_unix_stream_socket))
+ (allow ARG1 subj readwrite_unix_stream_socket))
(macro sendto_subj_unix_dgram_sockets ((type ARG1))
- (allow ARG1 subj (unix_dgram_socket (sendto))))
+ (allow ARG1 subj (unix_dgram_socket (sendto))))
(macro write_subj_unix_dgram_sockets ((type ARG1))
- (allow ARG1 subj write_unix_dgram_socket))
+ (allow ARG1 subj write_unix_dgram_socket))
(macro write_subj_unix_stream_sockets ((type ARG1))
- (allow ARG1 subj write_unix_stream_socket)))
+ (allow ARG1 subj write_unix_stream_socket)))
(in subj.unconfined
(allow typeattr self
- (netlink_audit_socket (nlmsg_read nlmsg_readpriv nlmsg_relay
- nlmsg_tty_audit nlmsg_write)))
+ (netlink_audit_socket (nlmsg_read nlmsg_readpriv nlmsg_relay
+ nlmsg_tty_audit nlmsg_write)))
(allow typeattr self (netlink_route_socket (nlmsg_read nlmsg_write)))
(allow typeattr self (netlink_tcpdiag_socket (nlmsg_read nlmsg_write)))
(allow typeattr self (netlink_xfrm_socket (nlmsg_read nlmsg_write)))
@@ -1597,5 +1597,5 @@
(allow typeattr subj.typeattr (tun_socket (attach_queue relabelfrom)))
(allow typeattr subj.typeattr (unix_dgram_socket (sendto)))
(allow typeattr subj.typeattr
- (unix_stream_socket (accept connectto listen)))
+ (unix_stream_socket (accept connectto listen)))
(allow typeattr subj.typeattr (vsock_socket (accept listen))))
diff --git a/src/misc/av/systemav.cil b/src/misc/av/systemav.cil
index be9cb11..61d8f8a 100644
--- a/src/misc/av/systemav.cil
+++ b/src/misc/av/systemav.cil
@@ -1,59 +1,59 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class system
- (halt ipc_info module_load module_request reboot reload start status
- stop syslog_console syslog_mod syslog_read))
+ (halt ipc_info module_load module_request reboot reload start status
+ stop syslog_console syslog_mod syslog_read))
(classorder (unordered system))
(in sys
(macro ipcinfo_system ((type ARG1))
- (allow ARG1 subj (system (ipc_info))))
+ (allow ARG1 subj (system (ipc_info))))
(macro modulerequest_system ((type ARG1))
- (allow ARG1 subj (system (module_request))))
+ (allow ARG1 subj (system (module_request))))
(macro syslogconsole_system ((type ARG1))
- (allow ARG1 subj (system (syslog_console))))
+ (allow ARG1 subj (system (syslog_console))))
(macro syslogmod_system ((type ARG1))
- (allow ARG1 subj (system (syslog_mod))))
+ (allow ARG1 subj (system (syslog_mod))))
(macro syslogread_system ((type ARG1))
- (allow ARG1 subj (system (syslog_read))))
+ (allow ARG1 subj (system (syslog_read))))
(block moduleload
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute not_typeattr)
- (typeattribute typeattr)
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
- (typeattributeset not_typeattr (not typeattr))
+ (typeattributeset not_typeattr (not typeattr))
- (neverallow not_typeattr self (system (module_load))))
+ (neverallow not_typeattr self (system (module_load))))
(block unconfined
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (allow typeattr self (system (module_load)))
- (allow typeattr subj
- (system (ipc_info module_request syslog_console syslog_mod
- syslog_read)))
+ (allow typeattr self (system (module_load)))
+ (allow typeattr subj
+ (system (ipc_info module_request syslog_console syslog_mod
+ syslog_read)))
- ;; potentially happens in autorelabel.target on policy model change
- (allow typeattr .invalid (system (module_load)))
+ ;; potentially happens in autorelabel.target on policy model change
+ (allow typeattr .invalid (system (module_load)))
- ;; potentially happens in autorelabel.target on fresh install
- (allow typeattr .unlabeled (system (module_load)))
+ ;; potentially happens in autorelabel.target on fresh install
+ (allow typeattr .unlabeled (system (module_load)))
- (call moduleload.type (typeattr))))
+ (call moduleload.type (typeattr))))
(in unconfined
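Review bot: The SPDX header at the top of this hunk loses its copyright sign: the new side reads `;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>`, and `M-BM-)` is the `cat -v` style spelling of the two UTF-8 bytes of `©`. The formatting run therefore appears to have written an escaped rendering back into the file instead of the original bytes. The same replacement is visible in the header hunks of usernamespaceav.cil, conf.cil, ibac.cil, mcs.cil, rbac.cil, rbacsep.cil, default.cil, isid.cil and map.cil. The line should be restored to `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`, and the formatter should pass non-ASCII bytes through unchanged so that licence tooling and provenance checks still see the original attribution. Because a non-whitespace edit did slip into an "auto format" commit over access-control policy, it is also worth confirming that the compiled policy is identical before and after the change.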
diff --git a/src/misc/av/usernamespaceav.cil b/src/misc/av/usernamespaceav.cil
index fe73e30..f5012f5 100644
--- a/src/misc/av/usernamespaceav.cil
+++ b/src/misc/av/usernamespaceav.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class user_namespace (create))
diff --git a/src/misc/conf.cil b/src/misc/conf.cil
index 1a376dd..63549c9 100644
--- a/src/misc/conf.cil
+++ b/src/misc/conf.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(handleunknown allow)
diff --git a/src/misc/constrain/ibac.cil b/src/misc/constrain/ibac.cil
index 38302ee..1ed7ee4 100644
--- a/src/misc/constrain/ibac.cil
+++ b/src/misc/constrain/ibac.cil
@@ -1,83 +1,83 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(block ibac
- (constrain (constrainobject (create relabelto))
- (or (or (or (eq u1 u2)
- (and (eq t1 objchangesys.typeattr)
- (eq u2 .sys.id)))
- (eq t1 objchange.typeattr))
- (eq t1 exempt.typeattr)))
+ (constrain (constrainobject (create relabelto))
+ (or (or (or (eq u1 u2)
+ (and (eq t1 objchangesys.typeattr)
+ (eq u2 .sys.id)))
+ (eq t1 objchange.typeattr))
+ (eq t1 exempt.typeattr)))
- (constrain (process (dyntransition transition))
- (or (or (or (eq u1 u2)
- (and (eq t1 subjchange.typeattr)
- (eq t2 subjchangetarget.typeattr)))
- (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id)))
- (eq t1 exempt.typeattr)))
+ (constrain (process (dyntransition transition))
+ (or (or (or (eq u1 u2)
+ (and (eq t1 subjchange.typeattr)
+ (eq t2 subjchangetarget.typeattr)))
+ (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id)))
+ (eq t1 exempt.typeattr)))
- (block change
+ (block change
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call objchange.type (typeattr))
- (call subjchange.type (typeattr)))
+ (call objchange.type (typeattr))
+ (call subjchange.type (typeattr)))
- (block changesys
+ (block changesys
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call objchangesys.type (typeattr))
- (call subjchangesys.type (typeattr)))
+ (call objchangesys.type (typeattr))
+ (call subjchangesys.type (typeattr)))
- (block exempt
+ (block exempt
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
- (block objchange
+ (block objchange
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
- (block objchangesys
+ (block objchangesys
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
- (block subjchange
+ (block subjchange
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
- (block subjchangesys
+ (block subjchangesys
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
- (block subjchangetarget
+ (block subjchangetarget
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)))
+ (typeattribute typeattr)))
(in subj.unconfined
diff --git a/src/misc/constrain/mcs.cil b/src/misc/constrain/mcs.cil
index 925933a..aaf7dc0 100644
--- a/src/misc/constrain/mcs.cil
+++ b/src/misc/constrain/mcs.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(defaultrange blk_file source low)
@@ -11,28 +11,28 @@
(block mcs
- (mlsconstrain (constrainobject (create relabelto))
- (or (neq t1 constrained.typeattr)
- (and (dom h1 h2) (eq l2 h2))))
+ (mlsconstrain (constrainobject (create relabelto))
+ (or (neq t1 constrained.typeattr)
+ (and (dom h1 h2) (eq l2 h2))))
- (mlsconstrain (constrainobject (append getattr read setattr write))
- (or (dom h1 h2)
- (neq t1 constrained.typeattr)))
+ (mlsconstrain (constrainobject (append getattr read setattr write))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr)))
- (mlsconstrain
- (process (dyntransition getrlimit getsched ptrace setrlimit setsched
- sigchld sigkill signal signull sigstop
- transition))
- (or (dom h1 h2)
- (neq t1 constrained.typeattr)))
+ (mlsconstrain
+ (process (dyntransition getrlimit getsched ptrace setrlimit setsched
+ sigchld sigkill signal signull sigstop
+ transition))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr)))
- (mlsconstrain (fifo_file (append getattr read write setattr))
- (or (dom h1 h2)
- (neq t1 constrained.typeattr)))
+ (mlsconstrain (fifo_file (append getattr read write setattr))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr)))
- (block constrained
+ (block constrained
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)))
+ (typeattribute typeattr)))
diff --git a/src/misc/constrain/rbac.cil b/src/misc/constrain/rbac.cil
index 32b7350..3f836ab 100644
--- a/src/misc/constrain/rbac.cil
+++ b/src/misc/constrain/rbac.cil
@@ -1,83 +1,83 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(block rbac
- (constrain (constrainobject (create relabelto))
- (or (or (or (eq r1 r2)
- (and (eq t1 objchangesys.typeattr)
- (eq r2 .sys.role)))
- (eq t1 objchange.typeattr))
- (eq t1 exempt.typeattr)))
+ (constrain (constrainobject (create relabelto))
+ (or (or (or (eq r1 r2)
+ (and (eq t1 objchangesys.typeattr)
+ (eq r2 .sys.role)))
+ (eq t1 objchange.typeattr))
+ (eq t1 exempt.typeattr)))
- (constrain (process (dyntransition transition))
- (or (or (or (eq r1 r2)
- (and (eq t1 subjchange.typeattr)
- (eq t2 subjchangetarget.typeattr)))
- (and (eq t1 subjchangesys.typeattr) (eq r2 .sys.role)))
- (eq t1 exempt.typeattr)))
+ (constrain (process (dyntransition transition))
+ (or (or (or (eq r1 r2)
+ (and (eq t1 subjchange.typeattr)
+ (eq t2 subjchangetarget.typeattr)))
+ (and (eq t1 subjchangesys.typeattr) (eq r2 .sys.role)))
+ (eq t1 exempt.typeattr)))
- (block change
+ (block change
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call objchange.type (typeattr))
- (call subjchange.type (typeattr)))
+ (call objchange.type (typeattr))
+ (call subjchange.type (typeattr)))
- (block changesys
+ (block changesys
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call objchangesys.type (typeattr))
- (call subjchangesys.type (typeattr)))
+ (call objchangesys.type (typeattr))
+ (call subjchangesys.type (typeattr)))
- (block exempt
+ (block exempt
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
- (block objchange
+ (block objchange
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
- (block objchangesys
+ (block objchangesys
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
- (block subjchange
+ (block subjchange
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
- (block subjchangesys
+ (block subjchangesys
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
- (block subjchangetarget
+ (block subjchangetarget
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)))
+ (typeattribute typeattr)))
(in subj.unconfined
diff --git a/src/misc/constrain/rbacsep.cil b/src/misc/constrain/rbacsep.cil
index 2e15592..27c4f00 100644
--- a/src/misc/constrain/rbacsep.cil
+++ b/src/misc/constrain/rbacsep.cil
@@ -1,103 +1,103 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(block rbacsep
- (constrain (fifo_file (append getattr read setattr write))
- (or (or (or (or (eq r1 r2)
- (and (eq r1 exempt.roleattr)
- (neq t1 constrained.typeattr)))
- (eq t1 exempt.subj.typeattr))
- (eq t2 exempt.obj.typeattr))
- (and (eq t1 exemptsource.typeattr)
- (eq t2 exempttarget.typeattr))))
-
- (constrain (constrainobject (append setattr write))
- (or (or (or (eq r1 r2)
- (and (eq r1 exempt.roleattr)
- (neq t1 constrained.typeattr)))
- (eq t1 exempt.subj.typeattr))
- (eq t2 exempt.obj.typeattr)))
-
- (constrain (constrainobject (getattr read))
- (or (or (or (or (or (eq r1 r2)
- (and (eq r1 exempt.roleattr)
- (neq t1 constrained.typeattr)))
- (eq t1 exempt.subj.typeattr))
- (eq t2 exempt.obj.typeattr))
- (and (eq r2 exempt.roleattr) (eq t2 typeattr)))
- (and
- (eq t1 readstatesource.typeattr)
- (eq t2 readstatetarget.typeattr))))
-
- (constrain
- (process (getrlimit getsched ptrace setrlimit setsched sigchld sigkill
- signal signull sigstop))
- (or (or (or (eq r1 r2)
- (and (eq r1 exempt.roleattr) (neq t1 constrained.typeattr)))
- (eq t1 exempt.subj.typeattr))
- (and (eq t1 exemptsource.typeattr) (eq t2 exempttarget.typeattr))))
-
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
-
- (typeattribute typeattr)
-
- (block constrained
+ (constrain (fifo_file (append getattr read setattr write))
+ (or (or (or (or (eq r1 r2)
+ (and (eq r1 exempt.roleattr)
+ (neq t1 constrained.typeattr)))
+ (eq t1 exempt.subj.typeattr))
+ (eq t2 exempt.obj.typeattr))
+ (and (eq t1 exemptsource.typeattr)
+ (eq t2 exempttarget.typeattr))))
+
+ (constrain (constrainobject (append setattr write))
+ (or (or (or (eq r1 r2)
+ (and (eq r1 exempt.roleattr)
+ (neq t1 constrained.typeattr)))
+ (eq t1 exempt.subj.typeattr))
+ (eq t2 exempt.obj.typeattr)))
+
+ (constrain (constrainobject (getattr read))
+ (or (or (or (or (or (eq r1 r2)
+ (and (eq r1 exempt.roleattr)
+ (neq t1 constrained.typeattr)))
+ (eq t1 exempt.subj.typeattr))
+ (eq t2 exempt.obj.typeattr))
+ (and (eq r2 exempt.roleattr) (eq t2 typeattr)))
+ (and
+ (eq t1 readstatesource.typeattr)
+ (eq t2 readstatetarget.typeattr))))
+
+ (constrain
+ (process (getrlimit getsched ptrace setrlimit setsched sigchld sigkill
+ signal signull sigstop))
+ (or (or (or (eq r1 r2)
+ (and (eq r1 exempt.roleattr) (neq t1 constrained.typeattr)))
+ (eq t1 exempt.subj.typeattr))
+ (and (eq t1 exemptsource.typeattr) (eq t2 exempttarget.typeattr))))
(macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr)
- (block exempt
+ (block constrained
- (macro role ((role ARG1))
- (roleattributeset roleattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (roleattribute roleattr)
+ (typeattribute typeattr))
- (block obj
+ (block exempt
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro role ((role ARG1))
+ (roleattributeset roleattr ARG1))
- (typeattribute typeattr))
+ (roleattribute roleattr)
- (block subj
+ (block obj
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)))
+ (typeattribute typeattr))
- (block exemptsource
+ (block subj
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr)))
- (block exempttarget
+ (block exemptsource
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
- (block readstatesource
+ (block exempttarget
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
- (block readstatetarget
+ (block readstatesource
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr))
+
+ (block readstatetarget
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)))
+ (typeattribute typeattr)))
(in obj
diff --git a/src/misc/default.cil b/src/misc/default.cil
index 2d47e70..727787a 100644
--- a/src/misc/default.cil
+++ b/src/misc/default.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(defaultrole blk_file source)
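Review bot: The new SPDX-FileCopyrightText line replaces the `©` sign with the literal ASCII text `M-BM-)`, which is how `cat -v`-style output spells the two UTF-8 bytes of that character. A commit described as "auto format all files" should change whitespace only, so the formatter pipeline appears to have rewritten non-ASCII bytes as well. The header should stay `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`, and the formatter should be run so that it passes non-ASCII bytes through unchanged. The same substitution is in the header hunks of isid.cil, map.cil, mls.cil, modular.cil, obj.cil, perm.cil, unconfined.cil, consolexperm.cil, ttyxperm.cil and vtxperm.cil. Because the tool demonstrably altered non-whitespace bytes, a whitespace-insensitive diff of the whole commit is worth running before trusting that no policy statement changed.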
diff --git a/src/misc/isid.cil b/src/misc/isid.cil
index 7b71a95..34b30f2 100644
--- a/src/misc/isid.cil
+++ b/src/misc/isid.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(sid devnull)
@@ -31,7 +31,7 @@
(sid tcp_socket)
(sidorder
- (kernel security unlabeled fs file file_labels init any_socket port netif
- netmsg node igmp_packet icmp_socket tcp_socket sysctl_modprobe sysctl
- sysctl_fs sysctl_kernel sysctl_net sysctl_net_unix sysctl_vm sysctl_dev
- kmod policy scmp_packet devnull))
+ (kernel security unlabeled fs file file_labels init any_socket port netif
+ netmsg node igmp_packet icmp_socket tcp_socket sysctl_modprobe sysctl
+ sysctl_fs sysctl_kernel sysctl_net sysctl_net_unix sysctl_vm sysctl_dev
+ kmod policy scmp_packet devnull))
diff --git a/src/misc/map.cil b/src/misc/map.cil
index 6a0bd4f..70c17ab 100644
--- a/src/misc/map.cil
+++ b/src/misc/map.cil
@@ -1,11 +1,11 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(classmap constrainobject (append create getattr read relabelto setattr write))
(classmap files
- (create delete manage read readwrite relabel relabelfrom relabelto
- rename watch write))
+ (create delete manage read readwrite relabel relabelfrom relabelto
+ rename watch write))
(classmapping constrainobject append (blk_file (append)))
(classmapping constrainobject append (chr_file (append)))
diff --git a/src/misc/mls.cil b/src/misc/mls.cil
index b54fe2a..66620e1 100644
--- a/src/misc/mls.cil
+++ b/src/misc/mls.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(category c0)
@@ -1027,74 +1027,74 @@
(category c1023)
(categoryorder
- (c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 c13 c14 c15 c16 c17 c18 c19 c20 c21
- c22 c23 c24 c25 c26 c27 c28 c29 c30 c31 c32 c33 c34 c35 c36 c37 c38 c39 c40
- c41 c42 c43 c44 c45 c46 c47 c48 c49 c50 c51 c52 c53 c54 c55 c56 c57 c58 c59
- c60 c61 c62 c63 c64 c65 c66 c67 c68 c69 c70 c71 c72 c73 c74 c75 c76 c77 c78
- c79 c80 c81 c82 c83 c84 c85 c86 c87 c88 c89 c90 c91 c92 c93 c94 c95 c96 c97
- c98 c99 c100 c101 c102 c103 c104 c105 c106 c107 c108 c109 c110 c111 c112
- c113 c114 c115 c116 c117 c118 c119 c120 c121 c122 c123 c124 c125 c126 c127
- c128 c129 c130 c131 c132 c133 c134 c135 c136 c137 c138 c139 c140 c141 c142
- c143 c144 c145 c146 c147 c148 c149 c150 c151 c152 c153 c154 c155 c156 c157
- c158 c159 c160 c161 c162 c163 c164 c165 c166 c167 c168 c169 c170 c171 c172
- c173 c174 c175 c176 c177 c178 c179 c180 c181 c182 c183 c184 c185 c186 c187
- c188 c189 c190 c191 c192 c193 c194 c195 c196 c197 c198 c199 c200 c201 c202
- c203 c204 c205 c206 c207 c208 c209 c210 c211 c212 c213 c214 c215 c216 c217
- c218 c219 c220 c221 c222 c223 c224 c225 c226 c227 c228 c229 c230 c231 c232
- c233 c234 c235 c236 c237 c238 c239 c240 c241 c242 c243 c244 c245 c246 c247
- c248 c249 c250 c251 c252 c253 c254 c255 c256 c257 c258 c259 c260 c261 c262
- c263 c264 c265 c266 c267 c268 c269 c270 c271 c272 c273 c274 c275 c276 c277
- c278 c279 c280 c281 c282 c283 c284 c285 c286 c287 c288 c289 c290 c291 c292
- c293 c294 c295 c296 c297 c298 c299 c300 c301 c302 c303 c304 c305 c306 c307
- c308 c309 c310 c311 c312 c313 c314 c315 c316 c317 c318 c319 c320 c321 c322
- c323 c324 c325 c326 c327 c328 c329 c330 c331 c332 c333 c334 c335 c336 c337
- c338 c339 c340 c341 c342 c343 c344 c345 c346 c347 c348 c349 c350 c351 c352
- c353 c354 c355 c356 c357 c358 c359 c360 c361 c362 c363 c364 c365 c366 c367
- c368 c369 c370 c371 c372 c373 c374 c375 c376 c377 c378 c379 c380 c381 c382
- c383 c384 c385 c386 c387 c388 c389 c390 c391 c392 c393 c394 c395 c396 c397
- c398 c399 c400 c401 c402 c403 c404 c405 c406 c407 c408 c409 c410 c411 c412
- c413 c414 c415 c416 c417 c418 c419 c420 c421 c422 c423 c424 c425 c426 c427
- c428 c429 c430 c431 c432 c433 c434 c435 c436 c437 c438 c439 c440 c441 c442
- c443 c444 c445 c446 c447 c448 c449 c450 c451 c452 c453 c454 c455 c456 c457
- c458 c459 c460 c461 c462 c463 c464 c465 c466 c467 c468 c469 c470 c471 c472
- c473 c474 c475 c476 c477 c478 c479 c480 c481 c482 c483 c484 c485 c486 c487
- c488 c489 c490 c491 c492 c493 c494 c495 c496 c497 c498 c499 c500 c501 c502
- c503 c504 c505 c506 c507 c508 c509 c510 c511 c512 c513 c514 c515 c516 c517
- c518 c519 c520 c521 c522 c523 c524 c525 c526 c527 c528 c529 c530 c531 c532
- c533 c534 c535 c536 c537 c538 c539 c540 c541 c542 c543 c544 c545 c546 c547
- c548 c549 c550 c551 c552 c553 c554 c555 c556 c557 c558 c559 c560 c561 c562
- c563 c564 c565 c566 c567 c568 c569 c570 c571 c572 c573 c574 c575 c576 c577
- c578 c579 c580 c581 c582 c583 c584 c585 c586 c587 c588 c589 c590 c591 c592
- c593 c594 c595 c596 c597 c598 c599 c600 c601 c602 c603 c604 c605 c606 c607
- c608 c609 c610 c611 c612 c613 c614 c615 c616 c617 c618 c619 c620 c621 c622
- c623 c624 c625 c626 c627 c628 c629 c630 c631 c632 c633 c634 c635 c636 c637
- c638 c639 c640 c641 c642 c643 c644 c645 c646 c647 c648 c649 c650 c651 c652
- c653 c654 c655 c656 c657 c658 c659 c660 c661 c662 c663 c664 c665 c666 c667
- c668 c669 c670 c671 c672 c673 c674 c675 c676 c677 c678 c679 c680 c681 c682
- c683 c684 c685 c686 c687 c688 c689 c690 c691 c692 c693 c694 c695 c696 c697
- c698 c699 c700 c701 c702 c703 c704 c705 c706 c707 c708 c709 c710 c711 c712
- c713 c714 c715 c716 c717 c718 c719 c720 c721 c722 c723 c724 c725 c726 c727
- c728 c729 c730 c731 c732 c733 c734 c735 c736 c737 c738 c739 c740 c741 c742
- c743 c744 c745 c746 c747 c748 c749 c750 c751 c752 c753 c754 c755 c756 c757
- c758 c759 c760 c761 c762 c763 c764 c765 c766 c767 c768 c769 c770 c771 c772
- c773 c774 c775 c776 c777 c778 c779 c780 c781 c782 c783 c784 c785 c786 c787
- c788 c789 c790 c791 c792 c793 c794 c795 c796 c797 c798 c799 c800 c801 c802
- c803 c804 c805 c806 c807 c808 c809 c810 c811 c812 c813 c814 c815 c816 c817
- c818 c819 c820 c821 c822 c823 c824 c825 c826 c827 c828 c829 c830 c831 c832
- c833 c834 c835 c836 c837 c838 c839 c840 c841 c842 c843 c844 c845 c846 c847
- c848 c849 c850 c851 c852 c853 c854 c855 c856 c857 c858 c859 c860 c861 c862
- c863 c864 c865 c866 c867 c868 c869 c870 c871 c872 c873 c874 c875 c876 c877
- c878 c879 c880 c881 c882 c883 c884 c885 c886 c887 c888 c889 c890 c891 c892
- c893 c894 c895 c896 c897 c898 c899 c900 c901 c902 c903 c904 c905 c906 c907
- c908 c909 c910 c911 c912 c913 c914 c915 c916 c917 c918 c919 c920 c921 c922
- c923 c924 c925 c926 c927 c928 c929 c930 c931 c932 c933 c934 c935 c936 c937
- c938 c939 c940 c941 c942 c943 c944 c945 c946 c947 c948 c949 c950 c951 c952
- c953 c954 c955 c956 c957 c958 c959 c960 c961 c962 c963 c964 c965 c966 c967
- c968 c969 c970 c971 c972 c973 c974 c975 c976 c977 c978 c979 c980 c981 c982
- c983 c984 c985 c986 c987 c988 c989 c990 c991 c992 c993 c994 c995 c996 c997
- c998 c999 c1000 c1001 c1002 c1003 c1004 c1005 c1006 c1007 c1008 c1009 c1010
- c1011 c1012 c1013 c1014 c1015 c1016 c1017 c1018 c1019 c1020 c1021 c1022
- c1023))
+ (c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 c13 c14 c15 c16 c17 c18 c19 c20 c21
+ c22 c23 c24 c25 c26 c27 c28 c29 c30 c31 c32 c33 c34 c35 c36 c37 c38 c39 c40
+ c41 c42 c43 c44 c45 c46 c47 c48 c49 c50 c51 c52 c53 c54 c55 c56 c57 c58 c59
+ c60 c61 c62 c63 c64 c65 c66 c67 c68 c69 c70 c71 c72 c73 c74 c75 c76 c77 c78
+ c79 c80 c81 c82 c83 c84 c85 c86 c87 c88 c89 c90 c91 c92 c93 c94 c95 c96 c97
+ c98 c99 c100 c101 c102 c103 c104 c105 c106 c107 c108 c109 c110 c111 c112
+ c113 c114 c115 c116 c117 c118 c119 c120 c121 c122 c123 c124 c125 c126 c127
+ c128 c129 c130 c131 c132 c133 c134 c135 c136 c137 c138 c139 c140 c141 c142
+ c143 c144 c145 c146 c147 c148 c149 c150 c151 c152 c153 c154 c155 c156 c157
+ c158 c159 c160 c161 c162 c163 c164 c165 c166 c167 c168 c169 c170 c171 c172
+ c173 c174 c175 c176 c177 c178 c179 c180 c181 c182 c183 c184 c185 c186 c187
+ c188 c189 c190 c191 c192 c193 c194 c195 c196 c197 c198 c199 c200 c201 c202
+ c203 c204 c205 c206 c207 c208 c209 c210 c211 c212 c213 c214 c215 c216 c217
+ c218 c219 c220 c221 c222 c223 c224 c225 c226 c227 c228 c229 c230 c231 c232
+ c233 c234 c235 c236 c237 c238 c239 c240 c241 c242 c243 c244 c245 c246 c247
+ c248 c249 c250 c251 c252 c253 c254 c255 c256 c257 c258 c259 c260 c261 c262
+ c263 c264 c265 c266 c267 c268 c269 c270 c271 c272 c273 c274 c275 c276 c277
+ c278 c279 c280 c281 c282 c283 c284 c285 c286 c287 c288 c289 c290 c291 c292
+ c293 c294 c295 c296 c297 c298 c299 c300 c301 c302 c303 c304 c305 c306 c307
+ c308 c309 c310 c311 c312 c313 c314 c315 c316 c317 c318 c319 c320 c321 c322
+ c323 c324 c325 c326 c327 c328 c329 c330 c331 c332 c333 c334 c335 c336 c337
+ c338 c339 c340 c341 c342 c343 c344 c345 c346 c347 c348 c349 c350 c351 c352
+ c353 c354 c355 c356 c357 c358 c359 c360 c361 c362 c363 c364 c365 c366 c367
+ c368 c369 c370 c371 c372 c373 c374 c375 c376 c377 c378 c379 c380 c381 c382
+ c383 c384 c385 c386 c387 c388 c389 c390 c391 c392 c393 c394 c395 c396 c397
+ c398 c399 c400 c401 c402 c403 c404 c405 c406 c407 c408 c409 c410 c411 c412
+ c413 c414 c415 c416 c417 c418 c419 c420 c421 c422 c423 c424 c425 c426 c427
+ c428 c429 c430 c431 c432 c433 c434 c435 c436 c437 c438 c439 c440 c441 c442
+ c443 c444 c445 c446 c447 c448 c449 c450 c451 c452 c453 c454 c455 c456 c457
+ c458 c459 c460 c461 c462 c463 c464 c465 c466 c467 c468 c469 c470 c471 c472
+ c473 c474 c475 c476 c477 c478 c479 c480 c481 c482 c483 c484 c485 c486 c487
+ c488 c489 c490 c491 c492 c493 c494 c495 c496 c497 c498 c499 c500 c501 c502
+ c503 c504 c505 c506 c507 c508 c509 c510 c511 c512 c513 c514 c515 c516 c517
+ c518 c519 c520 c521 c522 c523 c524 c525 c526 c527 c528 c529 c530 c531 c532
+ c533 c534 c535 c536 c537 c538 c539 c540 c541 c542 c543 c544 c545 c546 c547
+ c548 c549 c550 c551 c552 c553 c554 c555 c556 c557 c558 c559 c560 c561 c562
+ c563 c564 c565 c566 c567 c568 c569 c570 c571 c572 c573 c574 c575 c576 c577
+ c578 c579 c580 c581 c582 c583 c584 c585 c586 c587 c588 c589 c590 c591 c592
+ c593 c594 c595 c596 c597 c598 c599 c600 c601 c602 c603 c604 c605 c606 c607
+ c608 c609 c610 c611 c612 c613 c614 c615 c616 c617 c618 c619 c620 c621 c622
+ c623 c624 c625 c626 c627 c628 c629 c630 c631 c632 c633 c634 c635 c636 c637
+ c638 c639 c640 c641 c642 c643 c644 c645 c646 c647 c648 c649 c650 c651 c652
+ c653 c654 c655 c656 c657 c658 c659 c660 c661 c662 c663 c664 c665 c666 c667
+ c668 c669 c670 c671 c672 c673 c674 c675 c676 c677 c678 c679 c680 c681 c682
+ c683 c684 c685 c686 c687 c688 c689 c690 c691 c692 c693 c694 c695 c696 c697
+ c698 c699 c700 c701 c702 c703 c704 c705 c706 c707 c708 c709 c710 c711 c712
+ c713 c714 c715 c716 c717 c718 c719 c720 c721 c722 c723 c724 c725 c726 c727
+ c728 c729 c730 c731 c732 c733 c734 c735 c736 c737 c738 c739 c740 c741 c742
+ c743 c744 c745 c746 c747 c748 c749 c750 c751 c752 c753 c754 c755 c756 c757
+ c758 c759 c760 c761 c762 c763 c764 c765 c766 c767 c768 c769 c770 c771 c772
+ c773 c774 c775 c776 c777 c778 c779 c780 c781 c782 c783 c784 c785 c786 c787
+ c788 c789 c790 c791 c792 c793 c794 c795 c796 c797 c798 c799 c800 c801 c802
+ c803 c804 c805 c806 c807 c808 c809 c810 c811 c812 c813 c814 c815 c816 c817
+ c818 c819 c820 c821 c822 c823 c824 c825 c826 c827 c828 c829 c830 c831 c832
+ c833 c834 c835 c836 c837 c838 c839 c840 c841 c842 c843 c844 c845 c846 c847
+ c848 c849 c850 c851 c852 c853 c854 c855 c856 c857 c858 c859 c860 c861 c862
+ c863 c864 c865 c866 c867 c868 c869 c870 c871 c872 c873 c874 c875 c876 c877
+ c878 c879 c880 c881 c882 c883 c884 c885 c886 c887 c888 c889 c890 c891 c892
+ c893 c894 c895 c896 c897 c898 c899 c900 c901 c902 c903 c904 c905 c906 c907
+ c908 c909 c910 c911 c912 c913 c914 c915 c916 c917 c918 c919 c920 c921 c922
+ c923 c924 c925 c926 c927 c928 c929 c930 c931 c932 c933 c934 c935 c936 c937
+ c938 c939 c940 c941 c942 c943 c944 c945 c946 c947 c948 c949 c950 c951 c952
+ c953 c954 c955 c956 c957 c958 c959 c960 c961 c962 c963 c964 c965 c966 c967
+ c968 c969 c970 c971 c972 c973 c974 c975 c976 c977 c978 c979 c980 c981 c982
+ c983 c984 c985 c986 c987 c988 c989 c990 c991 c992 c993 c994 c995 c996 c997
+ c998 c999 c1000 c1001 c1002 c1003 c1004 c1005 c1006 c1007 c1008 c1009 c1010
+ c1011 c1012 c1013 c1014 c1015 c1016 c1017 c1018 c1019 c1020 c1021 c1022
+ c1023))
(categoryset catset (range c0 c1023))
diff --git a/src/misc/modular.cil b/src/misc/modular.cil
index 667a179..2a1b79a 100644
--- a/src/misc/modular.cil
+++ b/src/misc/modular.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(selinuxuserdefault sys.id sys.lowlow)
diff --git a/src/misc/obj.cil b/src/misc/obj.cil
index 812b50e..30f9acc 100644
--- a/src/misc/obj.cil
+++ b/src/misc/obj.cil
@@ -1,16 +1,16 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(block obj
- (macro role ((role ARG1))
- (roleattributeset roleattr ARG1))
+ (macro role ((role ARG1))
+ (roleattributeset roleattr ARG1))
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (roleattribute roleattr)
+ (roleattribute roleattr)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (roletype roleattr typeattr))
+ (roletype roleattr typeattr))
diff --git a/src/misc/perm.cil b/src/misc/perm.cil
index 11cfb91..a770c0e 100644
--- a/src/misc/perm.cil
+++ b/src/misc/perm.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(classpermission addname_dir)
@@ -129,20 +129,20 @@
(classpermission writeinherited_sock_file)
(classpermissionset addname_dir
- (dir (add_name getattr ioctl lock open read search write)))
+ (dir (add_name getattr ioctl lock open read search write)))
(classpermissionset append_blk_file (blk_file (append getattr ioctl lock open)))
(classpermissionset append_chr_file (chr_file (append getattr ioctl lock open)))
(classpermissionset append_fifo_file
- (fifo_file (append getattr ioctl lock open)))
+ (fifo_file (append getattr ioctl lock open)))
(classpermissionset append_file (file (append getattr ioctl lock open)))
(classpermissionset appendinherited_blk_file
- (blk_file (append getattr ioctl lock)))
+ (blk_file (append getattr ioctl lock)))
(classpermissionset appendinherited_chr_file
- (chr_file (append getattr ioctl lock)))
+ (chr_file (append getattr ioctl lock)))
(classpermissionset appendinherited_fifo_file
- (fifo_file (append getattr ioctl lock)))
+ (fifo_file (append getattr ioctl lock)))
(classpermissionset appendinherited_file (file (append getattr ioctl lock)))
(classpermissionset create_blk_file (blk_file (create getattr)))
@@ -162,39 +162,39 @@
(classpermissionset delete_sock_file (sock_file (getattr unlink)))
(classpermissionset deletename_dir
- (dir (getattr ioctl lock open read remove_name search
- write)))
+ (dir (getattr ioctl lock open read remove_name search
+ write)))
(classpermissionset execute_file
- (file (execute execute_no_trans getattr ioctl map open
- read)))
+ (file (execute execute_no_trans getattr ioctl map open
+ read)))
(classpermissionset list_dir (dir (getattr ioctl lock open read search)))
(classpermissionset listinherited_dir (dir (getattr ioctl lock read search)))
(classpermissionset manage_blk_file
- (blk_file (append create getattr ioctl link lock open read
- rename setattr unlink write)))
+ (blk_file (append create getattr ioctl link lock open read
+ rename setattr unlink write)))
(classpermissionset manage_chr_file
- (chr_file (append create getattr ioctl link lock open read
- rename setattr unlink write)))
+ (chr_file (append create getattr ioctl link lock open read
+ rename setattr unlink write)))
(classpermissionset manage_dir
- (dir (add_name create getattr ioctl link lock open read
- setattr remove_name rename reparent rmdir
- search write)))
+ (dir (add_name create getattr ioctl link lock open read
+ setattr remove_name rename reparent rmdir
+ search write)))
(classpermissionset manage_fifo_file
- (fifo_file (append create getattr ioctl link lock open read
- rename setattr unlink write)))
+ (fifo_file (append create getattr ioctl link lock open read
+ rename setattr unlink write)))
(classpermissionset manage_file
- (file (append create getattr ioctl link lock open read
- rename setattr unlink write)))
+ (file (append create getattr ioctl link lock open read
+ rename setattr unlink write)))
(classpermissionset manage_lnk_file
- (lnk_file (append create getattr link lock read rename
- setattr unlink write)))
+ (lnk_file (append create getattr link lock read rename
+ setattr unlink write)))
(classpermissionset manage_sock_file
- (sock_file (append create getattr ioctl link lock open read
- rename setattr unlink write)))
+ (sock_file (append create getattr ioctl link lock open read
+ rename setattr unlink write)))
(classpermissionset mapexecute_chr_file (chr_file (execute map)))
(classpermissionset mapexecute_file (file (execute map)))
@@ -213,50 +213,50 @@
(classpermissionset readinherited_blk_file (blk_file (getattr ioctl lock read)))
(classpermissionset readinherited_chr_file (chr_file (getattr ioctl lock read)))
(classpermissionset readinherited_fifo_file
- (fifo_file (getattr ioctl lock read)))
+ (fifo_file (getattr ioctl lock read)))
(classpermissionset readinherited_file (file (getattr ioctl lock read)))
(classpermissionset readinherited_sock_file
- (sock_file (getattr ioctl lock read)))
+ (sock_file (getattr ioctl lock read)))
(classpermissionset readwrite_blk_file
- (blk_file (append getattr ioctl lock open read write)))
+ (blk_file (append getattr ioctl lock open read write)))
(classpermissionset readwrite_chr_file
- (chr_file (append getattr ioctl lock open read write)))
+ (chr_file (append getattr ioctl lock open read write)))
(classpermissionset readwrite_dir
- (dir (add_name getattr ioctl lock open read remove_name
- search write)))
+ (dir (add_name getattr ioctl lock open read remove_name
+ search write)))
(classpermissionset readwrite_fifo_file
- (fifo_file (append getattr ioctl lock open read write)))
+ (fifo_file (append getattr ioctl lock open read write)))
(classpermissionset readwrite_file
- (file (append getattr ioctl lock open read write)))
+ (file (append getattr ioctl lock open read write)))
(classpermissionset readwrite_lnk_file
- (lnk_file (append getattr lock read write)))
+ (lnk_file (append getattr lock read write)))
(classpermissionset readwrite_sock_file
- (sock_file (append getattr ioctl lock open read write)))
+ (sock_file (append getattr ioctl lock open read write)))
(classpermissionset readwriteinherited_blk_file
- (blk_file (append getattr ioctl lock read write)))
+ (blk_file (append getattr ioctl lock read write)))
(classpermissionset readwriteinherited_chr_file
- (chr_file (append getattr ioctl lock read write)))
+ (chr_file (append getattr ioctl lock read write)))
(classpermissionset readwriteinherited_dir
- (dir (add_name getattr ioctl lock read remove_name search
- write)))
+ (dir (add_name getattr ioctl lock read remove_name search
+ write)))
(classpermissionset readwriteinherited_fifo_file
- (fifo_file (append getattr ioctl lock read write)))
+ (fifo_file (append getattr ioctl lock read write)))
(classpermissionset readwriteinherited_file
- (file (append getattr ioctl lock read write)))
+ (file (append getattr ioctl lock read write)))
(classpermissionset readwriteinherited_sock_file
- (sock_file (append getattr ioctl lock read write)))
+ (sock_file (append getattr ioctl lock read write)))
(classpermissionset relabel_blk_file (blk_file (getattr relabelfrom relabelto)))
(classpermissionset relabel_chr_file (chr_file (getattr relabelfrom relabelto)))
(classpermissionset relabel_dir (dir (getattr relabelfrom relabelto)))
(classpermissionset relabel_fifo_file
- (fifo_file (getattr relabelfrom relabelto)))
+ (fifo_file (getattr relabelfrom relabelto)))
(classpermissionset relabel_file (file (getattr relabelfrom relabelto)))
(classpermissionset relabel_lnk_file (lnk_file (getattr relabelfrom relabelto)))
(classpermissionset relabel_sock_file
- (sock_file (getattr relabelfrom relabelto)))
+ (sock_file (getattr relabelfrom relabelto)))
(classpermissionset relabelfrom_blk_file (blk_file (getattr relabelfrom)))
(classpermissionset relabelfrom_chr_file (chr_file (getattr relabelfrom)))
@@ -285,30 +285,30 @@
(classpermissionset search_dir (dir (getattr search)))
(classpermissionset write_blk_file
- (blk_file (append getattr ioctl lock open write)))
+ (blk_file (append getattr ioctl lock open write)))
(classpermissionset write_chr_file
- (chr_file (append getattr ioctl lock open write)))
+ (chr_file (append getattr ioctl lock open write)))
(classpermissionset write_dir
- (dir (add_name getattr ioctl lock open remove_name search
- write)))
+ (dir (add_name getattr ioctl lock open remove_name search
+ write)))
(classpermissionset write_fifo_file
- (fifo_file (append getattr ioctl lock open write)))
+ (fifo_file (append getattr ioctl lock open write)))
(classpermissionset write_file
- (file (append getattr ioctl lock open write)))
+ (file (append getattr ioctl lock open write)))
(classpermissionset write_lnk_file (lnk_file (append getattr lock write)))
(classpermissionset write_sock_file
- (sock_file (append getattr ioctl lock open write)))
+ (sock_file (append getattr ioctl lock open write)))
(classpermissionset writeinherited_blk_file
- (blk_file (append getattr ioctl lock write)))
+ (blk_file (append getattr ioctl lock write)))
(classpermissionset writeinherited_chr_file
- (chr_file (append getattr ioctl lock write)))
+ (chr_file (append getattr ioctl lock write)))
(classpermissionset writeinherited_dir
- (dir (add_name getattr ioctl lock remove_name search
- write)))
+ (dir (add_name getattr ioctl lock remove_name search
+ write)))
(classpermissionset writeinherited_fifo_file
- (fifo_file (append getattr ioctl lock write)))
+ (fifo_file (append getattr ioctl lock write)))
(classpermissionset writeinherited_file
- (file (append getattr ioctl lock write)))
+ (file (append getattr ioctl lock write)))
(classpermissionset writeinherited_sock_file
- (sock_file (append getattr ioctl lock write)))
+ (sock_file (append getattr ioctl lock write)))
diff --git a/src/misc/unconfined.cil b/src/misc/unconfined.cil
index 1a5b0cc..f8d9730 100644
--- a/src/misc/unconfined.cil
+++ b/src/misc/unconfined.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(block unconfined
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))
+ (typeattribute typeattr))
diff --git a/src/misc/xperm/consolexperm.cil b/src/misc/xperm/consolexperm.cil
index 3b49284..7480653 100644
--- a/src/misc/xperm/consolexperm.cil
+++ b/src/misc/xperm/consolexperm.cil
@@ -1,14 +1,14 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(permissionx IOCTLCONSOLE_NOT_TIOCLINUX
- (ioctl chr_file (0x4b72 0x4b31 0x4b32 0x4b64 0x4b65 0x4b33 0x4b34
- 0x4b35 0x4b36 0x4b37 0x4b3a 0x4b3b 0x4b30
- 0x4b2f 0x4b70 0x4b71 0x4b60 0x4b6b 0x4b61
- 0x4b6c 0x4b6d 0x4b40 0x4b69 0x4b41 0x4b6a
- 0x4b66 0x4b67 0x4b68 0x4b44 0x4b45 0x4b62
- 0x4b63 0x4b46 0x4b47 0x4b48 0x4b49 0x4b4a
- 0x4b4c 0x4b4d 0x4b4e 0x4bfa 0x4bfb)))
+ (ioctl chr_file (0x4b72 0x4b31 0x4b32 0x4b64 0x4b65 0x4b33 0x4b34
+ 0x4b35 0x4b36 0x4b37 0x4b3a 0x4b3b 0x4b30
+ 0x4b2f 0x4b70 0x4b71 0x4b60 0x4b6b 0x4b61
+ 0x4b6c 0x4b6d 0x4b40 0x4b69 0x4b41 0x4b6a
+ 0x4b66 0x4b67 0x4b68 0x4b44 0x4b45 0x4b62
+ 0x4b63 0x4b46 0x4b47 0x4b48 0x4b49 0x4b4a
+ 0x4b4c 0x4b4d 0x4b4e 0x4bfa 0x4bfb)))
;; Font handling
(permissionx KDFONTOP (ioctl chr_file (0x4b72)))
diff --git a/src/misc/xperm/ttyxperm.cil b/src/misc/xperm/ttyxperm.cil
index 15a4241..17d3f6e 100644
--- a/src/misc/xperm/ttyxperm.cil
+++ b/src/misc/xperm/ttyxperm.cil
@@ -1,17 +1,17 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(permissionx IOCTLTTY_NOT_TIOCSTI
- (ioctl chr_file (0x5405 0x542a 0x540d 0x5401 0x5406 0x542b 0x5402
- 0x5403 0x542c 0x5407 0x5404 0x542d 0x5408
- 0x5456 0x5457 0x7468 0x5413 0x7467 0x5414
- 0x5409 0x5425 0x5427 0x5428 0x540a 0x467f
- 0x541b 0x7472 0x5411 0x540b 0x541d 0x5480
- 0x540e 0x5422 0x540f 0x5410 0x5429 0x540c
- 0x5440 0x540c 0x5424 0x5423 0x5420 0x5438
- 0x5431 0x5439 0x5415 0x5418 0x5417 0x5416
- 0x545c 0x545d 0x5419 0x541a 0x541e
- 0x5459)))
+ (ioctl chr_file (0x5405 0x542a 0x540d 0x5401 0x5406 0x542b 0x5402
+ 0x5403 0x542c 0x5407 0x5404 0x542d 0x5408
+ 0x5456 0x5457 0x7468 0x5413 0x7467 0x5414
+ 0x5409 0x5425 0x5427 0x5428 0x540a 0x467f
+ 0x541b 0x7472 0x5411 0x540b 0x541d 0x5480
+ 0x540e 0x5422 0x540f 0x5410 0x5429 0x540c
+ 0x5440 0x540c 0x5424 0x5423 0x5420 0x5438
+ 0x5431 0x5439 0x5415 0x5418 0x5417 0x5416
+ 0x545c 0x545d 0x5419 0x541a 0x541e
+ 0x5459)))
;; Get the current serial port settings
(permissionx TCGETS (ioctl chr_file (0x5405 0x542a 0x540d 0x5401)))
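Review bot: The IOCTLTTY_NOT_TIOCSTI list contains `0x540c` twice, once after `0x5429` and again after `0x5440`, and the reformat carries this over unchanged from the old side. A plain repeat is harmless, but in an ioctl allowlist the second entry may stand in for a different request number that was intended. Check it against the named permissionx entries further down ttyxperm.cil, which are outside this hunk, then drop or correct the second occurrence. A one-line comment above the list saying how it is derived, for example `;; every TTY ioctl defined below except TIOCSTI`, would make that check repeatable, if that is indeed the intent.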
diff --git a/src/misc/xperm/vtxperm.cil b/src/misc/xperm/vtxperm.cil
index b13cea9..794976b 100644
--- a/src/misc/xperm/vtxperm.cil
+++ b/src/misc/xperm/vtxperm.cil
@@ -1,11 +1,11 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(permissionx IOCTLVT
- (ioctl chr_file (0x0001 0x0002 0x0004 0x0008 0x5600 0x5601 0x5602
- 0x5603 0x5604 0x5605 0x5606 0x5607 0x5708
- 0x5609 0x560A 0x560B 0x560C 0x560D 0x560E
- 0x560F)))
+ (ioctl chr_file (0x0001 0x0002 0x0004 0x0008 0x5600 0x5601 0x5602
+ 0x5603 0x5604 0x5605 0x5606 0x5607 0x5708
+ 0x5609 0x560A 0x560B 0x560C 0x560D 0x560E
+ 0x560F)))
;; Console switch
(permissionx VT_EVENT_SWITCH (ioctl chr_file (0x0001)))
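Review bot: In IOCTLVT the value `0x5708` sits between `0x5607` and `0x5609` in an otherwise consecutive `0x5600`–`0x560F` run, which looks like a typo for `0x5608`. The reformat carries it over unchanged from the old side. If it is a typo, any rule using IOCTLVT omits the request that was intended and names an unrelated number instead, and the line should read `0x5603 0x5604 0x5605 0x5606 0x5607 0x5608`. Confirm against the named permissionx entries further down vtxperm.cil, which are outside this hunk.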