author | Dominick Grift <dominick.grift@defensec.nl> | 2023-08-20 15:44:41 +0200 |
---|---|---|
committer | Dominick Grift <dominick.grift@defensec.nl> | 2023-08-20 15:46:23 +0200 |
commit | 0c187b6ff97f91c41dab65a6426dc61f77305cdf (patch) | |
tree | 1e35f5851154500a8a39428a45a5671f9488e1da /src/sys | |
download | selinux-policy-0c187b6ff97f91c41dab65a6426dc61f77305cdf.tar.gz |
Import dssp5
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Diffstat (limited to 'src/sys')
134 files changed, 3136 insertions, 0 deletions
diff --git a/src/sys/bpffile.cil b/src/sys/bpffile.cil
new file mode 100644
index 0000000..7c1bbcf
--- /dev/null
+++ b/src/sys/bpffile.cil
@@ -0,0 +1,144 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block bpffile
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .obj.type (typeattr))
+
+ (call .bpf.associate_fs (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context bpffile_context (.sys.id .sys.role bpffile lowlevelrange))
+
+ (type bpffile)
+ (call .bpffile.type (bpffile)))
+
+ (block macro_template_dirs
+
+ (blockabstract macro_template_dirs)
+
+ (macro addname_bpffile_dirs ((type ARG1))
+ (allow ARG1 bpffile addname_dir))
+
+ (macro create_bpffile_dirs ((type ARG1))
+ (allow ARG1 bpffile create_dir))
+
+ (macro delete_bpffile_dirs ((type ARG1))
+ (allow ARG1 bpffile delete_dir))
+
+ (macro deletename_bpffile_dirs ((type ARG1))
+ (allow ARG1 bpffile deletename_dir))
+
+ (macro list_bpffile_dirs ((type ARG1))
+ (allow ARG1 bpffile list_dir))
+
+ (macro listinherited_bpffile_dirs ((type ARG1))
+ (allow ARG1 bpffile listinherited_dir))
+
+ (macro manage_bpffile_dirs ((type ARG1))
+ (allow ARG1 bpffile manage_dir))
+
+ (macro mounton_bpffile_dirs ((type ARG1))
+ (allow ARG1 bpffile mounton_dir))
+
+ (macro readwrite_bpffile_dirs ((type ARG1))
+ (allow ARG1 bpffile readwrite_dir))
+
+ (macro readwriteinherited_bpffile_dirs ((type ARG1))
+ (allow ARG1 bpffile readwriteinherited_dir))
+
+ (macro rename_bpffile_dirs ((type ARG1))
+ (allow ARG1 bpffile rename_dir))
+
+ (macro search_bpffile_dirs ((type ARG1))
+ (allow ARG1 bpffile search_dir))
+
+ (macro write_bpffile_dirs ((type ARG1))
+ (allow ARG1 bpffile write_dir))
+
+ (macro writeinherited_bpffile_dirs ((type ARG1))
+ (allow ARG1 bpffile writeinherited_dir)))
+
+ (block macro_template_files
+
+ (blockabstract macro_template_files)
+
+ (macro append_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile append_file))
+
+ (macro appendinherited_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile appendinherited_file))
+
+ (macro create_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile create_file))
+
+ (macro delete_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile delete_file))
+
+ (macro execute_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile execute_file))
+
+ (macro manage_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile manage_file))
+
+ (macro mapexecute_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile mapexecute_file))
+
+ (macro mounton_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile mounton_file))
+
+ (macro read_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile read_file))
+
+ (macro readinherited_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile readinherited_file))
+
+ (macro readwrite_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile readwrite_file))
+
+ (macro readwriteinherited_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile readwriteinherited_file))
+
+ (macro rename_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile rename_file))
+
+ (macro write_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile write_file))
+
+ (macro writeinherited_bpffile_files ((type ARG1))
+ (allow ARG1 bpffile writeinherited_file)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .bpffile.base_template)
+ (blockinherit .bpffile.macro_template_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr bpffile.typeattr
+ (dir (not (audit_access execmod relabelfrom relabelto))))
+ (allow typeattr bpffile.typeattr
+ (file (not (audit_access entrypoint execmod relabelfrom
+ relabelto))))))
+
+(in sys.unconfined
+
+ (call .bpffile.unconfined.type (typeattr)))
diff --git a/src/sys/cgroupfile.cil b/src/sys/cgroupfile.cil
new file mode 100644
index 0000000..cedbf4c
--- /dev/null
+++ b/src/sys/cgroupfile.cil
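Review bot: The two `allow` rules in the `unconfined` block near the end of the hunk withhold `relabelfrom`/`relabelto` on bpffile dirs and files, whereas the parallel `unconfined` blocks in cgroupfile.cil and debugfile.cil in this same commit withhold only `audit_access`/`execmod` (plus `entrypoint` for files), and nothing in the file explains the asymmetry. If it is deliberate (bpffs objects are never to be relabeled, not even by unconfined domains) a one-line comment above the first `allow`, e.g. `;; relabel is never granted on bpffile objects, not even to unconfined`, would stop a later maintainer from "harmonising" it away; if it is not deliberate, the three files should agree. The macro template blocks above are one-permission wrappers and need no further documentation.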
@@ -0,0 +1,142 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cgroupfile
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .obj.type (typeattr))
+
+ (call .cgroup.associate_fs (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context cgroupfile_context (.sys.id .sys.role cgroupfile lowlevelrange))
+
+ (type cgroupfile)
+ (call .cgroupfile.type (cgroupfile)))
+
+ (block macro_template_dirs
+
+ (blockabstract macro_template_dirs)
+
+ (macro addname_cgroupfile_dirs ((type ARG1))
+ (allow ARG1 cgroupfile addname_dir))
+
+ (macro create_cgroupfile_dirs ((type ARG1))
+ (allow ARG1 cgroupfile create_dir))
+
+ (macro delete_cgroupfile_dirs ((type ARG1))
+ (allow ARG1 cgroupfile delete_dir))
+
+ (macro deletename_cgroupfile_dirs ((type ARG1))
+ (allow ARG1 cgroupfile deletename_dir))
+
+ (macro list_cgroupfile_dirs ((type ARG1))
+ (allow ARG1 cgroupfile list_dir))
+
+ (macro listinherited_cgroupfile_dirs ((type ARG1))
+ (allow ARG1 cgroupfile listinherited_dir))
+
+ (macro manage_cgroupfile_dirs ((type ARG1))
+ (allow ARG1 cgroupfile manage_dir))
+
+ (macro mounton_cgroupfile_dirs ((type ARG1))
+ (allow ARG1 cgroupfile mounton_dir))
+
+ (macro readwrite_cgroupfile_dirs ((type ARG1))
+ (allow ARG1 cgroupfile readwrite_dir))
+
+ (macro readwriteinherited_cgroupfile_dirs ((type ARG1))
+ (allow ARG1 cgroupfile readwriteinherited_dir))
+
+ (macro rename_cgroupfile_dirs ((type ARG1))
+ (allow ARG1 cgroupfile rename_dir))
+
+ (macro search_cgroupfile_dirs ((type ARG1))
+ (allow ARG1 cgroupfile search_dir))
+
+ (macro write_cgroupfile_dirs ((type ARG1))
+ (allow ARG1 cgroupfile write_dir))
+
+ (macro writeinherited_cgroupfile_dirs ((type ARG1))
+ (allow ARG1 cgroupfile writeinherited_dir)))
+
+ (block macro_template_files
+
+ (blockabstract macro_template_files)
+
+ (macro append_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile append_file))
+
+ (macro appendinherited_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile appendinherited_file))
+
+ (macro create_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile create_file))
+
+ (macro delete_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile delete_file))
+
+ (macro execute_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile execute_file))
+
+ (macro manage_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile manage_file))
+
+ (macro mapexecute_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile mapexecute_file))
+
+ (macro mounton_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile mounton_file))
+
+ (macro read_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile read_file))
+
+ (macro readinherited_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile readinherited_file))
+
+ (macro readwrite_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile readwrite_file))
+
+ (macro readwriteinherited_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile readwriteinherited_file))
+
+ (macro rename_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile rename_file))
+
+ (macro write_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile write_file))
+
+ (macro writeinherited_cgroupfile_files ((type ARG1))
+ (allow ARG1 cgroupfile writeinherited_file)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .cgroupfile.base_template)
+ (blockinherit .cgroupfile.macro_template_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr cgroupfile.typeattr (dir (not (audit_access execmod))))
+ (allow typeattr cgroupfile.typeattr
+ (file (not (audit_access entrypoint execmod))))))
+
+(in sys.unconfined
+
+ (call .cgroupfile.unconfined.type (typeattr)))
diff --git a/src/sys/debugfile.cil b/src/sys/debugfile.cil
new file mode 100644
index 0000000..cfd15a5
--- /dev/null
+++ b/src/sys/debugfile.cil
@@ -0,0 +1,142 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block debugfile
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .obj.type (typeattr))
+
+ (call .debug.associate_fs (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context debugfile_context (.sys.id .sys.role debugfile lowlevelrange))
+
+ (type debugfile)
+ (call .debugfile.type (debugfile)))
+
+ (block macro_template_dirs
+
+ (blockabstract macro_template_dirs)
+
+ (macro addname_debugfile_dirs ((type ARG1))
+ (allow ARG1 debugfile addname_dir))
+
+ (macro create_debugfile_dirs ((type ARG1))
+ (allow ARG1 debugfile create_dir))
+
+ (macro delete_debugfile_dirs ((type ARG1))
+ (allow ARG1 debugfile delete_dir))
+
+ (macro deletename_debugfile_dirs ((type ARG1))
+ (allow ARG1 debugfile deletename_dir))
+
+ (macro list_debugfile_dirs ((type ARG1))
+ (allow ARG1 debugfile list_dir))
+
+ (macro listinherited_debugfile_dirs ((type ARG1))
+ (allow ARG1 debugfile listinherited_dir))
+
+ (macro manage_debugfile_dirs ((type ARG1))
+ (allow ARG1 debugfile manage_dir))
+
+ (macro mounton_debugfile_dirs ((type ARG1))
+ (allow ARG1 debugfile mounton_dir))
+
+ (macro readwrite_debugfile_dirs ((type ARG1))
+ (allow ARG1 debugfile readwrite_dir))
+
+ (macro readwriteinherited_debugfile_dirs ((type ARG1))
+ (allow ARG1 debugfile readwriteinherited_dir))
+
+ (macro rename_debugfile_dirs ((type ARG1))
+ (allow ARG1 debugfile rename_dir))
+
+ (macro search_debugfile_dirs ((type ARG1))
+ (allow ARG1 debugfile search_dir))
+
+ (macro write_debugfile_dirs ((type ARG1))
+ (allow ARG1 debugfile write_dir))
+
+ (macro writeinherited_debugfile_dirs ((type ARG1))
+ (allow ARG1 debugfile writeinherited_dir)))
+
+ (block macro_template_files
+
+ (blockabstract macro_template_files)
+
+ (macro append_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile append_file))
+
+ (macro appendinherited_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile appendinherited_file))
+
+ (macro create_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile create_file))
+
+ (macro delete_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile delete_file))
+
+ (macro execute_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile execute_file))
+
+ (macro manage_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile manage_file))
+
+ (macro mapexecute_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile mapexecute_file))
+
+ (macro mounton_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile mounton_file))
+
+ (macro read_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile read_file))
+
+ (macro readinherited_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile readinherited_file))
+
+ (macro readwrite_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile readwrite_file))
+
+ (macro readwriteinherited_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile readwriteinherited_file))
+
+ (macro rename_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile rename_file))
+
+ (macro write_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile write_file))
+
+ (macro writeinherited_debugfile_files ((type ARG1))
+ (allow ARG1 debugfile writeinherited_file)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .debugfile.base_template)
+ (blockinherit .debugfile.macro_template_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr debugfile.typeattr (dir (not (audit_access execmod))))
+ (allow typeattr debugfile.typeattr
+ (file (not (audit_access entrypoint execmod))))))
+
+(in sys.unconfined
+
+ (call .debugfile.unconfined.type (typeattr)))
diff --git a/src/sys/procfile.cil b/src/sys/procfile.cil
new file mode 100644
index 0000000..2b81c2e
--- /dev/null
+++ b/src/sys/procfile.cil
@@ -0,0 +1,193 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block procfile
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+
+ (call .obj.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context procfile_context (.sys.id .sys.role procfile lowlevelrange))
+
+ (type procfile)
+ (call .procfile.type (procfile)))
+
+ (block except
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_lnk_files)
+
+ (typeattribute typeattr)
+
+ (typeattributeset typeattr
+ (and procfile.typeattr (not (exception.typeattr)))))
+
+ (block exception
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (call procfile.type (typeattr)))
+
+ (block macro_template_dirs
+
+ (blockabstract macro_template_dirs)
+
+ (macro addname_procfile_dirs ((type ARG1))
+ (allow ARG1 procfile addname_dir))
+
+ (macro create_procfile_dirs ((type ARG1))
+ (allow ARG1 procfile create_dir))
+
+ (macro delete_procfile_dirs ((type ARG1))
+ (allow ARG1 procfile delete_dir))
+
+ (macro deletename_procfile_dirs ((type ARG1))
+ (allow ARG1 procfile deletename_dir))
+
+ (macro list_procfile_dirs ((type ARG1))
+ (allow ARG1 procfile list_dir))
+
+ (macro listinherited_procfile_dirs ((type ARG1))
+ (allow ARG1 procfile listinherited_dir))
+
+ (macro manage_procfile_dirs ((type ARG1))
+ (allow ARG1 procfile manage_dir))
+
+ (macro mounton_procfile_dirs ((type ARG1))
+ (allow ARG1 procfile mounton_dir))
+
+ (macro readwrite_procfile_dirs ((type ARG1))
+ (allow ARG1 procfile readwrite_dir))
+
+ (macro readwriteinherited_procfile_dirs ((type ARG1))
+ (allow ARG1 procfile readwriteinherited_dir))
+
+ (macro rename_procfile_dirs ((type ARG1))
+ (allow ARG1 procfile rename_dir))
+
+ (macro search_procfile_dirs ((type ARG1))
+ (allow ARG1 procfile search_dir))
+
+ (macro write_procfile_dirs ((type ARG1))
+ (allow ARG1 procfile write_dir))
+
+ (macro writeinherited_procfile_dirs ((type ARG1))
+ (allow ARG1 procfile writeinherited_dir)))
+
+ (block macro_template_files
+
+ (blockabstract macro_template_files)
+
+ (macro append_procfile_files ((type ARG1))
+ (allow ARG1 procfile append_file))
+
+ (macro appendinherited_procfile_files ((type ARG1))
+ (allow ARG1 procfile appendinherited_file))
+
+ (macro create_procfile_files ((type ARG1))
+ (allow ARG1 procfile create_file))
+
+ (macro delete_procfile_files ((type ARG1))
+ (allow ARG1 procfile delete_file))
+
+ (macro execute_procfile_files ((type ARG1))
+ (allow ARG1 procfile execute_file))
+
+ (macro manage_procfile_files ((type ARG1))
+ (allow ARG1 procfile manage_file))
+
+ (macro mapexecute_procfile_files ((type ARG1))
+ (allow ARG1 procfile mapexecute_file))
+
+ (macro mounton_procfile_files ((type ARG1))
+ (allow ARG1 procfile mounton_file))
+
+ (macro read_procfile_files ((type ARG1))
+ (allow ARG1 procfile read_file))
+
+ (macro readinherited_procfile_files ((type ARG1))
+ (allow ARG1 procfile readinherited_file))
+
+ (macro readwrite_procfile_files ((type ARG1))
+ (allow ARG1 procfile readwrite_file))
+
+ (macro readwriteinherited_procfile_files ((type ARG1))
+ (allow ARG1 procfile readwriteinherited_file))
+
+ (macro rename_procfile_files ((type ARG1))
+ (allow ARG1 procfile rename_file))
+
+ (macro write_procfile_files ((type ARG1))
+ (allow ARG1 procfile write_file))
+
+ (macro writeinherited_procfile_files ((type ARG1))
+ (allow ARG1 procfile writeinherited_file)))
+
+ (block macro_template_lnk_files
+
+ (blockabstract macro_template_lnk_files)
+
+ (macro create_procfile_lnk_files ((type ARG1))
+ (allow ARG1 procfile create_lnk_file))
+
+ (macro delete_procfile_lnk_files ((type ARG1))
+ (allow ARG1 procfile delete_lnk_file))
+
+ (macro manage_procfile_lnk_files ((type ARG1))
+ (allow ARG1 procfile manage_lnk_file))
+
+ (macro read_procfile_lnk_files ((type ARG1))
+ (allow ARG1 procfile read_lnk_file))
+
+ (macro readwrite_procfile_lnk_files ((type ARG1))
+ (allow ARG1 procfile readwrite_lnk_file))
+
+ (macro rename_procfile_lnk_files ((type ARG1))
+ (allow ARG1 procfile rename_lnk_file))
+
+ (macro write_procfile_lnk_files ((type ARG1))
+ (allow ARG1 procfile write_lnk_file)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .procfile.base_template)
+ (blockinherit .procfile.macro_template_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr procfile.typeattr
+ (dir (not (audit_access execmod relabelfrom relabelto))))
+ (allow typeattr procfile.typeattr
+ (file (not (audit_access entrypoint execmod relabelfrom relabelto))))
+ (allow typeattr procfile.typeattr
+ (lnk_file (not (audit_access execmod map mounton relabelfrom
+ relabelto))))))
+
+(in sys.unconfined
+
+ (call .procfile.unconfined.type (typeattr)))
diff --git a/src/sys/procfile/acpiprocfile.cil b/src/sys/procfile/acpiprocfile.cil
new file mode 100644
index 0000000..ce00061
--- /dev/null
+++ b/src/sys/procfile/acpiprocfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block acpi
+
+ (genfscon "proc" "/acpi" procfile_context)
+
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/asoundprocfile.cil b/src/sys/procfile/asoundprocfile.cil
new file mode 100644
index 0000000..1b6342b
--- /dev/null
+++ b/src/sys/procfile/asoundprocfile.cil
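Review bot: The three `blockinherit` lines inside `(block except ...)` name `file.all_macro_template_dirs` and siblings without the leading dot that the `procfile` block header uses (`.file.all_macro_template_dirs`), so they are resolved relative to the `procfile.except` namespace outward rather than from the global root; that works as long as no `file` block is ever declared inside `procfile`, but it is inconsistent with the rest of the file and would silently rebind if one is, so the absolute `.file.` form is safer. The `except`/`exception` pair is the security-relevant part of this file — `except.typeattr` is built as `procfile.typeattr` minus everything registered through `exception.type`, and kcoreprocfile.cil in this commit is the first user of that opt-out — and it has no comment; a header such as `;; except.typeattr: every procfile type except those opted out via exception.type (e.g. /proc/kcore); use it, not typeattr, for broad /proc access` would record the intent. The `(in sys.unconfined ...)` form at the end of the hunk is relative as well, but every new file in the commit writes it that way, so that one is at least uniform.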
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block asound
+
+ (genfscon "proc" "/asound" procfile_context)
+
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/bootconfigprocfile.cil b/src/sys/procfile/bootconfigprocfile.cil
new file mode 100644
index 0000000..695b76f
--- /dev/null
+++ b/src/sys/procfile/bootconfigprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block bootconfig
+
+ (genfscon "proc" "/bootconfig" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/buddyinfoprocfile.cil b/src/sys/procfile/buddyinfoprocfile.cil
new file mode 100644
index 0000000..0cdf4f9
--- /dev/null
+++ b/src/sys/procfile/buddyinfoprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block buddyinfo
+
+ (genfscon "proc" "/buddyinfo" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/busprocfile.cil b/src/sys/procfile/busprocfile.cil
new file mode 100644
index 0000000..04a16b9
--- /dev/null
+++ b/src/sys/procfile/busprocfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in bus
+
+ (genfscon "proc" "/bus" procfile_context)
+
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/cgroupsprocfile.cil b/src/sys/procfile/cgroupsprocfile.cil
new file mode 100644
index 0000000..71a8153
--- /dev/null
+++ b/src/sys/procfile/cgroupsprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cgroups
+
+ (genfscon "proc" "/cgroups" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/cmdlineprocfile.cil b/src/sys/procfile/cmdlineprocfile.cil
new file mode 100644
index 0000000..92e7081
--- /dev/null
+++ b/src/sys/procfile/cmdlineprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cmdline
+
+ (genfscon "proc" "/cmdline" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/consolesprocfile.cil b/src/sys/procfile/consolesprocfile.cil
new file mode 100644
index 0000000..61d9689
--- /dev/null
+++ b/src/sys/procfile/consolesprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block consoles
+
+ (genfscon "proc" "/consoles" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/cpuinfoprocfile.cil b/src/sys/procfile/cpuinfoprocfile.cil
new file mode 100644
index 0000000..1afb35d
--- /dev/null
+++ b/src/sys/procfile/cpuinfoprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cpuinfo
+
+ (genfscon "proc" "/cpuinfo" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/cpuprocfile.cil b/src/sys/procfile/cpuprocfile.cil
new file mode 100644
index 0000000..96b54e5
--- /dev/null
+++ b/src/sys/procfile/cpuprocfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in cpu
+
+ (genfscon "proc" "/cpu" procfile_context)
+
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/cryptoprocfile.cil b/src/sys/procfile/cryptoprocfile.cil
new file mode 100644
index 0000000..711842a
--- /dev/null
+++ b/src/sys/procfile/cryptoprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in crypto
+
+ (genfscon "proc" "/crypto" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/devicesprocfile.cil b/src/sys/procfile/devicesprocfile.cil
new file mode 100644
index 0000000..83d417f
--- /dev/null
+++ b/src/sys/procfile/devicesprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in devices
+
+ (genfscon "proc" "/devices" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/diskstatsprocfile.cil b/src/sys/procfile/diskstatsprocfile.cil
new file mode 100644
index 0000000..91e750b
--- /dev/null
+++ b/src/sys/procfile/diskstatsprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block diskstats
+
+ (genfscon "proc" "/diskstats" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/dmaprocfile.cil b/src/sys/procfile/dmaprocfile.cil
new file mode 100644
index 0000000..3403e9b
--- /dev/null
+++ b/src/sys/procfile/dmaprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dma
+
+ (genfscon "proc" "/dma" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/driverprocfile.cil b/src/sys/procfile/driverprocfile.cil
new file mode 100644
index 0000000..532d389
--- /dev/null
+++ b/src/sys/procfile/driverprocfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block driver
+
+ (genfscon "proc" "/driver" procfile_context)
+
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/dynamicdebugprocfile.cil b/src/sys/procfile/dynamicdebugprocfile.cil
new file mode 100644
index 0000000..a811c2d
--- /dev/null
+++ b/src/sys/procfile/dynamicdebugprocfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dynamicdebug
+
+ (genfscon "proc" "/dynamic_debug" procfile_context)
+
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.base_template))
diff --git a/src/sys/procfile/execdomainsprocfile.cil b/src/sys/procfile/execdomainsprocfile.cil
new file mode 100644
index 0000000..177f33a
--- /dev/null
+++ b/src/sys/procfile/execdomainsprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block execdomains
+
+ (genfscon "proc" "/execdomains" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/fbprocfile.cil b/src/sys/procfile/fbprocfile.cil
new file mode 100644
index 0000000..9f7e75b
--- /dev/null
+++ b/src/sys/procfile/fbprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in fb
+
+ (genfscon "proc" "/fb" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/filesystemsprocfile.cil b/src/sys/procfile/filesystemsprocfile.cil
new file mode 100644
index 0000000..b39c3ed
--- /dev/null
+++ b/src/sys/procfile/filesystemsprocfile.cil
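Review bot: dynamicdebugprocfile.cil is the one leaf in this commit that inherits `.procfile.base_template` instead of `.procfile.template`, so `dynamicdebug` gets a `procfile` type, a context and the dir macros (it also inherits `.procfile.macro_template_dirs`) but none of the `*_procfile_files` macros that every sibling exposes; since `/proc/dynamic_debug` is labelled as a directory here, presumably with entries beneath it, that looks like an oversight rather than a design choice. If access to the files under it is meant to stay unexposed, a comment such as `;; base_template only: no file macros for entries under /proc/dynamic_debug` would say so; otherwise the last line should be `(blockinherit .procfile.template)`. The other hunks on this line (driver, execdomains, fb) follow the common pattern and raise nothing.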
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block filesystems
+
+ (genfscon "proc" "/filesystems" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/fsprocfile.cil b/src/sys/procfile/fsprocfile.cil
new file mode 100644
index 0000000..5b46976
--- /dev/null
+++ b/src/sys/procfile/fsprocfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in fs
+
+ (genfscon "proc" "/fs" procfile_context)
+
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/interruptsprocfile.cil b/src/sys/procfile/interruptsprocfile.cil
new file mode 100644
index 0000000..31eccc3
--- /dev/null
+++ b/src/sys/procfile/interruptsprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block interrupts
+
+ (genfscon "proc" "/interrupts" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/iomemprocfile.cil b/src/sys/procfile/iomemprocfile.cil
new file mode 100644
index 0000000..cc16761
--- /dev/null
+++ b/src/sys/procfile/iomemprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block iomem
+
+ (genfscon "proc" "/iomem" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/ioportsprocfile.cil b/src/sys/procfile/ioportsprocfile.cil
new file mode 100644
index 0000000..03852ce
--- /dev/null
+++ b/src/sys/procfile/ioportsprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ioports
+
+ (genfscon "proc" "/ioports" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/irqprocfile.cil b/src/sys/procfile/irqprocfile.cil
new file mode 100644
index 0000000..fdd4e92
--- /dev/null
+++ b/src/sys/procfile/irqprocfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block irq
+
+ (genfscon "proc" "/irq" procfile_context)
+
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/jffs2bbcprocfile.cil b/src/sys/procfile/jffs2bbcprocfile.cil
new file mode 100644
index 0000000..7b8d78c
--- /dev/null
+++ b/src/sys/procfile/jffs2bbcprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block jffs2bbc
+
+ (genfscon "proc" "/jffs2_bbc" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/kallsymsprocfile.cil b/src/sys/procfile/kallsymsprocfile.cil
new file mode 100644
index 0000000..33e3ee1
--- /dev/null
+++ b/src/sys/procfile/kallsymsprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kallsyms
+
+ (genfscon "proc" "/kallsyms" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/kcoreprocfile.cil b/src/sys/procfile/kcoreprocfile.cil
new file mode 100644
index 0000000..c367f51
--- /dev/null
+++ b/src/sys/procfile/kcoreprocfile.cil
@@ -0,0 +1,48 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kcore
+
+ (genfscon "proc" "/kcore" procfile_context)
+
+ (blockinherit .procfile.template)
+
+ (call .procfile.exception.type (procfile))
+
+ (block read
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
+
+ (typeattributeset not_typeattr (not typeattr))
+
+ (neverallow not_typeattr procfile (file (read))))
+
+ (block readwrite
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (call read.type (typeattr))
+ (call write.type (typeattr)))
+
+ (block write
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
+
+ (typeattributeset not_typeattr (not typeattr))
+
+ (neverallow not_typeattr procfile (file (append write)))))
+
+(in procfile.unconfined
+
+ (call .kcore.readwrite.type (typeattr)))
diff --git a/src/sys/procfile/keysprocfile.cil b/src/sys/procfile/keysprocfile.cil
new file mode 100644
index 0000000..a41791c
--- /dev/null
+++ b/src/sys/procfile/keysprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block keys
+
+ (genfscon "proc" "/keys" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/keyusersprocfile.cil b/src/sys/procfile/keyusersprocfile.cil
new file mode 100644
index 0000000..4c7617b
--- /dev/null
+++ b/src/sys/procfile/keyusersprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block keyusers
+
+ (genfscon "proc" "/key-users" procfile_context)
+
+ (blockinherit .procfile.template))
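Review bot: The `neverallow` rules in the `read` and `write` sub-blocks of `kcore` are the only compile-time guard placed on a /proc entry in this commit, yet the hunk never says why kcore is singled out or how a caller is supposed to opt in; a header comment above `(block read` along the lines of `;; /proc/kcore exposes kernel memory: only types registered via .kcore.read.type / .kcore.write.type may read or write it, everything else is neverallowed, and the type is opted out of procfile.except.typeattr via exception.type` would make the mechanism discoverable. The `read` guard covers only `read`; if the intent is that nothing else may obtain the contents, `(neverallow not_typeattr procfile (file (read map)))` also rules out mapping (whether kcore can be mapped at all is a kernel question the hunk cannot answer, so treat that as belt-and-braces). The `(in procfile.unconfined (call .kcore.readwrite.type (typeattr)))` line at the end is what keeps the broad `procfile.unconfined` allow rules in procfile.cil from tripping these neverallows and deserves a one-line comment saying so, since removing it would turn into a build failure rather than an obvious policy change.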
diff --git a/src/sys/procfile/kmsgprocfile.cil b/src/sys/procfile/kmsgprocfile.cil
new file mode 100644
index 0000000..bb5f80e
--- /dev/null
+++ b/src/sys/procfile/kmsgprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in kmsg
+
+ (genfscon "proc" "/kmsg" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/kpagecgroupprocfile.cil b/src/sys/procfile/kpagecgroupprocfile.cil
new file mode 100644
index 0000000..45ed0cf
--- /dev/null
+++ b/src/sys/procfile/kpagecgroupprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kpagecgroup
+
+ (genfscon "proc" "/kpagecgroup" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/kpagecountprocfile.cil b/src/sys/procfile/kpagecountprocfile.cil
new file mode 100644
index 0000000..cfdfe4b
--- /dev/null
+++ b/src/sys/procfile/kpagecountprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kpagecount
+
+ (genfscon "proc" "/kpagecount" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/kpageflagsprocfile.cil b/src/sys/procfile/kpageflagsprocfile.cil
new file mode 100644
index 0000000..10cf173
--- /dev/null
+++ b/src/sys/procfile/kpageflagsprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kpageflags
+
+ (genfscon "proc" "/kpageflags" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/latencystatsprocfile.cil b/src/sys/procfile/latencystatsprocfile.cil
new file mode 100644
index 0000000..f195b17
--- /dev/null
+++ b/src/sys/procfile/latencystatsprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block latencystats
+
+ (genfscon "proc" "/latency_stats" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/loadavgprocfile.cil b/src/sys/procfile/loadavgprocfile.cil
new file mode 100644
index 0000000..9ac128e
--- /dev/null
+++ b/src/sys/procfile/loadavgprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block loadavg
+
+ (genfscon "proc" "/loadavg" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/lockdepchainsprocfile.cil b/src/sys/procfile/lockdepchainsprocfile.cil
new file mode 100644
index 0000000..6a1def1
--- /dev/null
+++ b/src/sys/procfile/lockdepchainsprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block lockdepchains
+
+ (genfscon "proc" "/lockdep_chains" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/lockdepprocfile.cil b/src/sys/procfile/lockdepprocfile.cil
new file mode 100644
index 0000000..f40bda0
--- /dev/null
+++ b/src/sys/procfile/lockdepprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block lockdep
+
+ (genfscon "proc" "/lockdep" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/lockdepstatsprocfile.cil b/src/sys/procfile/lockdepstatsprocfile.cil
new file mode 100644
index 0000000..4be05b3
--- /dev/null
+++ b/src/sys/procfile/lockdepstatsprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block lockdepstats
+
+ (genfscon "proc" "/lockdep_stats" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/locksprocfile.cil b/src/sys/procfile/locksprocfile.cil
new file mode 100644
index 0000000..05d40af
--- /dev/null
+++ b/src/sys/procfile/locksprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block locks
+
+ (genfscon "proc" "/locks" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/lockstatprocfile.cil b/src/sys/procfile/lockstatprocfile.cil
new file mode 100644
index 0000000..18dc93f
--- /dev/null
+++ b/src/sys/procfile/lockstatprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block lockstat
+
+ (genfscon "proc" "/lock_stat" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/mdstatprocfile.cil b/src/sys/procfile/mdstatprocfile.cil
new file mode 100644
index 0000000..46b78ea
--- /dev/null
+++ b/src/sys/procfile/mdstatprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mdstat
+
+ (genfscon "proc" "/mdstat" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/meminfoprocfile.cil b/src/sys/procfile/meminfoprocfile.cil
new file mode 100644
index 0000000..9136178
--- /dev/null
+++ b/src/sys/procfile/meminfoprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block meminfo
+
+ (genfscon "proc" "/meminfo" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/miscprocfile.cil b/src/sys/procfile/miscprocfile.cil
new file mode 100644
index 0000000..497c140
--- /dev/null
+++ b/src/sys/procfile/miscprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block misc
+
+ (genfscon "proc" "/misc" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/modulesprocfile.cil b/src/sys/procfile/modulesprocfile.cil
new file mode 100644
index 0000000..542ae2a
--- /dev/null
+++ b/src/sys/procfile/modulesprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block modules
+
+ (genfscon "proc" "/modules" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/mptprocfile.cil b/src/sys/procfile/mptprocfile.cil
new file mode 100644
index 0000000..c471afb
--- /dev/null
+++ b/src/sys/procfile/mptprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mpt
+
+ (genfscon "proc" "/mpt" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/mtdprocfile.cil b/src/sys/procfile/mtdprocfile.cil
new file mode 100644
index 0000000..83b3e57
--- /dev/null
+++ b/src/sys/procfile/mtdprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in mtd
+
+ (genfscon "proc" "/mtd" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/mtrrprocfile.cil b/src/sys/procfile/mtrrprocfile.cil
new file mode 100644
index 0000000..40dd60f
--- /dev/null
+++ b/src/sys/procfile/mtrrprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mtrr
+
+ (genfscon "proc" "/mtrr" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/netprocfile.cil b/src/sys/procfile/netprocfile.cil
new file mode 100644
index 0000000..0cf3d3d
--- /dev/null
+++ b/src/sys/procfile/netprocfile.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in net
+
+ (genfscon "proc" "/net" procfile_context)
+
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.macro_template_lnk_files)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/pagetypeinfoprocfile.cil b/src/sys/procfile/pagetypeinfoprocfile.cil
new file mode 100644
index 0000000..1ffef39
--- /dev/null
+++ b/src/sys/procfile/pagetypeinfoprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block pagetypeinfo
+
+ (genfscon "proc" "/pagetypeinfo" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/partitionsprocfile.cil b/src/sys/procfile/partitionsprocfile.cil
new file mode 100644
index 0000000..32d7878
--- /dev/null
+++ b/src/sys/procfile/partitionsprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block partitions
+
+ (genfscon "proc" "/partitions" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/pressureprocfile.cil b/src/sys/procfile/pressureprocfile.cil
new file mode 100644
index 0000000..bc62a65
--- /dev/null
+++ b/src/sys/procfile/pressureprocfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block pressure
+
+ (genfscon "proc" "/pressure" procfile_context)
+
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/scheddebugprocfile.cil b/src/sys/procfile/scheddebugprocfile.cil
new file mode 100644
index 0000000..d56d8ea
--- /dev/null
+++ b/src/sys/procfile/scheddebugprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block scheddebug
+
+ (genfscon "proc" "/sched_debug" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/schedstatprocfile.cil b/src/sys/procfile/schedstatprocfile.cil
new file mode 100644
index 0000000..1849ea8
--- /dev/null
+++ b/src/sys/procfile/schedstatprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block schedstat
+
+ (genfscon "proc" "/schedstat" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/scsiprocfile.cil b/src/sys/procfile/scsiprocfile.cil
new file mode 100644
index 0000000..c27e5e6
--- /dev/null
+++ b/src/sys/procfile/scsiprocfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block scsi
+
+ (genfscon "proc" "/scsi" procfile_context)
+
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/slabinfoprocfile.cil b/src/sys/procfile/slabinfoprocfile.cil
new file mode 100644
index 0000000..39991de
--- /dev/null
+++ b/src/sys/procfile/slabinfoprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block slabinfo
+
+ (genfscon "proc" "/slabinfo" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/softirqsprocfile.cil b/src/sys/procfile/softirqsprocfile.cil
new file mode 100644
index 0000000..72ded46
--- /dev/null
+++ b/src/sys/procfile/softirqsprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block softirqs
+
+ (genfscon "proc" "/softirqs" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/statprocfile.cil b/src/sys/procfile/statprocfile.cil
new file mode 100644
index 0000000..75ce983
--- /dev/null
+++ b/src/sys/procfile/statprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block stat
+
+ (genfscon "proc" "/stat" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/swapsprocfile.cil b/src/sys/procfile/swapsprocfile.cil
new file mode 100644
index 0000000..3a7cabf
--- /dev/null
+++ b/src/sys/procfile/swapsprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block swaps
+
+ (genfscon "proc" "/swaps" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/sysctlfile.cil b/src/sys/procfile/sysctlfile.cil
new file mode 100644
index 0000000..b0e9787
--- /dev/null
+++ b/src/sys/procfile/sysctlfile.cil
@@ -0,0 +1,138 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block sysctlfile
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .procfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context sysctlfile_context (.sys.id .sys.role sysctlfile lowlevelrange))
+
+ (type sysctlfile)
+ (call .sysctlfile.type (sysctlfile)))
+
+ (block macro_template_dirs
+
+ (blockabstract macro_template_dirs)
+
+ (macro addname_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile addname_dir))
+
+ (macro create_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile create_dir))
+
+ (macro delete_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile delete_dir))
+
+ (macro deletename_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile deletename_dir))
+
+ (macro list_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile list_dir))
+
+ (macro listinherited_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile listinherited_dir))
+
+ (macro manage_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile manage_dir))
+
+ (macro mounton_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile mounton_dir))
+
+ (macro readwrite_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile readwrite_dir))
+
+ (macro readwriteinherited_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile readwriteinherited_dir))
+
+ (macro rename_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile rename_dir))
+
+ (macro search_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile search_dir))
+
+ (macro write_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile write_dir))
+
+ (macro writeinherited_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile writeinherited_dir)))
+
+ (block macro_template_files
+
+ (blockabstract macro_template_files)
+
+ (macro append_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile append_file))
+
+ (macro appendinherited_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile appendinherited_file))
+
+ (macro create_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile create_file))
+
+ (macro delete_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile delete_file))
+
+ (macro execute_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile execute_file))
+
+ (macro manage_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile manage_file))
+
+ (macro mapexecute_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile mapexecute_file))
+
+ (macro mounton_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile mounton_file))
+
+ (macro read_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile read_file))
+
+ (macro readinherited_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile readinherited_file))
+
+ (macro readwrite_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile readwrite_file))
+
+ (macro readwriteinherited_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile readwriteinherited_file))
+
+ (macro rename_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile rename_file))
+
+ (macro write_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile write_file))
+
+ (macro writeinherited_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile writeinherited_file)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysctlfile.base_template)
+ (blockinherit .sysctlfile.macro_template_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr sysctlfile.typeattr
+ (dir (not (audit_access execmod relabelfrom relabelto))))
+ (allow typeattr sysctlfile.typeattr
+ (file (not (audit_access entrypoint execmod relabelfrom
+ relabelto))))))
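Review bot: The `unconfined` block that closes this hunk grants `typeattr` every dir and file permission on `sysctlfile.typeattr` except the listed exclusions, which includes `write` on every sysctl tunable that later files in this commit hang off this type (modprobe, core_pattern, usermodehelper and the rest of the kernel sysctl files), and nothing in the file says so. A comment such as `;; unconfined: full read/write on all sysctl files, writable kernel tunables included` above `(block unconfined` would make that blast radius explicit. Likewise `(call .procfile.type (typeattr))` near the top of the file presumably enrolls every sysctlfile type into the procfile attribute, so rules written against procfile's attribute reach sysctl files too; a one-line comment stating that relationship is worth adding. The hunk spans this and the previous physical line.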
diff --git a/src/sys/procfile/sysctlfile/abisysctlfile.cil b/src/sys/procfile/sysctlfile/abisysctlfile.cil
new file mode 100644
index 0000000..0bf5be5
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/abisysctlfile.cil
@@ -0,0 +1,38 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block abi
+
+ (genfscon "proc" "/sys/abi" sysctlfile_context)
+
+ (blockinherit .sysctlfile.abi.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
+
+(in sysctlfile
+
+ (block abi
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .sysctlfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysctlfile.base_template)
+
+ (call .sysctlfile.abi.type (sysctlfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysctlfile.abi.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/cryptosysctlfile.cil b/src/sys/procfile/sysctlfile/cryptosysctlfile.cil
new file mode 100644
index 0000000..d56af1f
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/cryptosysctlfile.cil
@@ -0,0 +1,38 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block crypto
+
+ (genfscon "proc" "/sys/crypto" sysctlfile_context)
+
+ (blockinherit .sysctlfile.crypto.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
+
+(in sysctlfile
+
+ (block crypto
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .sysctlfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysctlfile.base_template)
+
+ (call .sysctlfile.crypto.type (sysctlfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysctlfile.crypto.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/debugsysctlfile.cil b/src/sys/procfile/sysctlfile/debugsysctlfile.cil
new file mode 100644
index 0000000..8d23149
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/debugsysctlfile.cil
@@ -0,0 +1,38 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block debug
+
+ (genfscon "proc" "/sys/debug" sysctlfile_context)
+
+ (blockinherit .sysctlfile.debug.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
+
+(in sysctlfile
+
+ (block debug
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .sysctlfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysctlfile.base_template)
+
+ (call .sysctlfile.debug.type (sysctlfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysctlfile.debug.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/devsysctlfile.cil b/src/sys/procfile/sysctlfile/devsysctlfile.cil
new file mode 100644
index 0000000..87edae1
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/devsysctlfile.cil
@@ -0,0 +1,38 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in dev
+
+ (genfscon "proc" "/sys/dev" sysctlfile_context)
+
+ (blockinherit .sysctlfile.dev.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
+
+(in sysctlfile
+
+ (block dev
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .sysctlfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysctlfile.base_template)
+
+ (call .sysctlfile.dev.type (sysctlfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysctlfile.dev.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/fssysctlfile.cil b/src/sys/procfile/sysctlfile/fssysctlfile.cil
new file mode 100644
index 0000000..878092f
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/fssysctlfile.cil
@@ -0,0 +1,38 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in fs
+
+ (genfscon "proc" "/sys/fs" sysctlfile_context)
+
+ (blockinherit .sysctlfile.fs.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
+
+(in sysctlfile
+
+ (block fs
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .sysctlfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysctlfile.base_template)
+
+ (call .sysctlfile.fs.type (sysctlfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysctlfile.fs.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile.cil
new file mode 100644
index 0000000..ad66127
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile.cil
@@ -0,0 +1,38 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kernel
+
+ (genfscon "proc" "/sys/kernel" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
+
+(in sysctlfile
+
+ (block kernel
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .sysctlfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysctlfile.base_template)
+
+ (call .sysctlfile.kernel.type (sysctlfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysctlfile.kernel.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/caplastcapkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/caplastcapkernelsysctlfile.cil
new file mode 100644
index 0000000..b27163e
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/caplastcapkernelsysctlfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block caplastcap
+
+ (genfscon "proc" "/sys/kernel/cap_last_cap" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/corepatternkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/corepatternkernelsysctlfile.cil
new file mode 100644
index 0000000..7ef9105
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/corepatternkernelsysctlfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block corepattern
+
+ (genfscon "proc" "/sys/kernel/core_pattern" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/corepipelimitkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/corepipelimitkernelsysctlfile.cil
new file mode 100644
index 0000000..8f95bf8
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/corepipelimitkernelsysctlfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block corepipelimit
+
+ (genfscon "proc" "/sys/kernel/core_pipe_limit" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/firmwareconfigkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/firmwareconfigkernelsysctlfile.cil
new file mode 100644
index 0000000..9bcd7cd
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/firmwareconfigkernelsysctlfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block firmwareconfig
+
+ (genfscon "proc" "/sys/kernel/firmware_config" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/hostnamekernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/hostnamekernelsysctlfile.cil
new file mode 100644
index 0000000..d4a8ca6
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/hostnamekernelsysctlfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block hostname
+
+ (genfscon "proc" "/sys/kernel/hostname" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/keyskernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/keyskernelsysctlfile.cil
new file mode 100644
index 0000000..f65c9db
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/keyskernelsysctlfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in keys
+
+ (genfscon "proc" "/sys/kernel/keys" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/modprobekernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/modprobekernelsysctlfile.cil
new file mode 100644
index 0000000..7928e56
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/modprobekernelsysctlfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block modprobe
+
+ (genfscon "proc" "/sys/kernel/modprobe" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/nslastpidkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/nslastpidkernelsysctlfile.cil
new file mode 100644
index 0000000..b39aa80
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/nslastpidkernelsysctlfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block nslastpid
+
+ (genfscon "proc" "/sys/kernel/ns_last_pid" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/osreleasekernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/osreleasekernelsysctlfile.cil
new file mode 100644
index 0000000..9eab507
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/osreleasekernelsysctlfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block osrelease
+
+ (genfscon "proc" "/sys/kernel/osrelease" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/overflowuidkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/overflowuidkernelsysctlfile.cil
new file mode 100644
index 0000000..4517c76
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/overflowuidkernelsysctlfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block overflowuid
+
+ (genfscon "proc" "/sys/kernel/overflowgid" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/overflowuid" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/pidmaxkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/pidmaxkernelsysctlfile.cil
new file mode 100644
index 0000000..168e06a
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/pidmaxkernelsysctlfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block pidmax
+
+ (genfscon "proc" "/sys/kernel/pid_max" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/poweroffcmdkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/poweroffcmdkernelsysctlfile.cil
new file mode 100644
index 0000000..bf5e36b
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/poweroffcmdkernelsysctlfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block poweroffcmd
+
+ (genfscon "proc" "/sys/kernel/poweroff_cmd" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/ptykernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/ptykernelsysctlfile.cil
new file mode 100644
index 0000000..bc96692
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/ptykernelsysctlfile.cil
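Review bot: The `overflowuid` block labels both `/sys/kernel/overflowgid` and `/sys/kernel/overflowuid` with the one type it declares, so the block name understates what it covers and a search for an overflowgid block finds nothing. A comment such as `;; one type for both overflowuid and overflowgid` above the two genfscon lines, or a name like `overflowid` if nothing references the block yet, would keep this from being "fixed" into two blocks later. The other files on this line follow the one-path-per-block convention.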
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block pty
+
+ (genfscon "proc" "/sys/kernel/pty" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/randomkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/randomkernelsysctlfile.cil
new file mode 100644
index 0000000..493ed6f
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/randomkernelsysctlfile.cil
@@ -0,0 +1,13 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in kernel
+
+ (genfscon "proc" "/sys/kernel/randomize_va_space" sysctlfile_context))
+
+(in random
+
+ (genfscon "proc" "/sys/kernel/random" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/seccompkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/seccompkernelsysctlfile.cil
new file mode 100644
index 0000000..b9f2878
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/seccompkernelsysctlfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block seccomp
+
+ (genfscon "proc" "/sys/kernel/seccomp" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/threadsmaxkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/threadsmaxkernelsysctlfile.cil
new file mode 100644
index 0000000..5d31bf8
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/threadsmaxkernelsysctlfile.cil
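Review bot: `(in kernel (genfscon "proc" "/sys/kernel/randomize_va_space" sysctlfile_context))` at the top of the randomkernelsysctlfile hunk labels the ASLR tunable with the generic kernel sysctl type instead of giving it its own block the way the sibling files (modprobe, core_pattern, pidmax) do, and it sits in the `random` file where a reader looking for it would not expect it. If that is deliberate, a comment such as `;; randomize_va_space intentionally shares the kernel sysctl type; kept here next to /sys/kernel/random` above the `(in kernel` form records the decision before someone "normalises" it. If it is meant to be separately grantable, the corepattern pattern on the previous lines is the template to follow.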
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block threadsmax
+
+ (genfscon "proc" "/sys/kernel/threads-max" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/usermodehelperkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/usermodehelperkernelsysctlfile.cil
new file mode 100644
index 0000000..e848922
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/usermodehelperkernelsysctlfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block usermodehelper
+
+ (genfscon "proc" "/sys/kernel/usermodehelper" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/yamakernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/yamakernelsysctlfile.cil
new file mode 100644
index 0000000..a958a40
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/yamakernelsysctlfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block yama
+
+ (genfscon "proc" "/sys/kernel/yama" sysctlfile_context)
+
+ (blockinherit .sysctlfile.kernel.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
diff --git a/src/sys/procfile/sysctlfile/netsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile.cil
new file mode 100644
index 0000000..1917846
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/netsysctlfile.cil
@@ -0,0 +1,38 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in net
+
+ (genfscon "proc" "/sys/net" sysctlfile_context)
+
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.net.template))
+
+(in sysctlfile
+
+ (block net
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .sysctlfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysctlfile.base_template)
+
+ (call .sysctlfile.net.type (sysctlfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysctlfile.net.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/corenetsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/corenetsysctlfile.cil
new file mode 100644
index 0000000..432152a
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/netsysctlfile/corenetsysctlfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block core
+
+ (genfscon "proc" "/sys/net/core" sysctlfile_context)
+
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.net.template))
diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/ipv4netsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/ipv4netsysctlfile.cil
new file mode 100644
index 0000000..02cc2de
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/netsysctlfile/ipv4netsysctlfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ipv4
+
+ (genfscon "proc" "/sys/net/ipv4" sysctlfile_context)
+
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.net.template))
diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/ipv6netsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/ipv6netsysctlfile.cil
new file mode 100644
index 0000000..3aae3b9
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/netsysctlfile/ipv6netsysctlfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ipv6
+
+ (genfscon "proc" "/sys/net/ipv6" sysctlfile_context)
+
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.net.template))
diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/mptcpnetsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/mptcpnetsysctlfile.cil
new file mode 100644
index 0000000..0668458
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/netsysctlfile/mptcpnetsysctlfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mptcp
+
+ (genfscon "proc" "/sys/net/mptcp" sysctlfile_context)
+
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.net.template))
diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/netfilternetsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/netfilternetsysctlfile.cil
new file mode 100644
index 0000000..d4ba916
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/netsysctlfile/netfilternetsysctlfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block netfilter
+
+ (genfscon "proc" "/sys/net/netfilter" sysctlfile_context)
+
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.net.template))
diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/unixnetsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/unixnetsysctlfile.cil
new file mode 100644
index 0000000..bd60a46
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/netsysctlfile/unixnetsysctlfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block unix
+
+ (genfscon "proc" "/sys/net/unix" sysctlfile_context)
+
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.net.template))
diff --git a/src/sys/procfile/sysctlfile/sunrpcsysctlfile.cil b/src/sys/procfile/sysctlfile/sunrpcsysctlfile.cil
new file mode 100644
index 0000000..1b297b7
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/sunrpcsysctlfile.cil
@@ -0,0 +1,38 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block sunrpc
+
+ (genfscon "proc" "/sys/sunrpc" sysctlfile_context)
+
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.sunrpc.template))
+
+(in sysctlfile
+
+ (block sunrpc
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .sysctlfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysctlfile.base_template)
+
+ (call .sysctlfile.sunrpc.type (sysctlfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysctlfile.macro_template_files)
+ (blockinherit .sysctlfile.sunrpc.base_template))))
diff --git a/src/sys/procfile/sysctlfile/usersysctlfile.cil b/src/sys/procfile/sysctlfile/usersysctlfile.cil
new file mode 100644
index 0000000..4b04c86
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/usersysctlfile.cil
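Review bot: In the `template` block of `.sysctlfile.sunrpc`, `(blockinherit .sysctlfile.macro_template_files)` is listed before `(blockinherit .sysctlfile.sunrpc.base_template)`, whereas the sibling `net`, `user` and `vm` blocks in this series inherit their `base_template` first and the shared macro set second. Inherit order should not change the resulting policy, so this is style only, but these files are near-copies of each other and a consistent order makes them easier to diff. Swapping the two lines to `(blockinherit .sysctlfile.sunrpc.base_template)` followed by `(blockinherit .sysctlfile.macro_template_files)` would match the others.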
@@ -0,0 +1,38 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block user
+
+ (genfscon "proc" "/sys/user" sysctlfile_context)
+
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.user.template))
+
+(in sysctlfile
+
+ (block user
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .sysctlfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysctlfile.base_template)
+
+ (call .sysctlfile.user.type (sysctlfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysctlfile.user.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/vmsysctlfile.cil b/src/sys/procfile/sysctlfile/vmsysctlfile.cil
new file mode 100644
index 0000000..b88afd2
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/vmsysctlfile.cil
@@ -0,0 +1,38 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vm
+
+ (genfscon "proc" "/sys/vm" sysctlfile_context)
+
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.vm.template))
+
+(in sysctlfile
+
+ (block vm
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .sysctlfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysctlfile.base_template)
+
+ (call .sysctlfile.vm.type (sysctlfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysctlfile.vm.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/vmsysctlfile/overcommitmemoryvmsysctlfile.cil b/src/sys/procfile/sysctlfile/vmsysctlfile/overcommitmemoryvmsysctlfile.cil
new file mode 100644
index 0000000..2ecb737
--- /dev/null
+++ b/src/sys/procfile/sysctlfile/vmsysctlfile/overcommitmemoryvmsysctlfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block overcommitmemory
+
+ (genfscon "proc" "/sys/vm/overcommit_memory" sysctlfile_context)
+
+ (blockinherit .sysctlfile.vm.template))
diff --git a/src/sys/procfile/sysctlprocfile.cil b/src/sys/procfile/sysctlprocfile.cil
new file mode 100644
index 0000000..79507b3
--- /dev/null
+++ b/src/sys/procfile/sysctlprocfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block sysctl
+
+ (genfscon "proc" "/sys" procfile_context)
+
+ (blockinherit .procfile.base_template)
+ (blockinherit .procfile.macro_template_dirs))
diff --git a/src/sys/procfile/sysrqtriggerprocfile.cil b/src/sys/procfile/sysrqtriggerprocfile.cil
new file mode 100644
index 0000000..2950729
--- /dev/null
+++ b/src/sys/procfile/sysrqtriggerprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block sysrqtrigger
+
+ (genfscon "proc" "/sysrq-trigger" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/sysvipcprocfile.cil b/src/sys/procfile/sysvipcprocfile.cil
new file mode 100644
index 0000000..838e9eb
--- /dev/null
+++ b/src/sys/procfile/sysvipcprocfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block sysvipc
+
+ (genfscon "proc" "/sysvipc" procfile_context)
+
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/timerlistprocfile.cil b/src/sys/procfile/timerlistprocfile.cil
new file mode 100644
index 0000000..5f4819c
--- /dev/null
+++ b/src/sys/procfile/timerlistprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block timerlist
+
+ (genfscon "proc" "/timer_list" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/ttyprocfile.cil b/src/sys/procfile/ttyprocfile.cil
new file mode 100644
index 0000000..33372b5
--- /dev/null
+++ b/src/sys/procfile/ttyprocfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in tty
+
+ (genfscon "proc" "/tty" procfile_context)
+
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/uptimeprocfile.cil b/src/sys/procfile/uptimeprocfile.cil
new file mode 100644
index 0000000..c7eb400
--- /dev/null
+++ b/src/sys/procfile/uptimeprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block uptime
+
+ (genfscon "proc" "/uptime" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/versionprocfile.cil b/src/sys/procfile/versionprocfile.cil
new file mode 100644
index 0000000..3d89ba6
--- /dev/null
+++ b/src/sys/procfile/versionprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block version
+
+ (genfscon "proc" "/version" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/vmallocprocfile.cil b/src/sys/procfile/vmallocprocfile.cil
new file mode 100644
index 0000000..581a4eb
--- /dev/null
+++ b/src/sys/procfile/vmallocprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vmallocinfo
+
+ (genfscon "proc" "/vmallocinfo" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/vmstatprocfile.cil b/src/sys/procfile/vmstatprocfile.cil
new file mode 100644
index 0000000..b72e9a6
--- /dev/null
+++ b/src/sys/procfile/vmstatprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vmstat
+
+ (genfscon "proc" "/vmstat" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/zoneinfoprocfile.cil b/src/sys/procfile/zoneinfoprocfile.cil
new file mode 100644
index 0000000..48cf543
--- /dev/null
+++ b/src/sys/procfile/zoneinfoprocfile.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block zoneinfo
+
+ (genfscon "proc" "/zoneinfo" procfile_context)
+
+ (blockinherit .procfile.template))
diff --git a/src/sys/pstorefile.cil b/src/sys/pstorefile.cil
new file mode 100644
index 0000000..b987c04
--- /dev/null
+++ b/src/sys/pstorefile.cil
@@ -0,0 +1,141 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block pstorefile
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .obj.type (typeattr))
+
+ (call .pstore.associate_fs (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context pstorefile_context (.sys.id .sys.role pstorefile lowlevelrange))
+
+ (type pstorefile)
+ (call .pstorefile.type (pstorefile)))
+
+ (block macro_template_dirs
+
+ (blockabstract macro_template_dirs)
+
+ (macro addname_pstorefile_dirs ((type ARG1))
+ (allow ARG1 pstorefile addname_dir))
+
+ (macro create_pstorefile_dirs ((type ARG1))
+ (allow ARG1 pstorefile create_dir))
+
+ (macro delete_pstorefile_dirs ((type ARG1))
+ (allow ARG1 pstorefile delete_dir))
+
+ (macro deletename_pstorefile_dirs ((type ARG1))
+ (allow ARG1 pstorefile deletename_dir))
+
+ (macro list_pstorefile_dirs ((type ARG1))
+ (allow ARG1 pstorefile list_dir))
+
+ (macro listinherited_pstorefile_dirs ((type ARG1))
+ (allow ARG1 pstorefile listinherited_dir))
+
+ (macro manage_pstorefile_dirs ((type ARG1))
+ (allow ARG1 pstorefile manage_dir))
+
+ (macro mounton_pstorefile_dirs ((type ARG1))
+ (allow ARG1 pstorefile mounton_dir))
+
+ (macro readwrite_pstorefile_dirs ((type ARG1))
+ (allow ARG1 pstorefile readwrite_dir))
+
+ (macro readwriteinherited_pstorefile_dirs ((type ARG1))
+ (allow ARG1 pstorefile readwriteinherited_dir))
+
+ (macro rename_pstorefile_dirs ((type ARG1))
+ (allow ARG1 pstorefile rename_dir))
+
+ (macro search_pstorefile_dirs ((type ARG1))
+ (allow ARG1 pstorefile search_dir))
+
+ (macro write_pstorefile_dirs ((type ARG1))
+ (allow ARG1 pstorefile write_dir))
+
+ (macro writeinherited_pstorefile_dirs ((type ARG1))
+ (allow ARG1 pstorefile writeinherited_dir)))
+
+ (block macro_template_files
+
+ (blockabstract macro_template_files)
+
+ (macro append_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile append_file))
+
+ (macro appendinherited_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile appendinherited_file))
+
+ (macro create_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile create_file))
+
+ (macro delete_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile delete_file))
+
+ (macro execute_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile execute_file))
+
+ (macro manage_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile manage_file))
+
+ (macro mapexecute_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile mapexecute_file))
+
+ (macro mounton_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile mounton_file))
+
+ (macro read_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile read_file))
+
+ (macro readinherited_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile readinherited_file))
+
+ (macro readwrite_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile readwrite_file))
+
+ (macro readwriteinherited_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile readwriteinherited_file))
+
+ (macro rename_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile rename_file))
+
+ (macro write_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile write_file))
+
+ (macro writeinherited_pstorefile_files ((type ARG1))
+ (allow ARG1 pstorefile writeinherited_file)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .pstorefile.base_template)
+ (blockinherit .pstorefile.macro_template_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr pstorefile.typeattr (dir (not execmod)))
+ (allow typeattr pstorefile.typeattr (file (not (entrypoint execmod))))))
+
+(in sys.unconfined
+
+ (call .pstorefile.unconfined.type (typeattr)))
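Review bot: The `unconfined` block's exclusion sets here are `(dir (not execmod))` and `(file (not (entrypoint execmod)))`, while the `sysfile` and `securityfile` unconfined blocks in the same import also keep `audit_access` out of what unconfined receives. It is not clear from the hunk whether pstore is meant to differ, and the three files are otherwise built from the same template, so this reads as an oversight. If it is deliberate, a one-line comment on the two `allow` lines saying why would stop the next reader from "fixing" it; otherwise `(dir (not (audit_access execmod)))` and `(file (not (audit_access entrypoint execmod)))` would bring it in line. The `pstorefile` block this belongs to starts on the preceding line of the diff.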
diff --git a/src/sys/securityfile.cil b/src/sys/securityfile.cil
new file mode 100644
index 0000000..1924a9a
--- /dev/null
+++ b/src/sys/securityfile.cil
@@ -0,0 +1,182 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block securityfile
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+
+ (call .obj.type (typeattr))
+
+ (call .security.associate_fs (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context securityfile_context
+ (.sys.id .sys.role securityfile lowlevelrange))
+
+ (type securityfile)
+ (call .securityfile.type (securityfile)))
+
+ (block macro_template_dirs
+
+ (blockabstract macro_template_dirs)
+
+ (macro addname_securityfile_dirs ((type ARG1))
+ (allow ARG1 securityfile addname_dir))
+
+ (macro create_securityfile_dirs ((type ARG1))
+ (allow ARG1 securityfile create_dir))
+
+ (macro delete_securityfile_dirs ((type ARG1))
+ (allow ARG1 securityfile delete_dir))
+
+ (macro deletename_securityfile_dirs ((type ARG1))
+ (allow ARG1 securityfile deletename_dir))
+
+ (macro list_securityfile_dirs ((type ARG1))
+ (allow ARG1 securityfile list_dir))
+
+ (macro listinherited_securityfile_dirs ((type ARG1))
+ (allow ARG1 securityfile listinherited_dir))
+
+ (macro manage_securityfile_dirs ((type ARG1))
+ (allow ARG1 securityfile manage_dir))
+
+ (macro mounton_securityfile_dirs ((type ARG1))
+ (allow ARG1 securityfile mounton_dir))
+
+ (macro readwrite_securityfile_dirs ((type ARG1))
+ (allow ARG1 securityfile readwrite_dir))
+
+ (macro readwriteinherited_securityfile_dirs ((type ARG1))
+ (allow ARG1 securityfile readwriteinherited_dir))
+
+ (macro rename_securityfile_dirs ((type ARG1))
+ (allow ARG1 securityfile rename_dir))
+
+ (macro search_securityfile_dirs ((type ARG1))
+ (allow ARG1 securityfile search_dir))
+
+ (macro write_securityfile_dirs ((type ARG1))
+ (allow ARG1 securityfile write_dir))
+
+ (macro
writeinherited_securityfile_dirs ((type ARG1))
+ (allow ARG1 securityfile writeinherited_dir)))
+
+ (block macro_template_files
+
+ (blockabstract macro_template_files)
+
+ (macro append_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile append_file))
+
+ (macro appendinherited_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile appendinherited_file))
+
+ (macro create_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile create_file))
+
+ (macro delete_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile delete_file))
+
+ (macro execute_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile execute_file))
+
+ (macro manage_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile manage_file))
+
+ (macro mapexecute_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile mapexecute_file))
+
+ (macro mounton_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile mounton_file))
+
+ (macro read_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile read_file))
+
+ (macro readinherited_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile readinherited_file))
+
+ (macro readwrite_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile readwrite_file))
+
+ (macro readwriteinherited_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile readwriteinherited_file))
+
+ (macro rename_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile rename_file))
+
+ (macro write_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile write_file))
+
+ (macro writeinherited_securityfile_files ((type ARG1))
+ (allow ARG1 securityfile writeinherited_file)))
+
+ (block macro_template_lnk_files
+
+ (blockabstract macro_template_lnk_files)
+
+ (macro create_securityfile_lnk_files ((type ARG1))
+ (allow ARG1 securityfile create_lnk_file))
+
+ (macro delete_securityfile_lnk_files ((type ARG1))
+ (allow ARG1 securityfile delete_lnk_file))
+
+ (macro manage_securityfile_lnk_files ((type ARG1))
+ (allow ARG1 securityfile
manage_lnk_file))
+
+ (macro read_securityfile_lnk_files ((type ARG1))
+ (allow ARG1 securityfile read_lnk_file))
+
+ (macro readwrite_securityfile_lnk_files ((type ARG1))
+ (allow ARG1 securityfile readwrite_lnk_file))
+
+ (macro relabel_securityfile_lnk_files ((type ARG1))
+ (allow ARG1 securityfile relabel_lnk_file))
+
+ (macro relabelfrom_securityfile_lnk_files ((type ARG1))
+ (allow ARG1 securityfile relabelfrom_lnk_file))
+
+ (macro relabelto_securityfile_lnk_files ((type ARG1))
+ (allow ARG1 securityfile relabelto_lnk_file))
+
+ (macro rename_securityfile_lnk_files ((type ARG1))
+ (allow ARG1 securityfile rename_lnk_file))
+
+ (macro write_securityfile_lnk_files ((type ARG1))
+ (allow ARG1 securityfile write_lnk_file)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .securityfile.base_template)
+ (blockinherit .securityfile.macro_template_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr securityfile.typeattr
+ (dir (not (audit_access execmod relabelfrom relabelto))))
+ (allow typeattr securityfile.typeattr
+ (file (not (audit_access entrypoint execmod relabelfrom relabelto))))
+ (allow typeattr securityfile.typeattr
+ (lnk_file (not (audit_access execmod map mounton relabelfrom
+ relabelto))))))
+
+(in sys.unconfined
+
+ (call .securityfile.unconfined.type (typeattr)))
diff --git a/src/sys/sysfile.cil b/src/sys/sysfile.cil
new file mode 100644
index 0000000..b7f93cf
--- /dev/null
+++ b/src/sys/sysfile.cil
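Review bot: `macro_template_lnk_files` offers `relabel_`, `relabelfrom_` and `relabelto_securityfile_lnk_files`, yet the `unconfined` block below explicitly strips `relabelfrom relabelto` from its `lnk_file` grant, and the sibling `sysfile` block in this import ships no relabel macros for its symlinks at all. If securityfs entries are not meant to be relabeled, the three relabel macros are dead API that callers could be granted to no effect and could be dropped; if they are meant to be usable, the exclusion in `unconfined` looks unintended. Either way a one-line comment next to `(lnk_file (not (audit_access execmod map mounton relabelfrom relabelto)))` recording the intent would settle it. The `securityfile` block this belongs to starts two lines earlier in the diff.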
@@ -0,0 +1,172 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block sysfile
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+
+ (call .obj.type (typeattr))
+
+ (call .sys.associate_fs (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context sysfile_context (.sys.id .sys.role sysfile lowlevelrange))
+
+ (type sysfile)
+ (call .sysfile.type (sysfile)))
+
+ (block macro_template_dirs
+
+ (blockabstract macro_template_dirs)
+
+ (macro addname_sysfile_dirs ((type ARG1))
+ (allow ARG1 sysfile addname_dir))
+
+ (macro create_sysfile_dirs ((type ARG1))
+ (allow ARG1 sysfile create_dir))
+
+ (macro delete_sysfile_dirs ((type ARG1))
+ (allow ARG1 sysfile delete_dir))
+
+ (macro deletename_sysfile_dirs ((type ARG1))
+ (allow ARG1 sysfile deletename_dir))
+
+ (macro list_sysfile_dirs ((type ARG1))
+ (allow ARG1 sysfile list_dir))
+
+ (macro listinherited_sysfile_dirs ((type ARG1))
+ (allow ARG1 sysfile listinherited_dir))
+
+ (macro manage_sysfile_dirs ((type ARG1))
+ (allow ARG1 sysfile manage_dir))
+
+ (macro mounton_sysfile_dirs ((type ARG1))
+ (allow ARG1 sysfile mounton_dir))
+
+ (macro readwrite_sysfile_dirs ((type ARG1))
+ (allow ARG1 sysfile readwrite_dir))
+
+ (macro readwriteinherited_sysfile_dirs ((type ARG1))
+ (allow ARG1 sysfile readwriteinherited_dir))
+
+ (macro rename_sysfile_dirs ((type ARG1))
+ (allow ARG1 sysfile rename_dir))
+
+ (macro search_sysfile_dirs ((type ARG1))
+ (allow ARG1 sysfile search_dir))
+
+ (macro write_sysfile_dirs ((type ARG1))
+ (allow ARG1 sysfile write_dir))
+
+ (macro writeinherited_sysfile_dirs ((type ARG1))
+ (allow ARG1 sysfile writeinherited_dir)))
+
+ (block macro_template_files
+
+ (blockabstract macro_template_files)
+
+ (macro
append_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile append_file))
+
+ (macro appendinherited_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile appendinherited_file))
+
+ (macro create_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile create_file))
+
+ (macro delete_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile delete_file))
+
+ (macro execute_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile execute_file))
+
+ (macro manage_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile manage_file))
+
+ (macro mapexecute_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile mapexecute_file))
+
+ (macro mounton_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile mounton_file))
+
+ (macro read_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile read_file))
+
+ (macro readinherited_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile readinherited_file))
+
+ (macro readwrite_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile readwrite_file))
+
+ (macro readwriteinherited_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile readwriteinherited_file))
+
+ (macro rename_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile rename_file))
+
+ (macro write_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile write_file))
+
+ (macro writeinherited_sysfile_files ((type ARG1))
+ (allow ARG1 sysfile writeinherited_file)))
+
+ (block macro_template_lnk_files
+
+ (blockabstract macro_template_lnk_files)
+
+ (macro create_sysfile_lnk_files ((type ARG1))
+ (allow ARG1 sysfile create_lnk_file))
+
+ (macro delete_sysfile_lnk_files ((type ARG1))
+ (allow ARG1 sysfile delete_lnk_file))
+
+ (macro manage_sysfile_lnk_files ((type ARG1))
+ (allow ARG1 sysfile manage_lnk_file))
+
+ (macro read_sysfile_lnk_files ((type ARG1))
+ (allow ARG1 sysfile read_lnk_file))
+
+ (macro readwrite_sysfile_lnk_files ((type ARG1))
+ (allow ARG1 sysfile readwrite_lnk_file))
+
+ (macro rename_sysfile_lnk_files ((type ARG1))
+ (allow ARG1 sysfile rename_lnk_file))
+
+ (macro write_sysfile_lnk_files ((type ARG1))
+ (allow ARG1 sysfile
write_lnk_file)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysfile.base_template)
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_files)
+ (blockinherit .sysfile.macro_template_lnk_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr sysfile.typeattr (dir (not (audit_access execmod))))
+ (allow typeattr sysfile.typeattr
+ (file (not (audit_access entrypoint execmod))))
+ (allow typeattr sysfile.typeattr
+ (lnk_file (not (audit_access execmod map mounton))))))
+
+(in sys.unconfined
+
+ (call .sysfile.unconfined.type (typeattr)))
diff --git a/src/sys/sysfile/blocksysfile.cil b/src/sys/sysfile/blocksysfile.cil
new file mode 100644
index 0000000..b7c154e
--- /dev/null
+++ b/src/sys/sysfile/blocksysfile.cil
@@ -0,0 +1,40 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block block
+
+ (genfscon "sysfs" "/block" sysfile_context)
+
+ (blockinherit .sysfile.block.template)
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files))
+
+(in sysfile
+
+ (block block
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+
+ (call .sysfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysfile.base_template)
+
+ (call .sysfile.block.type (sysfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysfile.block.base_template)
+ (blockinherit .sysfile.macro_template_files))))
diff --git a/src/sys/sysfile/bussysfile.cil b/src/sys/sysfile/bussysfile.cil
new file mode 100644
index 0000000..241d233
--- /dev/null
+++ b/src/sys/sysfile/bussysfile.cil
@@ -0,0 +1,40 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block bus
+
+ (genfscon "sysfs" "/bus" sysfile_context)
+
+ (blockinherit .sysfile.bus.template)
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files))
+
+(in sysfile
+
+ (block bus
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+
+ (call .sysfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysfile.base_template)
+
+ (call .sysfile.bus.type (sysfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysfile.bus.base_template)
+ (blockinherit .sysfile.macro_template_files))))
diff --git a/src/sys/sysfile/classsysfile.cil b/src/sys/sysfile/classsysfile.cil
new file mode 100644
index 0000000..888006b
--- /dev/null
+++ b/src/sys/sysfile/classsysfile.cil
@@ -0,0 +1,40 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block class
+
+ (genfscon "sysfs" "/class" sysfile_context)
+
+ (blockinherit .sysfile.class.template)
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files))
+
+(in sysfile
+
+ (block class
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+
+ (call .sysfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysfile.base_template)
+
+ (call .sysfile.class.type (sysfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysfile.class.base_template)
+ (blockinherit .sysfile.macro_template_files))))
diff --git a/src/sys/sysfile/classsysfile/zramcontrolclasssysfile.cil b/src/sys/sysfile/classsysfile/zramcontrolclasssysfile.cil
new file mode 100644
index 0000000..ad852db
--- /dev/null
+++ b/src/sys/sysfile/classsysfile/zramcontrolclasssysfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block zramcontrol
+
+ (genfscon "sysfs" "/class/zram-control" sysfile_context)
+
+ (blockinherit .sysfile.class.template)
+ (blockinherit .sysfile.macro_template_dirs))
diff --git a/src/sys/sysfile/devicessysfile.cil b/src/sys/sysfile/devicessysfile.cil
new file mode 100644
index 0000000..45f1f3a
--- /dev/null
+++ b/src/sys/sysfile/devicessysfile.cil
@@ -0,0 +1,40 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block devices
+
+ (genfscon "sysfs" "/devices" sysfile_context)
+
+ (blockinherit .sysfile.devices.template)
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files))
+
+(in sysfile
+
+ (block devices
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+
+ (call .sysfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysfile.base_template)
+
+ (call .sysfile.devices.type (sysfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysfile.devices.base_template)
+ (blockinherit .sysfile.macro_template_files))))
diff --git a/src/sys/sysfile/devicessysfile/cpudevicessysfile.cil b/src/sys/sysfile/devicessysfile/cpudevicessysfile.cil
new file mode 100644
index 0000000..107d0a4
--- /dev/null
+++ b/src/sys/sysfile/devicessysfile/cpudevicessysfile.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in cpu
+
+ (genfscon "sysfs" "/devices/system/cpu" sysfile_context)
+
+ (blockinherit .sysfile.devices.template)
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files))
diff --git a/src/sys/sysfile/devicessysfile/memorydevicessysfile.cil b/src/sys/sysfile/devicessysfile/memorydevicessysfile.cil
new file mode 100644
index 0000000..b25eb11
--- /dev/null
+++ b/src/sys/sysfile/devicessysfile/memorydevicessysfile.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block memory
+
+ (genfscon "sysfs" "/devices/system/memory" sysfile_context)
+
+ (blockinherit .sysfile.devices.template)
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files))
diff --git a/src/sys/sysfile/devicessysfile/nodedevicessysfile.cil b/src/sys/sysfile/devicessysfile/nodedevicessysfile.cil
new file mode 100644
index 0000000..9ff1dd4
--- /dev/null
+++ b/src/sys/sysfile/devicessysfile/nodedevicessysfile.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block node
+
+ (genfscon "sysfs" "/devices/system/node" sysfile_context)
+
+ (blockinherit .sysfile.devices.template)
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files))
diff --git a/src/sys/sysfile/devicessysfile/zramdevicessysfile.cil b/src/sys/sysfile/devicessysfile/zramdevicessysfile.cil
new file mode 100644
index 0000000..a99223f
--- /dev/null
+++ b/src/sys/sysfile/devicessysfile/zramdevicessysfile.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in zram
+
+ (genfscon "sysfs" "/devices/virtual/block/zram" sysfile_context)
+
+ (blockinherit .sysfile.devices.template)
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files))
diff --git a/src/sys/sysfile/devsysfile.cil b/src/sys/sysfile/devsysfile.cil
new file mode 100644
index 0000000..7c3e609
--- /dev/null
+++ b/src/sys/sysfile/devsysfile.cil
@@ -0,0 +1,40 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in dev
+
+ (genfscon "sysfs" "/dev" sysfile_context)
+
+ (blockinherit .sysfile.dev.template)
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files))
+
+(in sysfile
+
+ (block dev
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+
+ (call .sysfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysfile.base_template)
+
+ (call .sysfile.dev.type (sysfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysfile.dev.base_template)
+ (blockinherit .sysfile.macro_template_files))))
diff --git a/src/sys/sysfile/firmwaresysfile.cil b/src/sys/sysfile/firmwaresysfile.cil
new file mode 100644
index 0000000..e5241b4
--- /dev/null
+++ b/src/sys/sysfile/firmwaresysfile.cil
@@ -0,0 +1,40 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block firmware
+
+ (genfscon "sysfs" "/firmware" sysfile_context)
+
+ (blockinherit .sysfile.firmware.template)
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files))
+
+(in sysfile
+
+ (block firmware
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+
+ (call .sysfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysfile.base_template)
+
+ (call .sysfile.firmware.type (sysfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysfile.firmware.base_template)
+ (blockinherit .sysfile.macro_template_files))))
diff --git a/src/sys/sysfile/fssysfile.cil b/src/sys/sysfile/fssysfile.cil
new file mode 100644
index 0000000..ee4f259
--- /dev/null
+++ b/src/sys/sysfile/fssysfile.cil
@@ -0,0 +1,40 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in fs
+
+ (genfscon "sysfs" "/fs" sysfile_context)
+
+ (blockinherit .sysfile.fs.template)
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files))
+
+(in sysfile
+
+ (block fs
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+
+ (call .sysfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysfile.base_template)
+
+ (call .sysfile.fs.type (sysfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysfile.fs.base_template)
+ (blockinherit .sysfile.macro_template_files))))
diff --git a/src/sys/sysfile/fssysfile/btrfssysfile.cil b/src/sys/sysfile/fssysfile/btrfssysfile.cil
new file mode 100644
index 0000000..536e355
--- /dev/null
+++ b/src/sys/sysfile/fssysfile/btrfssysfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block btrfs
+
+ (genfscon "sysfs" "/fs/btrfs" sysfile_context)
+
+ (blockinherit .sysfile.fs.template)
+ (blockinherit .sysfile.macro_template_dirs))
diff --git a/src/sys/sysfile/fssysfile/ext4fssysfile.cil b/src/sys/sysfile/fssysfile/ext4fssysfile.cil
new file mode 100644
index 0000000..c79e258
--- /dev/null
+++ b/src/sys/sysfile/fssysfile/ext4fssysfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ext4
+
+ (genfscon "sysfs" "/fs/ext4" sysfile_context)
+
+ (blockinherit .sysfile.fs.template)
+ (blockinherit .sysfile.macro_template_dirs))
diff --git a/src/sys/sysfile/fssysfile/f2fssysfile.cil b/src/sys/sysfile/fssysfile/f2fssysfile.cil
new file mode 100644
index 0000000..f95f2c9
--- /dev/null
+++ b/src/sys/sysfile/fssysfile/f2fssysfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block f2fs
+
+ (genfscon "sysfs" "/fs/f2fs" sysfile_context)
+
+ (blockinherit .sysfile.fs.template)
+ (blockinherit .sysfile.macro_template_dirs))
diff --git a/src/sys/sysfile/fssysfile/fusefssysfile.cil b/src/sys/sysfile/fssysfile/fusefssysfile.cil
new file mode 100644
index 0000000..9fc7381
--- /dev/null
+++ b/src/sys/sysfile/fssysfile/fusefssysfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in fuse
+
+ (genfscon "sysfs" "/fs/fuse" sysfile_context)
+
+ (blockinherit .sysfile.fs.template)
+ (blockinherit .sysfile.macro_template_dirs))
diff --git a/src/sys/sysfile/fssysfile/xfssysfile.cil b/src/sys/sysfile/fssysfile/xfssysfile.cil
new file mode 100644
index 0000000..ac0986f
--- /dev/null
+++ b/src/sys/sysfile/fssysfile/xfssysfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block xfs
+
+ (genfscon "sysfs" "/fs/xfs" sysfile_context)
+
+ (blockinherit .sysfile.fs.template)
+ (blockinherit .sysfile.macro_template_dirs))
diff --git a/src/sys/sysfile/hypervisorsysfile.cil b/src/sys/sysfile/hypervisorsysfile.cil
new file mode 100644
index 0000000..750559f
--- /dev/null
+++ b/src/sys/sysfile/hypervisorsysfile.cil
@@ -0,0 +1,40 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block hypervisor
+
+ (genfscon "sysfs" "/hypervisor" sysfile_context)
+
+ (blockinherit .sysfile.hypervisor.template)
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files))
+
+(in sysfile
+
+ (block hypervisor
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+
+ (call .sysfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysfile.base_template)
+
+ (call .sysfile.hypervisor.type (sysfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysfile.hypervisor.base_template)
+ (blockinherit .sysfile.macro_template_files))))
diff --git a/src/sys/sysfile/kernelsysfile.cil b/src/sys/sysfile/kernelsysfile.cil
new file mode 100644
index 0000000..e719923
--- /dev/null
+++ b/src/sys/sysfile/kernelsysfile.cil
@@ -0,0 +1,40 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in kernel
+
+ (genfscon "sysfs" "/kernel" sysfile_context)
+
+ (blockinherit .sysfile.kernel.template)
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files))
+
+(in sysfile
+
+ (block kernel
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+
+ (call .sysfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysfile.base_template)
+
+ (call .sysfile.kernel.type (sysfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysfile.kernel.base_template)
+ (blockinherit .sysfile.macro_template_files))))
diff --git a/src/sys/sysfile/kernelsysfile/ksmkernelsysfile.cil b/src/sys/sysfile/kernelsysfile/ksmkernelsysfile.cil
new file mode 100644
index 0000000..a37ac55
--- /dev/null
+++ b/src/sys/sysfile/kernelsysfile/ksmkernelsysfile.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in ksm
+
+ (genfscon "sysfs" "/kernel/mm/ksm" sysfile_context)
+
+ (blockinherit .sysfile.kernel.template)
+ (blockinherit .sysfile.macro_template_dirs))
diff --git a/src/sys/sysfile/modulesysfile.cil b/src/sys/sysfile/modulesysfile.cil
new file mode 100644
index 0000000..6a2f95d
--- /dev/null
+++ b/src/sys/sysfile/modulesysfile.cil
@@ -0,0 +1,40 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block module
+
+ (genfscon "sysfs" "/module" sysfile_context)
+
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files)
+ (blockinherit .sysfile.module.template))
+
+(in sysfile
+
+ (block module
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+
+ (call .sysfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysfile.base_template)
+
+ (call .sysfile.module.type (sysfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysfile.module.base_template)
+ (blockinherit .sysfile.macro_template_files))))
diff --git a/src/sys/sysfile/powersysfile.cil b/src/sys/sysfile/powersysfile.cil
new file mode 100644
index 0000000..47bb32a
--- /dev/null
+++ b/src/sys/sysfile/powersysfile.cil
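Review bot: The three `blockinherit` statements under `(block module` are in a different order from every other sysfs subtree in this commit — class, devices, dev, firmware, fs, hypervisor and kernel list `.sysfile.<name>.template` first and the `macro_template_dirs` / `macro_template_lnk_files` pair after it, whereas here, and in the power hunk that follows, the `.template` line comes last. CIL does not depend on statement order, so this is purely a style point, but one fixed order keeps these generated files diffable against each other. I would move `(blockinherit .sysfile.module.template)` up to directly under the `genfscon` line, and do the same for `(blockinherit .sysfile.power.template)`.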
@@ -0,0 +1,40 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block power
+
+ (genfscon "sysfs" "/power" sysfile_context)
+
+ (blockinherit .sysfile.macro_template_dirs)
+ (blockinherit .sysfile.macro_template_lnk_files)
+ (blockinherit .sysfile.power.template))
+
+(in sysfile
+
+ (block power
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+
+ (call .sysfile.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .sysfile.base_template)
+
+ (call .sysfile.power.type (sysfile)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .sysfile.power.base_template)
+ (blockinherit .sysfile.macro_template_files))))
diff --git a/src/sys/tracefile.cil b/src/sys/tracefile.cil
new file mode 100644
index 0000000..4c7c94c
--- /dev/null
+++ b/src/sys/tracefile.cil
@@ -0,0 +1,142 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block tracefile
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
+
+ (call .obj.type (typeattr))
+
+ (call .trace.associate_fs (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context tracefile_context (.sys.id .sys.role tracefile lowlevelrange))
+
+ (type tracefile)
+ (call .tracefile.type (tracefile)))
+
+ (block macro_template_dirs
+
+ (blockabstract macro_template_dirs)
+
+ (macro addname_tracefile_dirs ((type ARG1))
+ (allow ARG1 tracefile addname_dir))
+
+ (macro create_tracefile_dirs ((type ARG1))
+ (allow ARG1 tracefile create_dir))
+
+ (macro delete_tracefile_dirs ((type ARG1))
+ (allow ARG1 tracefile delete_dir))
+
+ (macro deletename_tracefile_dirs ((type ARG1))
+ (allow ARG1 tracefile deletename_dir))
+
+ (macro list_tracefile_dirs ((type ARG1))
+ (allow ARG1 tracefile list_dir))
+
+ (macro listinherited_tracefile_dirs ((type ARG1))
+ (allow ARG1 tracefile listinherited_dir))
+
+ (macro manage_tracefile_dirs ((type ARG1))
+ (allow ARG1 tracefile manage_dir))
+
+ (macro mounton_tracefile_dirs ((type ARG1))
+ (allow ARG1 tracefile mounton_dir))
+
+ (macro readwrite_tracefile_dirs ((type ARG1))
+ (allow ARG1 tracefile readwrite_dir))
+
+ (macro readwriteinherited_tracefile_dirs ((type ARG1))
+ (allow ARG1 tracefile readwriteinherited_dir))
+
+ (macro rename_tracefile_dirs ((type ARG1))
+ (allow ARG1 tracefile rename_dir))
+
+ (macro search_tracefile_dirs ((type ARG1))
+ (allow ARG1 tracefile search_dir))
+
+ (macro write_tracefile_dirs ((type ARG1))
+ (allow ARG1 tracefile write_dir))
+
+ (macro writeinherited_tracefile_dirs ((type ARG1))
+ (allow ARG1 tracefile writeinherited_dir)))
+
+ (block macro_template_files
+
+ (blockabstract macro_template_files)
+
+ (macro append_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile append_file))
+
+ (macro appendinherited_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile appendinherited_file))
+
+ (macro create_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile create_file))
+
+ (macro delete_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile delete_file))
+
+ (macro execute_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile execute_file))
+
+ (macro manage_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile manage_file))
+
+ (macro mapexecute_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile mapexecute_file))
+
+ (macro mounton_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile mounton_file))
+
+ (macro read_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile read_file))
+
+ (macro readinherited_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile readinherited_file))
+
+ (macro readwrite_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile readwrite_file))
+
+ (macro readwriteinherited_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile readwriteinherited_file))
+
+ (macro rename_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile rename_file))
+
+ (macro write_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile write_file))
+
+ (macro writeinherited_tracefile_files ((type ARG1))
+ (allow ARG1 tracefile writeinherited_file)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .tracefile.base_template)
+ (blockinherit .tracefile.macro_template_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr tracefile.typeattr (dir (not (audit_access execmod))))
+ (allow typeattr tracefile.typeattr
+ (file (not (audit_access entrypoint execmod))))))
+
+(in sys.unconfined
+
+ (call .tracefile.unconfined.type (typeattr))) |
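Review bot: `execute_tracefile_files` and `mapexecute_tracefile_files` in `macro_template_files` hand out `execute_file` / `mapexecute_file` on the `tracefile` type, yet tracefs only carries tracing control files and ring-buffer readers, so no caller can have a legitimate need for them and any call silently widens a domain beyond least privilege. If this block is produced by a generator shared with the other per-filesystem file types, a comment above the two macros saying so (`;; generated alongside the other file templates; tracefs never holds executables, so these should not be called`) would at least warn policy authors; otherwise dropping the two macros is the cleaner fix. The `unconfined` block at the end of the hunk grants everything on `dir` except `audit_access execmod` and everything on `file` except `audit_access entrypoint execmod`, which is the expected shape for an unconfined attribute, but a one-line comment stating that the exclusions are deliberate would make the exception list reviewable.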