author | Dominick Grift <dominick.grift@defensec.nl> | 2023-08-20 15:44:41 +0200 |
---|---|---|
committer | Dominick Grift <dominick.grift@defensec.nl> | 2023-08-20 15:46:23 +0200 |
commit | 0c187b6ff97f91c41dab65a6426dc61f77305cdf (patch) | |
tree | 1e35f5851154500a8a39428a45a5671f9488e1da /src/subj.cil | |
download | selinux-policy-0c187b6ff97f91c41dab65a6426dc61f77305cdf.tar.gz |
Import dssp5
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Diffstat (limited to 'src/subj.cil')
-rw-r--r-- | src/subj.cil | 240 |
1 files changed, 240 insertions, 0 deletions
diff --git a/src/subj.cil b/src/subj.cil
new file mode 100644
index 0000000..716d307
--- /dev/null
+++ b/src/subj.cil
@@ -0,0 +1,240 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(classmap state (ps read))
+(classmapping state read read_file)
+(classmapping state read read_lnk_file)
+(classmapping state read list_dir)
+(classmapping state ps (process (getattr)))
+(classmapping state ps (state (read)))
+
+(block subj
+
+    (macro type ((type ARG1))
+        (typeattributeset typeattr ARG1))
+
+    (blockinherit all_macro_template)
+
+    (typeattribute not_typeattr)
+    (typeattribute typeattr)
+
+    (typeattributeset not_typeattr (not typeattr))
+
+    (neverallow typeattr not_typeattr (process (dyntransition transition)))
+    (neverallow typeattr not_typeattr
+        (process2 (nnp_transition nosuid_transition)))
+
+    (dontaudit typeattr typeattr (process (noatsecure rlimitinh siginh)))
+
+    (block all_macro_template
+
+        (blockabstract all_macro_template)
+
+        (macro getrlimit_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process (getrlimit))))
+
+        (macro getsched_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process (getsched))))
+
+        (macro nnptransition_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process2 (nnp_transition))))
+
+        (macro noatsecure_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process (noatsecure))))
+
+        (macro nosuidtransition_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process2 (nosuid_transition))))
+
+        (macro ps_all_states ((type ARG1))
+            (allow ARG1 typeattr (state (ps))))
+
+        (macro ptrace_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process (ptrace))))
+
+        (macro read_all_states ((type ARG1))
+            (allow ARG1 typeattr (state (read))))
+
+        (macro readinherited_all_fifo_files ((type ARG1))
+            (allow ARG1 typeattr readinherited_fifo_file))
+
+        (macro readwriteinherited_all_fifo_files ((type ARG1))
+            (allow ARG1 typeattr readwriteinherited_fifo_file))
+
+        (macro rlimitinh_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process (rlimitinh))))
+
+        (macro setrlimit_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process (setrlimit))))
+
+        (macro setsched_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process (setsched))))
+
+        (macro sigchld_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process (sigchld))))
+
+        (macro sigkill_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process (sigkill))))
+
+        (macro signal_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process (signal))))
+
+        (macro signull_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process (signull))))
+
+        (macro sigstop_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process (sigstop))))
+
+        (macro transition_all_processes ((type ARG1))
+            (allow ARG1 typeattr (process (transition))))
+
+        (macro writeinherited_all_fifo_files ((type ARG1))
+            (allow ARG1 typeattr writeinherited_fifo_file)))
+
+    (block base_template
+
+        (blockabstract base_template)
+
+        (type subj)
+        (call .subj.type (subj)))
+
+    (block entry
+
+        (macro entrypoint_all_files ((type ARG1))
+            (allow ARG1 typeattr (file (entrypoint))))
+
+        (macro type ((type ARG1))
+            (typeattributeset typeattr ARG1))
+
+        (blockinherit .file.all_macro_template_files)
+
+        (typeattribute not_typeattr)
+        (typeattribute typeattr)
+
+        (typeattributeset not_typeattr (not typeattr))
+
+        (neverallow subj.typeattr not_typeattr (file (entrypoint))))
+
+    (block execheap
+
+        (macro type ((type ARG1))
+            (typeattributeset typeattr ARG1))
+
+        (typeattribute not_typeattr)
+        (typeattribute typeattr)
+
+        (typeattributeset not_typeattr (not typeattr))
+
+        (neverallow not_typeattr self (process (execheap))))
+
+    (block execstack
+
+        (macro type ((type ARG1))
+            (typeattributeset typeattr ARG1))
+
+        (typeattribute not_typeattr)
+        (typeattribute typeattr)
+
+        (typeattributeset not_typeattr (not typeattr))
+
+        (neverallow not_typeattr self (process (execstack))))
+
+    (block macro_template
+
+        (blockabstract macro_template)
+
+        (macro getrlimit_subj_processes ((type ARG1))
+            (allow ARG1 subj (process (getrlimit))))
+
+        (macro getsched_subj_processes ((type ARG1))
+            (allow ARG1 subj (process (getsched))))
+
+        (macro nnptransition_subj_processes ((type ARG1))
+            (allow ARG1 subj (process2 (nnp_transition))))
+
+        (macro noatsecure_subj_processes ((type ARG1))
+            (allow ARG1 subj (process (noatsecure))))
+
+        (macro nosuidtransition_subj_processes ((type ARG1))
+            (allow ARG1 subj (process2 (nosuid_transition))))
+
+        (macro ps_subj_states ((type ARG1))
+            (allow ARG1 subj (state (ps))))
+
+        (macro ptrace_subj_processes ((type ARG1))
+            (allow ARG1 subj (process (ptrace))))
+
+        (macro read_subj_states ((type ARG1))
+            (allow ARG1 subj (state (read))))
+
+        (macro readinherited_subj_fifo_files ((type ARG1))
+            (allow ARG1 subj readinherited_fifo_file))
+
+        (macro readwriteinherited_subj_fifo_files ((type ARG1))
+            (allow ARG1 subj readwriteinherited_fifo_file))
+
+        (macro rlimitinh_subj_processes ((type ARG1))
+            (allow ARG1 subj (process (rlimitinh))))
+
+        (macro setrlimit_subj_processes ((type ARG1))
+            (allow ARG1 subj (process (setrlimit))))
+
+        (macro setsched_subj_processes ((type ARG1))
+            (allow ARG1 subj (process (setsched))))
+
+        (macro sigchld_subj_processes ((type ARG1))
+            (allow ARG1 subj (process (sigchld))))
+
+        (macro sigkill_subj_processes ((type ARG1))
+            (allow ARG1 subj (process (sigkill))))
+
+        (macro signal_subj_processes ((type ARG1))
+            (allow ARG1 subj (process (signal))))
+
+        (macro signull_subj_processes ((type ARG1))
+            (allow ARG1 subj (process (signull))))
+
+        (macro sigstop_subj_processes ((type ARG1))
+            (allow ARG1 subj (process (sigstop))))
+
+        (macro transition_subj_processes ((type ARG1))
+            (allow ARG1 subj (process (transition))))
+
+        (macro writeinherited_subj_fifo_files ((type ARG1))
+            (allow ARG1 subj writeinherited_fifo_file)))
+
+    (block template
+
+        (blockabstract template)
+
+        (blockinherit .subj.base_template)
+        (blockinherit .subj.macro_template))
+
+    (block unconfined
+
+        (macro type ((type ARG1))
+            (typeattributeset typeattr ARG1))
+
+        (typeattribute typeattr)
+
+        (allow typeattr subj.entry.typeattr (file (entrypoint)))
+
+        (allow typeattr subj.typeattr (process (all)))
+        ;; nosuid_transition should not be needed and indicates
+        ;; misconfiguration. when used properly it is worth blocking this
+        ;; access to prevent domain transitions on untrusted removeable
+        ;; storage. just be sure to alway's mount untrusted remote storage
+        ;; with nosuid, because otherwise this does not work.
+        (allow typeattr subj.typeattr (process2 (not nosuid_transition)))
+
+        (allow typeattr subj.typeattr (fifo_file (not (execmod map mounton))))
+        (allow typeattr subj.typeattr list_dir)
+        (allow typeattr subj.typeattr mounton_file)
+        (allow typeattr subj.typeattr read_lnk_file)
+        (allow typeattr subj.typeattr readwrite_file)
+
+        (call execheap.type (typeattr))
+        (call execstack.type (typeattr))))
+
+(in unconfined
+
+    (call .subj.unconfined.type (typeattr)))
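Review bot: The `(allow typeattr subj.typeattr (process (all)))` grant in the `unconfined` block is the broadest rule in the file and carries no comment, while the `process2` grant right below it gets a five-line justification; `(process (all))` covers `ptrace`, `dyntransition`, `setcurrent` and `share` on every subj type, so the intent deserves the same treatment, e.g. `;; unconfined is deliberately unrestricted towards all subj types; the subj-level neverallows above still forbid transitions out of subj.typeattr` (that last clause holds only if unconfined types are themselves members of `subj.typeattr`, which this file does not show). The `state` classmap at the top of the file would also benefit from a one-line comment spelling out what the two permissions stand for, since `ps` is mapped to `process getattr` plus the classmap's own `read`. Minor wording in the existing comment: `removeable` → `removable` and `alway's` → `always`.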