diff options
| author | Dominick Grift <dominick.grift@defensec.nl> | 2023-08-20 15:44:41 +0200 |
|---|---|---|
| committer | Dominick Grift <dominick.grift@defensec.nl> | 2023-08-20 15:46:23 +0200 |
| commit | 0c187b6ff97f91c41dab65a6426dc61f77305cdf (patch) | |
| tree | 1e35f5851154500a8a39428a45a5671f9488e1da /src | |
| download | selinux-policy-0c187b6ff97f91c41dab65a6426dc61f77305cdf.tar.gz | |
Import dssp5
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Diffstat (limited to 'src')
365 files changed, 16210 insertions, 0 deletions
diff --git a/src/anoninode.cil b/src/anoninode.cil new file mode 100644 index 0000000..229b3ea --- /dev/null +++ b/src/anoninode.cil @@ -0,0 +1,250 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class anon_inode ()) +(classorder (unordered anon_inode)) + +(classcommon anon_inode common_file) + +(classmapping constrainobject append (anon_inode (append))) +(classmapping constrainobject create (anon_inode (create))) +(classmapping constrainobject getattr (anon_inode (getattr))) +(classmapping constrainobject read (anon_inode (read))) +(classmapping constrainobject relabelto (anon_inode (relabelto))) +(classmapping constrainobject setattr (anon_inode (setattr))) +(classmapping constrainobject write (anon_inode (write))) + +(classpermission append_anon_inode) +(classpermission create_anon_inode) +(classpermission delete_anon_inode) +(classpermission manage_anon_inode) +(classpermission mapexecute_anon_inode) +(classpermission mounton_anon_inode) +(classpermission read_anon_inode) +(classpermission readwrite_anon_inode) +(classpermission relabel_anon_inode) +(classpermission relabelfrom_anon_inode) +(classpermission relabelto_anon_inode) +(classpermission rename_anon_inode) +(classpermission write_anon_inode) + +(classpermissionset append_anon_inode + (anon_inode (append getattr ioctl lock open))) +(classpermissionset create_anon_inode (anon_inode (create getattr))) +(classpermissionset delete_anon_inode (anon_inode (getattr unlink))) +(classpermissionset manage_anon_inode + (anon_inode (append create getattr ioctl link lock open read + rename setattr unlink write))) +(classpermissionset mapexecute_anon_inode (anon_inode (execute map))) +(classpermissionset mounton_anon_inode (anon_inode (getattr mounton))) +(classpermissionset read_anon_inode (anon_inode (getattr ioctl lock open read))) +(classpermissionset readwrite_anon_inode + (anon_inode (append getattr ioctl lock open read write))) +(classpermissionset relabel_anon_inode + (anon_inode (getattr relabelfrom relabelto))) +(classpermissionset relabelfrom_anon_inode (anon_inode (getattr relabelfrom))) +(classpermissionset relabelto_anon_inode (anon_inode (getattr relabelto))) +(classpermissionset rename_anon_inode (anon_inode (getattr rename))) +(classpermissionset write_anon_inode + (anon_inode (append getattr ioctl lock open write))) + +(defaultrole anon_inode source) + +(macro append_invalid_anon_inodes ((type ARG1)) + (allow ARG1 .invalid append_anon_inode)) + +(macro create_invalid_anon_inodes ((type ARG1)) + (allow ARG1 .invalid create_anon_inode)) + +(macro delete_invalid_anon_inodes ((type ARG1)) + (allow ARG1 .invalid delete_anon_inode)) + +(macro manage_invalid_anon_inodes ((type ARG1)) + (allow ARG1 .invalid manage_anon_inode)) + +(macro mapexecute_invalid_anon_inodes ((type ARG1)) + (allow ARG1 .invalid mapexecute_anon_inode)) + +(macro mounton_invalid_anon_inodes ((type ARG1)) + (allow ARG1 .invalid mounton_anon_inode)) + +(macro read_invalid_anon_inodes ((type ARG1)) + (allow ARG1 .invalid read_anon_inode)) + +(macro readwrite_invalid_anon_inodes ((type ARG1)) + (allow ARG1 .invalid readwrite_anon_inode)) + +(macro relabel_invalid_anon_inodes ((type ARG1)) + (allow ARG1 .invalid relabel_anon_inode)) + +(macro relabelfrom_invalid_anon_inodes ((type ARG1)) + (allow ARG1 .invalid relabelfrom_anon_inode)) + +(macro relabelto_invalid_anon_inodes ((type ARG1)) + (allow ARG1 .invalid relabelto_anon_inode)) + +(macro rename_invalid_anon_inodes ((type ARG1)) + (allow ARG1 .invalid rename_anon_inode)) + +(macro write_invalid_anon_inodes ((type ARG1)) + (allow ARG1 .invalid write_anon_inode)) + +(block anon_inode + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit all_macro_template_anon_inodes) + + (call .obj.type (typeattr)) + + (block all_macro_template_anon_inodes + + (blockabstract all_macro_template_anon_inodes) + + (macro append_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr append_anon_inode)) + + (macro create_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr create_anon_inode)) + + (macro delete_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr delete_anon_inode)) + + (macro manage_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr manage_anon_inode)) + + (macro mapexecute_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr mapexecute_anon_inode)) + + (macro mounton_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr mounton_anon_inode)) + + (macro read_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr read_anon_inode)) + + (macro readwrite_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr readwrite_anon_inode)) + + (macro relabel_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr relabel_anon_inode)) + + (macro relabelfrom_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr relabelfrom_anon_inode)) + + (macro relabelto_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr relabelto_anon_inode)) + + (macro rename_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr rename_anon_inode)) + + (macro write_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr write_anon_inode))) + + (block base_template + + (blockabstract base_template) + + (type anon_inode) + (call .anon_inode.type (anon_inode))) + + (block except + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit anon_inode.all_macro_template_anon_inodes) + + (typeattribute typeattr) + + (typeattributeset typeattr + (and anon_inode.typeattr (not (exception.typeattr))))) + + (block exception + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call anon_inode.type (typeattr))) + + (block macro_template_anon_inodes + + (blockabstract macro_template_anon_inodes) + + (macro append_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode append_anon_inode)) + + (macro create_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode create_anon_inode)) + + (macro delete_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode delete_anon_inode)) + + (macro manage_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode manage_anon_inode)) + + (macro mapexecute_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode mapexecute_anon_inode)) + + (macro mounton_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode mounton_anon_inode)) + + (macro read_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode read_anon_inode)) + + (macro readwrite_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode readwrite_anon_inode)) + + (macro relabel_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode relabel_anon_inode)) + + (macro relabelfrom_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode relabelfrom_anon_inode)) + + (macro relabelto_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode relabelto_anon_inode)) + + (macro rename_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode rename_anon_inode)) + + (macro self_type_transition ((type ARG1)(type ARG2)(name ARG3)) + (typetransition ARG1 ARG1 anon_inode ARG3 ARG2)) + + (macro write_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode write_anon_inode))) + + (block template + + (blockabstract template) + + (blockinherit .anon_inode.base_template) + (blockinherit .anon_inode.macro_template_anon_inodes)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr anon_inode.typeattr + (anon_inode (not (audit_access execmod mounton)))))) + +(in invalid.unconfined + + (allow typeattr .invalid + (anon_inode (not (audit_access create execmod mounton))))) + +(in subj.unconfined + + (allow typeattr self (anon_inode (create))) + (allow typeattr subj.typeattr + (anon_inode (not (audit_access create execmod mounton))))) + +(in unconfined + + (call .anon_inode.unconfined.type (typeattr))) diff --git a/src/anoninode/iouringanoninode.cil b/src/anoninode/iouringanoninode.cil new file mode 100644 index 0000000..1477ff0 --- /dev/null +++ b/src/anoninode/iouringanoninode.cil @@ -0,0 +1,44 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block iouring + + (blockinherit anon_inode.template) + + (block anon_inode + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .anon_inode.all_macro_template_anon_inodes) + + (call .anon_inode.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .anon_inode.base_template) + + (call .iouring.anon_inode.type (anon_inode))) + + (block template + + (macro map_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode (anon_inode (map)))) + + (macro self_type_transition_anon_inode ((type ARG1)) + (call self_type_transition + (ARG1 anon_inode "[io_uring]"))) + + (blockabstract template) + + (blockinherit .anon_inode.macro_template_anon_inodes) + + (blockinherit .iouring.anon_inode.base_template)))) + +(in anon_inode.unconfined + + (call .iouring.self_type_transition_anon_inode (typeattr))) diff --git a/src/anoninode/perfeventanoninode.cil b/src/anoninode/perfeventanoninode.cil new file mode 100644 index 0000000..926d0dc --- /dev/null +++ b/src/anoninode/perfeventanoninode.cil @@ -0,0 +1,41 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block perfevent + + (blockinherit anon_inode.template) + + (block anon_inode + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .anon_inode.all_macro_template_anon_inodes) + + (call .anon_inode.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .anon_inode.base_template) + + (call .perfevent.anon_inode.type (anon_inode))) + + (block template + + (macro self_type_transition_anon_inode ((type ARG1)) + (call self_type_transition + (ARG1 anon_inode "[perf_event]"))) + + (blockabstract template) + + (blockinherit .anon_inode.macro_template_anon_inodes) + + (blockinherit .perfevent.anon_inode.base_template)))) + +(in anon_inode.unconfined + + (call .perfevent.self_type_transition_anon_inode (typeattr))) diff --git a/src/anoninode/secretmemanoninode.cil b/src/anoninode/secretmemanoninode.cil new file mode 100644 index 0000000..57b45bf --- /dev/null +++ b/src/anoninode/secretmemanoninode.cil @@ -0,0 +1,41 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block secretmem + + (blockinherit anon_inode.template) + + (block anon_inode + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .anon_inode.all_macro_template_anon_inodes) + + (call .anon_inode.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .anon_inode.base_template) + + (call .secretmem.anon_inode.type (anon_inode))) + + (block template + + (macro self_type_transition_anon_inode ((type ARG1)) + (call self_type_transition + (ARG1 anon_inode "[secretmem]"))) + + (blockabstract template) + + (blockinherit .anon_inode.macro_template_anon_inodes) + + (blockinherit .secretmem.anon_inode.base_template)))) + +(in anon_inode.unconfined + + (call .secretmem.self_type_transition_anon_inode (typeattr))) diff --git a/src/anoninode/uffdanoninode.cil b/src/anoninode/uffdanoninode.cil new file mode 100644 index 0000000..d4dffc6 --- /dev/null +++ b/src/anoninode/uffdanoninode.cil @@ -0,0 +1,41 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block uffd + + (blockinherit anon_inode.template) + + (block anon_inode + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .anon_inode.all_macro_template_anon_inodes) + + (call .anon_inode.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .anon_inode.base_template) + + (call .uffd.anon_inode.type (anon_inode))) + + (block template + + (macro self_type_transition_anon_inode ((type ARG1)) + (call self_type_transition + (ARG1 anon_inode "[userfaultfd]"))) + + (blockabstract template) + + (blockinherit .anon_inode.macro_template_anon_inodes) + + (blockinherit .uffd.anon_inode.base_template)))) + +(in anon_inode.unconfined + + (call .uffd.self_type_transition_anon_inode (typeattr))) diff --git a/src/dev.cil b/src/dev.cil new file mode 100644 index 0000000..a0283e8 --- /dev/null +++ b/src/dev.cil @@ -0,0 +1,51 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block dev + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_blk_files) + (blockinherit .file.all_macro_template_chr_files) + + (call .obj.type (typeattr)) + + (call .devtmp.associate_fs (typeattr)) + + (block except + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit .file.all_macro_template_blk_files) + (blockinherit .file.all_macro_template_chr_files) + + (typeattribute typeattr) + + (typeattributeset typeattr (and dev.typeattr (not (exception.typeattr))))) + + (block exception + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call dev.type (typeattr))) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr dev.typeattr (blk_file (not (audit_access execmod map)))) + (allow typeattr dev.typeattr (chr_file (not (audit_access execmod)))))) + +(in unconfined + + (call .dev.unconfined.type (typeattr))) diff --git a/src/dev/nodedev.cil b/src/dev/nodedev.cil new file mode 100644 index 0000000..b681759 --- /dev/null +++ b/src/dev/nodedev.cil @@ -0,0 +1,116 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block nodedev + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (macro mounton_all_chr_files ((type ARG1)) + (allow ARG1 typeattr mounton_chr_file)) + + (blockinherit .file.all_macro_template_chr_files) + + (call .dev.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (context nodedev_context (.sys.id .sys.role nodedev lowlevelrange)) + + (type nodedev) + (call .nodedev.type (nodedev))) + + (block except + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_chr_files) + + (typeattribute typeattr) + + (typeattributeset typeattr + (and nodedev.typeattr (not (exception.typeattr))))) + + (block exception + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call nodedev.type (typeattr)) + + (call .dev.exception.type (typeattr))) + + (block macro_template_chr_files + + (blockabstract macro_template_chr_files) + + (macro append_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev append_chr_file)) + + (macro appendinherited_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev appendinherited_chr_file)) + + (macro create_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev create_chr_file)) + + (macro delete_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev delete_chr_file)) + + (macro manage_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev manage_chr_file)) + + (macro mapexecute_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev mapexecute_chr_file)) + + (macro read_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev read_chr_file)) + + (macro readinherited_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev readinherited_chr_file)) + + (macro readwrite_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev readwrite_chr_file)) + + (macro readwriteinherited_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev readwriteinherited_chr_file)) + + (macro relabel_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev relabel_chr_file)) + + (macro relabelfrom_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev relabelfrom_chr_file)) + + (macro relabelto_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev relabelto_chr_file)) + + (macro rename_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev rename_chr_file)) + + (macro write_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev write_chr_file)) + + (macro writeinherited_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev writeinherited_chr_file))) + + (block template + + (blockabstract template) + + (blockinherit .nodedev.base_template) + (blockinherit .nodedev.macro_template_chr_files)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr nodedev.typeattr (chr_file (not (audit_access execmod)))))) diff --git a/src/dev/nodedev/apmnodedev.cil b/src/dev/nodedev/apmnodedev.cil new file mode 100644 index 0000000..d13ee45 --- /dev/null +++ b/src/dev/nodedev/apmnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block apm + + (filecon "/dev/snapshot" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/autofsnodedev.cil b/src/dev/nodedev/autofsnodedev.cil new file mode 100644 index 0000000..1aea912 --- /dev/null +++ b/src/dev/nodedev/autofsnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block autofs + + (filecon "/dev/autofs" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/btrfscontrolnodedev.cil b/src/dev/nodedev/btrfscontrolnodedev.cil new file mode 100644 index 0000000..e390955 --- /dev/null +++ b/src/dev/nodedev/btrfscontrolnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block btrfscontrol + + (filecon "/dev/btrfs-control" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/cachefilesnodedev.cil b/src/dev/nodedev/cachefilesnodedev.cil new file mode 100644 index 0000000..8b3aba2 --- /dev/null +++ b/src/dev/nodedev/cachefilesnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block cachefiles + + (filecon "/dev/cachefiles" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/cdcwdmnodedev.cil b/src/dev/nodedev/cdcwdmnodedev.cil new file mode 100644 index 0000000..1c03f7f --- /dev/null +++ b/src/dev/nodedev/cdcwdmnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block cdcwdm + + (filecon "/dev/cdc-wdm([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/clocknodedev.cil b/src/dev/nodedev/clocknodedev.cil new file mode 100644 index 0000000..97a67f7 --- /dev/null +++ b/src/dev/nodedev/clocknodedev.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block clock + + (filecon "/dev/hpet" char nodedev_context) + (filecon "/dev/ptp([0-9]+)?" char nodedev_context) + (filecon "/dev/rtc([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/cpunodedev.cil b/src/dev/nodedev/cpunodedev.cil new file mode 100644 index 0000000..07fc918 --- /dev/null +++ b/src/dev/nodedev/cpunodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block cpu + + (filecon "/dev/cpu/.+" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/crashnodedev.cil b/src/dev/nodedev/crashnodedev.cil new file mode 100644 index 0000000..db1abe9 --- /dev/null +++ b/src/dev/nodedev/crashnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block crash + + (filecon "/dev/crash" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/cusenodedev.cil b/src/dev/nodedev/cusenodedev.cil new file mode 100644 index 0000000..ab303b0 --- /dev/null +++ b/src/dev/nodedev/cusenodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block cuse + + (filecon "/dev/cuse" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/dmaheapnodedev.cil b/src/dev/nodedev/dmaheapnodedev.cil new file mode 100644 index 0000000..acaa5e8 --- /dev/null +++ b/src/dev/nodedev/dmaheapnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block dmaheap + + (filecon "/dev/dma_heap/.*" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/dmcontrolnodedev.cil b/src/dev/nodedev/dmcontrolnodedev.cil new file mode 100644 index 0000000..687e1e4 --- /dev/null +++ b/src/dev/nodedev/dmcontrolnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block dmcontrol + + (filecon "/dev/mapper/control" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/drinodedev.cil b/src/dev/nodedev/drinodedev.cil new file mode 100644 index 0000000..d215a46 --- /dev/null +++ b/src/dev/nodedev/drinodedev.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block dri + + (filecon "/dev/dri/.+" char nodedev_context) + + (blockinherit .nodedev.template) + + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/nodedev/drmdpauxnodedev.cil b/src/dev/nodedev/drmdpauxnodedev.cil new file mode 100644 index 0000000..59c5257 --- /dev/null +++ b/src/dev/nodedev/drmdpauxnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block drmdpaux + + (filecon "/dev/drm_dp_aux[0-9]+" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/eventnodedev.cil b/src/dev/nodedev/eventnodedev.cil new file mode 100644 index 0000000..a8e3ee5 --- /dev/null +++ b/src/dev/nodedev/eventnodedev.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block event + + (filecon "/dev/input/event([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template) + + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/nodedev/fbnodedev.cil b/src/dev/nodedev/fbnodedev.cil new file mode 100644 index 0000000..47d670c --- /dev/null +++ b/src/dev/nodedev/fbnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block fb + + (filecon "/dev/fb([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/gpionodedev.cil b/src/dev/nodedev/gpionodedev.cil new file mode 100644 index 0000000..466fbdb --- /dev/null +++ b/src/dev/nodedev/gpionodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block gpio + + (filecon "/dev/gpiochip([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/hiddevnodedev.cil b/src/dev/nodedev/hiddevnodedev.cil new file mode 100644 index 0000000..202a000 --- /dev/null +++ b/src/dev/nodedev/hiddevnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block hiddev + + (filecon "/dev/hiddev[0-9]+" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/hidrawnodedev.cil b/src/dev/nodedev/hidrawnodedev.cil new file mode 100644 index 0000000..3ca398f --- /dev/null +++ b/src/dev/nodedev/hidrawnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block hidraw + + (filecon "/dev/hidraw[0-9]+" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/hwrngnodedev.cil b/src/dev/nodedev/hwrngnodedev.cil new file mode 100644 index 0000000..76a14bf --- /dev/null +++ b/src/dev/nodedev/hwrngnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block hwrng + + (filecon "/dev/hwrng" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/i2cnodedev.cil b/src/dev/nodedev/i2cnodedev.cil new file mode 100644 index 0000000..e6bd3d0 --- /dev/null +++ b/src/dev/nodedev/i2cnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block i2c + + (filecon "/dev/i2c([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/iionodedev.cil b/src/dev/nodedev/iionodedev.cil new file mode 100644 index 0000000..40e9d4b --- /dev/null +++ b/src/dev/nodedev/iionodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block iio + + (filecon "/dev/iio:device([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/infinibandnodedev.cil b/src/dev/nodedev/infinibandnodedev.cil new file mode 100644 index 0000000..4b15207 --- /dev/null +++ b/src/dev/nodedev/infinibandnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block infiniband + + (filecon "/dev/infiniband/.+" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/inputnodedev.cil b/src/dev/nodedev/inputnodedev.cil new file mode 100644 index 0000000..c68115a --- /dev/null +++ b/src/dev/nodedev/inputnodedev.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block input + + (filecon "/dev/input/js([0-9]+)?" char nodedev_context) + (filecon "/dev/input/mice" char nodedev_context) + (filecon "/dev/input/mouse([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/ipminodedev.cil b/src/dev/nodedev/ipminodedev.cil new file mode 100644 index 0000000..21b4c66 --- /dev/null +++ b/src/dev/nodedev/ipminodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block ipmi + + (filecon "/dev/ipmi[0-9]+" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/kfdnodedev.cil b/src/dev/nodedev/kfdnodedev.cil new file mode 100644 index 0000000..1b90a69 --- /dev/null +++ b/src/dev/nodedev/kfdnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block kfd + + (filecon "/dev/kfd" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/kmsgnodedev.cil b/src/dev/nodedev/kmsgnodedev.cil new file mode 100644 index 0000000..3417a9e --- /dev/null +++ b/src/dev/nodedev/kmsgnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block kmsg + + (filecon "/dev/kmsg" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/ksmnodedev.cil b/src/dev/nodedev/ksmnodedev.cil new file mode 100644 index 0000000..b979ca9 --- /dev/null +++ b/src/dev/nodedev/ksmnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block ksm + + (filecon "/dev/ksm" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/kvmnodedev.cil b/src/dev/nodedev/kvmnodedev.cil new file mode 100644 index 0000000..8b13d49 --- /dev/null +++ b/src/dev/nodedev/kvmnodedev.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block kvm + + (filecon "/dev/kvm" char nodedev_context) + + (blockinherit .nodedev.template) + + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/nodedev/lircnodedev.cil b/src/dev/nodedev/lircnodedev.cil new file mode 100644 index 0000000..4a96ea0 --- /dev/null +++ b/src/dev/nodedev/lircnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block lirc + + (filecon "/dev/lirc[0-9]+" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/loopcontrolnodedev.cil b/src/dev/nodedev/loopcontrolnodedev.cil new file mode 100644 index 0000000..e594763 --- /dev/null +++ b/src/dev/nodedev/loopcontrolnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block loopcontrol + + (filecon "/dev/loop-control" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/mcelognodedev.cil b/src/dev/nodedev/mcelognodedev.cil new file mode 100644 index 0000000..98ddaf7 --- /dev/null +++ b/src/dev/nodedev/mcelognodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block mcelog + + (filecon "/dev/mcelog" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/meinodedev.cil b/src/dev/nodedev/meinodedev.cil new file mode 100644 index 0000000..41f9f8d --- /dev/null +++ b/src/dev/nodedev/meinodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block mei + + (filecon "/dev/mei([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/memnodedev.cil b/src/dev/nodedev/memnodedev.cil new file mode 100644 index 0000000..cfef06e --- /dev/null +++ b/src/dev/nodedev/memnodedev.cil @@ -0,0 +1,53 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block mem + + (filecon "/dev/mem" char nodedev_context) + (filecon "/dev/port" char nodedev_context) + + (blockinherit .nodedev.template) + + (call .nodedev.exception.type (nodedev)) + + (block read + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr mem.nodedev (chr_file (read)))) + + (block readwrite + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call read.type (typeattr)) + (call write.type (typeattr))) + + (block write + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr mem.nodedev (chr_file (append write))))) + +(in dev.unconfined + + (call .mem.readwrite.type (typeattr))) + +(in nodedev.unconfined + + (call .mem.readwrite.type (typeattr))) diff --git a/src/dev/nodedev/modemnodedev.cil b/src/dev/nodedev/modemnodedev.cil new file mode 100644 index 0000000..8fce849 --- /dev/null +++ b/src/dev/nodedev/modemnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block modem + + (filecon "/dev/modem" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/ndctlnodedev.cil b/src/dev/nodedev/ndctlnodedev.cil new file mode 100644 index 0000000..b55df2c --- /dev/null +++ b/src/dev/nodedev/ndctlnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block ndctl + + (filecon "/dev/ndctl([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/nullnodedev.cil b/src/dev/nodedev/nullnodedev.cil new file mode 100644 index 0000000..e6340a3 --- /dev/null +++ b/src/dev/nodedev/nullnodedev.cil @@ -0,0 +1,13 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(sidcontext devnull (sys.id sys.role null.nodedev lowlevelrange)) + +(block null + + (filecon "/dev/full" char nodedev_context) + (filecon "/dev/null" char nodedev_context) + + (blockinherit .nodedev.template) + + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/nodedev/nvramnodedev.cil b/src/dev/nodedev/nvramnodedev.cil new file mode 100644 index 0000000..5a1b581 --- /dev/null +++ b/src/dev/nodedev/nvramnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block nvram + + (filecon "/dev/nvram" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/pmunodedev.cil b/src/dev/nodedev/pmunodedev.cil new file mode 100644 index 0000000..d27d04d --- /dev/null +++ b/src/dev/nodedev/pmunodedev.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block pmu + + (filecon "/dev/pmu" char nodedev_context) + (filecon "/dev/smu" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/pppnodedev.cil b/src/dev/nodedev/pppnodedev.cil new file mode 100644 index 0000000..2a551c2 --- /dev/null +++ b/src/dev/nodedev/pppnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block ppp + + (filecon "/dev/ppp" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/printernodedev.cil b/src/dev/nodedev/printernodedev.cil new file mode 100644 index 0000000..2766e4a --- /dev/null +++ b/src/dev/nodedev/printernodedev.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block printer + + (filecon "/dev/lp([0-9]+)?" char nodedev_context) + (filecon "/dev/parport([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/ptmxnodedev.cil b/src/dev/nodedev/ptmxnodedev.cil new file mode 100644 index 0000000..8d26226 --- /dev/null +++ b/src/dev/nodedev/ptmxnodedev.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block ptmx + + (filecon "/dev/ptmx" char nodedev_context) + + (blockinherit .nodedev.template) + + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/nodedev/qosnodedev.cil b/src/dev/nodedev/qosnodedev.cil new file mode 100644 index 0000000..b64d46d --- /dev/null +++ b/src/dev/nodedev/qosnodedev.cil @@ -0,0 +1,11 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block qos + + (filecon "/dev/cpu_dma_latency" char nodedev_context) + (filecon "/dev/memory_bandwidth" char nodedev_context) + (filecon "/dev/network_latency" char nodedev_context) + (filecon "/dev/network_throughput" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/randomnodedev.cil b/src/dev/nodedev/randomnodedev.cil new file mode 100644 index 0000000..c3b1cd6 --- /dev/null +++ b/src/dev/nodedev/randomnodedev.cil @@ -0,0 +1,11 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block random + + (filecon "/dev/random" char nodedev_context) + (filecon "/dev/urandom" char nodedev_context) + + (blockinherit .nodedev.template) + + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/nodedev/rfkillnodedev.cil b/src/dev/nodedev/rfkillnodedev.cil new file mode 100644 index 0000000..712cb21 --- /dev/null +++ b/src/dev/nodedev/rfkillnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block rfkill + + (filecon "/dev/rfkill" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/sndnodedev.cil b/src/dev/nodedev/sndnodedev.cil new file mode 100644 index 0000000..85569c3 --- /dev/null +++ b/src/dev/nodedev/sndnodedev.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block snd + + (filecon "/dev/snd/.+" char nodedev_context) + + (blockinherit .nodedev.template) + + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/nodedev/tpmnodedev.cil b/src/dev/nodedev/tpmnodedev.cil new file mode 100644 index 0000000..98b44a3 --- /dev/null +++ b/src/dev/nodedev/tpmnodedev.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block tpm + + (filecon "/dev/tpm([0-9]+)?" char nodedev_context) + (filecon "/dev/tpmrm([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/ttynodedev.cil b/src/dev/nodedev/ttynodedev.cil new file mode 100644 index 0000000..0380fde --- /dev/null +++ b/src/dev/nodedev/ttynodedev.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block tty + + (filecon "/dev/tty" char nodedev_context) + + (blockinherit .nodedev.template) + + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/nodedev/tuntapnodedev.cil b/src/dev/nodedev/tuntapnodedev.cil new file mode 100644 index 0000000..8e4d249 --- /dev/null +++ b/src/dev/nodedev/tuntapnodedev.cil @@ -0,0 +1,11 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block tuntap + + (filecon "/dev/net/tun" char nodedev_context) + (filecon "/dev/tap([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template) + + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/nodedev/udmabufnodedev.cil b/src/dev/nodedev/udmabufnodedev.cil new file mode 100644 index 0000000..0404a83 --- /dev/null +++ b/src/dev/nodedev/udmabufnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block udmabuf + + (filecon "/dev/udmabuf" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/uffdnodedev.cil b/src/dev/nodedev/uffdnodedev.cil new file mode 100644 index 0000000..c5ec44b --- /dev/null +++ b/src/dev/nodedev/uffdnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in uffd + + (filecon "/dev/userfaultfd" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/uhidnodedev.cil b/src/dev/nodedev/uhidnodedev.cil new file mode 100644 index 0000000..d92b7d4 --- /dev/null +++ b/src/dev/nodedev/uhidnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block uhid + + (filecon "/dev/uhid" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/uinputnodedev.cil b/src/dev/nodedev/uinputnodedev.cil new file mode 100644 index 0000000..194b632 --- /dev/null +++ b/src/dev/nodedev/uinputnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block uinput + + (filecon "/dev/uinput" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/uionodedev.cil b/src/dev/nodedev/uionodedev.cil new file mode 100644 index 0000000..533bb05 --- /dev/null +++ b/src/dev/nodedev/uionodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block uio + + (filecon "/dev/uio[0-9]+" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/usbmonnodedev.cil b/src/dev/nodedev/usbmonnodedev.cil new file mode 100644 index 0000000..b11881c --- /dev/null +++ b/src/dev/nodedev/usbmonnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block usbmon + + (filecon "/dev/usbmon[0-9]+" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/usbnodedev.cil b/src/dev/nodedev/usbnodedev.cil new file mode 100644 index 0000000..2432b6a --- /dev/null +++ b/src/dev/nodedev/usbnodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block usb + + (filecon "/dev/bus/usb/.+" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/v4lnodedev.cil b/src/dev/nodedev/v4lnodedev.cil new file mode 100644 index 0000000..b2fe91f --- /dev/null +++ b/src/dev/nodedev/v4lnodedev.cil @@ -0,0 +1,11 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block v4l + + (filecon "/dev/media([0-9]+)?" char nodedev_context) + (filecon "/dev/video([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template) + + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/nodedev/vfionodedev.cil b/src/dev/nodedev/vfionodedev.cil new file mode 100644 index 0000000..8644d8e --- /dev/null +++ b/src/dev/nodedev/vfionodedev.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block vfio + + (filecon "/dev/vfio/.+" char nodedev_context) + + (blockinherit .nodedev.template) + + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/nodedev/vgaarbiternodedev.cil b/src/dev/nodedev/vgaarbiternodedev.cil new file mode 100644 index 0000000..bbe5fe6 --- /dev/null +++ b/src/dev/nodedev/vgaarbiternodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block vgaarbiter + + (filecon "/dev/vga_arbiter" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/vhostnodedev.cil b/src/dev/nodedev/vhostnodedev.cil new file mode 100644 index 0000000..305e2be --- /dev/null +++ b/src/dev/nodedev/vhostnodedev.cil @@ -0,0 +1,11 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block vhost + + (filecon "/dev/vhci" char nodedev_context) + (filecon "/dev/vhost-net" char nodedev_context) + (filecon "/dev/vhost-scsi" char nodedev_context) + (filecon "/dev/vhost-vsock" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/vmcinodedev.cil b/src/dev/nodedev/vmcinodedev.cil new file mode 100644 index 0000000..d19746b --- /dev/null +++ b/src/dev/nodedev/vmcinodedev.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block vmci + + (filecon "/dev/vmci" char nodedev_context) + (filecon "/dev/vsock" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/watchdognodedev.cil b/src/dev/nodedev/watchdognodedev.cil new file mode 100644 index 0000000..120da11 --- /dev/null +++ b/src/dev/nodedev/watchdognodedev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block watchdog + + (filecon "/dev/watchdog([0-9]+)?" char nodedev_context) + + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/zeronodedev.cil b/src/dev/nodedev/zeronodedev.cil new file mode 100644 index 0000000..386966a --- /dev/null +++ b/src/dev/nodedev/zeronodedev.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block zero + + (filecon "/dev/zero" char nodedev_context) + + (blockinherit .nodedev.template) + + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/stordev.cil b/src/dev/stordev.cil new file mode 100644 index 0000000..8611ec6 --- /dev/null +++ b/src/dev/stordev.cil @@ -0,0 +1,188 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block stordev + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (macro mounton_all_chr_files ((type ARG1)) + (allow ARG1 typeattr mounton_chr_file)) + + (blockinherit .file.all_macro_template_blk_files) + (blockinherit .file.all_macro_template_chr_files) + + (call .dev.exception.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (context stordev_context (.sys.id .sys.role stordev lowlevelrange)) + + (type stordev) + (call .stordev.type (stordev))) + + (block macro_template_blk_files + + (blockabstract macro_template_blk_files) + + (macro append_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev append_blk_file)) + + (macro appendinherited_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev appendinherited_blk_file)) + + (macro create_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev create_blk_file)) + + (macro delete_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev delete_blk_file)) + + (macro manage_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev manage_blk_file)) + + (macro read_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev read_blk_file)) + + (macro readinherited_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev readinherited_blk_file)) + + (macro readwrite_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev readwrite_blk_file)) + + (macro readwriteinherited_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev readwriteinherited_blk_file)) + + (macro relabel_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev relabel_blk_file)) + + (macro relabelfrom_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev relabelfrom_blk_file)) + + (macro relabelto_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev relabelto_blk_file)) + + (macro rename_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev rename_blk_file)) + + (macro write_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev write_blk_file)) + + (macro writeinherited_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev writeinherited_blk_file))) + + (block macro_template_chr_files + + (blockabstract macro_template_chr_files) + + (macro append_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev append_chr_file)) + + (macro appendinherited_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev appendinherited_chr_file)) + + (macro create_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev create_chr_file)) + + (macro delete_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev delete_chr_file)) + + (macro manage_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev manage_chr_file)) + + (macro mapexecute_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev mapexecute_chr_file)) + + (macro read_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev read_chr_file)) + + (macro readinherited_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev readinherited_chr_file)) + + (macro readwrite_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev readwrite_chr_file)) + + (macro readwriteinherited_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev readwriteinherited_chr_file)) + + (macro relabel_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev relabel_chr_file)) + + (macro relabelfrom_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev relabelfrom_chr_file)) + + (macro relabelto_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev relabelto_chr_file)) + + (macro rename_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev rename_chr_file)) + + (macro write_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev write_chr_file)) + + (macro writeinherited_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev writeinherited_chr_file))) + + (block template + + (blockabstract template) + + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files) + (blockinherit .stordev.macro_template_chr_files)) + + (block read + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr stordev.typeattr (blk_file (read))) + (neverallow not_typeattr stordev.typeattr (chr_file (read)))) + + (block readwrite + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call read.type (typeattr)) + (call write.type (typeattr))) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr stordev.typeattr + (blk_file (not (audit_access execmod map)))) + (allow typeattr stordev.typeattr (chr_file (not (audit_access execmod)))) + + (call readwrite.type (typeattr))) + + (block write + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr stordev.typeattr (blk_file (append write))) + (neverallow not_typeattr stordev.typeattr (chr_file (append write))))) + +(in dev.unconfined + + (call .stordev.readwrite.type (typeattr))) diff --git a/src/dev/stordev/dmstordev.cil b/src/dev/stordev/dmstordev.cil new file mode 100644 index 0000000..4a0d4d9 --- /dev/null +++ b/src/dev/stordev/dmstordev.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block dm + + (filecon "/dev/dm-[0-9]+" block stordev_context) + + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/stordev/fusestordev.cil b/src/dev/stordev/fusestordev.cil new file mode 100644 index 0000000..da05a57 --- /dev/null +++ b/src/dev/stordev/fusestordev.cil @@ -0,0 +1,11 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block fuse + + (filecon "/dev/fuse" char stordev_context) + + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_chr_files) + + (call .rbacsep.exempt.obj.type (stordev))) diff --git a/src/dev/stordev/hdstordev.cil b/src/dev/stordev/hdstordev.cil new file mode 100644 index 0000000..c912513 --- /dev/null +++ b/src/dev/stordev/hdstordev.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block hd + + (filecon "/dev/hd[^/]+" block stordev_context) + + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/stordev/loopstordev.cil b/src/dev/stordev/loopstordev.cil new file mode 100644 index 0000000..d683738 --- /dev/null +++ b/src/dev/stordev/loopstordev.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block loop + + (filecon "/dev/loop.+" block stordev_context) + + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/stordev/mdstordev.cil b/src/dev/stordev/mdstordev.cil new file mode 100644 index 0000000..1aa7d84 --- /dev/null +++ b/src/dev/stordev/mdstordev.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block md + + (filecon "/dev/md[^/]+" block stordev_context) + + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/stordev/mtdstordev.cil b/src/dev/stordev/mtdstordev.cil new file mode 100644 index 0000000..f8338b8 --- /dev/null +++ b/src/dev/stordev/mtdstordev.cil @@ -0,0 +1,14 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block mtd + + (filecon "/dev/mtd[0-9]+" char stordev_context) + (filecon "/dev/mtd[0-9]+ro" char stordev_context) + (filecon "/dev/mtdblock[0-9]+" block stordev_context) + + (filecon "/dev/ubi[0-9]+_[0-9]+" char stordev_context) + (filecon "/dev/ubi_ctrl" char stordev_context) + (filecon "/dev/ubiblock[0-9]+_[0-9]+" block stordev_context) + + (blockinherit .stordev.template)) diff --git a/src/dev/stordev/nvmestordev.cil b/src/dev/stordev/nvmestordev.cil new file mode 100644 index 0000000..ce30812 --- /dev/null +++ b/src/dev/stordev/nvmestordev.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block nvme + + (filecon "/dev/ng[0-9]n[^/]+" char stordev_context) + (filecon "/dev/nvme[0-9]+" char stordev_context) + (filecon "/dev/nvme[0-9]n[^/]+" block stordev_context) + + (blockinherit .stordev.template)) diff --git a/src/dev/stordev/rawstordev.cil b/src/dev/stordev/rawstordev.cil new file mode 100644 index 0000000..f04b019 --- /dev/null +++ b/src/dev/stordev/rawstordev.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block raw + + (filecon "/dev/raw/.+" char stordev_context) + + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_chr_files)) diff --git a/src/dev/stordev/removablestordev.cil b/src/dev/stordev/removablestordev.cil new file mode 100644 index 0000000..36e8a93 --- /dev/null +++ b/src/dev/stordev/removablestordev.cil @@ -0,0 +1,17 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block removable + + (filecon "/dev/fd[^/]+" block stordev_context) + (filecon "/dev/mmcblk[0-9]+" block stordev_context) + (filecon "/dev/mmcblk[0-9]boot[^/]+" block stordev_context) + (filecon "/dev/mmcblk[0-9]p[^/]+" block stordev_context) + (filecon "/dev/mmcblk[0-9]rpmb" char stordev_context) + (filecon "/dev/mspblk[0-9]+" block stordev_context) + (filecon "/dev/mspblk[0-9]boot[^/]+" block stordev_context) + (filecon "/dev/mspblk[0-9]p[^/]+" block stordev_context) + (filecon "/dev/mspblk[0-9]rpmb" char stordev_context) + (filecon "/dev/sr[0-9]+" block stordev_context) + + (blockinherit .stordev.template)) diff --git a/src/dev/stordev/sdstordev.cil b/src/dev/stordev/sdstordev.cil new file mode 100644 index 0000000..822d45e --- /dev/null +++ b/src/dev/stordev/sdstordev.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block sd + + (filecon "/dev/sd[^/]+" block stordev_context) + + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/stordev/sgstordev.cil b/src/dev/stordev/sgstordev.cil new file mode 100644 index 0000000..3592bc3 --- /dev/null +++ b/src/dev/stordev/sgstordev.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block sg + + (filecon "/dev/bsg/.+" char stordev_context) + (filecon "/dev/sg[0-9]+" char stordev_context) + + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_chr_files)) diff --git a/src/dev/stordev/vdstordev.cil b/src/dev/stordev/vdstordev.cil new file mode 100644 index 0000000..6dd0904 --- /dev/null +++ b/src/dev/stordev/vdstordev.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block vd + + (filecon "/dev/vd[^/]+" block stordev_context) + + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/stordev/xdstordev.cil b/src/dev/stordev/xdstordev.cil new file mode 100644 index 0000000..43edd14 --- /dev/null +++ b/src/dev/stordev/xdstordev.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block xd + + (filecon "/dev/xd[^/]+" block stordev_context) + + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/stordev/zramstordev.cil b/src/dev/stordev/zramstordev.cil new file mode 100644 index 0000000..6478289 --- /dev/null +++ b/src/dev/stordev/zramstordev.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block zram + + (filecon "/dev/zram[0-9]+" block stordev_context) + + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/termdev.cil b/src/dev/termdev.cil new file mode 100644 index 0000000..93655b3 --- /dev/null +++ b/src/dev/termdev.cil @@ -0,0 +1,43 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block termdev + + (macro appendinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr appendinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (macro readwriteinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (macro writeinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_chr_files) + + (call .dev.type (typeattr)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr termdev.typeattr (chr_file (not (audit_access execmod)))))) diff --git a/src/dev/termdev/ptytermdev.cil b/src/dev/termdev/ptytermdev.cil new file mode 100644 index 0000000..4349a93 --- /dev/null +++ b/src/dev/termdev/ptytermdev.cil @@ -0,0 +1,125 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block ptytermdev + + (macro appendinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr appendinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (macro readwriteinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (macro writeinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_chr_files) + + (call .devpts.associate_fs (typeattr)) + + (call .termdev.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (context ptytermdev_context (.sys.id .sys.role ptytermdev lowlevelrange)) + + (type ptytermdev) + (call .ptytermdev.type (ptytermdev))) + + (block macro_template_chr_files + + (blockabstract macro_template_chr_files) + + (macro append_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev append_chr_file)) + + (macro appendinherited_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev appendinherited_chr_file) + (allowx ARG1 ptytermdev FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 ptytermdev IOCTLCONSOLE) + (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 ptytermdev IOCTLVT)) + + (macro create_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev create_chr_file)) + + (macro delete_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev delete_chr_file)) + + (macro manage_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev manage_chr_file)) + + (macro mapexecute_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev mapexecute_chr_file)) + + (macro read_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev read_chr_file)) + + (macro readinherited_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev readinherited_chr_file)) + + (macro readwrite_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev readwrite_chr_file)) + + (macro readwriteinherited_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev readwriteinherited_chr_file) + (allowx ARG1 ptytermdev FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 ptytermdev IOCTLCONSOLE) + (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 ptytermdev IOCTLVT)) + + (macro relabel_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev relabel_chr_file)) + + (macro relabelfrom_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev relabelfrom_chr_file)) + + (macro relabelto_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev relabelto_chr_file)) + + (macro rename_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev rename_chr_file)) + + (macro write_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev write_chr_file)) + + (macro writeinherited_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev writeinherited_chr_file) + (allowx ARG1 ptytermdev FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 ptytermdev IOCTLCONSOLE) + (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 ptytermdev IOCTLVT))) + + (block template + + (blockabstract template) + + (blockinherit .ptytermdev.base_template) + (blockinherit .ptytermdev.macro_template_chr_files)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr ptytermdev.typeattr (chr_file (not (execmod mounton)))))) diff --git a/src/dev/termdev/ptytermdev/loginptytermdev.cil b/src/dev/termdev/ptytermdev/loginptytermdev.cil new file mode 100644 index 0000000..b9019d4 --- /dev/null +++ b/src/dev/termdev/ptytermdev/loginptytermdev.cil @@ -0,0 +1,55 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block loginptytermdev + + (macro all_type_change ((type ARG1)(type ARG2)) + (typechange ARG1 typeattr chr_file ARG2)) + + (macro appendinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr appendinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (macro readwriteinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (macro writeinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_chr_files) + + (call .ptytermdev.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .ptytermdev.base_template) + + (call .loginptytermdev.type (ptytermdev))) + + (block template + + (blockabstract template) + + (macro ptytermdev_type_change ((type ARG1)(type ARG2)) + (typechange ARG1 ptytermdev chr_file ARG2)) + + (blockinherit .loginptytermdev.base_template) + (blockinherit .ptytermdev.macro_template_chr_files))) diff --git a/src/dev/termdev/ptytermdev/loginptytermdev/sysloginptytermdev.cil b/src/dev/termdev/ptytermdev/loginptytermdev/sysloginptytermdev.cil new file mode 100644 index 0000000..598a925 --- /dev/null +++ b/src/dev/termdev/ptytermdev/loginptytermdev/sysloginptytermdev.cil @@ -0,0 +1,29 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in dev.unconfined + + (call .sys.loginptytermdev_all_type_change_ptytermdev (typeattr))) + +(in ptytermdev.unconfined + + (call .sys.loginptytermdev_all_type_change_ptytermdev (typeattr))) + +(in sys + + (macro devpts_fs_type_transition_ptytermdev ((type ARG1)) + (call .devpts.fs_type_transition + (ARG1 ptytermdev chr_file "*"))) + + (macro loginptytermdev_all_type_change_ptytermdev ((type ARG1)) + (call .loginptytermdev.all_type_change + (ARG1 ptytermdev))) + + ;; support for unknown login services + (blockinherit .loginptytermdev.template) + + (call devpts_fs_type_transition_ptytermdev (subj))) + +(in termdev.unconfined + + (call .sys.loginptytermdev_all_type_change_ptytermdev (typeattr))) diff --git a/src/dev/termdev/serialtermdev.cil b/src/dev/termdev/serialtermdev.cil new file mode 100644 index 0000000..7400737 --- /dev/null +++ b/src/dev/termdev/serialtermdev.cil @@ -0,0 +1,124 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block serialtermdev + + (macro appendinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr appendinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (macro readwriteinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (macro writeinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_chr_files) + + (call .termdev.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (context serialtermdev_context + (.sys.id .sys.role serialtermdev lowlevelrange)) + + (type serialtermdev) + (call .serialtermdev.type (serialtermdev))) + + (block macro_template_chr_files + + (blockabstract macro_template_chr_files) + + (macro append_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev append_chr_file)) + + (macro appendinherited_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev appendinherited_chr_file) + (allowx ARG1 serialtermdev FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 serialtermdev IOCTLCONSOLE) + (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 serialtermdev IOCTLVT)) + + (macro create_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev create_chr_file)) + + (macro delete_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev delete_chr_file)) + + (macro manage_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev manage_chr_file)) + + (macro mapexecute_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev mapexecute_chr_file)) + + (macro read_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev read_chr_file)) + + (macro readinherited_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev readinherited_chr_file)) + + (macro readwrite_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev readwrite_chr_file)) + + (macro readwriteinherited_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev readwriteinherited_chr_file) + (allowx ARG1 serialtermdev FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 serialtermdev IOCTLCONSOLE) + (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 serialtermdev IOCTLVT)) + + (macro relabel_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev relabel_chr_file)) + + (macro relabelfrom_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev relabelfrom_chr_file)) + + (macro relabelto_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev relabelto_chr_file)) + + (macro rename_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev rename_chr_file)) + + (macro write_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev write_chr_file)) + + (macro writeinherited_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev writeinherited_chr_file) + (allowx ARG1 serialtermdev FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 serialtermdev IOCTLCONSOLE) + (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 serialtermdev IOCTLVT))) + + (block template + + (blockabstract template) + + (blockinherit .serialtermdev.base_template) + (blockinherit .serialtermdev.macro_template_chr_files)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr serialtermdev.typeattr (chr_file (not (execmod mounton)))))) diff --git a/src/dev/termdev/serialtermdev/acmserialtermdev.cil b/src/dev/termdev/serialtermdev/acmserialtermdev.cil new file mode 100644 index 0000000..ca8a1cb --- /dev/null +++ b/src/dev/termdev/serialtermdev/acmserialtermdev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block acm + + (filecon "/dev/ttyACM[0-9]+" char serialtermdev_context) + + (blockinherit .serialtermdev.template)) diff --git a/src/dev/termdev/serialtermdev/consoleserialtermdev.cil b/src/dev/termdev/serialtermdev/consoleserialtermdev.cil new file mode 100644 index 0000000..08b2736 --- /dev/null +++ b/src/dev/termdev/serialtermdev/consoleserialtermdev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block console + + (filecon "/dev/console" char serialtermdev_context) + + (blockinherit .serialtermdev.template)) diff --git a/src/dev/termdev/serialtermdev/loginserialtermdev.cil b/src/dev/termdev/serialtermdev/loginserialtermdev.cil new file mode 100644 index 0000000..2580dbe --- /dev/null +++ b/src/dev/termdev/serialtermdev/loginserialtermdev.cil @@ -0,0 +1,55 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block loginserialtermdev + + (macro all_type_change ((type ARG1)(type ARG2)) + (typechange ARG1 typeattr chr_file ARG2)) + + (macro appendinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr appendinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (macro readwriteinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (macro writeinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_chr_file) + (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE) + (allowx ARG1 typeattr IOCTLCONSOLE) + (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 typeattr IOCTLVT)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_chr_files) + + (call .serialtermdev.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .serialtermdev.base_template) + + (call .loginserialtermdev.type (serialtermdev))) + + (block template + + (blockabstract template) + + (macro serialtermdev_type_change ((type ARG1)(type ARG2)) + (typechange ARG1 serialtermdev chr_file ARG2)) + + (blockinherit .loginserialtermdev.base_template) + (blockinherit .serialtermdev.macro_template_chr_files))) diff --git a/src/dev/termdev/serialtermdev/loginserialtermdev/ttyloginserialtermdev.cil b/src/dev/termdev/serialtermdev/loginserialtermdev/ttyloginserialtermdev.cil new file mode 100644 index 0000000..5919dbe --- /dev/null +++ b/src/dev/termdev/serialtermdev/loginserialtermdev/ttyloginserialtermdev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in tty + + (filecon "/dev/tty.+" char serialtermdev_context) + + (blockinherit .loginserialtermdev.template)) diff --git a/src/dev/termdev/serialtermdev/msmserialtermdev.cil b/src/dev/termdev/serialtermdev/msmserialtermdev.cil new file mode 100644 index 0000000..1f97fbf --- /dev/null +++ b/src/dev/termdev/serialtermdev/msmserialtermdev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block msm + + (filecon "/dev/ttyMSM[0-9]+" char serialtermdev_context) + + (blockinherit .serialtermdev.template)) diff --git a/src/dev/termdev/serialtermdev/sysserialtermdev.cil b/src/dev/termdev/serialtermdev/sysserialtermdev.cil new file mode 100644 index 0000000..751f057 --- /dev/null +++ b/src/dev/termdev/serialtermdev/sysserialtermdev.cil @@ -0,0 +1,22 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in dev.unconfined + + (call .sys.loginserialtermdev_all_type_change_serialtermdev (typeattr))) + +(in serialtermdev.unconfined + + (call .sys.loginserialtermdev_all_type_change_serialtermdev (typeattr))) + +(in sys + + (macro loginserialtermdev_all_type_change_serialtermdev ((type ARG1)) + (call .loginserialtermdev.all_type_change + (ARG1 serialtermdev))) + + (blockinherit .serialtermdev.template)) + +(in termdev.unconfined + + (call .sys.loginserialtermdev_all_type_change_serialtermdev (typeattr))) diff --git a/src/dev/termdev/serialtermdev/usbserialtermdev.cil b/src/dev/termdev/serialtermdev/usbserialtermdev.cil new file mode 100644 index 0000000..e11591e --- /dev/null +++ b/src/dev/termdev/serialtermdev/usbserialtermdev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in usb + + (filecon "/dev/ttyUSB[0-9]+" char serialtermdev_context) + + (blockinherit .serialtermdev.template)) diff --git a/src/dev/termdev/serialtermdev/vcsserialtermdev.cil b/src/dev/termdev/serialtermdev/vcsserialtermdev.cil new file mode 100644 index 0000000..5534907 --- /dev/null +++ b/src/dev/termdev/serialtermdev/vcsserialtermdev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block vcs + + (filecon "/dev/vcs[^/]*" char serialtermdev_context) + + (blockinherit .serialtermdev.template)) diff --git a/src/dev/termdev/serialtermdev/vportserialtermdev.cil b/src/dev/termdev/serialtermdev/vportserialtermdev.cil new file mode 100644 index 0000000..c998b56 --- /dev/null +++ b/src/dev/termdev/serialtermdev/vportserialtermdev.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block vport + + (filecon "/dev/vport[0-9]p[0-9]+" char serialtermdev_context) + + (blockinherit .serialtermdev.template)) diff --git a/src/file.cil b/src/file.cil new file mode 100644 index 0000000..69e92d8 --- /dev/null +++ b/src/file.cil @@ -0,0 +1,846 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block file + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit all_macro_template_all_files) + (blockinherit all_macro_template_blk_files) + (blockinherit all_macro_template_chr_files) + (blockinherit all_macro_template_dirs) + (blockinherit all_macro_template_fifo_files) + (blockinherit all_macro_template_files) + (blockinherit all_macro_template_lnk_files) + (blockinherit all_macro_template_sock_files) + + (call .obj.type (typeattr)) + + (block all_macro_template_all_files + + (blockabstract all_macro_template_all_files) + + (macro create_all_file ((type ARG1)) + (allow ARG1 typeattr (files (create)))) + + (macro delete_all_file ((type ARG1)) + (allow ARG1 typeattr (files (delete)))) + + (macro manage_all_file ((type ARG1)) + (allow ARG1 typeattr (files (manage)))) + + (macro read_all_file ((type ARG1)) + (allow ARG1 typeattr (files (read)))) + + (macro readwrite_all_file ((type ARG1)) + (allow ARG1 typeattr (files (readwrite)))) + + (macro relabel_all_file ((type ARG1)) + (allow ARG1 typeattr (files (relabel)))) + + (macro relabelfrom_all_file ((type ARG1)) + (allow ARG1 typeattr (files (relabelfrom)))) + + (macro relabelto_all_file ((type ARG1)) + (allow ARG1 typeattr (files (relabelto)))) + + (macro rename_all_file ((type ARG1)) + (allow ARG1 typeattr (files (rename)))) + + (macro write_all_file ((type ARG1)) + (allow ARG1 typeattr (files (write))))) + + (block all_macro_template_blk_files + + (blockabstract all_macro_template_blk_files) + + (macro append_all_blk_files ((type ARG1)) + (allow ARG1 typeattr append_blk_file)) + + (macro appendinherited_all_blk_files ((type ARG1)) + (allow ARG1 typeattr appendinherited_blk_file)) + + (macro create_all_blk_files ((type ARG1)) + (allow ARG1 typeattr create_blk_file)) + + (macro delete_all_blk_files ((type ARG1)) + (allow ARG1 typeattr delete_blk_file)) + + (macro manage_all_blk_files ((type ARG1)) + (allow ARG1 typeattr manage_blk_file)) + + (macro read_all_blk_files ((type ARG1)) + (allow ARG1 typeattr read_blk_file)) + + (macro readinherited_all_blk_files ((type ARG1)) + (allow ARG1 typeattr readinherited_blk_file)) + + (macro readwrite_all_blk_files ((type ARG1)) + (allow ARG1 typeattr readwrite_blk_file)) + + (macro readwriteinherited_all_blk_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_blk_file)) + + (macro relabel_all_blk_files ((type ARG1)) + (allow ARG1 typeattr relabel_blk_file)) + + (macro relabelfrom_all_blk_files ((type ARG1)) + (allow ARG1 typeattr relabelfrom_blk_file)) + + (macro relabelto_all_blk_files ((type ARG1)) + (allow ARG1 typeattr relabelto_blk_file)) + + (macro rename_all_blk_files ((type ARG1)) + (allow ARG1 typeattr rename_blk_file)) + + (macro write_all_blk_files ((type ARG1)) + (allow ARG1 typeattr write_blk_file)) + + (macro writeinherited_all_blk_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_blk_file))) + + (block all_macro_template_chr_files + + (blockabstract all_macro_template_chr_files) + + (macro append_all_chr_files ((type ARG1)) + (allow ARG1 typeattr append_chr_file)) + + (macro appendinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr appendinherited_chr_file)) + + (macro create_all_chr_files ((type ARG1)) + (allow ARG1 typeattr create_chr_file)) + + (macro delete_all_chr_files ((type ARG1)) + (allow ARG1 typeattr delete_chr_file)) + + (macro manage_all_chr_files ((type ARG1)) + (allow ARG1 typeattr manage_chr_file)) + + (macro mapexecute_all_chr_files ((type ARG1)) + (allow ARG1 typeattr mapexecute_chr_file)) + + (macro read_all_chr_files ((type ARG1)) + (allow ARG1 typeattr read_chr_file)) + + (macro readinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr readinherited_chr_file)) + + (macro readwrite_all_chr_files ((type ARG1)) + (allow ARG1 typeattr readwrite_chr_file)) + + (macro readwriteinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_chr_file)) + + (macro relabel_all_chr_files ((type ARG1)) + (allow ARG1 typeattr relabel_chr_file)) + + (macro relabelfrom_all_chr_files ((type ARG1)) + (allow ARG1 typeattr relabelfrom_chr_file)) + + (macro relabelto_all_chr_files ((type ARG1)) + (allow ARG1 typeattr relabelto_chr_file)) + + (macro rename_all_chr_files ((type ARG1)) + (allow ARG1 typeattr rename_chr_file)) + + (macro write_all_chr_files ((type ARG1)) + (allow ARG1 typeattr write_chr_file)) + + (macro writeinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_chr_file))) + + (block all_macro_template_dirs + + (blockabstract all_macro_template_dirs) + + (macro addname_all_dirs ((type ARG1)) + (allow ARG1 typeattr addname_dir)) + + (macro create_all_dirs ((type ARG1)) + (allow ARG1 typeattr create_dir)) + + (macro delete_all_dirs ((type ARG1)) + (allow ARG1 typeattr delete_dir)) + + (macro deletename_all_dirs ((type ARG1)) + (allow ARG1 typeattr deletename_dir)) + + (macro list_all_dirs ((type ARG1)) + (allow ARG1 typeattr list_dir)) + + (macro listinherited_all_dirs ((type ARG1)) + (allow ARG1 typeattr listinherited_dir)) + + (macro manage_all_dirs ((type ARG1)) + (allow ARG1 typeattr manage_dir)) + + (macro mounton_all_dirs ((type ARG1)) + (allow ARG1 typeattr mounton_dir)) + + (macro all_type_transition ((type ARG1)(type ARG2)(class ARG3)(name ARG4)) + (typetransition ARG1 typeattr ARG3 ARG4 ARG2) + (call addname_all_dirs (ARG1))) + + (macro readwrite_all_dirs ((type ARG1)) + (allow ARG1 typeattr readwrite_dir)) + + (macro readwriteinherited_all_dirs ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_dir)) + + (macro relabel_all_dirs ((type ARG1)) + (allow ARG1 typeattr relabel_dir)) + + (macro relabelfrom_all_dirs ((type ARG1)) + (allow ARG1 typeattr relabelfrom_dir)) + + (macro relabelto_all_dirs ((type ARG1)) + (allow ARG1 typeattr relabelto_dir)) + + (macro rename_all_dirs ((type ARG1)) + (allow ARG1 typeattr rename_dir)) + + (macro search_all_dirs ((type ARG1)) + (allow ARG1 typeattr search_dir)) + + (macro write_all_dirs ((type ARG1)) + (allow ARG1 typeattr write_dir)) + + (macro writeinherited_all_dirs ((type ARG1)) + (allow ARG1 typeattr writeinherited_dir))) + + (block all_macro_template_fifo_files + + (blockabstract all_macro_template_fifo_files) + + (macro append_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr append_fifo_file)) + + (macro appendinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr appendinherited_fifo_file)) + + (macro create_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr create_fifo_file)) + + (macro delete_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr delete_fifo_file)) + + (macro manage_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr manage_fifo_file)) + + (macro read_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr read_fifo_file)) + + (macro readinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr readinherited_fifo_file)) + + (macro readwrite_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr readwrite_fifo_file)) + + (macro readwriteinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_fifo_file)) + + (macro relabel_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr relabel_fifo_file)) + + (macro relabelfrom_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr relabelfrom_fifo_file)) + + (macro relabelto_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr relabelto_fifo_file)) + + (macro rename_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr rename_fifo_file)) + + (macro write_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr write_fifo_file)) + + (macro writeinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_fifo_file))) + + (block all_macro_template_files + + (blockabstract all_macro_template_files) + + (macro append_all_files ((type ARG1)) + (allow ARG1 typeattr append_file)) + + (macro appendinherited_all_files ((type ARG1)) + (allow ARG1 typeattr appendinherited_file)) + + (macro create_all_files ((type ARG1)) + (allow ARG1 typeattr create_file)) + + (macro delete_all_files ((type ARG1)) + (allow ARG1 typeattr delete_file)) + + (macro execute_all_files ((type ARG1)) + (allow ARG1 typeattr execute_file)) + + (macro manage_all_files ((type ARG1)) + (allow ARG1 typeattr manage_file)) + + (macro mapexecute_all_files ((type ARG1)) + (allow ARG1 typeattr mapexecute_file)) + + (macro mounton_all_files ((type ARG1)) + (allow ARG1 typeattr mounton_file)) + + (macro read_all_files ((type ARG1)) + (allow ARG1 typeattr read_file)) + + (macro readinherited_all_files ((type ARG1)) + (allow ARG1 typeattr readinherited_file)) + + (macro readwrite_all_files ((type ARG1)) + (allow ARG1 typeattr readwrite_file)) + + (macro readwriteinherited_all_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_file)) + + (macro relabel_all_files ((type ARG1)) + (allow ARG1 typeattr relabel_file)) + + (macro relabelfrom_all_files ((type ARG1)) + (allow ARG1 typeattr relabelfrom_file)) + + (macro relabelto_all_files ((type ARG1)) + (allow ARG1 typeattr relabelto_file)) + + (macro rename_all_files ((type ARG1)) + (allow ARG1 typeattr rename_file)) + + (macro write_all_files ((type ARG1)) + (allow ARG1 typeattr write_file)) + + (macro writeinherited_all_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_file))) + + (block all_macro_template_lnk_files + + (blockabstract all_macro_template_lnk_files) + + (macro create_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr create_lnk_file)) + + (macro delete_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr delete_lnk_file)) + + (macro manage_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr manage_lnk_file)) + + (macro read_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr read_lnk_file)) + + (macro readwrite_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr readwrite_lnk_file)) + + (macro relabel_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr relabel_lnk_file)) + + (macro relabelfrom_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr relabelfrom_lnk_file)) + + (macro relabelto_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr relabelto_lnk_file)) + + (macro rename_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr rename_lnk_file)) + + (macro write_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr write_lnk_file))) + + (block all_macro_template_sock_files + + (blockabstract all_macro_template_sock_files) + + (macro create_all_sock_files ((type ARG1)) + (allow ARG1 typeattr create_sock_file)) + + (macro delete_all_sock_files ((type ARG1)) + (allow ARG1 typeattr delete_sock_file)) + + (macro manage_all_sock_files ((type ARG1)) + (allow ARG1 typeattr manage_sock_file)) + + (macro read_all_sock_files ((type ARG1)) + (allow ARG1 typeattr read_sock_file)) + + (macro readinherited_all_sock_files ((type ARG1)) + (allow ARG1 typeattr readinherited_sock_file)) + + (macro readwrite_all_sock_files ((type ARG1)) + (allow ARG1 typeattr readwrite_sock_file)) + + (macro readwriteinherited_all_sock_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_sock_file)) + + (macro relabel_all_sock_files ((type ARG1)) + (allow ARG1 typeattr relabel_sock_file)) + + (macro relabelfrom_all_sock_files ((type ARG1)) + (allow ARG1 typeattr relabelfrom_sock_file)) + + (macro relabelto_all_sock_files ((type ARG1)) + (allow ARG1 typeattr relabelto_sock_file)) + + (macro rename_all_sock_files ((type ARG1)) + (allow ARG1 typeattr rename_sock_file)) + + (macro write_all_sock_files ((type ARG1)) + (allow ARG1 typeattr write_sock_file)) + + (macro writeinherited_all_sock_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_sock_file))) + + (block base_template + + (blockabstract base_template) + + (context file_context (.sys.id .sys.role file lowlevelrange)) + + (type file) + (call .file.type (file))) + + (block except + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_all_files) + (blockinherit file.all_macro_template_blk_files) + (blockinherit file.all_macro_template_chr_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) + + (typeattribute typeattr) + + (typeattributeset typeattr (and file.typeattr (not (exception.typeattr))))) + + (block exception + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call file.type (typeattr))) + + (block macro_template_all_files + + (blockabstract macro_template_all_files) + + (macro create_file ((type ARG1)) + (allow ARG1 file (files (create)))) + + (macro delete_file ((type ARG1)) + (allow ARG1 file (files (delete)))) + + (macro manage_file ((type ARG1)) + (allow ARG1 file (files (manage)))) + + (macro read_file ((type ARG1)) + (allow ARG1 file (files (read)))) + + (macro readwrite_file ((type ARG1)) + (allow ARG1 file (files (readwrite)))) + + (macro relabel_file ((type ARG1)) + (allow ARG1 file (files (relabel)))) + + (macro relabelfrom_file ((type ARG1)) + (allow ARG1 file (files (relabelfrom)))) + + (macro relabelto_file ((type ARG1)) + (allow ARG1 file (files (relabelto)))) + + (macro rename_file ((type ARG1)) + (allow ARG1 file (files (rename)))) + + (macro write_file ((type ARG1)) + (allow ARG1 file (files (write))))) + + (block macro_template_blk_files + + (blockabstract macro_template_blk_files) + + (macro append_file_blk_files ((type ARG1)) + (allow ARG1 file append_blk_file)) + + (macro appendinherited_file_blk_files ((type ARG1)) + (allow ARG1 file appendinherited_blk_file)) + + (macro create_file_blk_files ((type ARG1)) + (allow ARG1 file create_blk_file)) + + (macro delete_file_blk_files ((type ARG1)) + (allow ARG1 file delete_blk_file)) + + (macro manage_file_blk_files ((type ARG1)) + (allow ARG1 file manage_blk_file)) + + (macro read_file_blk_files ((type ARG1)) + (allow ARG1 file read_blk_file)) + + (macro readinherited_file_blk_files ((type ARG1)) + (allow ARG1 file readinherited_blk_file)) + + (macro readwrite_file_blk_files ((type ARG1)) + (allow ARG1 file readwrite_blk_file)) + + (macro readwriteinherited_file_blk_files ((type ARG1)) + (allow ARG1 file readwriteinherited_blk_file)) + + (macro relabel_file_blk_files ((type ARG1)) + (allow ARG1 file relabel_blk_file)) + + (macro relabelfrom_file_blk_files ((type ARG1)) + (allow ARG1 file relabelfrom_blk_file)) + + (macro relabelto_file_blk_files ((type ARG1)) + (allow ARG1 file relabelto_blk_file)) + + (macro rename_file_blk_files ((type ARG1)) + (allow ARG1 file rename_blk_file)) + + (macro write_file_blk_files ((type ARG1)) + (allow ARG1 file write_blk_file)) + + (macro writeinherited_file_blk_files ((type ARG1)) + (allow ARG1 file writeinherited_blk_file))) + + (block macro_template_chr_files + + (blockabstract macro_template_chr_files) + + (macro append_file_chr_files ((type ARG1)) + (allow ARG1 file append_chr_file)) + + (macro appendinherited_file_chr_files ((type ARG1)) + (allow ARG1 file appendinherited_chr_file)) + + (macro create_file_chr_files ((type ARG1)) + (allow ARG1 file create_chr_file)) + + (macro delete_file_chr_files ((type ARG1)) + (allow ARG1 file delete_chr_file)) + + (macro manage_file_chr_files ((type ARG1)) + (allow ARG1 file manage_chr_file)) + + (macro mapexecute_file_chr_files ((type ARG1)) + (allow ARG1 file mapexecute_chr_file)) + + (macro read_file_chr_files ((type ARG1)) + (allow ARG1 file read_chr_file)) + + (macro readinherited_file_chr_files ((type ARG1)) + (allow ARG1 file readinherited_chr_file)) + + (macro readwrite_file_chr_files ((type ARG1)) + (allow ARG1 file readwrite_chr_file)) + + (macro readwriteinherited_file_chr_files ((type ARG1)) + (allow ARG1 file readwriteinherited_chr_file)) + + (macro relabel_file_chr_files ((type ARG1)) + (allow ARG1 file relabel_chr_file)) + + (macro relabelfrom_file_chr_files ((type ARG1)) + (allow ARG1 file relabelfrom_chr_file)) + + (macro relabelto_file_chr_files ((type ARG1)) + (allow ARG1 file relabelto_chr_file)) + + (macro rename_file_chr_files ((type ARG1)) + (allow ARG1 file rename_chr_file)) + + (macro write_file_chr_files ((type ARG1)) + (allow ARG1 file write_chr_file)) + + (macro writeinherited_file_chr_files ((type ARG1)) + (allow ARG1 file writeinherited_chr_file))) + + (block macro_template_dirs + + (blockabstract macro_template_dirs) + + (macro addname_file_dirs ((type ARG1)) + (allow ARG1 file addname_dir)) + + (macro create_file_dirs ((type ARG1)) + (allow ARG1 file create_dir)) + + (macro delete_file_dirs ((type ARG1)) + (allow ARG1 file delete_dir)) + + (macro deletename_file_dirs ((type ARG1)) + (allow ARG1 file deletename_dir)) + + (macro list_file_dirs ((type ARG1)) + (allow ARG1 file list_dir)) + + (macro listinherited_file_dirs ((type ARG1)) + (allow ARG1 file listinherited_dir)) + + (macro manage_file_dirs ((type ARG1)) + (allow ARG1 file manage_dir)) + + (macro mounton_file_dirs ((type ARG1)) + (allow ARG1 file mounton_dir)) + + (macro file_type_transition ((type ARG1)(type ARG2)(class ARG3)(name ARG4)) + (typetransition ARG1 file ARG3 ARG4 ARG2) + (call addname_file_dirs (ARG1))) + + (macro readwrite_file_dirs ((type ARG1)) + (allow ARG1 file readwrite_dir)) + + (macro readwriteinherited_file_dirs ((type ARG1)) + (allow ARG1 file readwriteinherited_dir)) + + (macro relabel_file_dirs ((type ARG1)) + (allow ARG1 file relabel_dir)) + + (macro relabelfrom_file_dirs ((type ARG1)) + (allow ARG1 file relabelfrom_dir)) + + (macro relabelto_file_dirs ((type ARG1)) + (allow ARG1 file relabelto_dir)) + + (macro rename_file_dirs ((type ARG1)) + (allow ARG1 file rename_dir)) + + (macro search_file_dirs ((type ARG1)) + (allow ARG1 file search_dir)) + + (macro write_file_dirs ((type ARG1)) + (allow ARG1 file write_dir)) + + (macro writeinherited_file_dirs ((type ARG1)) + (allow ARG1 file writeinherited_dir))) + + (block macro_template_fifo_files + + (blockabstract macro_template_fifo_files) + + (macro append_file_fifo_files ((type ARG1)) + (allow ARG1 file append_fifo_file)) + + (macro appendinherited_file_fifo_files ((type ARG1)) + (allow ARG1 file appendinherited_fifo_file)) + + (macro create_file_fifo_files ((type ARG1)) + (allow ARG1 file create_fifo_file)) + + (macro delete_file_fifo_files ((type ARG1)) + (allow ARG1 file delete_fifo_file)) + + (macro manage_file_fifo_files ((type ARG1)) + (allow ARG1 file manage_fifo_file)) + + (macro read_file_fifo_files ((type ARG1)) + (allow ARG1 file read_fifo_file)) + + (macro readinherited_file_fifo_files ((type ARG1)) + (allow ARG1 file readinherited_fifo_file)) + + (macro readwrite_file_fifo_files ((type ARG1)) + (allow ARG1 file readwrite_fifo_file)) + + (macro readwriteinherited_file_fifo_files ((type ARG1)) + (allow ARG1 file readwriteinherited_fifo_file)) + + (macro relabel_file_fifo_files ((type ARG1)) + (allow ARG1 file relabel_fifo_file)) + + (macro relabelfrom_file_fifo_files ((type ARG1)) + (allow ARG1 file relabelfrom_fifo_file)) + + (macro relabelto_file_fifo_files ((type ARG1)) + (allow ARG1 file relabelto_fifo_file)) + + (macro rename_file_fifo_files ((type ARG1)) + (allow ARG1 file rename_fifo_file)) + + (macro write_file_fifo_files ((type ARG1)) + (allow ARG1 file write_fifo_file)) + + (macro writeinherited_file_fifo_files ((type ARG1)) + (allow ARG1 file writeinherited_fifo_file))) + + (block macro_template_files + + (blockabstract macro_template_files) + + (macro append_file_files ((type ARG1)) + (allow ARG1 file append_file)) + + (macro appendinherited_file_files ((type ARG1)) + (allow ARG1 file appendinherited_file)) + + (macro create_file_files ((type ARG1)) + (allow ARG1 file create_file)) + + (macro delete_file_files ((type ARG1)) + (allow ARG1 file delete_file)) + + (macro execute_file_files ((type ARG1)) + (allow ARG1 file execute_file)) + + (macro manage_file_files ((type ARG1)) + (allow ARG1 file manage_file)) + + (macro mapexecute_file_files ((type ARG1)) + (allow ARG1 file mapexecute_file)) + + (macro mounton_file_files ((type ARG1)) + (allow ARG1 file mounton_file)) + + (macro read_file_files ((type ARG1)) + (allow ARG1 file read_file)) + + (macro readinherited_file_files ((type ARG1)) + (allow ARG1 file readinherited_file)) + + (macro readwrite_file_files ((type ARG1)) + (allow ARG1 file readwrite_file)) + + (macro readwriteinherited_file_files ((type ARG1)) + (allow ARG1 file readwriteinherited_file)) + + (macro relabel_file_files ((type ARG1)) + (allow ARG1 file relabel_file)) + + (macro relabelfrom_file_files ((type ARG1)) + (allow ARG1 file relabelfrom_file)) + + (macro relabelto_file_files ((type ARG1)) + (allow ARG1 file relabelto_file)) + + (macro rename_file_files ((type ARG1)) + (allow ARG1 file rename_file)) + + (macro write_file_files ((type ARG1)) + (allow ARG1 file write_file)) + + (macro writeinherited_file_files ((type ARG1)) + (allow ARG1 file writeinherited_file))) + + (block macro_template_lnk_files + + (blockabstract macro_template_lnk_files) + + (macro create_file_lnk_files ((type ARG1)) + (allow ARG1 file create_lnk_file)) + + (macro delete_file_lnk_files ((type ARG1)) + (allow ARG1 file delete_lnk_file)) + + (macro manage_file_lnk_files ((type ARG1)) + (allow ARG1 file manage_lnk_file)) + + (macro read_file_lnk_files ((type ARG1)) + (allow ARG1 file read_lnk_file)) + + (macro readwrite_file_lnk_files ((type ARG1)) + (allow ARG1 file readwrite_lnk_file)) + + (macro relabel_file_lnk_files ((type ARG1)) + (allow ARG1 file relabel_lnk_file)) + + (macro relabelfrom_file_lnk_files ((type ARG1)) + (allow ARG1 file relabelfrom_lnk_file)) + + (macro relabelto_file_lnk_files ((type ARG1)) + (allow ARG1 file relabelto_lnk_file)) + + (macro rename_file_lnk_files ((type ARG1)) + (allow ARG1 file rename_lnk_file)) + + (macro write_file_lnk_files ((type ARG1)) + (allow ARG1 file write_lnk_file))) + + (block macro_template_sock_files + + (blockabstract macro_template_sock_files) + + (macro create_file_sock_files ((type ARG1)) + (allow ARG1 file create_sock_file)) + + (macro delete_file_sock_files ((type ARG1)) + (allow ARG1 file delete_sock_file)) + + (macro manage_file_sock_files ((type ARG1)) + (allow ARG1 file manage_sock_file)) + + (macro read_file_sock_files ((type ARG1)) + (allow ARG1 file read_sock_file)) + + (macro readinherited_file_sock_files ((type ARG1)) + (allow ARG1 file readinherited_sock_file)) + + (macro readwrite_file_sock_files ((type ARG1)) + (allow ARG1 file readwrite_sock_file)) + + (macro readwriteinherited_file_sock_files ((type ARG1)) + (allow ARG1 file readwriteinherited_sock_file)) + + (macro relabel_file_sock_files ((type ARG1)) + (allow ARG1 file relabel_sock_file)) + + (macro relabelfrom_file_sock_files ((type ARG1)) + (allow ARG1 file relabelfrom_sock_file)) + + (macro relabelto_file_sock_files ((type ARG1)) + (allow ARG1 file relabelto_sock_file)) + + (macro rename_file_sock_files ((type ARG1)) + (allow ARG1 file rename_sock_file)) + + (macro write_file_sock_files ((type ARG1)) + (allow ARG1 file write_sock_file)) + + (macro writeinherited_file_sock_files ((type ARG1)) + (allow ARG1 file writeinherited_sock_file))) + + (block template + + (blockabstract template) + + (blockinherit .file.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr file.typeattr + (blk_file (not (audit_access execmod map mounton)))) + (allow typeattr file.typeattr + (chr_file (not (audit_access execmod mounton)))) + (allow typeattr file.typeattr (dir (not (audit_access execmod)))) + (allow typeattr file.typeattr + (fifo_file (not (audit_access execmod map mounton)))) + (allow typeattr file.typeattr + (file (not (audit_access entrypoint execmod)))) + (allow typeattr file.typeattr + (lnk_file (not (audit_access execmod map mounton)))) + (allow typeattr file.typeattr + (sock_file (not (audit_access execmod map)))))) + +(in unconfined + + (call .file.unconfined.type (typeattr))) diff --git a/src/file/authfile.cil b/src/file/authfile.cil new file mode 100644 index 0000000..a458691 --- /dev/null +++ b/src/file/authfile.cil @@ -0,0 +1,67 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in file + + (call auth.relabelto.type (unconfined.typeattr)) + (call auth.write.type (unconfined.typeattr)) + + (block auth + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) + + (typeattribute typeattr) + + (call exception.type (typeattr)) + + (call .xattr.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.auth.type (file))) + + (block relabelto + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr auth.typeattr (file (relabelto)))) + + (block template + + (blockabstract template) + + (blockinherit .file.auth.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_fifo_files) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.macro_template_sock_files)) + + (block write + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr auth.typeattr (file (append write)))))) diff --git a/src/file/bootfile.cil b/src/file/bootfile.cil new file mode 100644 index 0000000..fa4f003 --- /dev/null +++ b/src/file/bootfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block boot + + (blockinherit .file.boot.template)) + +(in file + + (block boot + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + + (typeattribute typeattr) + + (call file.type (typeattr)) + + (call .xattr.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.boot.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.boot.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files)))) diff --git a/src/file/bootflagfile.cil b/src/file/bootflagfile.cil new file mode 100644 index 0000000..eb6c82b --- /dev/null +++ b/src/file/bootflagfile.cil @@ -0,0 +1,32 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in file + + (block bootflag + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_files) + + (typeattribute typeattr) + + (call file.type (typeattr)) + + (call .xattr.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.bootflag.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.bootflag.base_template) + (blockinherit .file.macro_template_files)))) diff --git a/src/file/certfile.cil b/src/file/certfile.cil new file mode 100644 index 0000000..0fb5797 --- /dev/null +++ b/src/file/certfile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block cert + + (blockinherit .file.cert.template)) + +(in file + + (block cert + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + + (typeattribute typeattr) + + (call file.type (typeattr)) + + (call .xattr.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.cert.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.cert.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files)))) diff --git a/src/file/conffile.cil b/src/file/conffile.cil new file mode 100644 index 0000000..09dce6c --- /dev/null +++ b/src/file/conffile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block conf + + (blockinherit .file.conf.template)) + +(in file + + (block conf + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + + (typeattribute typeattr) + + (call file.type (typeattr)) + + (call .xattr.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.conf.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.conf.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files)))) diff --git a/src/file/datafile.cil b/src/file/datafile.cil new file mode 100644 index 0000000..758fe12 --- /dev/null +++ b/src/file/datafile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block data + + (blockinherit .file.data.template)) + +(in file + + (block data + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + + (typeattribute typeattr) + + (call file.type (typeattr)) + + (call .xattr.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.data.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.data.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files)))) diff --git a/src/file/datafile/execfile.cil b/src/file/datafile/execfile.cil new file mode 100644 index 0000000..e7926a2 --- /dev/null +++ b/src/file/datafile/execfile.cil @@ -0,0 +1,59 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block exec + + (blockinherit .file.exec.template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_lnk_files)) + +(in file + + (block exec + + (macro entrypoint_all_files ((type ARG1)) + (allow ARG1 typeattr (file (entrypoint)))) + + (macro getattr_all_files ((type ARG1)) + (allow ARG1 typeattr (file (getattr)))) + + (macro map_all_files ((type ARG1)) + (allow ARG1 typeattr (file (map)))) + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_files) + + (typeattribute typeattr) + + (call data.type (typeattr)) + + (call .subj.entry.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.exec.type (file))) + + (block template + + (blockabstract template) + + (macro entrypoint_file_files ((type ARG1)) + (allow ARG1 file (file (entrypoint)))) + + (macro getattr_file_files ((type ARG1)) + (allow ARG1 file (file (getattr)))) + + (macro map_file_files ((type ARG1)) + (allow ARG1 file (file (map)))) + + (macro subj_type_transition ((type ARG1)(type ARG2)) + (typetransition ARG1 file process ARG2)) + + (blockinherit .file.exec.base_template) + (blockinherit .file.macro_template_files)))) diff --git a/src/file/datafile/libfile.cil b/src/file/datafile/libfile.cil new file mode 100644 index 0000000..4730264 --- /dev/null +++ b/src/file/datafile/libfile.cil @@ -0,0 +1,51 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block lib + + (blockinherit .file.lib.template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_lnk_files)) + +(block textrel + + (block lib + + (macro execmod_file_files ((type ARG1)) + (allow ARG1 file (file (execmod)))) + + (blockinherit .file.lib.template))) + +(in file + + (block lib + + (macro map_all_files ((type ARG1)) + (allow ARG1 typeattr (file (map)))) + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_files) + + (typeattribute typeattr) + + (call data.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.lib.type (file))) + + (block template + + (blockabstract template) + + (macro map_file_files ((type ARG1)) + (allow ARG1 file (file (map)))) + + (blockinherit .file.lib.base_template) + (blockinherit .file.macro_template_files)))) diff --git a/src/file/datafile/modfile.cil b/src/file/datafile/modfile.cil new file mode 100644 index 0000000..76f4fd7 --- /dev/null +++ b/src/file/datafile/modfile.cil @@ -0,0 +1,56 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block mod + + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.mod.template)) + +(in file + + (block mod + + (macro load_all_files ((type ARG1)) + (allow ARG1 typeattr (system (module_load)))) + + (macro map_all_files ((type ARG1)) + (allow ARG1 typeattr (file (map)))) + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_files) + + (typeattribute typeattr) + + (call data.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.mod.type (file))) + + (block template + + (blockabstract template) + + (macro load_file_files ((type ARG1)) + (allow ARG1 file (system (module_load)))) + + (macro map_file_files ((type ARG1)) + (allow ARG1 file (file (map)))) + + (blockinherit .file.macro_template_files) + (blockinherit .file.mod.base_template)))) + +(in sys + + (call .file.mod.load_all_files (unconfined.typeattr))) + +(in sys.moduleload + + (neverallow not_typeattr .file.mod.typeattr (system (module_load)))) diff --git a/src/file/datafile/srcfile.cil b/src/file/datafile/srcfile.cil new file mode 100644 index 0000000..c18a4d5 --- /dev/null +++ b/src/file/datafile/srcfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block src + + (blockinherit .file.data.template) + + (call .xattr.associate_fs (file))) diff --git a/src/file/devfile.cil b/src/file/devfile.cil new file mode 100644 index 0000000..7c8863a --- /dev/null +++ b/src/file/devfile.cil @@ -0,0 +1,50 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in dev + + (blockinherit .file.dev.template) + (blockinherit .file.macro_template_all_files) + (blockinherit .file.macro_template_blk_files) + (blockinherit .file.macro_template_chr_files)) + +(in file + + (block dev + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_all_files) + (blockinherit file.all_macro_template_blk_files) + (blockinherit file.all_macro_template_chr_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) + + (typeattribute typeattr) + + (call file.type (typeattr)) + + (call .devtmp.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.dev.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.dev.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_fifo_files) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.macro_template_sock_files)))) diff --git a/src/file/homefile.cil b/src/file/homefile.cil new file mode 100644 index 0000000..2480957 --- /dev/null +++ b/src/file/homefile.cil @@ -0,0 +1,47 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block home + + (blockinherit .file.home.template) + (blockinherit .file.macro_template_all_files) + (blockinherit .file.macro_template_blk_files) + (blockinherit .file.macro_template_chr_files)) + +(in file + + (block home + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) + + (typeattribute typeattr) + + (call file.type (typeattr)) + + (call .xattr.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.home.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.home.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_fifo_files) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.macro_template_sock_files)))) diff --git a/src/file/homefile/syshomefile.cil b/src/file/homefile/syshomefile.cil new file mode 100644 index 0000000..6af11bd --- /dev/null +++ b/src/file/homefile/syshomefile.cil @@ -0,0 +1,11 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in sys + + (block home + + (blockinherit .file.home.template) + (blockinherit .file.macro_template_all_files) + (blockinherit .file.macro_template_blk_files) + (blockinherit .file.macro_template_chr_files))) diff --git a/src/file/hugetlbfsfile.cil b/src/file/hugetlbfsfile.cil new file mode 100644 index 0000000..37f91d3 --- /dev/null +++ b/src/file/hugetlbfsfile.cil @@ -0,0 +1,34 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in file + + (block hugetlbfs + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + + (typeattribute typeattr) + + (call file.type (typeattr)) + + (call .hugetlb.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.hugetlbfs.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.hugetlbfs.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files)))) diff --git a/src/file/hugetlbfsfile/syshugetlbfsfile.cil b/src/file/hugetlbfsfile/syshugetlbfsfile.cil new file mode 100644 index 0000000..cb975c0 --- /dev/null +++ b/src/file/hugetlbfsfile/syshugetlbfsfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in sys + + (block hugetlbfs + + (blockinherit .file.hugetlbfs.template))) diff --git a/src/file/misc/lostfoundfile.cil b/src/file/misc/lostfoundfile.cil new file mode 100644 index 0000000..cb1d82a --- /dev/null +++ b/src/file/misc/lostfoundfile.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block lostfound + + (blockinherit .file.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + + (call .xattr.associate_fs (file))) diff --git a/src/file/misc/mediafile.cil b/src/file/misc/mediafile.cil new file mode 100644 index 0000000..60b31a8 --- /dev/null +++ b/src/file/misc/mediafile.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block media + + (blockinherit .file.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_lnk_files) + + (call .xattr.associate_fs (file))) diff --git a/src/file/misc/rootfile.cil b/src/file/misc/rootfile.cil new file mode 100644 index 0000000..3e0799c --- /dev/null +++ b/src/file/misc/rootfile.cil @@ -0,0 +1,13 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block root + + (filecon "/" dir file_context) + (filecon "/[^/]+" symlink file_context) + + (blockinherit .file.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_lnk_files) + + (call .xattr.associate_fs (file))) diff --git a/src/file/misc/unknownfile.cil b/src/file/misc/unknownfile.cil new file mode 100644 index 0000000..f6fb47c --- /dev/null +++ b/src/file/misc/unknownfile.cil @@ -0,0 +1,30 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block unknown + + (filecon "/.*" any file_context) + + (macro root_file_type_transition_file ((type ARG1)(class ARG2)(name ARG3)) + (call .root.file_type_transition + (ARG1 file ARG2 ARG3))) + + (blockinherit .file.base_template) + (blockinherit .file.macro_template_blk_files) + (blockinherit .file.macro_template_chr_files) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_fifo_files) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.macro_template_sock_files) + + (call .xattr.associate_fs (file))) + +(in file.unconfined + + (call .unknown.root_file_type_transition_file (typeattr blk_file "*")) + (call .unknown.root_file_type_transition_file (typeattr chr_file "*")) + (call .unknown.root_file_type_transition_file (typeattr dir "*")) + (call .unknown.root_file_type_transition_file (typeattr fifo_file "*")) + (call .unknown.root_file_type_transition_file (typeattr file "*")) + (call .unknown.root_file_type_transition_file (typeattr sock_file "*"))) diff --git a/src/file/mqueuefsfile.cil b/src/file/mqueuefsfile.cil new file mode 100644 index 0000000..f4ce2b4 --- /dev/null +++ b/src/file/mqueuefsfile.cil @@ -0,0 +1,33 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in file + + (block mqueuefs + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + + (typeattribute typeattr) + + (call file.type (typeattr)) + + (call .mqueue.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.mqueuefs.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.macro_template_files) + (blockinherit .file.mqueuefs.base_template)))) diff --git a/src/file/mqueuefsfile/sysmqueuefsfile.cil b/src/file/mqueuefsfile/sysmqueuefsfile.cil new file mode 100644 index 0000000..cbd4f3c --- /dev/null +++ b/src/file/mqueuefsfile/sysmqueuefsfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in sys + + (block mqueuefs + + (blockinherit .file.mqueuefs.template))) diff --git a/src/file/runfile.cil b/src/file/runfile.cil new file mode 100644 index 0000000..02bce18 --- /dev/null +++ b/src/file/runfile.cil @@ -0,0 +1,47 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block run + + (blockinherit .file.run.template)) + +(in file + + (block run + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_all_files) + (blockinherit file.all_macro_template_blk_files) + (blockinherit file.all_macro_template_chr_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) + + (typeattribute typeattr) + + (call file.type (typeattr)) + + (call .tmp.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.run.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_fifo_files) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.macro_template_sock_files) + (blockinherit .file.run.base_template)))) diff --git a/src/file/runfile/runlockfile.cil b/src/file/runfile/runlockfile.cil new file mode 100644 index 0000000..1ce70f9 --- /dev/null +++ b/src/file/runfile/runlockfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block runlock + + (blockinherit .file.runlock.template)) + +(in file + + (block runlock + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + + (typeattribute typeattr) + + (call run.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.run.base_template) + + (call .file.runlock.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.runlock.base_template)))) diff --git a/src/file/runfile/runuserfile.cil b/src/file/runfile/runuserfile.cil new file mode 100644 index 0000000..e65dc66 --- /dev/null +++ b/src/file/runfile/runuserfile.cil @@ -0,0 +1,47 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block runuser + + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.runuser.base_template)) + +(in file + + (block runuser + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_all_files) + (blockinherit file.all_macro_template_blk_files) + (blockinherit file.all_macro_template_chr_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) + + (typeattribute typeattr) + + (call run.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.run.base_template) + + (call .file.runuser.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_fifo_files) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.macro_template_sock_files) + (blockinherit .file.runuser.base_template)))) diff --git a/src/file/secfile.cil b/src/file/secfile.cil new file mode 100644 index 0000000..199ded5 --- /dev/null +++ b/src/file/secfile.cil @@ -0,0 +1,67 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in file + + (call sec.relabelto.type (unconfined.typeattr)) + (call sec.write.type (unconfined.typeattr)) + + (block sec + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) + + (typeattribute typeattr) + + (call exception.type (typeattr)) + + (call .xattr.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.sec.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_fifo_files) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.macro_template_sock_files) + (blockinherit .file.sec.base_template)) + + (block relabelto + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr sec.typeattr (file (relabelto)))) + + (block write + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr sec.typeattr (file (append write)))))) diff --git a/src/file/tmpfile.cil b/src/file/tmpfile.cil new file mode 100644 index 0000000..1d84880 --- /dev/null +++ b/src/file/tmpfile.cil @@ -0,0 +1,47 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in tmp + + (blockinherit .file.tmp.template)) + +(in file + + (block tmp + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_all_files) + (blockinherit file.all_macro_template_blk_files) + (blockinherit file.all_macro_template_chr_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) + + (typeattribute typeattr) + + (call file.type (typeattr)) + + (call .tmp.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.tmp.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_fifo_files) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.macro_template_sock_files) + (blockinherit .file.tmp.base_template)))) diff --git a/src/file/tmpfile/systmpfile.cil b/src/file/tmpfile/systmpfile.cil new file mode 100644 index 0000000..2b02bff --- /dev/null +++ b/src/file/tmpfile/systmpfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in sys + + (block tmp + + (blockinherit .file.tmp.template))) diff --git a/src/file/tmpfsfile.cil b/src/file/tmpfsfile.cil new file mode 100644 index 0000000..c52892a --- /dev/null +++ b/src/file/tmpfsfile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in file + + (block tmpfs + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) + + (typeattribute typeattr) + + (call file.type (typeattr)) + + (call .tmp.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.tmpfs.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_fifo_files) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.macro_template_sock_files) + (blockinherit .file.tmpfs.base_template)))) diff --git a/src/file/tmpfsfile/systmpfsfile.cil b/src/file/tmpfsfile/systmpfsfile.cil new file mode 100644 index 0000000..4ebdb16 --- /dev/null +++ b/src/file/tmpfsfile/systmpfsfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in sys + + (block tmpfs + + (blockinherit .file.tmpfs.template))) diff --git a/src/file/varfile.cil b/src/file/varfile.cil new file mode 100644 index 0000000..f458d50 --- /dev/null +++ b/src/file/varfile.cil @@ -0,0 +1,44 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block var + + (blockinherit .file.var.template)) + +(in file + + (block var + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) + + (typeattribute typeattr) + + (call file.type (typeattr)) + + (call .xattr.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.base_template) + + (call .file.var.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_fifo_files) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.macro_template_sock_files) + (blockinherit .file.var.base_template)))) diff --git a/src/file/varfile/cachefile.cil b/src/file/varfile/cachefile.cil new file mode 100644 index 0000000..19c2a5a --- /dev/null +++ b/src/file/varfile/cachefile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block cache + + (blockinherit .file.cache.template)) + +(in file + + (block cache + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + + (typeattribute typeattr) + + (call var.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.var.base_template) + + (call .file.cache.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.cache.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files)))) diff --git a/src/file/varfile/dbfile.cil b/src/file/varfile/dbfile.cil new file mode 100644 index 0000000..c54c75a --- /dev/null +++ b/src/file/varfile/dbfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block db + + (blockinherit .file.db.template)) + +(in file + + (block db + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + + (typeattribute typeattr) + + (call var.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.var.base_template) + + (call .file.db.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.db.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files)))) diff --git a/src/file/varfile/logfile.cil b/src/file/varfile/logfile.cil new file mode 100644 index 0000000..0c62240 --- /dev/null +++ b/src/file/varfile/logfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block log + + (blockinherit .file.log.template)) + +(in file + + (block log + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + + (typeattribute typeattr) + + (call var.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.var.base_template) + + (call .file.log.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.log.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files)))) diff --git a/src/file/varfile/spoolfile.cil b/src/file/varfile/spoolfile.cil new file mode 100644 index 0000000..311ed1a --- /dev/null +++ b/src/file/varfile/spoolfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block spool + + (blockinherit .file.spool.template)) + +(in file + + (block spool + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + + (typeattribute typeattr) + + (call var.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.var.base_template) + + (call .file.spool.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.spool.base_template)))) diff --git a/src/file/varfile/spoolfile/mailspoolfile.cil b/src/file/varfile/spoolfile/mailspoolfile.cil new file mode 100644 index 0000000..5216423 --- /dev/null +++ b/src/file/varfile/spoolfile/mailspoolfile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block mail + + (block spool + + (blockinherit .file.spool.mail.template))) + +(in file.spool + + (block mail + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + + (typeattribute typeattr) + + (call .file.spool.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.spool.base_template) + + (call .file.spool.mail.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.spool.mail.base_template)))) diff --git a/src/file/varfile/statefile.cil b/src/file/varfile/statefile.cil new file mode 100644 index 0000000..bb74d43 --- /dev/null +++ b/src/file/varfile/statefile.cil @@ -0,0 +1,42 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block state + + (blockinherit .file.state.template)) + +(in file + + (block state + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) + + (typeattribute typeattr) + + (call var.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .file.var.base_template) + + (call .file.state.type (file))) + + (block template + + (blockabstract template) + + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_fifo_files) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.macro_template_sock_files) + (blockinherit .file.state.base_template)))) diff --git a/src/fs.cil b/src/fs.cil new file mode 100644 index 0000000..3ea719b --- /dev/null +++ b/src/fs.cil @@ -0,0 +1,597 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class filesystem + (associate getattr mount quotaget quotamod relabelfrom relabelto remount + unmount watch)) +(classorder (unordered filesystem)) + +(in ibac + + (constrain (filesystem (relabelto)) + (or (or (or (eq u1 u2) + (and (eq t1 objchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in mcs + + (mlsconstrain (filesystem (relabelto)) + (or (neq t1 constrained.typeattr) + (and (dom h1 h2) (eq l2 h2)))) + + (mlsconstrain (filesystem (associate getattr mount remount)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in rbac + + (constrain (filesystem (relabelto)) + (or (or (or (eq r1 r2) + (and (eq t1 objchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in rbacsep + + (constrain (filesystem (getattr)) + (or (or (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (eq t2 exempt.obj.typeattr)) + (and (eq r2 exempt.roleattr) (eq t2 typeattr))) + (and (eq t1 readstatesource.typeattr) + (eq t2 readstatetarget.typeattr))))) + +(macro associate_invalid_fs ((type ARG1)) + (allow ARG1 invalid (filesystem (associate)))) + +(macro getattr_invalid_fs ((type ARG1)) + (allow ARG1 invalid (filesystem (getattr)))) + +(macro mount_invalid_fs ((type ARG1)) + (allow ARG1 invalid (filesystem (mount)))) + +(macro quotaget_invalid_fs ((type ARG1)) + (allow ARG1 invalid (filesystem (quotaget)))) + +(macro quotamod_invalid_fs ((type ARG1)) + (allow ARG1 invalid (filesystem (quotamod)))) + +(macro relabel_invalid_fs ((type ARG1)) + (allow ARG1 invalid (filesystem (relabelfrom relabelto)))) + +(macro relabelfrom_invalid_fs ((type ARG1)) + (allow ARG1 invalid (filesystem (relabelfrom)))) + +(macro relabelto_invalid_fs ((type ARG1)) + (allow ARG1 invalid (filesystem (relabelto)))) + +(macro remount_invalid_fs ((type ARG1)) + (allow ARG1 invalid (filesystem (remount)))) + +(macro unmount_invalid_fs ((type ARG1)) + (allow ARG1 invalid (filesystem (unmount)))) + +(macro watch_invalid_fs ((type ARG1)) + (allow ARG1 invalid (filesystem (watch)))) + +(allow invalid self (filesystem (associate))) + +(block fs + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit all_macro_template_fs) + + (blockinherit .file.all_macro_template_all_files) + (blockinherit .file.all_macro_template_blk_files) + (blockinherit .file.all_macro_template_chr_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_fifo_files) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_sock_files) + + (call .obj.type (typeattr)) + + (block all_macro_template_fs + + (blockabstract all_macro_template_fs) + + (macro associate_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (associate)))) + + (macro getattr_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (getattr)))) + + (macro mount_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (mount)))) + + (macro quotaget_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (quotaget)))) + + (macro quotamod_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (quotamod)))) + + (macro relabel_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (relabelfrom relabelto)))) + + (macro relabelfrom_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (relabelfrom)))) + + (macro relabelto_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (relabelto)))) + + (macro remount_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (remount)))) + + (macro unmount_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (unmount)))) + + (macro watch_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (watch))))) + + (block base_template + + (blockabstract base_template) + + (context fs_context (.sys.id .sys.role fs lowlevelrange)) + + (type fs) + (call .fs.type (fs))) + + (block macro_template_all_files + + (blockabstract macro_template_all_files) + + (macro create_fs_file ((type ARG1)) + (allow ARG1 fs (files (create)))) + + (macro delete_fs_file ((type ARG1)) + (allow ARG1 fs (files (delete)))) + + (macro manage_fs_file ((type ARG1)) + (allow ARG1 fs (files (manage)))) + + (macro read_fs_file ((type ARG1)) + (allow ARG1 fs (files (read)))) + + (macro readwrite_fs_file ((type ARG1)) + (allow ARG1 fs (files (readwrite)))) + + (macro relabel_fs_file ((type ARG1)) + (allow ARG1 fs (files (relabel)))) + + (macro relabelfrom_fs_file ((type ARG1)) + (allow ARG1 fs (files (relabelfrom)))) + + (macro relabelto_fs_file ((type ARG1)) + (allow ARG1 fs (files (relabelto)))) + + (macro rename_fs_file ((type ARG1)) + (allow ARG1 fs (files (rename)))) + + (macro write_fs_file ((type ARG1)) + (allow ARG1 fs (files (write))))) + + (block macro_template_blk_files + + (blockabstract macro_template_blk_files) + + (macro append_blk_fs_files ((type ARG1)) + (allow ARG1 fs append_blk_file)) + + (macro appendinherited_fs_blk_files ((type ARG1)) + (allow ARG1 fs appendinherited_blk_file)) + + (macro create_fs_blk_files ((type ARG1)) + (allow ARG1 fs create_blk_file)) + + (macro delete_fs_blk_files ((type ARG1)) + (allow ARG1 fs delete_blk_file)) + + (macro manage_fs_blk_files ((type ARG1)) + (allow ARG1 fs manage_blk_file)) + + (macro read_fs_blk_files ((type ARG1)) + (allow ARG1 fs read_blk_file)) + + (macro readinherited_fs_blk_files ((type ARG1)) + (allow ARG1 fs readinherited_blk_file)) + + (macro readwrite_fs_blk_files ((type ARG1)) + (allow ARG1 fs readwrite_blk_file)) + + (macro readwriteinherited_fs_blk_files ((type ARG1)) + (allow ARG1 fs readwriteinherited_blk_file)) + + (macro relabel_fs_blk_files ((type ARG1)) + (allow ARG1 fs relabel_blk_file)) + + (macro relabelfrom_fs_blk_files ((type ARG1)) + (allow ARG1 fs relabelfrom_blk_file)) + + (macro relabelto_fs_blk_files ((type ARG1)) + (allow ARG1 fs relabelto_blk_file)) + + (macro rename_fs_blk_files ((type ARG1)) + (allow ARG1 fs rename_blk_file)) + + (macro write_fs_blk_files ((type ARG1)) + (allow ARG1 fs write_blk_file)) + + (macro writeinherited_fs-blk_files ((type ARG1)) + (allow ARG1 fs writeinherited_blk_file))) + + (block macro_template_chr_files + + (blockabstract macro_template_chr_files) + + (macro append_fs_chr_files ((type ARG1)) + (allow ARG1 fs append_chr_file)) + + (macro appendinherited_fs_chr_files ((type ARG1)) + (allow ARG1 fs appendinherited_chr_file)) + + (macro create_fs_chr_files ((type ARG1)) + (allow ARG1 fs create_chr_file)) + + (macro delete_fs_chr_files ((type ARG1)) + (allow ARG1 fs delete_chr_file)) + + (macro manage_fs_chr_files ((type ARG1)) + (allow ARG1 fs manage_chr_file)) + + (macro mapexecute_fs_chr_files ((type ARG1)) + (allow ARG1 fs mapexecute_chr_file)) + + (macro read_fs_chr_files ((type ARG1)) + (allow ARG1 fs read_chr_file)) + + (macro readinherited_fs_chr_files ((type ARG1)) + (allow ARG1 fs readinherited_chr_file)) + + (macro readwrite_fs_chr_files ((type ARG1)) + (allow ARG1 fs readwrite_chr_file)) + + (macro readwriteinherited_fs_chr_files ((type ARG1)) + (allow ARG1 fs readwriteinherited_chr_file)) + + (macro relabel_fs_chr_files ((type ARG1)) + (allow ARG1 fs relabel_chr_file)) + + (macro relabelfrom_fs_chr_files ((type ARG1)) + (allow ARG1 fs relabelfrom_chr_file)) + + (macro relabelto_fs_chr_files ((type ARG1)) + (allow ARG1 fs relabelto_chr_file)) + + (macro rename_fs_chr_files ((type ARG1)) + (allow ARG1 fs rename_chr_file)) + + (macro write_fs_chr_files ((type ARG1)) + (allow ARG1 fs write_chr_file)) + + (macro writeinherited_fs_chr_files ((type ARG1)) + (allow ARG1 fs writeinherited_chr_file))) + + (block macro_template_dirs + + (blockabstract macro_template_dirs) + + (macro addname_fs_dirs ((type ARG1)) + (allow ARG1 fs addname_dir)) + + (macro create_fs_dirs ((type ARG1)) + (allow ARG1 fs create_dir)) + + (macro delete_fs_dirs ((type ARG1)) + (allow ARG1 fs delete_dir)) + + (macro deletename_fs_dirs ((type ARG1)) + (allow ARG1 fs deletename_dir)) + + (macro fs_type_transition ((type ARG1)(type ARG2)(class ARG3)(name ARG4)) + (typetransition ARG1 fs ARG3 ARG4 ARG2) + (call addname_fs_dirs (ARG1))) + + (macro list_fs_dirs ((type ARG1)) + (allow ARG1 fs list_dir)) + + (macro listinherited_fs_dirs ((type ARG1)) + (allow ARG1 fs listinherited_dir)) + + (macro manage_fs_dirs ((type ARG1)) + (allow ARG1 fs manage_dir)) + + (macro mounton_fs_dirs ((type ARG1)) + (allow ARG1 fs mounton_dir)) + + (macro readwrite_fs_dirs ((type ARG1)) + (allow ARG1 fs readwrite_dir)) + + (macro readwriteinherited_fs_dirs ((type ARG1)) + (allow ARG1 fs readwriteinherited_dir)) + + (macro relabel_fs_dirs ((type ARG1)) + (allow ARG1 fs relabel_dir)) + + (macro relabelfrom_fs_dirs ((type ARG1)) + (allow ARG1 fs relabelfrom_dir)) + + (macro relabelto_fs_dirs ((type ARG1)) + (allow ARG1 fs relabelto_dir)) + + (macro rename_fs_dirs ((type ARG1)) + (allow ARG1 fs rename_dir)) + + (macro search_fs_dirs ((type ARG1)) + (allow ARG1 fs search_dir)) + + (macro write_fs_dirs ((type ARG1)) + (allow ARG1 fs write_dir)) + + (macro writeinherited_fs_dirs ((type ARG1)) + (allow ARG1 fs writeinherited_dir))) + + (block macro_template_fifo_files + + (blockabstract macro_template_fifo_files) + + (macro append_fs_fifo_files ((type ARG1)) + (allow ARG1 fs append_fifo_file)) + + (macro appendinherited_fs_fifo_files ((type ARG1)) + (allow ARG1 fs appendinherited_fifo_file)) + + (macro create_fs_fifo_files ((type ARG1)) + (allow ARG1 fs create_fifo_file)) + + (macro delete_fs_fifo_files ((type ARG1)) + (allow ARG1 fs delete_fifo_file)) + + (macro manage_fs_fifo_files ((type ARG1)) + (allow ARG1 fs manage_fifo_file)) + + (macro read_fs_fifo_files ((type ARG1)) + (allow ARG1 fs read_fifo_file)) + + (macro readinherited_fs_fifo_files ((type ARG1)) + (allow ARG1 fs readinherited_fifo_file)) + + (macro readwrite_fs_fifo_files ((type ARG1)) + (allow ARG1 fs readwrite_fifo_file)) + + (macro readwriteinherited_fs_fifo_files ((type ARG1)) + (allow ARG1 fs readwriteinherited_fifo_file)) + + (macro relabel_fs_fifo_files ((type ARG1)) + (allow ARG1 fs relabel_fifo_file)) + + (macro relabelfrom_fs_fifo_files ((type ARG1)) + (allow ARG1 fs relabelfrom_fifo_file)) + + (macro relabelto_fs_fifo_files ((type ARG1)) + (allow ARG1 fs relabelto_fifo_file)) + + (macro rename_fs_fifo_files ((type ARG1)) + (allow ARG1 fs rename_fifo_file)) + + (macro write_fs_fifo_files ((type ARG1)) + (allow ARG1 fs write_fifo_file)) + + (macro writeinherited_fs_fifo_files ((type ARG1)) + (allow ARG1 fs writeinherited_fifo_file))) + + (block macro_template_files + + (blockabstract macro_template_files) + + (macro append_fs_files ((type ARG1)) + (allow ARG1 fs append_file)) + + (macro appendinherited_fs_files ((type ARG1)) + (allow ARG1 fs appendinherited_file)) + + (macro create_fs_files ((type ARG1)) + (allow ARG1 fs create_file)) + + (macro delete_fs_files ((type ARG1)) + (allow ARG1 fs delete_file)) + + (macro execute_fs_files ((type ARG1)) + (allow ARG1 fs execute_file)) + + (macro manage_fs_files ((type ARG1)) + (allow ARG1 fs manage_file)) + + (macro mapexecute_fs_files ((type ARG1)) + (allow ARG1 fs mapexecute_file)) + + (macro mounton_fs_files ((type ARG1)) + (allow ARG1 fs mounton_file)) + + (macro read_fs_files ((type ARG1)) + (allow ARG1 fs read_file)) + + (macro readinherited_fs_files ((type ARG1)) + (allow ARG1 fs readinherited_file)) + + (macro readwrite_fs_files ((type ARG1)) + (allow ARG1 fs readwrite_file)) + + (macro readwriteinherited_fs_files ((type ARG1)) + (allow ARG1 fs readwriteinherited_file)) + + (macro relabel_fs_files ((type ARG1)) + (allow ARG1 fs relabel_file)) + + (macro relabelfrom_fs_files ((type ARG1)) + (allow ARG1 fs relabelfrom_file)) + + (macro relabelto_fs_files ((type ARG1)) + (allow ARG1 fs relabelto_file)) + + (macro rename_fs_files ((type ARG1)) + (allow ARG1 fs rename_file)) + + (macro write_fs_files ((type ARG1)) + (allow ARG1 fs write_file)) + + (macro writeinherited_fs_files ((type ARG1)) + (allow ARG1 fs writeinherited_file))) + + (block macro_template_lnk_files + + (blockabstract macro_template_lnk_files) + + (macro create_fs_lnk_files ((type ARG1)) + (allow ARG1 fs create_lnk_file)) + + (macro delete_fs_lnk_files ((type ARG1)) + (allow ARG1 fs delete_lnk_file)) + + (macro manage_fs_lnk_files ((type ARG1)) + (allow ARG1 fs manage_lnk_file)) + + (macro read_fs_lnk_files ((type ARG1)) + (allow ARG1 fs read_lnk_file)) + + (macro readwrite_fs_lnk_files ((type ARG1)) + (allow ARG1 fs readwrite_lnk_file)) + + (macro relabel_fs_lnk_files ((type ARG1)) + (allow ARG1 fs relabel_lnk_file)) + + (macro relabelfrom_fs_lnk_files ((type ARG1)) + (allow ARG1 fs relabelfrom_lnk_file)) + + (macro relabelto_fs_lnk_files ((type ARG1)) + (allow ARG1 fs relabelto_lnk_file)) + + (macro rename_fs_lnk_files ((type ARG1)) + (allow ARG1 fs rename_lnk_file)) + + (macro write_fs_lnk_files ((type ARG1)) + (allow ARG1 fs write_lnk_file))) + + (block macro_template_sock_files + + (blockabstract macro_template_sock_files) + + (macro create_fs_sock_files ((type ARG1)) + (allow ARG1 fs create_sock_file)) + + (macro delete_fs_sock_files ((type ARG1)) + (allow ARG1 fs delete_sock_file)) + + (macro manage_fs_sock_files ((type ARG1)) + (allow ARG1 fs manage_sock_file)) + + (macro read_fs_sock_files ((type ARG1)) + (allow ARG1 fs read_sock_file)) + + (macro readinherited_fs_sock_files ((type ARG1)) + (allow ARG1 fs readinherited_sock_file)) + + (macro readwrite_fs_sock_files ((type ARG1)) + (allow ARG1 fs readwrite_sock_file)) + + (macro readwriteinherited_fs_sock_files ((type ARG1)) + (allow ARG1 fs readwriteinherited_sock_file)) + + (macro relabel_fs_sock_files ((type ARG1)) + (allow ARG1 fs relabel_sock_file)) + + (macro relabelfrom_fs_sock_files ((type ARG1)) + (allow ARG1 fs relabelfrom_sock_file)) + + (macro relabelto_fs_sock_files ((type ARG1)) + (allow ARG1 fs relabelto_sock_file)) + + (macro rename_fs_sock_files ((type ARG1)) + (allow ARG1 fs rename_sock_file)) + + (macro write_fs_sock_files ((type ARG1)) + (allow ARG1 fs write_sock_file)) + + (macro writeinherited_fs_sock_files ((type ARG1)) + (allow ARG1 fs writeinherited_sock_file))) + + (block macro_template_fs + + (blockabstract macro_template_fs) + + (macro associate_fs ((type ARG1)) + (allow ARG1 fs (filesystem (associate)))) + + (macro getattr_fs ((type ARG1)) + (allow ARG1 fs (filesystem (getattr)))) + + (macro mount_fs ((type ARG1)) + (allow ARG1 fs (filesystem (mount)))) + + (macro quotaget_fs ((type ARG1)) + (allow ARG1 fs (filesystem (quotaget)))) + + (macro quotamod_fs ((type ARG1)) + (allow ARG1 fs (filesystem (quotamod)))) + + (macro relabel_fs ((type ARG1)) + (allow ARG1 fs (filesystem (relabelfrom relabelto)))) + + (macro relabelfrom_fs ((type ARG1)) + (allow ARG1 fs (filesystem (relabelfrom)))) + + (macro relabelto_fs ((type ARG1)) + (allow ARG1 fs (filesystem (relabelto)))) + + (macro remount_fs ((type ARG1)) + (allow ARG1 fs (filesystem (remount)))) + + (macro unmount_fs ((type ARG1)) + (allow ARG1 fs (filesystem (unmount)))) + + (macro watch_fs ((type ARG1)) + (allow ARG1 fs (filesystem (watch))))) + + (block template + + (blockabstract template) + + (blockabstract .fs.base_template) + (blockabstract .fs.macro_template_fs)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr fs.typeattr + (blk_file (not (audit_access execmod map mounton)))) + (allow typeattr fs.typeattr (chr_file (not (audit_access execmod mounton)))) + (allow typeattr fs.typeattr (dir (not (audit_access execmod)))) + (allow typeattr fs.typeattr + (fifo_file (not (audit_access execmod map mounton)))) + (allow typeattr fs.typeattr (file (not (audit_access entrypoint execmod)))) + (allow typeattr fs.typeattr (filesystem (not associate))) + (allow typeattr fs.typeattr + (lnk_file (not (audit_access execmod map mounton)))) + (allow typeattr fs.typeattr + (sock_file (not (audit_access execmod map mounton)))))) + +(in invalid.unconfined + + (allow typeattr .invalid (filesystem (not (associate relabelto))))) + +(in unconfined + + (call .fs.unconfined.type (typeattr))) diff --git a/src/fs/noseclabelfs.cil b/src/fs/noseclabelfs.cil new file mode 100644 index 0000000..6701423 --- /dev/null +++ b/src/fs/noseclabelfs.cil @@ -0,0 +1,32 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block noseclabelfs + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .fs.all_macro_template_fs) + + (allow typeattr self (filesystem (associate))) + + (call .fs.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .fs.base_template) + + (call .noseclabelfs.type (fs))) + + (block template + + (blockabstract template) + + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_files) + (blockinherit .fs.macro_template_fs) + (blockinherit .noseclabelfs.base_template))) diff --git a/src/fs/noseclabelfs/aionoseclabelfs.cil b/src/fs/noseclabelfs/aionoseclabelfs.cil new file mode 100644 index 0000000..b91e583 --- /dev/null +++ b/src/fs/noseclabelfs/aionoseclabelfs.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block aio + + (genfscon "aio" "/" fs_context) + + (blockinherit .fs.macro_template_fs) + (blockinherit .noseclabelfs.base_template)) diff --git a/src/fs/noseclabelfs/anoninodenoseclabelfs.cil b/src/fs/noseclabelfs/anoninodenoseclabelfs.cil new file mode 100644 index 0000000..28f5dec --- /dev/null +++ b/src/fs/noseclabelfs/anoninodenoseclabelfs.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block anoninode + + (genfscon "anon_inodefs" "/" fs_context) + + (blockinherit .noseclabelfs.base_template)) diff --git a/src/fs/noseclabelfs/autonoseclabelfs.cil b/src/fs/noseclabelfs/autonoseclabelfs.cil new file mode 100644 index 0000000..6a0d922 --- /dev/null +++ b/src/fs/noseclabelfs/autonoseclabelfs.cil @@ -0,0 +1,14 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block auto + + (genfscon "autofs" "/" fs_context) + (genfscon "automount" "/" fs_context) + + (macro getattr_fs_dirs ((type ARG1)) + (allow ARG1 fs (dir (getattr)))) + + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_fs) + (blockinherit .noseclabelfs.base_template)) diff --git a/src/fs/noseclabelfs/bdevnoseclabelfs.cil b/src/fs/noseclabelfs/bdevnoseclabelfs.cil new file mode 100644 index 0000000..dd622d0 --- /dev/null +++ b/src/fs/noseclabelfs/bdevnoseclabelfs.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block bdev + + (genfscon "bdev" "/" fs_context) + + (blockinherit .fs.macro_template_fs) + (blockinherit .noseclabelfs.base_template)) diff --git a/src/fs/noseclabelfs/binfmtmiscnoseclabelfs.cil b/src/fs/noseclabelfs/binfmtmiscnoseclabelfs.cil new file mode 100644 index 0000000..d81fb3d --- /dev/null +++ b/src/fs/noseclabelfs/binfmtmiscnoseclabelfs.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block binfmtmisc + + (genfscon "binfmt_misc" "/" fs_context) + + (blockinherit .fs.macro_template_fs) + (blockinherit .noseclabelfs.template)) diff --git a/src/fs/noseclabelfs/bpfnoseclabelfs.cil b/src/fs/noseclabelfs/bpfnoseclabelfs.cil new file mode 100644 index 0000000..0a8cf05 --- /dev/null +++ b/src/fs/noseclabelfs/bpfnoseclabelfs.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block bpf + + (genfscon "bpf" "/" fs_context) + + (blockinherit .noseclabelfs.template)) diff --git a/src/fs/noseclabelfs/cinoseclabelfs.cil b/src/fs/noseclabelfs/cinoseclabelfs.cil new file mode 100644 index 0000000..41d6da8 --- /dev/null +++ b/src/fs/noseclabelfs/cinoseclabelfs.cil @@ -0,0 +1,14 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block ci + + (genfscon "cifs" "/" fs_context) + (genfscon "smbfs" "/" fs_context) + + (macro map_fs_files ((type ARG1)) + (allow ARG1 fs (file (map)))) + + (blockinherit .noseclabelfs.template) + + (call .rbacsep.exempt.obj.type (fs))) diff --git a/src/fs/noseclabelfs/confignoseclabelfs.cil b/src/fs/noseclabelfs/confignoseclabelfs.cil new file mode 100644 index 0000000..770f183 --- /dev/null +++ b/src/fs/noseclabelfs/confignoseclabelfs.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block config + + (genfscon "configfs" "/" fs_context) + + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_fs) + (blockinherit .noseclabelfs.base_template)) diff --git a/src/fs/noseclabelfs/cpusetnoseclabelfs.cil b/src/fs/noseclabelfs/cpusetnoseclabelfs.cil new file mode 100644 index 0000000..2b68ae6 --- /dev/null +++ b/src/fs/noseclabelfs/cpusetnoseclabelfs.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block cpuset + + (genfscon "cpuset" "/" fs_context) + + (blockinherit .fs.macro_template_fs) + (blockinherit .noseclabelfs.base_template)) diff --git a/src/fs/noseclabelfs/dosnoseclabelfs.cil b/src/fs/noseclabelfs/dosnoseclabelfs.cil new file mode 100644 index 0000000..77eecc8 --- /dev/null +++ b/src/fs/noseclabelfs/dosnoseclabelfs.cil @@ -0,0 +1,21 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block dos + + (genfscon "fat" "/" fs_context) + (genfscon "hfs" "/" fs_context) + (genfscon "hfsplus" "/" fs_context) + (genfscon "msdos" "/" fs_context) + (genfscon "ntfs" "/" fs_context) + (genfscon "ntfs-3g" "/" fs_context) + (genfscon "ntfs3" "/" fs_context) + (genfscon "vfat" "/" fs_context) + (genfscon "exfat" "/" fs_context) + + (macro map_fs_files ((type ARG1)) + (allow ARG1 fs (file (map)))) + + (blockinherit .noseclabelfs.template) + + (call .rbacsep.exempt.obj.type (fs))) diff --git a/src/fs/noseclabelfs/drmnoseclabelfs.cil b/src/fs/noseclabelfs/drmnoseclabelfs.cil new file mode 100644 index 0000000..f467da2 --- /dev/null +++ b/src/fs/noseclabelfs/drmnoseclabelfs.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block drm + + (genfscon "drm" "/" fs_context) + + (blockinherit .fs.macro_template_fs) + (blockinherit .noseclabelfs.base_template)) diff --git a/src/fs/noseclabelfs/efivarnoseclabelfs.cil b/src/fs/noseclabelfs/efivarnoseclabelfs.cil new file mode 100644 index 0000000..45141a4 --- /dev/null +++ b/src/fs/noseclabelfs/efivarnoseclabelfs.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block efivar + + (genfscon "efivarfs" "/" fs_context) + + (blockinherit .noseclabelfs.template)) diff --git a/src/fs/noseclabelfs/fusenoseclabelfs.cil b/src/fs/noseclabelfs/fusenoseclabelfs.cil new file mode 100644 index 0000000..b2ac9fc --- /dev/null +++ b/src/fs/noseclabelfs/fusenoseclabelfs.cil @@ -0,0 +1,16 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in fuse + + (genfscon "fuse" "/" fs_context) + (genfscon "fuseblk" "/" fs_context) + (genfscon "fusectl" "/" fs_context) + + (macro map_fs_files ((type ARG1)) + (allow ARG1 fs (file (map)))) + + (blockinherit .fs.macro_template_lnk_files) + (blockinherit .noseclabelfs.template) + + (call .rbacsep.exempt.obj.type (fs))) diff --git a/src/fs/noseclabelfs/iso9660noseclabelfs.cil b/src/fs/noseclabelfs/iso9660noseclabelfs.cil new file mode 100644 index 0000000..eac7922 --- /dev/null +++ b/src/fs/noseclabelfs/iso9660noseclabelfs.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block iso9660 + + (genfscon "iso9660" "/" fs_context) + + (blockinherit .noseclabelfs.template)) diff --git a/src/fs/noseclabelfs/nfsdnoseclabelfs.cil b/src/fs/noseclabelfs/nfsdnoseclabelfs.cil new file mode 100644 index 0000000..fc0fc01 --- /dev/null +++ b/src/fs/noseclabelfs/nfsdnoseclabelfs.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block nfsd + + (genfscon "nfsd" "/" fs_context) + + (blockinherit .noseclabelfs.template)) diff --git a/src/fs/noseclabelfs/nfsnoseclabelfs.cil b/src/fs/noseclabelfs/nfsnoseclabelfs.cil new file mode 100644 index 0000000..c8a1f7e --- /dev/null +++ b/src/fs/noseclabelfs/nfsnoseclabelfs.cil @@ -0,0 +1,18 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block nfs + + (genfscon "afs" "/" fs_context) + (genfscon "nfs" "/" fs_context) + (genfscon "nfs4" "/" fs_context) + + (macro map_fs_files ((type ARG1)) + (allow ARG1 fs (file (map)))) + + (blockinherit .fs.macro_template_fifo_files) + (blockinherit .fs.macro_template_lnk_files) + (blockinherit .fs.macro_template_sock_files) + (blockinherit .noseclabelfs.template) + + (call .rbacsep.exempt.obj.type (fs))) diff --git a/src/fs/noseclabelfs/nsnoseclabelfs.cil b/src/fs/noseclabelfs/nsnoseclabelfs.cil new file mode 100644 index 0000000..59938c1 --- /dev/null +++ b/src/fs/noseclabelfs/nsnoseclabelfs.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block ns + + (genfscon "nsfs" "/" fs_context) + + (blockinherit .noseclabelfs.template)) diff --git a/src/fs/noseclabelfs/procnoseclabelfs.cil b/src/fs/noseclabelfs/procnoseclabelfs.cil new file mode 100644 index 0000000..f9711c2 --- /dev/null +++ b/src/fs/noseclabelfs/procnoseclabelfs.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block proc + + (genfscon "proc" "/" fs_context) + + (blockinherit .fs.macro_template_lnk_files) + (blockinherit .noseclabelfs.template)) diff --git a/src/fs/noseclabelfs/removablenoseclabelfs.cil b/src/fs/noseclabelfs/removablenoseclabelfs.cil new file mode 100644 index 0000000..95a7e34 --- /dev/null +++ b/src/fs/noseclabelfs/removablenoseclabelfs.cil @@ -0,0 +1,6 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in removable + + (blockinherit .noseclabelfs.template)) diff --git a/src/fs/noseclabelfs/rpcpipenoseclabelfs.cil b/src/fs/noseclabelfs/rpcpipenoseclabelfs.cil new file mode 100644 index 0000000..50db012 --- /dev/null +++ b/src/fs/noseclabelfs/rpcpipenoseclabelfs.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block rpcpipe + + (genfscon "rpc_pipefs" "/" fs_context) + + (blockinherit .fs.macro_template_fs) + (blockinherit .noseclabelfs.base_template)) diff --git a/src/fs/noseclabelfs/securitynoseclabelfs.cil b/src/fs/noseclabelfs/securitynoseclabelfs.cil new file mode 100644 index 0000000..a23e94b --- /dev/null +++ b/src/fs/noseclabelfs/securitynoseclabelfs.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block security + + (genfscon "securityfs" "/" fs_context) + + (blockinherit .fs.macro_template_lnk_files) + (blockinherit .noseclabelfs.template)) diff --git a/src/fs/noseclabelfs/selinuxnoseclabelfs.cil b/src/fs/noseclabelfs/selinuxnoseclabelfs.cil new file mode 100644 index 0000000..d0c7063 --- /dev/null +++ b/src/fs/noseclabelfs/selinuxnoseclabelfs.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in selinux + + (genfscon "selinuxfs" "/" fs_context) + + (blockinherit .noseclabelfs.template) + + (call .rbacsep.exempt.obj.type (fs))) diff --git a/src/fs/noseclabelfs/udfnoseclabelfs.cil b/src/fs/noseclabelfs/udfnoseclabelfs.cil new file mode 100644 index 0000000..61c8ec2 --- /dev/null +++ b/src/fs/noseclabelfs/udfnoseclabelfs.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block udf + + (genfscon "udf" "/" fs_context) + + (blockinherit .noseclabelfs.template)) diff --git a/src/fs/seclabelfs.cil b/src/fs/seclabelfs.cil new file mode 100644 index 0000000..eb31584 --- /dev/null +++ b/src/fs/seclabelfs.cil @@ -0,0 +1,37 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block seclabelfs + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .fs.all_macro_template_fs) + + (blockinherit .file.all_macro_template_all_files) + (blockinherit .file.all_macro_template_blk_files) + (blockinherit .file.all_macro_template_chr_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_fifo_files) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_sock_files) + + (call .fs.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .fs.base_template) + + (call .seclabelfs.type (fs))) + + (block template + + (blockabstract template) + + (blockinherit .fs.macro_template_fs) + (blockinherit .seclabelfs.base_template))) diff --git a/src/fs/seclabelfs/cgroupseclabelfs.cil b/src/fs/seclabelfs/cgroupseclabelfs.cil new file mode 100644 index 0000000..07c63a2 --- /dev/null +++ b/src/fs/seclabelfs/cgroupseclabelfs.cil @@ -0,0 +1,11 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block cgroup + + (genfscon "cgroup" "/" fs_context) + (genfscon "cgroup2" "/" fs_context) + + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_files) + (blockinherit .seclabelfs.template)) diff --git a/src/fs/seclabelfs/debugseclabelfs.cil b/src/fs/seclabelfs/debugseclabelfs.cil new file mode 100644 index 0000000..b406228 --- /dev/null +++ b/src/fs/seclabelfs/debugseclabelfs.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in debug + + (genfscon "debugfs" "/" fs_context) + + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_files) + (blockinherit .seclabelfs.template)) diff --git a/src/fs/seclabelfs/devptsseclabelfs.cil b/src/fs/seclabelfs/devptsseclabelfs.cil new file mode 100644 index 0000000..4c5827c --- /dev/null +++ b/src/fs/seclabelfs/devptsseclabelfs.cil @@ -0,0 +1,11 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block devpts + + (fsuse trans "devpts" fs_context) + + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_chr_files) + (blockinherit .fs.macro_template_fs) + (blockinherit .seclabelfs.base_template)) diff --git a/src/fs/seclabelfs/devtmpseclabelfs.cil b/src/fs/seclabelfs/devtmpseclabelfs.cil new file mode 100644 index 0000000..ff814e6 --- /dev/null +++ b/src/fs/seclabelfs/devtmpseclabelfs.cil @@ -0,0 +1,16 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block devtmp + + (fsuse trans "devtmpfs" fs_context) + + (blockinherit .fs.macro_template_all_files) + (blockinherit .fs.macro_template_blk_files) + (blockinherit .fs.macro_template_chr_files) + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_fifo_files) + (blockinherit .fs.macro_template_files) + (blockinherit .fs.macro_template_lnk_files) + (blockinherit .fs.macro_template_sock_files) + (blockinherit .seclabelfs.template)) diff --git a/src/fs/seclabelfs/eventpollseclabelfs.cil b/src/fs/seclabelfs/eventpollseclabelfs.cil new file mode 100644 index 0000000..058bb7b --- /dev/null +++ b/src/fs/seclabelfs/eventpollseclabelfs.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block eventpoll + + (fsuse task "eventpollfs" fs_context) + + (blockinherit .seclabelfs.base_template)) diff --git a/src/fs/seclabelfs/hugetlbseclabelfs.cil b/src/fs/seclabelfs/hugetlbseclabelfs.cil new file mode 100644 index 0000000..1b0857e --- /dev/null +++ b/src/fs/seclabelfs/hugetlbseclabelfs.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block hugetlb + + (fsuse trans "hugetlbfs" fs_context) + + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_files) + (blockinherit .seclabelfs.template)) diff --git a/src/fs/seclabelfs/mqueueseclabelfs.cil b/src/fs/seclabelfs/mqueueseclabelfs.cil new file mode 100644 index 0000000..553389f --- /dev/null +++ b/src/fs/seclabelfs/mqueueseclabelfs.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block mqueue + + (fsuse trans "mqueue" fs_context) + + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_files) + (blockinherit .seclabelfs.template)) diff --git a/src/fs/seclabelfs/pipeseclabelfs.cil b/src/fs/seclabelfs/pipeseclabelfs.cil new file mode 100644 index 0000000..c115ff5 --- /dev/null +++ b/src/fs/seclabelfs/pipeseclabelfs.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block pipe + + (fsuse task "pipefs" fs_context) + + (blockinherit .seclabelfs.base_template)) diff --git a/src/fs/seclabelfs/pstoreseclabelfs.cil b/src/fs/seclabelfs/pstoreseclabelfs.cil new file mode 100644 index 0000000..96d6272 --- /dev/null +++ b/src/fs/seclabelfs/pstoreseclabelfs.cil @@ -0,0 +1,12 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block pstore + + (genfscon "pstore" "/" fs_context) + + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_files) + (blockinherit .seclabelfs.template) + + (allow fs self (filesystem (associate)))) diff --git a/src/fs/seclabelfs/rootseclabelfs.cil b/src/fs/seclabelfs/rootseclabelfs.cil new file mode 100644 index 0000000..d345922 --- /dev/null +++ b/src/fs/seclabelfs/rootseclabelfs.cil @@ -0,0 +1,13 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in root + + (genfscon "rootfs" "/" fs_context) + + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_fifo_files) + (blockinherit .fs.macro_template_files) + (blockinherit .fs.macro_template_lnk_files) + (blockinherit .fs.macro_template_sock_files) + (blockinherit .seclabelfs.template)) diff --git a/src/fs/seclabelfs/sockseclabelfs.cil b/src/fs/seclabelfs/sockseclabelfs.cil new file mode 100644 index 0000000..6c8eeee --- /dev/null +++ b/src/fs/seclabelfs/sockseclabelfs.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block sock + + (fsuse task "sockfs" fs_context) + + (blockinherit .seclabelfs.base_template)) diff --git a/src/fs/seclabelfs/sysseclabelfs.cil b/src/fs/seclabelfs/sysseclabelfs.cil new file mode 100644 index 0000000..946a5ef --- /dev/null +++ b/src/fs/seclabelfs/sysseclabelfs.cil @@ -0,0 +1,11 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in sys + + (genfscon "sysfs" "/" fs_context) + + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_files) + (blockinherit .fs.macro_template_lnk_files) + (blockinherit .seclabelfs.template)) diff --git a/src/fs/seclabelfs/tmpseclabelfs.cil b/src/fs/seclabelfs/tmpseclabelfs.cil new file mode 100644 index 0000000..9563056 --- /dev/null +++ b/src/fs/seclabelfs/tmpseclabelfs.cil @@ -0,0 +1,18 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block tmp + + (fsuse trans "ramfs" fs_context) + (fsuse trans "shm" fs_context) + (fsuse trans "tmpfs" fs_context) + + (blockinherit .fs.macro_template_all_files) + (blockinherit .fs.macro_template_blk_files) + (blockinherit .fs.macro_template_chr_files) + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_fifo_files) + (blockinherit .fs.macro_template_files) + (blockinherit .fs.macro_template_lnk_files) + (blockinherit .fs.macro_template_sock_files) + (blockinherit .seclabelfs.template)) diff --git a/src/fs/seclabelfs/traceseclabelfs.cil b/src/fs/seclabelfs/traceseclabelfs.cil new file mode 100644 index 0000000..4aab6df --- /dev/null +++ b/src/fs/seclabelfs/traceseclabelfs.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block trace + + (genfscon "tracefs" "/" fs_context) + + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_files) + (blockinherit .seclabelfs.template)) diff --git a/src/fs/seclabelfs/xattrseclabelfs.cil b/src/fs/seclabelfs/xattrseclabelfs.cil new file mode 100644 index 0000000..fbe482d --- /dev/null +++ b/src/fs/seclabelfs/xattrseclabelfs.cil @@ -0,0 +1,35 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block xattr + + (fsuse xattr "btrfs" fs_context) + (fsuse xattr "ceph" fs_context) + (fsuse xattr "encfs" fs_context) + (fsuse xattr "erofs" fs_context) + (fsuse xattr "ext2" fs_context) + (fsuse xattr "ext3" fs_context) + (fsuse xattr "ext4" fs_context) + (fsuse xattr "ext4dev" fs_context) + (fsuse xattr "f2fs" fs_context) + (fsuse xattr "gfs" fs_context) + (fsuse xattr "gfs2" fs_context) + (fsuse xattr "gpfs" fs_context) + (fsuse xattr "incremental-fs" fs_context) + (fsuse xattr "jffs2" fs_context) + (fsuse xattr "jfs" fs_context) + (fsuse xattr "lustre" fs_context) + (fsuse xattr "ocfs2" fs_context) + (fsuse xattr "odms" fs_context) + (fsuse xattr "overlay" fs_context) + (fsuse xattr "shiftfs" fs_context) + (fsuse xattr "squashfs" fs_context) + (fsuse xattr "ubifs" fs_context) + (fsuse xattr "virtiofs" fs_context) + (fsuse xattr "vxclonefs" fs_context) + (fsuse xattr "vxfs" fs_context) + (fsuse xattr "xfs" fs_context) + (fsuse xattr "yaffs2" fs_context) + (fsuse xattr "zfs" fs_context) + + (blockinherit .seclabelfs.template)) diff --git a/src/invalid.cil b/src/invalid.cil new file mode 100644 index 0000000..b11a4e0 --- /dev/null +++ b/src/invalid.cil @@ -0,0 +1,441 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(sidcontext unlabeled (sys.id sys.role invalid lowlevelrange)) + +(macro addname_invalid_dirs ((type ARG1)) + (allow ARG1 invalid addname_dir)) + +(macro append_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid append_blk_file)) + +(macro append_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid append_chr_file)) + +(macro append_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid append_fifo_file)) + +(macro append_invalid_files ((type ARG1)) + (allow ARG1 invalid append_file)) + +(macro appendinherited_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid appendinherited_blk_file)) + +(macro appendinherited_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid appendinherited_chr_file)) + +(macro appendinherited_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid appendinherited_fifo_file)) + +(macro appendinherited_invalid_files ((type ARG1)) + (allow ARG1 invalid appendinherited_file)) + +(macro create_invalid ((type ARG1)) + (allow ARG1 invalid (files (create)))) + +(macro create_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid create_blk_file)) + +(macro create_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid create_chr_file)) + +(macro create_invalid_dirs ((type ARG1)) + (allow ARG1 invalid create_dir)) + +(macro create_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid create_fifo_file)) + +(macro create_invalid_files ((type ARG1)) + (allow ARG1 invalid create_file)) + +(macro create_invalid_lnk_files ((type ARG1)) + (allow ARG1 invalid create_lnk_file)) + +(macro create_invalid_sock_files ((type ARG1)) + (allow ARG1 invalid create_sock_file)) + +(macro delete_invalid ((type ARG1)) + (allow ARG1 invalid (files (delete)))) + +(macro delete_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid delete_blk_file)) + +(macro delete_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid delete_chr_file)) + +(macro delete_invalid_dirs ((type ARG1)) + (allow ARG1 invalid delete_dir)) + +(macro delete_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid delete_fifo_file)) + +(macro delete_invalid_files ((type ARG1)) + (allow ARG1 invalid delete_file)) + +(macro delete_invalid_lnk_files ((type ARG1)) + (allow ARG1 invalid delete_lnk_file)) + +(macro delete_invalid_sock_files ((type ARG1)) + (allow ARG1 invalid delete_sock_file)) + +(macro deletename_invalid_dirs ((type ARG1)) + (allow ARG1 invalid deletename_dir)) + +(macro execute_invalid_files ((type ARG1)) + (allow ARG1 invalid execute_file)) + +(macro getattr_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process (getattr)))) + +(macro getrlimit_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process (getrlimit)))) + +(macro getsched_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process (getsched)))) + +(macro invalid_type_transition ((type ARG1)(type ARG2)(class ARG3)(name ARG4)) + (typetransition ARG1 invalid ARG3 ARG4 ARG2) + (call addname_invalid_dirs (ARG1))) + +(macro list_invalid_dirs ((type ARG1)) + (allow ARG1 invalid list_dir)) + +(macro listinherited_invalid_dirs ((type ARG1)) + (allow ARG1 invalid listinherited_dir)) + +(macro manage_invalid ((type ARG1)) + (allow ARG1 invalid (files (manage)))) + +(macro manage_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid manage_blk_file)) + +(macro manage_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid manage_chr_file)) + +(macro manage_invalid_dirs ((type ARG1)) + (allow ARG1 invalid manage_dir)) + +(macro manage_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid manage_fifo_file)) + +(macro manage_invalid_files ((type ARG1)) + (allow ARG1 invalid manage_file)) + +(macro manage_invalid_lnk_files ((type ARG1)) + (allow ARG1 invalid manage_lnk_file)) + +(macro manage_invalid_sock_files ((type ARG1)) + (allow ARG1 invalid manage_sock_file)) + +(macro mapexecute_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid mapexecute_chr_file)) + +(macro mapexecute_invalid_files ((type ARG1)) + (allow ARG1 invalid mapexecute_file)) + +(macro mounton_invalid_dirs ((type ARG1)) + (allow ARG1 invalid mounton_dir)) + +(macro mounton_invalid_files ((type ARG1)) + (allow ARG1 invalid mounton_file)) + +(macro nnptransition_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process2 (nnp_transition)))) + +(macro noatsecure_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process (noatsecure)))) + +(macro nosuidtransition_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process2 (nosuid_transition)))) + +(macro ps_invalid_states ((type ARG1)) + (allow ARG1 invalid (state (ps)))) + +(macro ptrace_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process (ptrace)))) + +(macro read_invalid ((type ARG1)) + (allow ARG1 invalid (files (read)))) + +(macro read_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid read_blk_file)) + +(macro read_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid read_chr_file)) + +(macro read_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid read_fifo_file)) + +(macro read_invalid_files ((type ARG1)) + (allow ARG1 invalid read_file)) + +(macro read_invalid_lnk_files ((type ARG1)) + (allow ARG1 invalid read_lnk_file)) + +(macro read_invalid_sock_files ((type ARG1)) + (allow ARG1 invalid read_sock_file)) + +(macro read_invalid_states ((type ARG1)) + (allow ARG1 invalid (state (read)))) + +(macro readinherited_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid readinherited_blk_file)) + +(macro readinherited_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid readinherited_chr_file)) + +(macro readinherited_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid readinherited_fifo_file)) + +(macro readinherited_invalid_files ((type ARG1)) + (allow ARG1 invalid readinherited_file)) + +(macro readinherited_invalid_sock_files ((type ARG1)) + (allow ARG1 invalid readinherited_sock_file)) + +(macro readwrite_invalid ((type ARG1)) + (allow ARG1 invalid (files (readwrite)))) + +(macro readwrite_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid readwrite_blk_file)) + +(macro readwrite_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid readwrite_chr_file)) + +(macro readwrite_invalid_dirs ((type ARG1)) + (allow ARG1 invalid readwrite_dir)) + +(macro readwrite_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid readwrite_fifo_file)) + +(macro readwrite_invalid_files ((type ARG1)) + (allow ARG1 invalid readwrite_file)) + +(macro readwrite_invalid_lnk_files ((type ARG1)) + (allow ARG1 invalid readwrite_lnk_file)) + +(macro readwrite_invalid_sock_files ((type ARG1)) + (allow ARG1 invalid readwrite_sock_file)) + +(macro readwriteinherited_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid readwriteinherited_blk_file)) + +(macro readwriteinherited_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid readwriteinherited_chr_file)) + +(macro readwriteinherited_invalid_dirs ((type ARG1)) + (allow ARG1 invalid readwriteinherited_dir)) + +(macro readwriteinherited_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid readwriteinherited_fifo_file)) + +(macro readwriteinherited_invalid_files ((type ARG1)) + (allow ARG1 invalid readwriteinherited_file)) + +(macro readwriteinherited_invalid_sock_files ((type ARG1)) + (allow ARG1 invalid readwriteinherited_sock_file)) + +(macro relabel_invalid ((type ARG1)) + (allow ARG1 invalid (files (relabel)))) + +(macro relabel_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid relabel_blk_file)) + +(macro relabel_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid relabel_chr_file)) + +(macro relabel_invalid_dirs ((type ARG1)) + (allow ARG1 invalid relabel_dir)) + +(macro relabel_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid relabel_fifo_file)) + +(macro relabel_invalid_files ((type ARG1)) + (allow ARG1 invalid relabel_file)) + +(macro relabel_invalid_lnk_files ((type ARG1)) + (allow ARG1 invalid relabel_lnk_file)) + +(macro relabel_invalid_sock_files ((type ARG1)) + (allow ARG1 invalid relabel_sock_file)) + +(macro relabelfrom_invalid ((type ARG1)) + (allow ARG1 invalid (files (relabelfrom)))) + +(macro relabelfrom_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid relabelfrom_blk_file)) + +(macro relabelfrom_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid relabelfrom_chr_file)) + +(macro relabelfrom_invalid_dirs ((type ARG1)) + (allow ARG1 invalid relabelfrom_dir)) + +(macro relabelfrom_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid relabelfrom_fifo_file)) + +(macro relabelfrom_invalid_files ((type ARG1)) + (allow ARG1 invalid relabelfrom_file)) + +(macro relabelfrom_invalid_lnk_files ((type ARG1)) + (allow ARG1 invalid relabelfrom_lnk_file)) + +(macro relabelfrom_invalid_sock_files ((type ARG1)) + (allow ARG1 invalid relabelfrom_sock_file)) + +(macro relabelto_invalid ((type ARG1)) + (allow ARG1 invalid (files (relabelto)))) + +(macro relabelto_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid relabelto_blk_file)) + +(macro relabelto_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid relabelto_chr_file)) + +(macro relabelto_invalid_dirs ((type ARG1)) + (allow ARG1 invalid relabelto_dir)) + +(macro relabelto_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid relabelto_fifo_file)) + +(macro relabelto_invalid_files ((type ARG1)) + (allow ARG1 invalid relabelto_file)) + +(macro relabelto_invalid_lnk_files ((type ARG1)) + (allow ARG1 invalid relabelto_lnk_file)) + +(macro relabelto_invalid_sock_files ((type ARG1)) + (allow ARG1 invalid relabelto_sock_file)) + +(macro rename_invalid ((type ARG1)) + (allow ARG1 invalid (files (rename)))) + +(macro rename_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid rename_blk_file)) + +(macro rename_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid rename_chr_file)) + +(macro rename_invalid_dirs ((type ARG1)) + (allow ARG1 invalid rename_dir)) + +(macro rename_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid rename_fifo_file)) + +(macro rename_invalid_files ((type ARG1)) + (allow ARG1 invalid rename_file)) + +(macro rename_invalid_lnk_files ((type ARG1)) + (allow ARG1 invalid rename_lnk_file)) + +(macro rename_invalid_sock_files ((type ARG1)) + (allow ARG1 invalid rename_sock_file)) + +(macro rlimitinh_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process (rlimitinh)))) + +(macro search_invalid_dirs ((type ARG1)) + (allow ARG1 invalid search_dir)) + +(macro setrlimit_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process (setrlimit)))) + +(macro setsched_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process (setsched)))) + +(macro sigchld_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process (sigchld)))) + +(macro sigkill_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process (sigkill)))) + +(macro signal_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process (signal)))) + +(macro signull_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process (signull)))) + +(macro sigstop_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process (sigstop)))) + +(macro transition_invalid_processes ((type ARG1)) + (allow ARG1 invalid (process (transition)))) + +(macro write_invalid ((type ARG1)) + (allow ARG1 invalid (files (write)))) + +(macro write_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid write_blk_file)) + +(macro write_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid write_chr_file)) + +(macro write_invalid_dirs ((type ARG1)) + (allow ARG1 invalid write_dir)) + +(macro write_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid write_fifo_file)) + +(macro write_invalid_files ((type ARG1)) + (allow ARG1 invalid write_file)) + +(macro write_invalid_lnk_files ((type ARG1)) + (allow ARG1 invalid write_lnk_file)) + +(macro write_invalid_sock_files ((type ARG1)) + (allow ARG1 invalid write_sock_file)) + +(macro writeinherited_invalid_blk_files ((type ARG1)) + (allow ARG1 invalid writeinherited_blk_file)) + +(macro writeinherited_invalid_chr_files ((type ARG1)) + (allow ARG1 invalid writeinherited_chr_file)) + +(macro writeinherited_invalid_dirs ((type ARG1)) + (allow ARG1 invalid writeinherited_dir)) + +(macro writeinherited_invalid_fifo_files ((type ARG1)) + (allow ARG1 invalid writeinherited_fifo_file)) + +(macro writeinherited_invalid_files ((type ARG1)) + (allow ARG1 invalid writeinherited_file)) + +(macro writeinherited_invalid_sock_files ((type ARG1)) + (allow ARG1 invalid writeinherited_sock_file)) + +(type invalid) +(roletype sys.role invalid) + +(call .xattr.associate_fs (invalid)) + +(block invalid + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr .invalid + (process (not (dyntransition execheap execstack transition)))) + (allow typeattr .invalid + (process2 (not (nnp_transition nosuid_transition)))) + + (allow typeattr .invalid + (blk_file (not (audit_access execmod map mounton relabelto)))) + (allow typeattr .invalid + (chr_file (not (audit_access execmod mounton relabelto)))) + (allow typeattr .invalid (dir (not (audit_access execmod relabelto)))) + (allow typeattr .invalid + (fifo_file (not (audit_access execmod map mounton relabelto)))) + (allow typeattr .invalid + (file (not (audit_access entrypoint execmod relabelto)))) + (allow typeattr .invalid + (lnk_file (not (audit_access execmod map mounton relabelto)))) + (allow typeattr .invalid + (sock_file (not (audit_access execmod map mounton relabelto)))))) + +(in unconfined + + (call .invalid.unconfined.type (typeattr))) diff --git a/src/misc.cil b/src/misc.cil new file mode 100644 index 0000000..73c45aa --- /dev/null +++ b/src/misc.cil @@ -0,0 +1,697 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in boot + + (filecon "/boot" dir file_context) + (filecon "/boot/.*" any file_context) + + (macro root_file_type_transition_file ((type ARG1)) + (call .root.file_type_transition + (ARG1 file dir "boot")))) + +(in bpf + + (filecon "/sys/fs/bpf" dir ()) + (filecon "/sys/fs/bpf/.*" any ())) + +(in cache + + (filecon "/var/cache" dir file_context) + (filecon "/var/cache/.*" any file_context) + + (macro var_file_type_transition_file ((type ARG1)) + (call .var.file_type_transition + (ARG1 file dir "cache"))) + + (call .root.associate_fs (file))) + +(in cert + + (filecon "/etc/pki" dir file_context) + (filecon "/etc/pki/.*" any file_context) + + (filecon "/etc/ssl" dir file_context) + (filecon "/etc/ssl/.*" any file_context) + + (filecon "/usr/share/pki" dir file_context) + (filecon "/usr/share/pki/.*" any file_context) + + (macro conf_file_type_transition_file ((type ARG1)) + (call .conf.file_type_transition + (ARG1 file dir "pki")) + (call .conf.file_type_transition + (ARG1 file dir "ssl"))) + + (macro data_file_type_transition_file ((type ARG1)) + (call .data.file_type_transition + (ARG1 file dir "pki")))) + +(in cgroup + + (filecon "/sys/fs/cgroup" dir ()) + (filecon "/sys/fs/cgroup/.*" any ()) + + (allow fs self (filesystem (associate))) + + (call .rbacsep.exempt.obj.type (fs)) + + (call .sys.associate_fs (fs))) + +(in conf + + (filecon "/etc" dir file_context) + (filecon "/etc/.*" any file_context) + + (macro data_file_type_transition_file ((type ARG1)) + (call .data.file_type_transition + (ARG1 file dir "etc"))) + + (macro root_file_type_transition_file ((type ARG1)) + (call .root.file_type_transition + (ARG1 file dir "etc")))) + +(in config + + (filecon "/sys/kernel/config" dir ()) + (filecon "/sys/kernel/config/.*" any ())) + +(in data + + (filecon "/opt" dir file_context) + (filecon "/opt/.*" any file_context) + + (filecon "/usr" dir file_context) + (filecon "/usr/.*" any file_context) + + (filecon "/tmp" symlink file_context) + + (macro root_file_type_transition_file ((type ARG1)) + (call .root.file_type_transition + (ARG1 file dir "opt")) + (call .root.file_type_transition + (ARG1 file dir "usr")))) + +(in db + + (filecon "/var/db" dir file_context) + (filecon "/var/db/.*" any file_context) + + (macro var_file_type_transition_file ((type ARG1)) + (call .var.file_type_transition + (ARG1 file dir "db")))) + +(in debug + + (filecon "/sys/kernel/debug" dir ()) + (filecon "/sys/kernel/debug/.*" any ())) + +(in dev + + (filecon "/dev" dir file_context) + (filecon "/dev/.*" block file_context) + (filecon "/dev/.*" char file_context) + (filecon "/dev/.*" dir file_context) + (filecon "/dev/.*" file file_context) + (filecon "/dev/.*" pipe file_context) + (filecon "/dev/.*" socket file_context) + (filecon "/dev/.*" symlink file_context) + + (macro root_file_type_transition_file ((type ARG1)) + (call .root.file_type_transition + (ARG1 file dir "dev"))) + + (call .tmp.associate_fs (typeattr)) + + (call .tmp.associate_fs (file)) + + (call .xattr.associate_fs (file))) + +(in devpts + + (filecon "/dev/pts" dir ()) + (filecon "/dev/pts/.*" any ())) + +(in devtmp + + (allow fs self (filesystem (associate)))) + +(in dos + + (filecon "/boot/efi" dir fs_context) + (filecon "/boot/efi/.*" any ()) + + (filecon "/efi" dir fs_context) + (filecon "/efi/.*" any ()) + + (macro boot_file_type_transition_fs ((type ARG1)) + (call .boot.file_type_transition + (ARG1 fs dir "efi"))) + + (macro root_file_type_transition_fs ((type ARG1)) + (call .boot.file_type_transition + (ARG1 fs dir "efi"))) + + (call .xattr.associate_fs (fs))) + +(in efivar + + (filecon "/sys/firmware/efi/efivars" dir ()) + (filecon "/sys/firmware/efi/efivars/.*" any ())) + +(in exec + + (filecon "/usr/bin" dir file_context) + (filecon "/usr/bin/.*" any file_context) + + (macro data_file_type_transition_file ((type ARG1)) + (call .data.file_type_transition + (ARG1 file dir "bin")) + (call .data.file_type_transition + (ARG1 file dir "libexec")) + (call .data.file_type_transition + (ARG1 file dir "sbin"))) + + (macro root_file_type_transition_file ((type ARG1)) + (call .root.file_type_transition + (ARG1 file dir "bin")) + (call .root.file_type_transition + (ARG1 file dir "sbin")))) + +(in file.run + + (call .xattr.associate_fs (typeattr))) + +(in file.tmp + + (call .xattr.associate_fs (typeattr))) + +(in file.unconfined + + (call .boot.root_file_type_transition_file (typeattr)) + (call .cache.var_file_type_transition_file (typeattr)) + (call .cert.conf_file_type_transition_file (typeattr)) + (call .cert.data_file_type_transition_file (typeattr)) + (call .conf.data_file_type_transition_file (typeattr)) + (call .conf.root_file_type_transition_file (typeattr)) + (call .data.root_file_type_transition_file (typeattr)) + (call .db.var_file_type_transition_file (typeattr)) + (call .dev.root_file_type_transition_file (typeattr)) + (call .exec.data_file_type_transition_file (typeattr)) + (call .exec.root_file_type_transition_file (typeattr)) + (call .home.root_file_type_transition_file (typeattr)) + (call .lib.data_file_type_transition_file (typeattr)) + (call .lib.root_file_type_transition_file (typeattr)) + (call .log.var_file_type_transition_file (typeattr)) + (call .lostfound.boot_file_type_transition_file (typeattr)) + (call .lostfound.cache_file_type_transition_file (typeattr)) + (call .lostfound.conf_file_type_transition_file (typeattr)) + (call .lostfound.data_file_type_transition_file (typeattr)) + (call .lostfound.db_file_type_transition_file (typeattr)) + (call .lostfound.home_file_type_transition_file (typeattr)) + (call .lostfound.log_file_type_transition_file (typeattr)) + (call .lostfound.root_file_type_transition_file (typeattr)) + (call .lostfound.run_file_type_transition_file (typeattr)) + (call .lostfound.spool_file_type_transition_file (typeattr)) + (call .lostfound.state_file_type_transition_file (typeattr)) + (call .lostfound.tmp_file_type_transition_file (typeattr)) + (call .lostfound.var_file_type_transition_file (typeattr)) + (call .mail.spool.spool_file_type_transition_file (typeattr)) + (call .mail.spool.var_file_type_transition_file (typeattr)) + (call .media.root_file_type_transition_file (typeattr)) + (call .media.run_file_type_transition_file (typeattr)) + (call .mod.lib_file_type_transition_file (typeattr)) + (call .run.root_file_type_transition_file (typeattr)) + (call .run.var_file_type_transition_file (typeattr)) + (call .runlock.run_file_type_transition_file (typeattr)) + (call .runlock.var_file_type_transition_file (typeattr)) + (call .runuser.run_file_type_transition_file (typeattr)) + (call .spool.var_file_type_transition_file (typeattr)) + (call .src.data_file_type_transition_file (typeattr)) + (call .state.var_file_type_transition_file (typeattr)) + (call .sys.home.root_file_type_transition_file (typeattr)) + (call .tmp.data_file_type_transition_file (typeattr)) + (call .tmp.root_file_type_transition_file (typeattr)) + (call .tmp.var_file_type_transition_file (typeattr)) + (call .var.root_file_type_transition_file (typeattr))) + +(in fs.unconfined + + (call .dos.boot_file_type_transition_fs (typeattr)) + (call .dos.root_file_type_transition_fs (typeattr)) + (call .proc.root_file_type_transition_fs (typeattr)) + (call .sys.root_file_type_transition_fs (typeattr))) + +(in fuse + + (filecon "/sys/fs/fuse/connections" dir ()) + (filecon "/sys/fs/fuse/connections/.*" any ())) + +(in home + + (filecon "/home" dir file_context) + (filecon "/home/.*" any file_context) + + (macro root_file_type_transition_file ((type ARG1)) + (call .root.file_type_transition + (ARG1 file dir "home")))) + +(in hugetlb + + (filecon "/dev/hugepages" dir ()) + (filecon "/dev/hugepages/.*" any ()) + + (allow fs self (filesystem (associate)))) + +(in lib + + (filecon "/usr/lib" dir file_context) + (filecon "/usr/lib/.*" any file_context) + + (macro data_file_type_transition_file ((type ARG1)) + (call .data.file_type_transition + (ARG1 file dir "lib")) + (call .data.file_type_transition + (ARG1 file dir "lib64"))) + + (macro root_file_type_transition_file ((type ARG1)) + (call .root.file_type_transition + (ARG1 file dir "lib")) + (call .root.file_type_transition + (ARG1 file dir "lib64")))) + +(in log + + (filecon "/var/log" dir file_context) + (filecon "/var/log/.*" any file_context) + + (macro var_file_type_transition_file ((type ARG1)) + (call .var.file_type_transition + (ARG1 file dir "log"))) + + (call .tmp.associate_fs (file))) + +(in lostfound + + (filecon "/\.journal" file ()) + (filecon "/lost\+found" dir file_context) + + (filecon "/boot/\.journal" file ()) + (filecon "/boot/lost\+found" dir file_context) + + (filecon "/etc/\.journal" file ()) + (filecon "/etc/lost\+found" dir file_context) + + (filecon "/home/\.journal" file ()) + (filecon "/home/lost\+found" dir file_context) + + (filecon "/opt/\.journal" file ()) + (filecon "/opt/lost\+found" dir file_context) + + (filecon "/run/\.journal" file ()) + (filecon "/run/lost\+found" dir file_context) + + (filecon "/srv/\.journal" file ()) + (filecon "/srv/lost\+found" dir file_context) + + (filecon "/tmp/\.journal" file ()) + (filecon "/tmp/lost\+found" dir file_context) + + (filecon "/usr/\.journal" file ()) + (filecon "/usr/lost\+found" dir file_context) + + (filecon "/usr/tmp/\.journal" file ()) + (filecon "/usr/tmp/lost\+found" dir file_context) + + (filecon "/var/\.journal" file ()) + (filecon "/var/lost\+found" dir file_context) + + (filecon "/var/cache/\.journal" file ()) + (filecon "/var/cache/lost\+found" dir file_context) + + (filecon "/var/db/\.journal" file ()) + (filecon "/var/db/lost\+found" dir file_context) + + (filecon "/var/lib/\.journal" file ()) + (filecon "/var/lib/lost\+found" dir file_context) + + (filecon "/var/log/\.journal" file ()) + (filecon "/var/log/lost\+found" dir file_context) + + (filecon "/var/run/\.journal" file ()) + (filecon "/var/run/lost\+found" dir file_context) + + (filecon "/var/spool/\.journal" file ()) + (filecon "/var/spool/lost\+found" dir file_context) + + (filecon "/var/tmp/\.journal" file ()) + (filecon "/var/tmp/lost\+found" dir file_context) + + (macro boot_file_type_transition_file ((type ARG1)) + (call .boot.file_type_transition + (ARG1 file dir "lost+found"))) + + (macro cache_file_type_transition_file ((type ARG1)) + (call .cache.file_type_transition + (ARG1 file dir "lost+found"))) + + (macro conf_file_type_transition_file ((type ARG1)) + (call .conf.file_type_transition + (ARG1 file dir "lost+found"))) + + (macro data_file_type_transition_file ((type ARG1)) + (call .data.file_type_transition + (ARG1 file dir "lost+found"))) + + (macro db_file_type_transition_file ((type ARG1)) + (call .db.file_type_transition + (ARG1 file dir "lost+found"))) + + (macro home_file_type_transition_file ((type ARG1)) + (call .home.file_type_transition + (ARG1 file dir "lost+found"))) + + (macro log_file_type_transition_file ((type ARG1)) + (call .log.file_type_transition + (ARG1 file dir "lost+found"))) + + (macro root_file_type_transition_file ((type ARG1)) + (call .root.file_type_transition + (ARG1 file dir "lost+found"))) + + (macro run_file_type_transition_file ((type ARG1)) + (call .run.file_type_transition + (ARG1 file dir "lost+found"))) + + (macro spool_file_type_transition_file ((type ARG1)) + (call .spool.file_type_transition + (ARG1 file dir "lost+found"))) + + (macro state_file_type_transition_file ((type ARG1)) + (call .state.file_type_transition + (ARG1 file dir "lost+found"))) + + (macro tmp_file_type_transition_file ((type ARG1)) + (call .tmp.file_type_transition + (ARG1 file dir "lost+found"))) + + (macro var_file_type_transition_file ((type ARG1)) + (call .var.file_type_transition + (ARG1 file dir "lost+found")))) + +(in mail.spool + + (filecon "/var/spool/mail" dir file_context) + (filecon "/var/spool/mail/.*" any file_context) + + (macro spool_file_type_transition_file ((type ARG1)) + (call .spool.file_type_transition + (ARG1 file dir "mail"))) + + (macro var_file_type_transition_file ((type ARG1)) + (call .var.file_type_transition + (ARG1 file dir "mail")))) + +(in media + + (filecon "/media" dir file_context) + (filecon "/media/.*" any ()) + + (filecon "/mnt" dir file_context) + (filecon "/mnt/.*" any ()) + + (filecon "/run/media" dir file_context) + (filecon "/run/media/.*" any ()) + + (macro root_file_type_transition_file ((type ARG1)) + (call .root.file_type_transition + (ARG1 file dir "media")) + (call .root.file_type_transition + (ARG1 file dir "mnt"))) + + (macro run_file_type_transition_file ((type ARG1)) + (call .run.file_type_transition + (ARG1 file dir "media"))) + + (call .tmp.associate_fs (file))) + +(in mod + + (filecon "/usr/lib/modules" dir file_context) + (filecon "/usr/lib/modules/.*" any file_context) + + (macro lib_file_type_transition_file ((type ARG1)) + (call .lib.file_type_transition + (ARG1 file dir "modules")))) + +(in mqueue + + (filecon "/dev/mqueue" dir ()) + (filecon "/dev/mqueue/.*" any ()) + + (allow fs self (filesystem (associate)))) + +(in proc + + (filecon "/proc" dir fs_context) + (filecon "/proc/.*" any ()) + + (macro root_file_type_transition_fs ((type ARG1)) + (call .root.file_type_transition + (ARG1 fs dir "proc"))) + + (call .xattr.associate_fs (fs))) + +(in pstore + + (filecon "/sys/fs/pstore" dir ()) + (filecon "/sys/fs/pstore/.*" any ())) + +(in root + + (filecon "/usr/bin" symlink file_context) + (filecon "/usr/lib" symlink file_context) + + (allow fs self (filesystem (associate)))) + +(in rpcpipe + + (filecon "/run/rpc_pipefs" dir ()) + (filecon "/run/rpc_pipefs/.*" any ())) + +(in run + + (filecon "/run" dir file_context) + (filecon "/run/.*" any file_context) + + (macro root_file_type_transition_file ((type ARG1)) + (call .root.file_type_transition + (ARG1 file dir "run"))) + + (macro var_file_type_transition_file ((type ARG1)) + (call .var.file_type_transition + (ARG1 file dir "run"))) + + (call .root.associate_fs (file))) + +(in runlock + + (filecon "/run/lock" dir file_context) + (filecon "/run/lock/.*" any file_context) + + (macro run_file_type_transition_file ((type ARG1)) + (call .run.file_type_transition + (ARG1 file dir "lock"))) + + (macro var_file_type_transition_file ((type ARG1)) + (call .var.file_type_transition + (ARG1 file dir "lock")))) + +(in runuser + + (filecon "/run/user" dir file_context) + (filecon "/run/user/.*" any file_context) + + (macro run_file_type_transition_file ((type ARG1)) + (call .run.file_type_transition + (ARG1 file dir "user")))) + +(in security + + (filecon "/sys/kernel/security" dir ()) + (filecon "/sys/kernel/security/.*" any ())) + +(in selinux + + (filecon "/sys/fs/selinux" dir ()) + (filecon "/sys/fs/selinux/.*" any ())) + +(in spool + + (filecon "/var/spool" dir file_context) + (filecon "/var/spool/.*" any file_context) + + (macro var_file_type_transition_file ((type ARG1)) + (call .var.file_type_transition + (ARG1 file dir "spool")))) + +(in src + + (filecon "/usr/src" dir file_context) + (filecon "/usr/src/.*" any file_context) + + (macro data_file_type_transition_file ((type ARG1)) + (call .data.file_type_transition + (ARG1 file dir "src")))) + +(in state + + (filecon "/var/lib" dir file_context) + (filecon "/var/lib/.*" any file_context) + + (macro var_file_type_transition_file ((type ARG1)) + (call .var.file_type_transition + (ARG1 file dir "lib"))) + + (call .root.associate_fs (file))) + +(in sys + + (filecon "/sys" dir fs_context) + (filecon "/sys/.*" any ()) + + (macro root_file_type_transition_fs ((type ARG1)) + (call .root.file_type_transition + (ARG1 fs dir "sys"))) + + (allow fs self (filesystem (associate))) + + (call hugetlbfs.hugetlb_fs_type_transition_file (subj "*")) + + (call mqueuefs.mqueue_fs_type_transition_file (subj "*")) + + (call tmp.tmp_file_type_transition_file (subj dir "*")) + (call tmp.tmp_file_type_transition_file (subj fifo_file "*")) + (call tmp.tmp_file_type_transition_file (subj file "*")) + (call tmp.tmp_file_type_transition_file (subj lnk_file "*")) + (call tmp.tmp_file_type_transition_file (subj sock_file "*")) + + (call tmpfs.tmp_fs_type_transition_file (subj dir "*")) + (call tmpfs.tmp_fs_type_transition_file (subj fifo_file "*")) + (call tmpfs.tmp_fs_type_transition_file (subj file "*")) + (call tmpfs.tmp_fs_type_transition_file (subj lnk_file "*")) + (call tmpfs.tmp_fs_type_transition_file (subj sock_file "*")) + + (call .tmp.sys_tmp_file_type_transition_file (subj)) + + (call .xattr.associate_fs (fs))) + +(in sys.home + + (filecon "/root" dir file_context) + (filecon "/root/.*" any file_context) + + (macro root_file_type_transition_file ((type ARG1)) + (call .root.fs_type_transition + (ARG1 file dir "root")))) + +(in sys.hugetlbfs + + (macro hugetlb_fs_type_transition_file ((type ARG1)(name ARG2)) + (call .hugetlb.fs_type_transition + (ARG1 file file ARG2)))) + +(in sys.mqueuefs + + (macro mqueue_fs_type_transition_file ((type ARG1)(name ARG2)) + (call .mqueue.fs_type_transition + (ARG1 file file ARG2)))) + +(in sys.tmp + + (macro tmp_file_type_transition_file ((type ARG1)(class ARG2)(name ARG3)) + (call .tmp.file_type_transition + (ARG1 file ARG2 ARG3)))) + +(in sys.tmpfs + + (macro tmp_fs_type_transition_file ((type ARG1)(class ARG2)(name ARG3)) + (call .tmp.fs_type_transition + (ARG1 file ARG2 ARG3)))) + +(in sys.unconfined + + (allow typeattr subj (system (reboot reload start status stop)))) + +(in tmp + + (filecon "/dev/shm" dir fs_context) + (filecon "/dev/shm/.*" any ()) + + (filecon "/run/initramfs/.*" any ()) + + (filecon "/tmp" dir file_context) + (filecon "/tmp/.*" any ()) + + (filecon "/tmp/\.font-unix" dir file_context) + (filecon "/tmp/\.font-unix/.*" any ()) + (filecon "/tmp/\.ICE-unix" dir file_context) + (filecon "/tmp/\.ICE-unix/.*" any ()) + (filecon "/tmp/\.Test-unix" dir file_context) + (filecon "/tmp/\.Test-unix/.*" any ()) + (filecon "/tmp/\.X11-unix" dir file_context) + (filecon "/tmp/\.X11-unix/.*" any ()) + (filecon "/tmp/\.XIM-unix" dir file_context) + (filecon "/tmp/\.XIM-unix/.*" any ()) + + (macro data_file_type_transition_file ((type ARG1)) + (call .data.file_type_transition + (ARG1 file dir "tmp"))) + + (macro root_file_type_transition_file ((type ARG1)) + (call .root.file_type_transition + (ARG1 file dir "tmp"))) + + (macro sys_tmp_file_type_transition_file ((type ARG1)) + (call .sys.tmp.file_type_transition + (ARG1 file dir "tmp"))) + + (macro var_file_type_transition_file ((type ARG1)) + (call .var.file_type_transition + (ARG1 file dir "tmp"))) + + (allow fs self (filesystem (associate))) + + (call .devtmp.associate_fs (fs))) + +(in trace + + (filecon "/sys/kernel/tracing" dir ()) + (filecon "/sys/kernel/tracing/.*" any ())) + +(in var + + (filecon "/run" symlink file_context) + (filecon "/run/lock" symlink file_context) + + (filecon "/srv" dir file_context) + (filecon "/srv/.*" any file_context) + + (filecon "/var" dir file_context) + (filecon "/var/.*" any file_context) + + (filecon "/var/spool/mail" symlink file_context) + + (macro root_file_type_transition_file ((type ARG1)) + (call .root.file_type_transition + (ARG1 file dir "srv")) + (call .root.file_type_transition + (ARG1 file dir "var")))) + +(typealias dpkg_script_t) +(typealiasactual dpkg_script_t sys.subj) + +(typealias rpm_script_t) +(typealiasactual rpm_script_t sys.subj) + +(tunable xserver_object_manager false) diff --git a/src/misc/av.cil b/src/misc/av.cil new file mode 100644 index 0000000..e366d81 --- /dev/null +++ b/src/misc/av.cil @@ -0,0 +1,48 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class blk_file ()) +(classorder (unordered blk_file)) + +(class chr_file ()) +(classorder (unordered chr_file)) + +(class dir (add_name remove_name reparent rmdir search)) +(classorder (unordered dir)) + +(class fifo_file ()) +(classorder (unordered fifo_file)) + +(class file (entrypoint execute_no_trans)) +(classorder (unordered file)) + +(class lnk_file ()) +(classorder (unordered lnk_file)) + +(class process + (dyntransition execheap execmem execstack fork getattr getcap getpgid + getrlimit getsched getsession noatsecure ptrace rlimitinh + setexec setcap setcurrent setfscreate setkeycreate setpgid + setrlimit setsched setsockcreate share sigchld siginh + sigkill signal signull sigstop transition)) +(classorder (unordered process)) + +(class process2 (nnp_transition nosuid_transition)) +(classorder (unordered process2)) + +(class sock_file ()) +(classorder (unordered sock_file)) + +(classcommon blk_file common_file) +(classcommon chr_file common_file) +(classcommon dir common_file) +(classcommon fifo_file common_file) +(classcommon file common_file) +(classcommon lnk_file common_file) +(classcommon sock_file common_file) + +(common common_file + (append audit_access create execmod execute getattr ioctl lock link map + mounton open quotaon read relabelfrom relabelto rename setattr + unlink watch watch_mount watch_reads watch_sb watch_with_perm + write)) diff --git a/src/misc/av/binderav.cil b/src/misc/av/binderav.cil new file mode 100644 index 0000000..a6108c4 --- /dev/null +++ b/src/misc/av/binderav.cil @@ -0,0 +1,41 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class binder (call impersonate set_context_mgr transfer)) +(classorder (unordered binder)) + +(macro call_invalid_binders ((type ARG1)) + (allow ARG1 .invalid (binder (call)))) + +(macro transfer_invalid_binders ((type ARG1)) + (allow ARG1 .invalid (binder (transfer)))) + +(in invalid.unconfined + + (allow typeattr .invalid (binder (not (impersonate set_context_mgr))))) + +(in subj + + (macro call_all_binders ((type ARG1)) + (allow ARG1 typeattr (binder (call)))) + + (macro impersonate_all_binders ((type ARG1)) + (allow ARG1 typeattr (binder (impersonate)))) + + (macro transfer_all_binders ((type ARG1)) + (allow ARG1 typeattr (binder (transfer))))) + +(in subj.macro_template + + (macro call_subj_binders ((type ARG1)) + (allow ARG1 subj (binder (call)))) + + (macro impersonate_subj_binders ((type ARG1)) + (allow ARG1 subj (binder (impersonate)))) + + (macro transfer_subj_binders ((type ARG1)) + (allow ARG1 subj (binder (transfer))))) + +(in subj.unconfined + + (allow typeattr .subj.typeattr (binder (all)))) diff --git a/src/misc/av/bpfav.cil b/src/misc/av/bpfav.cil new file mode 100644 index 0000000..8258a1d --- /dev/null +++ b/src/misc/av/bpfav.cil @@ -0,0 +1,30 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class bpf (map_create map_read map_write prog_load prog_run)) +(classorder (unordered bpf)) + +(in invalid.unconfined + + (allow typeattr .invalid (bpf (map_read map_write prog_run)))) + +(in mcs + + (mlsconstrain (bpf (map_read map_write prog_run)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in rbacsep + + (constrain (bpf (map_read map_write prog_run)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) + +(in subj.unconfined + + (allow typeattr self (bpf (not (map_read map_write prog_run)))) + (allow typeattr subj.typeattr (bpf (map_read map_write prog_run)))) diff --git a/src/misc/av/capabilityav.cil b/src/misc/av/capabilityav.cil new file mode 100644 index 0000000..dbfdfe0 --- /dev/null +++ b/src/misc/av/capabilityav.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class cap_userns ()) +(classorder (unordered cap_userns)) + +(class cap2_userns ()) +(classorder (unordered cap2_userns)) + +(class capability ()) +(classorder (unordered capability)) + +(class capability2 ()) +(classorder (unordered capability2)) + +(classcommon cap_userns common_capability) +(classcommon cap2_userns common_capability2) +(classcommon capability common_capability) +(classcommon capability2 common_capability2) + +(common common_capability + (audit_control audit_write chown dac_read_search dac_override fowner + fsetid ipc_lock ipc_owner kill linux_immutable lease + mknod net_admin net_bind_service net_broadcast net_raw + setfcap setgid setpcap setuid sys_admin sys_boot + sys_chroot sys_module sys_nice sys_pacct sys_ptrace + sys_rawio sys_resource sys_time sys_tty_config)) + +(common common_capability2 + (audit_read block_suspend bpf checkpoint_restore mac_admin mac_override + perfmon syslog wake_alarm)) + +(in subj.unconfined + + (allow typeattr self (cap_userns (all))) + (allow typeattr self (cap2_userns (not (mac_admin mac_override)))) + (allow typeattr self (capability (all))) + (allow typeattr self (capability2 (not (mac_admin mac_override))))) diff --git a/src/misc/av/fdav.cil b/src/misc/av/fdav.cil new file mode 100644 index 0000000..9c43343 --- /dev/null +++ b/src/misc/av/fdav.cil @@ -0,0 +1,92 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class fd (use)) +(classorder (unordered fd)) + +(macro use_invalid_fds ((type ARG1)) + (allow ARG1 invalid (fd (use)))) + +(in invalid.unconfined + + (allow typeattr .invalid (fd (all)))) + +(in mcs + + (mlsconstrain (fd (use)) + (or (or (dom h1 h2) + (neq t1 constrained.typeattr)) + (and (eq t1 usefdsource.typeattr) + (eq t2 usefdtarget.typeattr)))) + + (block usefdsource + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block usefdtarget + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) + +(in rbacsep + + (constrain (fd (use)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 usefdsource.typeattr) + (eq t2 usefdtarget.typeattr)))) + + (block usefdsource + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block usefdtarget + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) + +(in subj + + (block interactivefd + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call .mcs.usefdtarget.type (typeattr))) + + (block useinteractivefd + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr interactivefd.typeattr (fd (use))))) + +(in subj.all_macro_template + + (macro use_all_fds ((type ARG1)) + (allow ARG1 typeattr (fd (use))))) + +(in subj.macro_template + + (macro use_subj_fds ((type ARG1)) + (allow ARG1 subj (fd (use))))) + +(in subj.unconfined + + (allow typeattr subj.typeattr (fd (all)))) diff --git a/src/misc/av/iouringav.cil b/src/misc/av/iouringav.cil new file mode 100644 index 0000000..22a8821 --- /dev/null +++ b/src/misc/av/iouringav.cil @@ -0,0 +1,98 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class io_uring (cmd override_creds sqpoll)) +(classorder (unordered io_uring)) + +(in booleanfile.unconfined + + (allow typeattr booleanfile.typeattr (io_uring (cmd)))) + +(in bpffile.unconfined + + (allow typeattr bpffile.typeattr (io_uring (cmd)))) + +(in cgroupfile.unconfined + + (allow typeattr cgroupfile.typeattr (io_uring (cmd)))) + +(in debugfile.unconfined + + (allow typeattr debugfile.typeattr (io_uring (cmd)))) + +(in dev.unconfined + + (allow typeattr dev.typeattr (io_uring (cmd)))) + +(in file.unconfined + + (allow typeattr file.typeattr (io_uring (cmd)))) + +(in fs.unconfined + + (allow typeattr fs.typeattr (io_uring (cmd)))) + +(in invalid.unconfined + + (allow typeattr .invalid (io_uring (cmd override_creds)))) + +(in mcs + + (mlsconstrain (io_uring (override_creds)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in nodedev.unconfined + + (allow typeattr nodedev.typeattr (io_uring (cmd)))) + +(in procfile.unconfined + + (allow typeattr procfile.typeattr (io_uring (cmd)))) + +(in pstorefile.unconfined + + (allow typeattr pstorefile.typeattr (io_uring (cmd)))) + +(in rbacsep + + (constrain (io_uring (override_creds)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) + +(in securityfile.unconfined + + (allow typeattr securityfile.typeattr (io_uring (cmd)))) + +(in stordev.unconfined + + (allow typeattr stordev.typeattr (io_uring (cmd)))) + +(in subj.unconfined + + (allow typeattr self (io_uring (sqpoll))) + (allow typeattr subj.typeattr (io_uring (override_creds)))) + +(in sysctlfile.unconfined + + (allow typeattr sysctlfile.typeattr (io_uring (cmd)))) + +(in sysfile.unconfined + + (allow typeattr sysfile.typeattr (io_uring (cmd)))) + +(in termdev.unconfined + + (allow typeattr termdev.typeattr (io_uring (cmd)))) + +(in tracefile.unconfined + + (allow typeattr tracefile.typeattr (io_uring (cmd)))) + +(in unlabeled.unconfined + + (allow typeattr .unlabeled (io_uring (cmd)))) diff --git a/src/misc/av/ipcav.cil b/src/misc/av/ipcav.cil new file mode 100644 index 0000000..0ae848c --- /dev/null +++ b/src/misc/av/ipcav.cil @@ -0,0 +1,140 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class ipc ()) +(classorder (unordered ipc)) + +(class msgq (enqueue)) +(classorder (unordered msgq)) + +(class sem ()) +(classorder (unordered sem)) + +(class shm (lock)) +(classorder (unordered shm)) + +(classcommon ipc common_ipc) +(classcommon msgq common_ipc) +(classcommon sem common_ipc) +(classcommon shm common_ipc) + +(common common_ipc + (associate create destroy getattr read setattr unix_read unix_write + write)) + +(classpermission create_ipc) +(classpermission create_msgq) +(classpermission create_sem) +(classpermission create_shm) + +(classpermission read_ipc) +(classpermission read_msgq) +(classpermission read_sem) +(classpermission read_shm) + +(classpermission readwrite_ipc) +(classpermission readwrite_msgq) +(classpermission readwrite_sem) +(classpermission readwrite_shm) + +(classpermissionset create_ipc + (ipc (associate create destroy getattr read setattr + unix_read unix_write write))) +(classpermissionset create_msgq + (msgq (associate create destroy enqueue getattr read setattr + unix_read unix_write write))) +(classpermissionset create_sem + (sem (associate create destroy getattr read setattr + unix_read unix_write write))) +(classpermissionset create_shm + (shm (associate create destroy getattr read setattr + unix_read unix_write write))) + +(classpermissionset read_ipc (ipc (associate getattr read unix_read))) +(classpermissionset read_msgq (msgq (associate getattr read unix_read))) +(classpermissionset read_sem (sem (associate getattr read unix_read))) +(classpermissionset read_shm (shm (associate getattr read unix_read))) + +(classpermissionset readwrite_ipc + (ipc (associate getattr read unix_read unix_write write))) +(classpermissionset readwrite_msgq + (msgq (associate enqueue getattr read unix_read unix_write + write))) +(classpermissionset readwrite_sem + (sem (associate getattr read unix_read unix_write write))) +(classpermissionset readwrite_shm + (shm (associate getattr read unix_read unix_write write))) + +(classmap constrainipcsubject (create getattr read setattr write)) + +(classmapping constrainipcsubject create (ipc (create))) +(classmapping constrainipcsubject create (msgq (create))) +(classmapping constrainipcsubject create (sem (create))) +(classmapping constrainipcsubject create (shm (create))) + +(classmapping constrainipcsubject getattr (ipc (getattr))) +(classmapping constrainipcsubject getattr (msgq (getattr))) +(classmapping constrainipcsubject getattr (sem (getattr))) +(classmapping constrainipcsubject getattr (shm (getattr))) + +(classmapping constrainipcsubject read (ipc (read))) +(classmapping constrainipcsubject read (msgq (read))) +(classmapping constrainipcsubject read (sem (read))) +(classmapping constrainipcsubject read (shm (read))) + +(classmapping constrainipcsubject setattr (ipc (setattr))) +(classmapping constrainipcsubject setattr (msgq (setattr))) +(classmapping constrainipcsubject setattr (sem (setattr))) +(classmapping constrainipcsubject setattr (shm (setattr))) + +(classmapping constrainipcsubject write (ipc (write))) +(classmapping constrainipcsubject write (msgq (write))) +(classmapping constrainipcsubject write (sem (write))) +(classmapping constrainipcsubject write (shm (write))) + +(in ibac + + (constrain (constrainipcsubject (create)) + (or (or (or (eq u1 u2) + (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in invalid.unconfined + + (allow typeattr .invalid (ipc (all))) + (allow typeattr .invalid (msgq (all))) + (allow typeattr .invalid (sem (all))) + (allow typeattr .invalid (shm (all)))) + +(in mcs + + (mlsconstrain (constrainipcsubject (create getattr read setattr write)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in rbac + + (constrain (constrainipcsubject (create)) + (or (or (or (eq r1 r2) + (and (eq t1 subjchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in rbacsep + + (constrain (constrainipcsubject (getattr read setattr write)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) + +(in subj.unconfined + + (allow typeattr subj.typeattr (ipc (all))) + (allow typeattr subj.typeattr (msgq (all))) + (allow typeattr subj.typeattr (sem (all))) + (allow typeattr subj.typeattr (shm (all)))) diff --git a/src/misc/av/kernelserviceav.cil b/src/misc/av/kernelserviceav.cil new file mode 100644 index 0000000..ece6b3e --- /dev/null +++ b/src/misc/av/kernelserviceav.cil @@ -0,0 +1,48 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class kernel_service (create_files_as use_as_override)) +(classorder (unordered kernel_service)) + +(macro createfilesas_invalid_kernel_services ((type ARG1)) + (allow ARG1 invalid (kernel_service (create_files_as)))) + +(macro createfilesas_unlabeled_kernel_services ((type ARG1)) + (allow ARG1 unlabeled (kernel_service (create_files_as)))) + +(macro useasoverride_invalid_kernel_services ((type ARG1)) + (allow ARG1 invalid (kernel_service (use_as_override)))) + +(in file + + (blockinherit all_macro_template_kernel_services) + + (block all_macro_template_kernel_services + + (blockabstract all_macro_template_kernel_services) + + (macro createfileas_all_kernel_services ((type ARG1)) + (allow ARG1 typeattr (kernel_service (create_files_as))))) + + (block macro_template_kernel_services + + (blockabstract macro_template_kernel_services) + + (macro createfileas_file_kernel_services ((type ARG1)) + (allow ARG1 file (kernel_service (create_files_as)))))) + +(in file.unconfined + + (allow typeattr file.typeattr (kernel_service (create_files_as)))) + +(in invalid.unconfined + + (allow typeattr .invalid (kernel_service (all)))) + +(in subj.unconfined + + (allow typeattr subj.typeattr (kernel_service (use_as_override)))) + +(in unlabeled.unconfined + + (allow typeattr .unlabeled (kernel_service (create_files_as)))) diff --git a/src/misc/av/keyav.cil b/src/misc/av/keyav.cil new file mode 100644 index 0000000..2d8bf4c --- /dev/null +++ b/src/misc/av/keyav.cil @@ -0,0 +1,46 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class key (create link read search setattr view write)) +(classorder (unordered key)) + +(in ibac + + (constrain (key (create)) + (or (or (or (eq u1 u2) + (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in invalid.unconfined + + (allow typeattr .invalid (key (all)))) + +(in mcs + + (mlsconstrain (key (create read setattr view write)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in rbac + + (constrain (key (create)) + (or (or (or (eq r1 r2) + (and (eq t1 subjchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in rbacsep + + (constrain (key (read setattr view write)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) + +(in subj.unconfined + + (allow typeattr subj.typeattr (key (all)))) diff --git a/src/misc/av/memprotectav.cil b/src/misc/av/memprotectav.cil new file mode 100644 index 0000000..a0ab2b8 --- /dev/null +++ b/src/misc/av/memprotectav.cil @@ -0,0 +1,25 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class memprotect (mmap_zero)) +(classorder (unordered memprotect)) + +(in subj + + (block mmapzero + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr self (memprotect (mmap_zero))))) + +(in subj.unconfined + + (allow typeattr self (memprotect (all))) + + (call mmapzero.type (typeattr))) diff --git a/src/misc/av/msgav.cil b/src/misc/av/msgav.cil new file mode 100644 index 0000000..f16260d --- /dev/null +++ b/src/misc/av/msgav.cil @@ -0,0 +1,31 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class msg (receive send)) +(classorder (unordered msg)) + +(defaultrole msg source) + +(in invalid.unconfined + + (allow typeattr .invalid (msg (all)))) + +(in mcs + + (mlsconstrain (msg (send)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in rbacsep + + (constrain (msg (send)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) + +(in subj.unconfined + + (allow typeattr subj.typeattr (msg (all)))) diff --git a/src/misc/av/perfeventav.cil b/src/misc/av/perfeventav.cil new file mode 100644 index 0000000..1946d80 --- /dev/null +++ b/src/misc/av/perfeventav.cil @@ -0,0 +1,30 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class perf_event (cpu kernel open read tracepoint write)) +(classorder (unordered perf_event)) + +(in invalid.unconfined + + (allow typeattr .invalid (perf_event (read write)))) + +(in mcs + + (mlsconstrain (perf_event (read write)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in rbacsep + + (constrain (perf_event (read write)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) + +(in subj.unconfined + + (allow typeattr self (perf_event (not (read write)))) + (allow typeattr subj.typeattr (perf_event (read write)))) diff --git a/src/misc/av/socketav.cil b/src/misc/av/socketav.cil new file mode 100644 index 0000000..047f970 --- /dev/null +++ b/src/misc/av/socketav.cil @@ -0,0 +1,1601 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class alg_socket ()) +(classorder (unordered alg_socket)) + +(class appletalk_socket ()) +(classorder (unordered appletalk_socket)) + +(class atmpvc_socket ()) +(classorder (unordered atmpvc_socket)) + +(class atmsvc_socket ()) +(classorder (unordered atmsvc_socket)) + +(class ax25_socket ()) +(classorder (unordered ax25_socket)) + +(class bluetooth_socket ()) +(classorder (unordered bluetooth_socket)) + +(class caif_socket ()) +(classorder (unordered caif_socket)) + +(class can_socket ()) +(classorder (unordered can_socket)) + +(class dccp_socket (name_connect node_bind)) +(classorder (unordered dccp_socket)) + +(class decnet_socket ()) +(classorder (unordered decnet_socket)) + +(class icmp_socket (node_bind)) +(classorder (unordered icmp_socket)) + +(class ieee802154_socket ()) +(classorder (unordered ieee802154_socket)) + +(class ipx_socket ()) +(classorder (unordered ipx_socket)) + +(class irda_socket ()) +(classorder (unordered irda_socket)) + +(class isdn_socket ()) +(classorder (unordered isdn_socket)) + +(class iucv_socket ()) +(classorder (unordered iucv_socket)) + +(class kcm_socket ()) +(classorder (unordered kcm_socket)) + +(class key_socket ()) +(classorder (unordered key_socket)) + +(class llc_socket ()) +(classorder (unordered llc_socket)) + +(class mctp_socket ()) +(classorder (unordered mctp_socket)) + +(class netlink_audit_socket + (nlmsg_read nlmsg_readpriv nlmsg_relay nlmsg_tty_audit nlmsg_write)) +(classorder (unordered netlink_audit_socket)) + +(class netlink_connector_socket ()) +(classorder (unordered netlink_connector_socket)) + +(class netlink_crypto_socket ()) +(classorder (unordered netlink_crypto_socket)) + +(class netlink_dnrt_socket ()) +(classorder (unordered netlink_dnrt_socket)) + +(class netlink_fib_lookup_socket ()) +(classorder (unordered netlink_fib_lookup_socket)) + +(class netlink_generic_socket ()) +(classorder (unordered netlink_generic_socket)) + +(class netlink_iscsi_socket ()) +(classorder (unordered netlink_iscsi_socket)) + +(class netlink_kobject_uevent_socket ()) +(classorder (unordered netlink_kobject_uevent_socket)) + +(class netlink_netfilter_socket ()) +(classorder (unordered netlink_netfilter_socket)) + +(class netlink_nflog_socket ()) +(classorder (unordered netlink_nflog_socket)) + +(class netlink_rdma_socket ()) +(classorder (unordered netlink_rdma_socket)) + +(class netlink_route_socket (nlmsg_read nlmsg_write)) +(classorder (unordered netlink_route_socket)) + +(class netlink_scsitransport_socket ()) +(classorder (unordered netlink_scsitransport_socket)) + +(class netlink_selinux_socket ()) +(classorder (unordered netlink_selinux_socket)) + +(class netlink_socket ()) +(classorder (unordered netlink_socket)) + +(class netlink_tcpdiag_socket (nlmsg_read nlmsg_write)) +(classorder (unordered netlink_tcpdiag_socket)) + +(class netlink_xfrm_socket (nlmsg_read nlmsg_write)) +(classorder (unordered netlink_xfrm_socket)) + +(class netrom_socket ()) +(classorder (unordered netrom_socket)) + +(class nfc_socket ()) +(classorder (unordered nfc_socket)) + +(class packet_socket ()) +(classorder (unordered packet_socket)) + +(class phonet_socket ()) +(classorder (unordered phonet_socket)) + +(class pppox_socket ()) +(classorder (unordered pppox_socket)) + +(class qipcrtr_socket ()) +(classorder (unordered qipcrtr_socket)) + +(class rawip_socket (node_bind)) +(classorder (unordered rawip_socket)) + +(class rds_socket ()) +(classorder (unordered rds_socket)) + +(class rose_socket ()) +(classorder (unordered rose_socket)) + +(class rxrpc_socket ()) +(classorder (unordered rxrpc_socket)) + +(class sctp_socket (association name_connect node_bind)) +(classorder (unordered sctp_socket)) + +(class smc_socket ()) +(classorder (unordered smc_socket)) + +(class socket ()) +(classorder (unordered socket)) + +(class tcp_socket (name_connect node_bind)) +(classorder (unordered tcp_socket)) + +(class tipc_socket ()) +(classorder (unordered tipc_socket)) + +(class tun_socket (attach_queue)) +(classorder (unordered tun_socket)) + +(class udp_socket (node_bind)) +(classorder (unordered udp_socket)) + +(class unix_dgram_socket ()) +(classorder (unordered unix_dgram_socket)) + +(class unix_stream_socket (connectto)) +(classorder (unordered unix_stream_socket)) + +(class vsock_socket ()) +(classorder (unordered vsock_socket)) + +(class x25_socket ()) +(classorder (unordered x25_socket)) + +(class xdp_socket ()) +(classorder (unordered xdp_socket)) + +(classcommon alg_socket common_socket) +(classcommon appletalk_socket common_socket) +(classcommon atmpvc_socket common_socket) +(classcommon atmsvc_socket common_socket) +(classcommon ax25_socket common_socket) +(classcommon bluetooth_socket common_socket) +(classcommon caif_socket common_socket) +(classcommon can_socket common_socket) +(classcommon dccp_socket common_socket) +(classcommon decnet_socket common_socket) +(classcommon icmp_socket common_socket) +(classcommon ieee802154_socket common_socket) +(classcommon ipx_socket common_socket) +(classcommon irda_socket common_socket) +(classcommon isdn_socket common_socket) +(classcommon iucv_socket common_socket) +(classcommon kcm_socket common_socket) +(classcommon key_socket common_socket) +(classcommon llc_socket common_socket) +(classcommon mctp_socket common_socket) +(classcommon netlink_audit_socket common_socket) +(classcommon netlink_connector_socket common_socket) +(classcommon netlink_crypto_socket common_socket) +(classcommon netlink_dnrt_socket common_socket) +(classcommon netlink_fib_lookup_socket common_socket) +(classcommon netlink_generic_socket common_socket) +(classcommon netlink_iscsi_socket common_socket) +(classcommon netlink_kobject_uevent_socket common_socket) +(classcommon netlink_netfilter_socket common_socket) +(classcommon netlink_nflog_socket common_socket) +(classcommon netlink_rdma_socket common_socket) +(classcommon netlink_route_socket common_socket) +(classcommon netlink_scsitransport_socket common_socket) +(classcommon netlink_selinux_socket common_socket) +(classcommon netlink_socket common_socket) +(classcommon netlink_tcpdiag_socket common_socket) +(classcommon netlink_xfrm_socket common_socket) +(classcommon netrom_socket common_socket) +(classcommon nfc_socket common_socket) +(classcommon packet_socket common_socket) +(classcommon phonet_socket common_socket) +(classcommon pppox_socket common_socket) +(classcommon qipcrtr_socket common_socket) +(classcommon rawip_socket common_socket) +(classcommon rds_socket common_socket) +(classcommon rose_socket common_socket) +(classcommon rxrpc_socket common_socket) +(classcommon sctp_socket common_socket) +(classcommon smc_socket common_socket) +(classcommon socket common_socket) +(classcommon tcp_socket common_socket) +(classcommon tipc_socket common_socket) +(classcommon tun_socket common_socket) +(classcommon udp_socket common_socket) +(classcommon unix_dgram_socket common_socket) +(classcommon unix_stream_socket common_socket) +(classcommon vsock_socket common_socket) +(classcommon x25_socket common_socket) +(classcommon xdp_socket common_socket) + +(common common_socket + (accept append bind connect create getattr getopt ioctl listen lock map + name_bind read recvfrom relabelfrom relabelto sendto setattr + setopt shutdown write)) + +(classpermission create_alg_socket) +(classpermission create_alg_stream_socket) +(classpermission create_appletalk_socket) +(classpermission create_atmpvc_socket) +(classpermission create_atmsvc_socket) +(classpermission create_ax25_socket) +(classpermission create_bluetooth_socket) +(classpermission create_bluetooth_stream_socket) +(classpermission create_caif_socket) +(classpermission create_can_socket) +(classpermission create_dccp_socket) +(classpermission create_dccp_stream_socket) +(classpermission create_decnet_socket) +(classpermission create_icmp_socket) +(classpermission create_ieee802154_socket) +(classpermission create_ipx_socket) +(classpermission create_irda_socket) +(classpermission create_isdn_socket) +(classpermission create_iucv_socket) +(classpermission create_kcm_socket) +(classpermission create_key_socket) +(classpermission create_llc_socket) +(classpermission create_mctp_socket) +(classpermission create_netrom_socket) +(classpermission create_nfc_socket) +(classpermission create_netlink_audit_socket) +(classpermission create_netlink_connector_socket) +(classpermission create_netlink_crypto_socket) +(classpermission create_netlink_dnrt_socket) +(classpermission create_netlink_fib_lookup_socket) +(classpermission create_netlink_generic_socket) +(classpermission create_netlink_iscsi_socket) +(classpermission create_netlink_kobject_uevent_socket) +(classpermission create_netlink_netfilter_socket) +(classpermission create_netlink_nflog_socket) +(classpermission create_netlink_rdma_socket) +(classpermission create_netlink_route_socket) +(classpermission create_netlink_scsitransport_socket) +(classpermission create_netlink_selinux_socket) +(classpermission create_netlink_socket) +(classpermission create_netlink_tcpdiag_socket) +(classpermission create_netlink_xfrm_socket) +(classpermission create_packet_socket) +(classpermission create_phonet_socket) +(classpermission create_pppox_socket) +(classpermission create_qipcrtr_socket) +(classpermission create_rawip_socket) +(classpermission create_rds_socket) +(classpermission create_rose_socket) +(classpermission create_rxrpc_socket) +(classpermission create_sctp_socket) +(classpermission create_sctp_stream_socket) +(classpermission create_smc_socket) +(classpermission create_socket) +(classpermission create_tcp_socket) +(classpermission create_tcp_stream_socket) +(classpermission create_tipc_socket) +(classpermission create_tun_socket) +(classpermission create_udp_socket) +(classpermission create_unix_dgram_socket) +(classpermission create_unix_stream_socket) +(classpermission create_unix_stream_stream_socket) +(classpermission create_vsock_socket) +(classpermission create_vsock_stream_socket) +(classpermission create_x25_socket) +(classpermission create_xdp_socket) + +(classpermission readwrite_alg_socket) +(classpermission readwrite_bluetooth_socket) +(classpermission readwrite_dccp_socket) +(classpermission readwrite_netlink_audit_socket) +(classpermission readwrite_sctp_socket) +(classpermission readwrite_tcp_socket) +(classpermission readwrite_tun_socket) +(classpermission readwrite_unix_dgram_socket) +(classpermission readwrite_unix_stream_socket) +(classpermission readwrite_vsock_socket) + +(classpermission write_alg_socket) +(classpermission write_bluetooth_socket) +(classpermission write_dccp_socket) +(classpermission write_sctp_socket) +(classpermission write_tcp_socket) +(classpermission write_tun_socket) +(classpermission write_unix_dgram_socket) +(classpermission write_unix_stream_socket) +(classpermission write_vsock_socket) + +(classpermissionset create_alg_socket + (alg_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_alg_stream_socket + (alg_socket (accept append bind connect create getattr + getopt ioctl listen read setattr setopt + shutdown write))) +(classpermissionset create_appletalk_socket + (appletalk_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_atmpvc_socket + (atmpvc_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_atmsvc_socket + (atmsvc_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_ax25_socket + (ax25_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_bluetooth_socket + (bluetooth_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_bluetooth_stream_socket + (bluetooth_socket (accept append bind connect create getattr + getopt ioctl listen read setattr + setopt shutdown write))) +(classpermissionset create_caif_socket + (caif_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_can_socket + (can_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_dccp_socket + (dccp_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_dccp_stream_socket + (dccp_socket (accept append bind connect create getattr + getopt ioctl listen read setattr setopt + shutdown write))) +(classpermissionset create_decnet_socket + (decnet_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_icmp_socket + (icmp_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_ieee802154_socket + (ieee802154_socket (append bind connect create getattr + getopt ioctl read setattr setopt + shutdown write))) +(classpermissionset create_ipx_socket + (ipx_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_irda_socket + (irda_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_isdn_socket + (isdn_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_iucv_socket + (iucv_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_kcm_socket + (kcm_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_key_socket + (key_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_llc_socket + (llc_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_mctp_socket + (mctp_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_netlink_audit_socket + (netlink_audit_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_connector_socket + (netlink_connector_socket (append bind connect create + getattr getopt ioctl read + setattr setopt shutdown + write))) +(classpermissionset create_netlink_crypto_socket + (netlink_crypto_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_dnrt_socket + (netlink_dnrt_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_fib_lookup_socket + (netlink_fib_lookup_socket (append bind connect create + getattr getopt ioctl + read setattr setopt + shutdown write))) +(classpermissionset create_netlink_generic_socket + (netlink_generic_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_iscsi_socket + (netlink_iscsi_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_kobject_uevent_socket + (netlink_kobject_uevent_socket (append bind connect create + getattr getopt ioctl + read setattr setopt + shutdown write))) +(classpermissionset create_netlink_netfilter_socket + (netlink_netfilter_socket (append bind connect create + getattr getopt ioctl read + setattr setopt shutdown + write))) +(classpermissionset create_netlink_nflog_socket + (netlink_nflog_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_rdma_socket + (netlink_rdma_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_route_socket + (netlink_route_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_scsitransport_socket + (netlink_scsitransport_socket (append bind connect create + getattr getopt ioctl + read setattr setopt + shutdown write))) +(classpermissionset create_netlink_selinux_socket + (netlink_selinux_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_socket + (netlink_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_netlink_tcpdiag_socket + (netlink_tcpdiag_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_xfrm_socket + (netlink_xfrm_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netrom_socket + (netrom_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_nfc_socket + (nfc_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_packet_socket + (packet_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_phonet_socket + (phonet_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_pppox_socket + (pppox_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_qipcrtr_socket + (qipcrtr_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_rawip_socket + (rawip_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_rds_socket + (rds_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_rose_socket + (rose_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_rxrpc_socket + (rxrpc_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_sctp_socket + (sctp_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_sctp_stream_socket + (sctp_socket (accept append bind connect create getattr + getopt ioctl listen read setattr setopt + shutdown write))) +(classpermissionset create_smc_socket + (smc_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_socket + (socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_tcp_socket + (tcp_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_tcp_stream_socket + (tcp_socket (accept append bind connect create getattr + getopt ioctl listen read setattr setopt + shutdown write))) +(classpermissionset create_tipc_socket + (tipc_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_tun_socket + (tun_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_udp_socket + (udp_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_unix_dgram_socket + (unix_dgram_socket (append bind connect create getattr + getopt ioctl read setattr setopt + shutdown write))) +(classpermissionset create_unix_stream_socket + (unix_stream_socket (append bind connect create getattr + getopt ioctl read setattr setopt + shutdown write))) +(classpermissionset create_unix_stream_stream_socket + (unix_stream_socket (accept append bind connect create + getattr getopt ioctl listen read + setattr setopt shutdown write))) +(classpermissionset create_vsock_socket + (vsock_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_vsock_stream_socket + (vsock_socket (accept append bind connect create getattr + getopt ioctl listen read setattr + setopt shutdown write))) +(classpermissionset create_x25_socket + (x25_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_xdp_socket + (xdp_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) + +(classpermissionset readwrite_alg_socket + (alg_socket (append bind connect getattr getopt ioctl read + setopt shutdown write))) +(classpermissionset readwrite_bluetooth_socket + (bluetooth_socket (append bind connect getattr getopt ioctl + read setopt shutdown write))) +(classpermissionset readwrite_dccp_socket + (dccp_socket (append bind connect getattr getopt ioctl read + setopt shutdown write))) +(classpermissionset readwrite_netlink_audit_socket + (netlink_audit_socket (append bind connect getattr getopt + ioctl read setopt shutdown + write))) +(classpermissionset readwrite_sctp_socket + (sctp_socket (append bind connect getattr getopt ioctl read + setopt shutdown write))) +(classpermissionset readwrite_tcp_socket + (tcp_socket (append bind connect getattr getopt ioctl read + setopt shutdown write))) +(classpermissionset readwrite_tun_socket + (tun_socket (append bind connect getattr getopt ioctl read + setopt shutdown write))) +(classpermissionset readwrite_unix_dgram_socket + (unix_dgram_socket (append bind connect getattr getopt ioctl + read setopt shutdown write))) +(classpermissionset readwrite_unix_stream_socket + (unix_stream_socket (append bind connect getattr getopt + ioctl read setopt shutdown + write))) +(classpermissionset readwrite_vsock_socket + (vsock_socket (append bind connect getattr getopt ioctl + read setopt shutdown write))) + +(classpermissionset write_alg_socket + (alg_socket (append bind connect getattr getopt ioctl setopt + shutdown write))) +(classpermissionset write_bluetooth_socket + (bluetooth_socket (append bind connect getattr getopt ioctl + setopt shutdown write))) +(classpermissionset write_dccp_socket + (dccp_socket (append bind connect getattr getopt ioctl + setopt shutdown write))) +(classpermissionset write_sctp_socket + (sctp_socket (append bind connect getattr getopt ioctl + setopt shutdown write))) +(classpermissionset write_tcp_socket + (tcp_socket (append bind connect getattr getopt ioctl setopt + shutdown write))) +(classpermissionset write_tun_socket + (tun_socket (append bind connect getattr getopt ioctl setopt + shutdown write))) +(classpermissionset write_unix_dgram_socket + (unix_dgram_socket (append bind connect getattr getopt ioctl + setopt shutdown write))) +(classpermissionset write_unix_stream_socket + (unix_stream_socket (append bind connect getattr getopt + ioctl setopt shutdown write))) +(classpermissionset write_vsock_socket + (vsock_socket (append bind connect getattr getopt ioctl + setopt shutdown write))) + +(classmap constrainsocketobject (nameconnect nodebind)) +(classmap constrainsocketsubject + (append association attachqueue connectto create getattr read + relabelto sendto setattr write)) + +(classmap sockets (common getattr)) + +(classmapping constrainsocketobject nameconnect (dccp_socket (name_connect))) +(classmapping constrainsocketobject nameconnect (sctp_socket (name_connect))) +(classmapping constrainsocketobject nameconnect (tcp_socket (name_connect))) + +(classmapping constrainsocketobject nodebind (dccp_socket (node_bind))) +(classmapping constrainsocketobject nodebind (icmp_socket (node_bind))) +(classmapping constrainsocketobject nodebind (rawip_socket (node_bind))) +(classmapping constrainsocketobject nodebind (sctp_socket (node_bind))) +(classmapping constrainsocketobject nodebind (tcp_socket (node_bind))) +(classmapping constrainsocketobject nodebind (udp_socket (node_bind))) + +(classmapping constrainsocketsubject append (alg_socket (append))) +(classmapping constrainsocketsubject append (appletalk_socket (append))) +(classmapping constrainsocketsubject append (atmpvc_socket (append))) +(classmapping constrainsocketsubject append (atmsvc_socket (append))) +(classmapping constrainsocketsubject append (ax25_socket (append))) +(classmapping constrainsocketsubject append (bluetooth_socket (append))) +(classmapping constrainsocketsubject append (caif_socket (append))) +(classmapping constrainsocketsubject append (can_socket (append))) +(classmapping constrainsocketsubject append (dccp_socket (append))) +(classmapping constrainsocketsubject append (decnet_socket (append))) +(classmapping constrainsocketsubject append (icmp_socket (append))) +(classmapping constrainsocketsubject append (ieee802154_socket (append))) +(classmapping constrainsocketsubject append (ipx_socket (append))) +(classmapping constrainsocketsubject append (irda_socket (append))) +(classmapping constrainsocketsubject append (isdn_socket (append))) +(classmapping constrainsocketsubject append (iucv_socket (append))) +(classmapping constrainsocketsubject append (kcm_socket (append))) +(classmapping constrainsocketsubject append (key_socket (append))) +(classmapping constrainsocketsubject append (llc_socket (append))) +(classmapping constrainsocketsubject append (mctp_socket (append))) +(classmapping constrainsocketsubject append (netlink_audit_socket (append))) +(classmapping constrainsocketsubject append (netlink_connector_socket (append))) +(classmapping constrainsocketsubject append (netlink_crypto_socket (append))) +(classmapping constrainsocketsubject append (netlink_dnrt_socket (append))) +(classmapping constrainsocketsubject append + (netlink_fib_lookup_socket (append))) +(classmapping constrainsocketsubject append (netlink_generic_socket (append))) +(classmapping constrainsocketsubject append (netlink_iscsi_socket (append))) +(classmapping constrainsocketsubject append + (netlink_kobject_uevent_socket (append))) +(classmapping constrainsocketsubject append (netlink_netfilter_socket (append))) +(classmapping constrainsocketsubject append (netlink_nflog_socket (append))) +(classmapping constrainsocketsubject append (netlink_rdma_socket (append))) +(classmapping constrainsocketsubject append (netlink_route_socket (append))) +(classmapping constrainsocketsubject append + (netlink_scsitransport_socket (append))) +(classmapping constrainsocketsubject append (netlink_selinux_socket (append))) +(classmapping constrainsocketsubject append (netlink_socket (append))) +(classmapping constrainsocketsubject append (netlink_tcpdiag_socket (append))) +(classmapping constrainsocketsubject append (netlink_xfrm_socket (append))) +(classmapping constrainsocketsubject append (netrom_socket (append))) +(classmapping constrainsocketsubject append (nfc_socket (append))) +(classmapping constrainsocketsubject append (packet_socket (append))) +(classmapping constrainsocketsubject append (phonet_socket (append))) +(classmapping constrainsocketsubject append (pppox_socket (append))) +(classmapping constrainsocketsubject append (qipcrtr_socket (append))) +(classmapping constrainsocketsubject append (rawip_socket (append))) +(classmapping constrainsocketsubject append (rds_socket (append))) +(classmapping constrainsocketsubject append (rose_socket (append))) +(classmapping constrainsocketsubject append (rxrpc_socket (append))) +(classmapping constrainsocketsubject append (sctp_socket (append))) +(classmapping constrainsocketsubject append (smc_socket (append))) +(classmapping constrainsocketsubject append (socket (append))) +(classmapping constrainsocketsubject append (tcp_socket (append))) +(classmapping constrainsocketsubject append (tipc_socket (append))) +(classmapping constrainsocketsubject append (tun_socket (append))) +(classmapping constrainsocketsubject append (udp_socket (append))) +(classmapping constrainsocketsubject append (unix_dgram_socket (append))) +(classmapping constrainsocketsubject append (unix_stream_socket (append))) +(classmapping constrainsocketsubject append (vsock_socket (append))) +(classmapping constrainsocketsubject append (x25_socket (append))) +(classmapping constrainsocketsubject append (xdp_socket (append))) + +(classmapping constrainsocketsubject + association (sctp_socket (association))) + +(classmapping constrainsocketsubject + attachqueue (tun_socket (attach_queue))) + +(classmapping constrainsocketsubject + connectto (unix_stream_socket (connectto))) + +(classmapping constrainsocketsubject create (alg_socket (create))) +(classmapping constrainsocketsubject create (appletalk_socket (create))) +(classmapping constrainsocketsubject create (atmpvc_socket (create))) +(classmapping constrainsocketsubject create (atmsvc_socket (create))) +(classmapping constrainsocketsubject create (ax25_socket (create))) +(classmapping constrainsocketsubject create (bluetooth_socket (create))) +(classmapping constrainsocketsubject create (caif_socket (create))) +(classmapping constrainsocketsubject create (can_socket (create))) +(classmapping constrainsocketsubject create (dccp_socket (create))) +(classmapping constrainsocketsubject create (decnet_socket (create))) +(classmapping constrainsocketsubject create (icmp_socket (create))) +(classmapping constrainsocketsubject create (ieee802154_socket (create))) +(classmapping constrainsocketsubject create (ipx_socket (create))) +(classmapping constrainsocketsubject create (irda_socket (create))) +(classmapping constrainsocketsubject create (isdn_socket (create))) +(classmapping constrainsocketsubject create (iucv_socket (create))) +(classmapping constrainsocketsubject create (kcm_socket (create))) +(classmapping constrainsocketsubject create (key_socket (create))) +(classmapping constrainsocketsubject create (llc_socket (create))) +(classmapping constrainsocketsubject create (mctp_socket (create))) +(classmapping constrainsocketsubject create (netlink_audit_socket (create))) +(classmapping constrainsocketsubject create (netlink_connector_socket (create))) +(classmapping constrainsocketsubject create (netlink_crypto_socket (create))) +(classmapping constrainsocketsubject create (netlink_dnrt_socket (create))) +(classmapping constrainsocketsubject create + (netlink_fib_lookup_socket (create))) +(classmapping constrainsocketsubject create (netlink_generic_socket (create))) +(classmapping constrainsocketsubject create (netlink_iscsi_socket (create))) +(classmapping constrainsocketsubject create + (netlink_kobject_uevent_socket (create))) +(classmapping constrainsocketsubject create (netlink_netfilter_socket (create))) +(classmapping constrainsocketsubject create (netlink_nflog_socket (create))) +(classmapping constrainsocketsubject create (netlink_rdma_socket (create))) +(classmapping constrainsocketsubject create (netlink_route_socket (create))) +(classmapping constrainsocketsubject create + (netlink_scsitransport_socket (create))) +(classmapping constrainsocketsubject create (netlink_selinux_socket (create))) +(classmapping constrainsocketsubject create (netlink_socket (create))) +(classmapping constrainsocketsubject create (netlink_tcpdiag_socket (create))) +(classmapping constrainsocketsubject create (netlink_xfrm_socket (create))) +(classmapping constrainsocketsubject create (netrom_socket (create))) +(classmapping constrainsocketsubject create (nfc_socket (create))) +(classmapping constrainsocketsubject create (packet_socket (create))) +(classmapping constrainsocketsubject create (phonet_socket (create))) +(classmapping constrainsocketsubject create (pppox_socket (create))) +(classmapping constrainsocketsubject create (qipcrtr_socket (create))) +(classmapping constrainsocketsubject create (rawip_socket (create))) +(classmapping constrainsocketsubject create (rds_socket (create))) +(classmapping constrainsocketsubject create (rose_socket (create))) +(classmapping constrainsocketsubject create (rxrpc_socket (create))) +(classmapping constrainsocketsubject create (sctp_socket (create))) +(classmapping constrainsocketsubject create (smc_socket (create))) +(classmapping constrainsocketsubject create (socket (create))) +(classmapping constrainsocketsubject create (tcp_socket (create))) +(classmapping constrainsocketsubject create (tipc_socket (create))) +(classmapping constrainsocketsubject create (tun_socket (create))) +(classmapping constrainsocketsubject create (udp_socket (create))) +(classmapping constrainsocketsubject create (unix_dgram_socket (create))) +(classmapping constrainsocketsubject create (unix_stream_socket (create))) +(classmapping constrainsocketsubject create (vsock_socket (create))) +(classmapping constrainsocketsubject create (x25_socket (create))) +(classmapping constrainsocketsubject create (xdp_socket (create))) + +(classmapping constrainsocketsubject getattr (alg_socket (getattr))) +(classmapping constrainsocketsubject getattr (appletalk_socket (getattr))) +(classmapping constrainsocketsubject getattr (atmpvc_socket (getattr))) +(classmapping constrainsocketsubject getattr (atmsvc_socket (getattr))) +(classmapping constrainsocketsubject getattr (ax25_socket (getattr))) +(classmapping constrainsocketsubject getattr (bluetooth_socket (getattr))) +(classmapping constrainsocketsubject getattr (caif_socket (getattr))) +(classmapping constrainsocketsubject getattr (can_socket (getattr))) +(classmapping constrainsocketsubject getattr (dccp_socket (getattr))) +(classmapping constrainsocketsubject getattr (decnet_socket (getattr))) +(classmapping constrainsocketsubject getattr (icmp_socket (getattr))) +(classmapping constrainsocketsubject getattr (ieee802154_socket (getattr))) +(classmapping constrainsocketsubject getattr (ipx_socket (getattr))) +(classmapping constrainsocketsubject getattr (irda_socket (getattr))) +(classmapping constrainsocketsubject getattr (isdn_socket (getattr))) +(classmapping constrainsocketsubject getattr (iucv_socket (getattr))) +(classmapping constrainsocketsubject getattr (kcm_socket (getattr))) +(classmapping constrainsocketsubject getattr (key_socket (getattr))) +(classmapping constrainsocketsubject getattr (llc_socket (getattr))) +(classmapping constrainsocketsubject getattr (mctp_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_audit_socket (getattr))) +(classmapping constrainsocketsubject getattr + (netlink_connector_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_crypto_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_dnrt_socket (getattr))) +(classmapping constrainsocketsubject getattr + (netlink_fib_lookup_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_generic_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_iscsi_socket (getattr))) +(classmapping constrainsocketsubject getattr + (netlink_kobject_uevent_socket (getattr))) +(classmapping constrainsocketsubject getattr + (netlink_netfilter_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_nflog_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_rdma_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_route_socket (getattr))) +(classmapping constrainsocketsubject getattr + (netlink_scsitransport_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_selinux_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_tcpdiag_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_xfrm_socket (getattr))) +(classmapping constrainsocketsubject getattr (netrom_socket (getattr))) +(classmapping constrainsocketsubject getattr (nfc_socket (getattr))) +(classmapping constrainsocketsubject getattr (packet_socket (getattr))) +(classmapping constrainsocketsubject getattr (phonet_socket (getattr))) +(classmapping constrainsocketsubject getattr (pppox_socket (getattr))) +(classmapping constrainsocketsubject getattr (process (getattr))) +(classmapping constrainsocketsubject getattr (qipcrtr_socket (getattr))) +(classmapping constrainsocketsubject getattr (rawip_socket (getattr))) +(classmapping constrainsocketsubject getattr (rds_socket (getattr))) +(classmapping constrainsocketsubject getattr (rose_socket (getattr))) +(classmapping constrainsocketsubject getattr (rxrpc_socket (getattr))) +(classmapping constrainsocketsubject getattr (sctp_socket (getattr))) +(classmapping constrainsocketsubject getattr (smc_socket (getattr))) +(classmapping constrainsocketsubject getattr (socket (getattr))) +(classmapping constrainsocketsubject getattr (tcp_socket (getattr))) +(classmapping constrainsocketsubject getattr (tipc_socket (getattr))) +(classmapping constrainsocketsubject getattr (tun_socket (getattr))) +(classmapping constrainsocketsubject getattr (udp_socket (getattr))) +(classmapping constrainsocketsubject getattr (unix_dgram_socket (getattr))) +(classmapping constrainsocketsubject getattr (unix_stream_socket (getattr))) +(classmapping constrainsocketsubject getattr (vsock_socket (getattr))) +(classmapping constrainsocketsubject getattr (x25_socket (getattr))) +(classmapping constrainsocketsubject getattr (xdp_socket (getattr))) + +(classmapping constrainsocketsubject read (alg_socket (read))) +(classmapping constrainsocketsubject read (appletalk_socket (read))) +(classmapping constrainsocketsubject read (atmpvc_socket (read))) +(classmapping constrainsocketsubject read (atmsvc_socket (read))) +(classmapping constrainsocketsubject read (ax25_socket (read))) +(classmapping constrainsocketsubject read (bluetooth_socket (read))) +(classmapping constrainsocketsubject read (caif_socket (read))) +(classmapping constrainsocketsubject read (can_socket (read))) +(classmapping constrainsocketsubject read (dccp_socket (read))) +(classmapping constrainsocketsubject read (decnet_socket (read))) +(classmapping constrainsocketsubject read (icmp_socket (read))) +(classmapping constrainsocketsubject read (ieee802154_socket (read))) +(classmapping constrainsocketsubject read (ipx_socket (read))) +(classmapping constrainsocketsubject read (irda_socket (read))) +(classmapping constrainsocketsubject read (isdn_socket (read))) +(classmapping constrainsocketsubject read (iucv_socket (read))) +(classmapping constrainsocketsubject read (kcm_socket (read))) +(classmapping constrainsocketsubject read (key_socket (read))) +(classmapping constrainsocketsubject read (llc_socket (read))) +(classmapping constrainsocketsubject read (mctp_socket (read))) +(classmapping constrainsocketsubject read (netlink_audit_socket (read))) +(classmapping constrainsocketsubject read (netlink_connector_socket (read))) +(classmapping constrainsocketsubject read (netlink_crypto_socket (read))) +(classmapping constrainsocketsubject read (netlink_dnrt_socket (read))) +(classmapping constrainsocketsubject read (netlink_fib_lookup_socket (read))) +(classmapping constrainsocketsubject read (netlink_generic_socket (read))) +(classmapping constrainsocketsubject read (netlink_iscsi_socket (read))) +(classmapping constrainsocketsubject read + (netlink_kobject_uevent_socket (read))) +(classmapping constrainsocketsubject read (netlink_netfilter_socket (read))) +(classmapping constrainsocketsubject read (netlink_nflog_socket (read))) +(classmapping constrainsocketsubject read (netlink_rdma_socket (read))) +(classmapping constrainsocketsubject read (netlink_route_socket (read))) +(classmapping constrainsocketsubject read (netlink_scsitransport_socket (read))) +(classmapping constrainsocketsubject read (netlink_selinux_socket (read))) +(classmapping constrainsocketsubject read (netlink_socket (read))) +(classmapping constrainsocketsubject read (netlink_tcpdiag_socket (read))) +(classmapping constrainsocketsubject read (netlink_xfrm_socket (read))) +(classmapping constrainsocketsubject read (netrom_socket (read))) +(classmapping constrainsocketsubject read (nfc_socket (read))) +(classmapping constrainsocketsubject read (packet_socket (read))) +(classmapping constrainsocketsubject read (phonet_socket (read))) +(classmapping constrainsocketsubject read (pppox_socket (read))) +(classmapping constrainsocketsubject read (qipcrtr_socket (read))) +(classmapping constrainsocketsubject read (rawip_socket (read))) +(classmapping constrainsocketsubject read (rds_socket (read))) +(classmapping constrainsocketsubject read (rose_socket (read))) +(classmapping constrainsocketsubject read (rxrpc_socket (read))) +(classmapping constrainsocketsubject read (sctp_socket (read))) +(classmapping constrainsocketsubject read (smc_socket (read))) +(classmapping constrainsocketsubject read (socket (read))) +(classmapping constrainsocketsubject read (tcp_socket (read))) +(classmapping constrainsocketsubject read (tipc_socket (read))) +(classmapping constrainsocketsubject read (tun_socket (read))) +(classmapping constrainsocketsubject read (udp_socket (read))) +(classmapping constrainsocketsubject read (unix_dgram_socket (read))) +(classmapping constrainsocketsubject read (unix_stream_socket (read))) +(classmapping constrainsocketsubject read (vsock_socket (read))) +(classmapping constrainsocketsubject read (x25_socket (read))) +(classmapping constrainsocketsubject read (xdp_socket (read))) + +(classmapping constrainsocketsubject relabelto (alg_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (appletalk_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (atmpvc_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (atmsvc_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (ax25_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (bluetooth_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (caif_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (can_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (dccp_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (decnet_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (icmp_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (ieee802154_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (ipx_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (irda_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (isdn_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (iucv_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (kcm_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (key_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (llc_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (mctp_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_audit_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_connector_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_crypto_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_dnrt_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_fib_lookup_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_generic_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_iscsi_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_kobject_uevent_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_netfilter_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_nflog_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_rdma_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_route_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_scsitransport_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_selinux_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (netlink_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_tcpdiag_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_xfrm_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (netrom_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (nfc_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (packet_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (phonet_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (pppox_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (qipcrtr_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (rawip_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (rds_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (rose_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (rxrpc_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (sctp_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (smc_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (socket (relabelto))) +(classmapping constrainsocketsubject relabelto (tcp_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (tipc_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (tun_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (udp_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (unix_dgram_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (unix_stream_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (vsock_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (x25_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (xdp_socket (relabelto))) + +(classmapping constrainsocketsubject sendto (unix_dgram_socket (sendto))) + +(classmapping constrainsocketsubject setattr (alg_socket (setattr))) +(classmapping constrainsocketsubject setattr (appletalk_socket (setattr))) +(classmapping constrainsocketsubject setattr (atmpvc_socket (setattr))) +(classmapping constrainsocketsubject setattr (atmsvc_socket (setattr))) +(classmapping constrainsocketsubject setattr (ax25_socket (setattr))) +(classmapping constrainsocketsubject setattr (bluetooth_socket (setattr))) +(classmapping constrainsocketsubject setattr (caif_socket (setattr))) +(classmapping constrainsocketsubject setattr (can_socket (setattr))) +(classmapping constrainsocketsubject setattr (dccp_socket (setattr))) +(classmapping constrainsocketsubject setattr (decnet_socket (setattr))) +(classmapping constrainsocketsubject setattr (icmp_socket (setattr))) +(classmapping constrainsocketsubject setattr (ieee802154_socket (setattr))) +(classmapping constrainsocketsubject setattr (ipx_socket (setattr))) +(classmapping constrainsocketsubject setattr (irda_socket (setattr))) +(classmapping constrainsocketsubject setattr (isdn_socket (setattr))) +(classmapping constrainsocketsubject setattr (iucv_socket (setattr))) +(classmapping constrainsocketsubject setattr (kcm_socket (setattr))) +(classmapping constrainsocketsubject setattr (key_socket (setattr))) +(classmapping constrainsocketsubject setattr (llc_socket (setattr))) +(classmapping constrainsocketsubject setattr (mctp_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_audit_socket (setattr))) +(classmapping constrainsocketsubject setattr + (netlink_connector_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_crypto_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_dnrt_socket (setattr))) +(classmapping constrainsocketsubject setattr + (netlink_fib_lookup_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_generic_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_iscsi_socket (setattr))) +(classmapping constrainsocketsubject setattr + (netlink_kobject_uevent_socket (setattr))) +(classmapping constrainsocketsubject setattr + (netlink_netfilter_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_nflog_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_rdma_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_route_socket (setattr))) +(classmapping constrainsocketsubject setattr + (netlink_scsitransport_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_selinux_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_tcpdiag_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_xfrm_socket (setattr))) +(classmapping constrainsocketsubject setattr (netrom_socket (setattr))) +(classmapping constrainsocketsubject setattr (nfc_socket (setattr))) +(classmapping constrainsocketsubject setattr (packet_socket (setattr))) +(classmapping constrainsocketsubject setattr (phonet_socket (setattr))) +(classmapping constrainsocketsubject setattr (pppox_socket (setattr))) +(classmapping constrainsocketsubject setattr (qipcrtr_socket (setattr))) +(classmapping constrainsocketsubject setattr (rawip_socket (setattr))) +(classmapping constrainsocketsubject setattr (rds_socket (setattr))) +(classmapping constrainsocketsubject setattr (rose_socket (setattr))) +(classmapping constrainsocketsubject setattr (rxrpc_socket (setattr))) +(classmapping constrainsocketsubject setattr (sctp_socket (setattr))) +(classmapping constrainsocketsubject setattr (smc_socket (setattr))) +(classmapping constrainsocketsubject setattr (socket (setattr))) +(classmapping constrainsocketsubject setattr (tcp_socket (setattr))) +(classmapping constrainsocketsubject setattr (tipc_socket (setattr))) +(classmapping constrainsocketsubject setattr (tun_socket (setattr))) +(classmapping constrainsocketsubject setattr (udp_socket (setattr))) +(classmapping constrainsocketsubject setattr (unix_dgram_socket (setattr))) +(classmapping constrainsocketsubject setattr (unix_stream_socket (setattr))) +(classmapping constrainsocketsubject setattr (vsock_socket (setattr))) +(classmapping constrainsocketsubject setattr (x25_socket (setattr))) +(classmapping constrainsocketsubject setattr (xdp_socket (setattr))) + +(classmapping constrainsocketsubject write (alg_socket (write))) +(classmapping constrainsocketsubject write (appletalk_socket (write))) +(classmapping constrainsocketsubject write (atmpvc_socket (write))) +(classmapping constrainsocketsubject write (atmsvc_socket (write))) +(classmapping constrainsocketsubject write (ax25_socket (write))) +(classmapping constrainsocketsubject write (bluetooth_socket (write))) +(classmapping constrainsocketsubject write (caif_socket (write))) +(classmapping constrainsocketsubject write (can_socket (write))) +(classmapping constrainsocketsubject write (dccp_socket (write))) +(classmapping constrainsocketsubject write (decnet_socket (write))) +(classmapping constrainsocketsubject write (icmp_socket (write))) +(classmapping constrainsocketsubject write (ieee802154_socket (write))) +(classmapping constrainsocketsubject write (ipx_socket (write))) +(classmapping constrainsocketsubject write (irda_socket (write))) +(classmapping constrainsocketsubject write (isdn_socket (write))) +(classmapping constrainsocketsubject write (iucv_socket (write))) +(classmapping constrainsocketsubject write (kcm_socket (write))) +(classmapping constrainsocketsubject write (key_socket (write))) +(classmapping constrainsocketsubject write (llc_socket (write))) +(classmapping constrainsocketsubject write (mctp_socket (write))) +(classmapping constrainsocketsubject write (netlink_audit_socket (write))) +(classmapping constrainsocketsubject write (netlink_connector_socket (write))) +(classmapping constrainsocketsubject write (netlink_crypto_socket (write))) +(classmapping constrainsocketsubject write (netlink_dnrt_socket (write))) +(classmapping constrainsocketsubject write (netlink_fib_lookup_socket (write))) +(classmapping constrainsocketsubject write (netlink_generic_socket (write))) +(classmapping constrainsocketsubject write (netlink_iscsi_socket (write))) +(classmapping constrainsocketsubject write + (netlink_kobject_uevent_socket (write))) +(classmapping constrainsocketsubject write (netlink_netfilter_socket (write))) +(classmapping constrainsocketsubject write (netlink_nflog_socket (write))) +(classmapping constrainsocketsubject write (netlink_rdma_socket (write))) +(classmapping constrainsocketsubject write (netlink_route_socket (write))) +(classmapping constrainsocketsubject write + (netlink_scsitransport_socket (write))) +(classmapping constrainsocketsubject write (netlink_selinux_socket (write))) +(classmapping constrainsocketsubject write (netlink_socket (write))) +(classmapping constrainsocketsubject write (netlink_tcpdiag_socket (write))) +(classmapping constrainsocketsubject write (netlink_xfrm_socket (write))) +(classmapping constrainsocketsubject write (netrom_socket (write))) +(classmapping constrainsocketsubject write (nfc_socket (write))) +(classmapping constrainsocketsubject write (packet_socket (write))) +(classmapping constrainsocketsubject write (phonet_socket (write))) +(classmapping constrainsocketsubject write (pppox_socket (write))) +(classmapping constrainsocketsubject write (qipcrtr_socket (write))) +(classmapping constrainsocketsubject write (rawip_socket (write))) +(classmapping constrainsocketsubject write (rds_socket (write))) +(classmapping constrainsocketsubject write (rose_socket (write))) +(classmapping constrainsocketsubject write (rxrpc_socket (write))) +(classmapping constrainsocketsubject write (sctp_socket (write))) +(classmapping constrainsocketsubject write (smc_socket (write))) +(classmapping constrainsocketsubject write (socket (write))) +(classmapping constrainsocketsubject write (tcp_socket (write))) +(classmapping constrainsocketsubject write (tipc_socket (write))) +(classmapping constrainsocketsubject write (tun_socket (write))) +(classmapping constrainsocketsubject write (udp_socket (write))) +(classmapping constrainsocketsubject write (unix_dgram_socket (write))) +(classmapping constrainsocketsubject write (unix_stream_socket (write))) +(classmapping constrainsocketsubject write (vsock_socket (write))) +(classmapping constrainsocketsubject write (x25_socket (write))) +(classmapping constrainsocketsubject write (xdp_socket (write))) + +(classmapping sockets common + (alg_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (appletalk_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (atmpvc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (atmsvc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (ax25_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (bluetooth_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (caif_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (can_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (dccp_socket (not (accept listen map name_connect name_bind + node_bind relabelfrom relabelto recvfrom + sendto)))) +(classmapping sockets common + (decnet_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (icmp_socket (not (accept listen map name_bind node_bind + relabelfrom relabelto recvfrom + sendto)))) +(classmapping sockets common + (ieee802154_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (ipx_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (irda_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (isdn_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (iucv_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (kcm_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (key_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (llc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (mctp_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (netlink_audit_socket (not (accept listen map name_bind nlmsg_read + nlmsg_readpriv nlmsg_relay + nlmsg_tty_audit nlmsg_write + relabelfrom relabelto recvfrom + sendto)))) +(classmapping sockets common + (netlink_connector_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_crypto_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_dnrt_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_fib_lookup_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_generic_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_iscsi_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_kobject_uevent_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_netfilter_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_nflog_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_rdma_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_route_socket (not (accept listen map name_bind nlmsg_read + nlmsg_write relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (netlink_scsitransport_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_selinux_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (netlink_tcpdiag_socket (not (accept listen map name_bind + nlmsg_read nlmsg_write + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_xfrm_socket (not (accept listen map name_bind nlmsg_read + nlmsg_write relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (netrom_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (nfc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (packet_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (phonet_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (pppox_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (qipcrtr_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (rawip_socket (not (accept listen map name_bind node_bind + relabelfrom relabelto recvfrom + sendto)))) +(classmapping sockets common + (rds_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (rose_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (rxrpc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (sctp_socket (not (accept association listen map name_connect + name_bind node_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (smc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (tcp_socket (not (accept listen map name_connect name_bind + node_bind relabelfrom relabelto recvfrom + sendto)))) +(classmapping sockets common + (tipc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (tun_socket (not (accept attach_queue listen map name_bind + relabelfrom relabelto recvfrom sendto)))) +(classmapping sockets common + (udp_socket (not (accept listen map name_bind node_bind + relabelfrom relabelto recvfrom sendto)))) +(classmapping sockets common + (unix_dgram_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (unix_stream_socket (not (accept connectto listen map name_bind + relabelfrom relabelto recvfrom + sendto)))) +(classmapping sockets common + (vsock_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (x25_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (xdp_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) + +(classmapping sockets getattr (ax25_socket (getattr))) +(classmapping sockets getattr (alg_socket (getattr))) +(classmapping sockets getattr (appletalk_socket (getattr))) +(classmapping sockets getattr (atmpvc_socket (getattr))) +(classmapping sockets getattr (atmsvc_socket (getattr))) +(classmapping sockets getattr (bluetooth_socket (getattr))) +(classmapping sockets getattr (caif_socket (getattr))) +(classmapping sockets getattr (can_socket (getattr))) +(classmapping sockets getattr (dccp_socket (getattr))) +(classmapping sockets getattr (decnet_socket (getattr))) +(classmapping sockets getattr (icmp_socket (getattr))) +(classmapping sockets getattr (ieee802154_socket (getattr))) +(classmapping sockets getattr (ipx_socket (getattr))) +(classmapping sockets getattr (irda_socket (getattr))) +(classmapping sockets getattr (isdn_socket (getattr))) +(classmapping sockets getattr (iucv_socket (getattr))) +(classmapping sockets getattr (kcm_socket (getattr))) +(classmapping sockets getattr (key_socket (getattr))) +(classmapping sockets getattr (llc_socket (getattr))) +(classmapping sockets getattr (mctp_socket (getattr))) +(classmapping sockets getattr (netlink_audit_socket (getattr))) +(classmapping sockets getattr (netlink_connector_socket (getattr))) +(classmapping sockets getattr (netlink_crypto_socket (getattr))) +(classmapping sockets getattr (netlink_dnrt_socket (getattr))) +(classmapping sockets getattr (netlink_fib_lookup_socket (getattr))) +(classmapping sockets getattr (netlink_generic_socket (getattr))) +(classmapping sockets getattr (netlink_iscsi_socket (getattr))) +(classmapping sockets getattr (netlink_kobject_uevent_socket (getattr))) +(classmapping sockets getattr (netlink_netfilter_socket (getattr))) +(classmapping sockets getattr (netlink_nflog_socket (getattr))) +(classmapping sockets getattr (netlink_rdma_socket (getattr))) +(classmapping sockets getattr (netlink_route_socket (getattr))) +(classmapping sockets getattr (netlink_scsitransport_socket (getattr))) +(classmapping sockets getattr (netlink_selinux_socket (getattr))) +(classmapping sockets getattr (netlink_socket (getattr))) +(classmapping sockets getattr (netlink_tcpdiag_socket (getattr))) +(classmapping sockets getattr (netlink_xfrm_socket (getattr))) +(classmapping sockets getattr (netrom_socket (getattr))) +(classmapping sockets getattr (nfc_socket (getattr))) +(classmapping sockets getattr (packet_socket (getattr))) +(classmapping sockets getattr (phonet_socket (getattr))) +(classmapping sockets getattr (pppox_socket (getattr))) +(classmapping sockets getattr (qipcrtr_socket (getattr))) +(classmapping sockets getattr (rawip_socket (getattr))) +(classmapping sockets getattr (rds_socket (getattr))) +(classmapping sockets getattr (rose_socket (getattr))) +(classmapping sockets getattr (rxrpc_socket (getattr))) +(classmapping sockets getattr (sctp_socket (getattr))) +(classmapping sockets getattr (smc_socket (getattr))) +(classmapping sockets getattr (socket (getattr))) +(classmapping sockets getattr (tcp_socket (getattr))) +(classmapping sockets getattr (tipc_socket (getattr))) +(classmapping sockets getattr (tun_socket (getattr))) +(classmapping sockets getattr (udp_socket (getattr))) +(classmapping sockets getattr (unix_dgram_socket (getattr))) +(classmapping sockets getattr (unix_stream_socket (getattr))) +(classmapping sockets getattr (vsock_socket (getattr))) +(classmapping sockets getattr (x25_socket (getattr))) +(classmapping sockets getattr (xdp_socket (getattr))) + +(macro association_invalid_sctp_sockets ((type ARG1)) + (allow ARG1 invalid (sctp_socket (association)))) + +(macro connectto_invalid_unix_stream_sockets ((type ARG1)) + (allow ARG1 invalid (unix_stream_socket (connectto)))) + +(macro getattr_invalid_sockets ((type ARG1)) + (allow ARG1 invalid (sockets (getattr)))) + +(macro namebind_invalid_dccp_sockets ((type ARG1)) + (allow ARG1 invalid (dccp_socket (name_bind)))) + +(macro namebind_invalid_icmp_sockets ((type ARG1)) + (allow ARG1 invalid (icmp_socket (name_bind)))) + +(macro namebind_invalid_rawip_sockets ((type ARG1)) + (allow ARG1 invalid (rawip_socket (name_bind)))) + +(macro namebind_invalid_sctp_sockets ((type ARG1)) + (allow ARG1 invalid (sctp_socket (name_bind)))) + +(macro namebind_invalid_tcp_sockets ((type ARG1)) + (allow ARG1 invalid (tcp_socket (name_bind)))) + +(macro namebind_invalid_udp_sockets ((type ARG1)) + (allow ARG1 invalid (udp_socket (name_bind)))) + +(macro nameconnect_invalid_dccp_sockets ((type ARG1)) + (allow ARG1 invalid (dccp_socket (name_connect)))) + +(macro nameconnect_invalid_sctp_sockets ((type ARG1)) + (allow ARG1 invalid (sctp_socket (name_connect)))) + +(macro nameconnect_invalid_tcp_sockets ((type ARG1)) + (allow ARG1 invalid (tcp_socket (name_connect)))) + +(macro nodebind_invalid_dccp_sockets ((type ARG1)) + (allow ARG1 invalid (dccp_socket (node_bind)))) + +(macro nodebind_invalid_icmp_sockets ((type ARG1)) + (allow ARG1 invalid (icmp_socket (node_bind)))) + +(macro nodebind_invalid_rawip_sockets ((type ARG1)) + (allow ARG1 invalid (rawip_socket (node_bind)))) + +(macro nodebind_invalid_sctp_sockets ((type ARG1)) + (allow ARG1 invalid (sctp_socket (node_bind)))) + +(macro nodebind_invalid_tcp_sockets ((type ARG1)) + (allow ARG1 invalid (tcp_socket (node_bind)))) + +(macro nodebind_invalid_udp_sockets ((type ARG1)) + (allow ARG1 invalid (udp_socket (node_bind)))) + +(macro readwrite_invalid_unix_dgram_sockets ((type ARG1)) + (allow ARG1 invalid readwrite_unix_dgram_socket)) + +(macro readwrite_invalid_unix_stream_sockets ((type ARG1)) + (allow ARG1 invalid readwrite_unix_stream_socket)) + +(macro sendto_invalid_unix_dgram_sockets ((type ARG1)) + (allow ARG1 invalid (unix_dgram_socket (sendto)))) + +(macro write_invalid_unix_dgram_sockets ((type ARG1)) + (allow ARG1 invalid write_unix_dgram_socket)) + +(macro write_invalid_unix_stream_sockets ((type ARG1)) + (allow ARG1 invalid write_unix_stream_socket)) + +(in ibac + + (constrain (constrainsocketsubject (create relabelto)) + (or (or (or (eq u1 u2) + (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in invalid.unconfined + + (allow typeattr .invalid (sockets (common))) + (allow typeattr .invalid (alg_socket (accept listen))) + (allow typeattr .invalid (bluetooth_socket (accept listen))) + (allow typeattr .invalid + (dccp_socket (accept listen name_bind name_connect node_bind))) + (allow typeattr .invalid (icmp_socket (name_bind node_bind))) + (allow typeattr .invalid (rawip_socket (name_bind node_bind))) + (allow typeattr .invalid + (sctp_socket (association accept listen name_bind name_connect + node_bind))) + (allow typeattr .invalid (udp_socket (name_bind node_bind))) + (allow typeattr .invalid + (tcp_socket (accept listen name_bind name_connect node_bind))) + (allow typeattr .invalid (tun_socket (attach_queue))) + (allow typeattr .invalid (unix_dgram_socket (sendto))) + (allow typeattr .invalid (unix_stream_socket (accept connectto listen))) + (allow typeattr .invalid (vsock_socket (accept listen)))) + +(in mcs + + (mlsconstrain (constrainsocketobject (nameconnect nodebind)) + (or (dom h1 h2) + (neq t1 constrained.typeattr))) + + (mlsconstrain + (constrainsocketsubject (append association attachqueue connectto create + getattr read relabelto sendto setattr + write)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in rbac + + (constrain (constrainsocketsubject (create relabelto)) + (or (or (or (eq r1 r2) + (and (eq t1 subjchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in rbacsep + + (constrain (constrainsocketsubject (append getattr read setattr write)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) + +(in subj.all_macro_template + + (macro association_all_sctp_sockets ((type ARG1)) + (allow ARG1 typeattr (sctp_socket (association)))) + + (macro connectto_all_unix_stream_sockets ((type ARG1)) + (allow ARG1 typeattr (unix_stream_socket (connectto)))) + + (macro getattr_all_sockets ((type ARG1)) + (allow ARG1 typeattr (sockets (getattr)))) + + (macro readwrite_all_unix_dgram_sockets ((type ARG1)) + (allow ARG1 typeattr readwrite_unix_dgram_socket)) + + (macro readwrite_all_unix_stream_sockets ((type ARG1)) + (allow ARG1 typeattr readwrite_unix_stream_socket)) + + (macro sendto_all_unix_dgram_sockets ((type ARG1)) + (allow ARG1 typeattr (unix_dgram_socket (sendto)))) + + (macro write_all_unix_dgram_sockets ((type ARG1)) + (allow ARG1 typeattr write_unix_dgram_socket)) + + (macro write_all_unix_stream_sockets ((type ARG1)) + (allow ARG1 typeattr write_unix_stream_socket))) + +(in subj.macro_template + + (macro association_subj_sctp_sockets ((type ARG1)) + (allow ARG1 subj (sctp_socket (association)))) + + (macro connectto_subj_unix_stream_sockets ((type ARG1)) + (allow ARG1 subj (unix_stream_socket (connectto)))) + + (macro getattr_subj_sockets ((type ARG1)) + (allow ARG1 subj (sockets (getattr)))) + + (macro readwrite_subj_unix_dgram_sockets ((type ARG1)) + (allow ARG1 subj readwrite_unix_dgram_socket)) + + (macro readwrite_subj_unix_stream_sockets ((type ARG1)) + (allow ARG1 subj readwrite_unix_stream_socket)) + + (macro sendto_subj_unix_dgram_sockets ((type ARG1)) + (allow ARG1 subj (unix_dgram_socket (sendto)))) + + (macro write_subj_unix_dgram_sockets ((type ARG1)) + (allow ARG1 subj write_unix_dgram_socket)) + + (macro write_subj_unix_stream_sockets ((type ARG1)) + (allow ARG1 subj write_unix_stream_socket))) + +(in subj.unconfined + + (allow typeattr self + (netlink_audit_socket (nlmsg_read nlmsg_readpriv nlmsg_relay + nlmsg_tty_audit nlmsg_write))) + (allow typeattr self (netlink_route_socket (nlmsg_read nlmsg_write))) + (allow typeattr self (netlink_tcpdiag_socket (nlmsg_read nlmsg_write))) + (allow typeattr self (netlink_xfrm_socket (nlmsg_read nlmsg_write))) + (allow typeattr self (packet_socket (map))) + (allow typeattr self (tun_socket (relabelto))) + + (allow typeattr subj.typeattr (alg_socket (accept listen))) + (allow typeattr subj.typeattr (bluetooth_socket (accept listen))) + (allow typeattr subj.typeattr (dccp_socket (accept listen))) + (allow typeattr subj.typeattr (sctp_socket (association accept listen))) + (allow typeattr subj.typeattr (sockets (common))) + (allow typeattr subj.typeattr (tcp_socket (accept listen))) + (allow typeattr subj.typeattr (tun_socket (attach_queue relabelfrom))) + (allow typeattr subj.typeattr (unix_dgram_socket (sendto))) + (allow typeattr subj.typeattr + (unix_stream_socket (accept connectto listen))) + (allow typeattr subj.typeattr (vsock_socket (accept listen)))) diff --git a/src/misc/av/systemav.cil b/src/misc/av/systemav.cil new file mode 100644 index 0000000..ef9de4c --- /dev/null +++ b/src/misc/av/systemav.cil @@ -0,0 +1,60 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class system + (halt ipc_info module_load module_request reboot reload start status + stop syslog_console syslog_mod syslog_read)) +(classorder (unordered system)) + +(in sys + + (macro ipcinfo_system ((type ARG1)) + (allow ARG1 subj (system (ipc_info)))) + + (macro modulerequest_system ((type ARG1)) + (allow ARG1 subj (system (module_request)))) + + (macro syslogconsole_system ((type ARG1)) + (allow ARG1 subj (system (syslog_console)))) + + (macro syslogmod_system ((type ARG1)) + (allow ARG1 subj (system (syslog_mod)))) + + (macro syslogread_system ((type ARG1)) + (allow ARG1 subj (system (syslog_read)))) + + (block moduleload + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr self (system (module_load)))) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr self (system (module_load))) + (allow typeattr subj + (system (ipc_info module_request syslog_console syslog_mod + syslog_read))) + + ;; potentially happens in autorelabel.target on policy model change + (allow typeattr .invalid (system (module_load))) + + ;; potentially happens in autorelabel.target on fresh install + (allow typeattr .unlabeled (system (module_load))) + + (call moduleload.type (typeattr)))) + +(in unconfined + + (call .sys.unconfined.type (typeattr))) diff --git a/src/misc/av/usernamespaceav.cil b/src/misc/av/usernamespaceav.cil new file mode 100644 index 0000000..c390313 --- /dev/null +++ b/src/misc/av/usernamespaceav.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class user_namespace (create)) +(classorder (unordered user_namespace)) + +(in subj.unconfined + + (allow typeattr self (user_namespace (create)))) diff --git a/src/misc/conf.cil b/src/misc/conf.cil new file mode 100644 index 0000000..f7c70d4 --- /dev/null +++ b/src/misc/conf.cil @@ -0,0 +1,16 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(handleunknown allow) +(mls true) + +(policycap "always_check_network") +(policycap "cgroup_seclabel") +(policycap "extended_socket_class") +(policycap "genfs_seclabel_symlinks") +(policycap "network_peer_controls") +(policycap "nnp_nosuid_transition") +(policycap "open_perms") + +;; SELinux 3.4/Linux 5.18 +;; (policycap "ioctl_skip_cloexec") diff --git a/src/misc/constrain/ibac.cil b/src/misc/constrain/ibac.cil new file mode 100644 index 0000000..ae2d4b8 --- /dev/null +++ b/src/misc/constrain/ibac.cil @@ -0,0 +1,84 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block ibac + + (constrain (constrainobject (create relabelto)) + (or (or (or (eq u1 u2) + (and (eq t1 objchangesys.typeattr) + (eq u2 .sys.id))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr))) + + (constrain (process (dyntransition transition)) + (or (or (or (eq u1 u2) + (and (eq t1 subjchange.typeattr) + (eq t2 subjchangetarget.typeattr))) + (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 exempt.typeattr))) + + (block change + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call objchange.type (typeattr)) + (call subjchange.type (typeattr))) + + (block changesys + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call objchangesys.type (typeattr)) + (call subjchangesys.type (typeattr))) + + (block exempt + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block objchange + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block objchangesys + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block subjchange + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block subjchangesys + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block subjchangetarget + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) + +(in subj.unconfined + + (call .ibac.exempt.type (typeattr))) diff --git a/src/misc/constrain/mcs.cil b/src/misc/constrain/mcs.cil new file mode 100644 index 0000000..849d525 --- /dev/null +++ b/src/misc/constrain/mcs.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(defaultrange blk_file source low) +(defaultrange chr_file source low) +(defaultrange dir source low) +(defaultrange fifo_file source low) +(defaultrange file source low) +(defaultrange lnk_file source low) +(defaultrange sock_file source low) + +(block mcs + + (mlsconstrain (constrainobject (create relabelto)) + (or (neq t1 constrained.typeattr) + (and (dom h1 h2) (eq l2 h2)))) + + (mlsconstrain (constrainobject (append getattr read setattr write)) + (or (dom h1 h2) + (neq t1 constrained.typeattr))) + + (mlsconstrain + (process (dyntransition getrlimit getsched ptrace setrlimit setsched + sigchld sigkill signal signull sigstop + transition)) + (or (dom h1 h2) + (neq t1 constrained.typeattr))) + + (mlsconstrain (fifo_file (append getattr read write setattr)) + (or (dom h1 h2) + (neq t1 constrained.typeattr))) + + (block constrained + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) diff --git a/src/misc/constrain/rbac.cil b/src/misc/constrain/rbac.cil new file mode 100644 index 0000000..790d554 --- /dev/null +++ b/src/misc/constrain/rbac.cil @@ -0,0 +1,84 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block rbac + + (constrain (constrainobject (create relabelto)) + (or (or (or (eq r1 r2) + (and (eq t1 objchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr))) + + (constrain (process (dyntransition transition)) + (or (or (or (eq r1 r2) + (and (eq t1 subjchange.typeattr) + (eq t2 subjchangetarget.typeattr))) + (and (eq t1 subjchangesys.typeattr) (eq r2 .sys.role))) + (eq t1 exempt.typeattr))) + + (block change + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call objchange.type (typeattr)) + (call subjchange.type (typeattr))) + + (block changesys + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call objchangesys.type (typeattr)) + (call subjchangesys.type (typeattr))) + + (block exempt + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block objchange + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block objchangesys + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block subjchange + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block subjchangesys + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block subjchangetarget + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) + +(in subj.unconfined + + (call .rbac.exempt.type (typeattr))) diff --git a/src/misc/constrain/rbacsep.cil b/src/misc/constrain/rbacsep.cil new file mode 100644 index 0000000..a3e1b6f --- /dev/null +++ b/src/misc/constrain/rbacsep.cil @@ -0,0 +1,112 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block rbacsep + + (constrain (fifo_file (append getattr read setattr write)) + (or (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (eq t2 exempt.obj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr)))) + + (constrain (constrainobject (append setattr write)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (eq t2 exempt.obj.typeattr))) + + (constrain (constrainobject (getattr read)) + (or (or (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (eq t2 exempt.obj.typeattr)) + (and (eq r2 exempt.roleattr) (eq t2 typeattr))) + (and + (eq t1 readstatesource.typeattr) + (eq t2 readstatetarget.typeattr)))) + + (constrain + (process (getrlimit getsched ptrace setrlimit setsched sigchld sigkill + signal signull sigstop)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) (eq t2 exempttarget.typeattr)))) + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (block constrained + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block exempt + + (macro role ((role ARG1)) + (roleattributeset roleattr ARG1)) + + (roleattribute roleattr) + + (block obj + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block subj + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) + + (block exemptsource + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block exempttarget + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block readstatesource + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block readstatetarget + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) + +(in obj + + (call .rbacsep.type (typeattr))) + +(in subj.unconfined + + (call .rbacsep.exempt.subj.type (typeattr))) + +(in sys + + (call .rbacsep.exempt.role (role))) diff --git a/src/misc/default.cil b/src/misc/default.cil new file mode 100644 index 0000000..da5851a --- /dev/null +++ b/src/misc/default.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(defaultrole blk_file source) +(defaultrole chr_file source) +(defaultrole dir source) +(defaultrole fifo_file source) +(defaultrole file source) +(defaultrole lnk_file source) +(defaultrole sock_file source) diff --git a/src/misc/isid.cil b/src/misc/isid.cil new file mode 100644 index 0000000..e369a87 --- /dev/null +++ b/src/misc/isid.cil @@ -0,0 +1,37 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(sid devnull) +(sid file) +(sid kernel) +(sid netif) +(sid netmsg) +(sid node) +(sid port) +(sid security) +(sid unlabeled) + +(sid any_socket) +(sid file_labels) +(sid fs) +(sid icmp_socket) +(sid igmp_packet) +(sid init) +(sid kmod) +(sid policy) +(sid scmp_packet) +(sid sysctl) +(sid sysctl_dev) +(sid sysctl_fs) +(sid sysctl_kernel) +(sid sysctl_modprobe) +(sid sysctl_net) +(sid sysctl_net_unix) +(sid sysctl_vm) +(sid tcp_socket) + +(sidorder + (kernel security unlabeled fs file file_labels init any_socket port netif + netmsg node igmp_packet icmp_socket tcp_socket sysctl_modprobe sysctl + sysctl_fs sysctl_kernel sysctl_net sysctl_net_unix sysctl_vm sysctl_dev + kmod policy scmp_packet devnull)) diff --git a/src/misc/map.cil b/src/misc/map.cil new file mode 100644 index 0000000..591084c --- /dev/null +++ b/src/misc/map.cil @@ -0,0 +1,161 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(classmap constrainobject (append create getattr read relabelto setattr write)) + +(classmap files + (create delete manage read readwrite relabel relabelfrom relabelto + rename watch write)) + +(classmapping constrainobject append (blk_file (append))) +(classmapping constrainobject append (chr_file (append))) +(classmapping constrainobject append (dir (append))) +(classmapping constrainobject append (file (append))) +(classmapping constrainobject append (lnk_file (append))) +(classmapping constrainobject append (sock_file (append))) + +(classmapping constrainobject create (blk_file (create))) +(classmapping constrainobject create (chr_file (create))) +(classmapping constrainobject create (dir (create))) +(classmapping constrainobject create (fifo_file (create))) +(classmapping constrainobject create (file (create))) +(classmapping constrainobject create (lnk_file (create))) +(classmapping constrainobject create (sock_file (create))) + +(classmapping constrainobject getattr (blk_file (getattr))) +(classmapping constrainobject getattr (chr_file (getattr))) +(classmapping constrainobject getattr (dir (getattr))) +(classmapping constrainobject getattr (file (getattr))) +(classmapping constrainobject getattr (lnk_file (getattr))) +(classmapping constrainobject getattr (sock_file (getattr))) + +(classmapping constrainobject read (blk_file (read))) +(classmapping constrainobject read (chr_file (read))) +(classmapping constrainobject read (dir (read))) +(classmapping constrainobject read (file (read))) +(classmapping constrainobject read (lnk_file (read))) +(classmapping constrainobject read (sock_file (read))) + +(classmapping constrainobject relabelto (blk_file (relabelto))) +(classmapping constrainobject relabelto (chr_file (relabelto))) +(classmapping constrainobject relabelto (dir (relabelto))) +(classmapping constrainobject relabelto (fifo_file (relabelto))) +(classmapping constrainobject relabelto (file (relabelto))) +(classmapping constrainobject relabelto (lnk_file (relabelto))) +(classmapping constrainobject relabelto (sock_file (relabelto))) + +(classmapping constrainobject setattr (blk_file (setattr))) +(classmapping constrainobject setattr (chr_file (setattr))) +(classmapping constrainobject setattr (dir (setattr))) +(classmapping constrainobject setattr (file (setattr))) +(classmapping constrainobject setattr (lnk_file (setattr))) +(classmapping constrainobject setattr (sock_file (setattr))) + +(classmapping constrainobject write (blk_file (write))) +(classmapping constrainobject write (chr_file (write))) +(classmapping constrainobject write (dir (write))) +(classmapping constrainobject write (file (write))) +(classmapping constrainobject write (lnk_file (write))) +(classmapping constrainobject write (sock_file (write))) + +(classmapping files create addname_dir) +(classmapping files create create_blk_file) +(classmapping files create create_chr_file) +(classmapping files create create_dir) +(classmapping files create create_fifo_file) +(classmapping files create create_file) +(classmapping files create create_lnk_file) +(classmapping files create create_sock_file) +(classmapping files create read_lnk_file) + +(classmapping files delete delete_blk_file) +(classmapping files delete delete_chr_file) +(classmapping files delete delete_dir) +(classmapping files delete delete_fifo_file) +(classmapping files delete delete_file) +(classmapping files delete delete_lnk_file) +(classmapping files delete delete_sock_file) +(classmapping files delete deletename_dir) +(classmapping files delete read_lnk_file) + +(classmapping files manage manage_blk_file) +(classmapping files manage manage_chr_file) +(classmapping files manage manage_dir) +(classmapping files manage manage_fifo_file) +(classmapping files manage manage_file) +(classmapping files manage manage_lnk_file) +(classmapping files manage manage_sock_file) +(classmapping files manage read_lnk_file) + +(classmapping files read list_dir) +(classmapping files read read_blk_file) +(classmapping files read read_chr_file) +(classmapping files read read_fifo_file) +(classmapping files read read_file) +(classmapping files read read_lnk_file) +(classmapping files read read_sock_file) + +(classmapping files readwrite readwrite_blk_file) +(classmapping files readwrite readwrite_chr_file) +(classmapping files readwrite readwrite_dir) +(classmapping files readwrite readwrite_fifo_file) +(classmapping files readwrite readwrite_file) +(classmapping files readwrite readwrite_lnk_file) +(classmapping files readwrite readwrite_sock_file) + +(classmapping files relabel read_lnk_file) +(classmapping files relabel relabel_blk_file) +(classmapping files relabel relabel_chr_file) +(classmapping files relabel relabel_dir) +(classmapping files relabel relabel_fifo_file) +(classmapping files relabel relabel_file) +(classmapping files relabel relabel_lnk_file) +(classmapping files relabel relabel_sock_file) +(classmapping files relabel search_dir) + +(classmapping files relabelfrom read_lnk_file) +(classmapping files relabelfrom relabelfrom_blk_file) +(classmapping files relabelfrom relabelfrom_chr_file) +(classmapping files relabelfrom relabelfrom_dir) +(classmapping files relabelfrom relabelfrom_fifo_file) +(classmapping files relabelfrom relabelfrom_file) +(classmapping files relabelfrom relabelfrom_lnk_file) +(classmapping files relabelfrom relabelfrom_sock_file) +(classmapping files relabelfrom search_dir) + +(classmapping files relabelto read_lnk_file) +(classmapping files relabelto relabelto_blk_file) +(classmapping files relabelto relabelto_chr_file) +(classmapping files relabelto relabelto_dir) +(classmapping files relabelto relabelto_fifo_file) +(classmapping files relabelto relabelto_file) +(classmapping files relabelto relabelto_lnk_file) +(classmapping files relabelto relabelto_sock_file) +(classmapping files relabelto search_dir) + +(classmapping files rename read_lnk_file) +(classmapping files rename readwrite_dir) +(classmapping files rename rename_blk_file) +(classmapping files rename rename_chr_file) +(classmapping files rename rename_dir) +(classmapping files rename rename_fifo_file) +(classmapping files rename rename_file) +(classmapping files rename rename_lnk_file) +(classmapping files rename rename_sock_file) + +(classmapping files watch (blk_file (watch))) +(classmapping files watch (chr_file (watch))) +(classmapping files watch (dir (watch))) +(classmapping files watch (fifo_file (watch))) +(classmapping files watch (file (watch))) +(classmapping files watch (lnk_file (watch))) +(classmapping files watch (sock_file (watch))) + +(classmapping files write read_lnk_file) +(classmapping files write write_blk_file) +(classmapping files write write_chr_file) +(classmapping files write write_dir) +(classmapping files write write_fifo_file) +(classmapping files write write_file) +(classmapping files write write_lnk_file) +(classmapping files write write_sock_file) diff --git a/src/misc/mls.cil b/src/misc/mls.cil new file mode 100644 index 0000000..c18f9a5 --- /dev/null +++ b/src/misc/mls.cil @@ -0,0 +1,1110 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(category c0) +(category c1) +(category c2) +(category c3) +(category c4) +(category c5) +(category c6) +(category c7) +(category c8) +(category c9) +(category c10) +(category c11) +(category c12) +(category c13) +(category c14) +(category c15) +(category c16) +(category c17) +(category c18) +(category c19) +(category c20) +(category c21) +(category c22) +(category c23) +(category c24) +(category c25) +(category c26) +(category c27) +(category c28) +(category c29) +(category c30) +(category c31) +(category c32) +(category c33) +(category c34) +(category c35) +(category c36) +(category c37) +(category c38) +(category c39) +(category c40) +(category c41) +(category c42) +(category c43) +(category c44) +(category c45) +(category c46) +(category c47) +(category c48) +(category c49) +(category c50) +(category c51) +(category c52) +(category c53) +(category c54) +(category c55) +(category c56) +(category c57) +(category c58) +(category c59) +(category c60) +(category c61) +(category c62) +(category c63) +(category c64) +(category c65) +(category c66) +(category c67) +(category c68) +(category c69) +(category c70) +(category c71) +(category c72) +(category c73) +(category c74) +(category c75) +(category c76) +(category c77) +(category c78) +(category c79) +(category c80) +(category c81) +(category c82) +(category c83) +(category c84) +(category c85) +(category c86) +(category c87) +(category c88) +(category c89) +(category c90) +(category c91) +(category c92) +(category c93) +(category c94) +(category c95) +(category c96) +(category c97) +(category c98) +(category c99) +(category c100) +(category c101) +(category c102) +(category c103) +(category c104) +(category c105) +(category c106) +(category c107) +(category c108) +(category c109) +(category c110) +(category c111) +(category c112) +(category c113) +(category c114) +(category c115) +(category c116) +(category c117) +(category c118) +(category c119) +(category c120) +(category c121) +(category c122) +(category c123) +(category c124) +(category c125) +(category c126) +(category c127) +(category c128) +(category c129) +(category c130) +(category c131) +(category c132) +(category c133) +(category c134) +(category c135) +(category c136) +(category c137) +(category c138) +(category c139) +(category c140) +(category c141) +(category c142) +(category c143) +(category c144) +(category c145) +(category c146) +(category c147) +(category c148) +(category c149) +(category c150) +(category c151) +(category c152) +(category c153) +(category c154) +(category c155) +(category c156) +(category c157) +(category c158) +(category c159) +(category c160) +(category c161) +(category c162) +(category c163) +(category c164) +(category c165) +(category c166) +(category c167) +(category c168) +(category c169) +(category c170) +(category c171) +(category c172) +(category c173) +(category c174) +(category c175) +(category c176) +(category c177) +(category c178) +(category c179) +(category c180) +(category c181) +(category c182) +(category c183) +(category c184) +(category c185) +(category c186) +(category c187) +(category c188) +(category c189) +(category c190) +(category c191) +(category c192) +(category c193) +(category c194) +(category c195) +(category c196) +(category c197) +(category c198) +(category c199) +(category c200) +(category c201) +(category c202) +(category c203) +(category c204) +(category c205) +(category c206) +(category c207) +(category c208) +(category c209) +(category c210) +(category c211) +(category c212) +(category c213) +(category c214) +(category c215) +(category c216) +(category c217) +(category c218) +(category c219) +(category c220) +(category c221) +(category c222) +(category c223) +(category c224) +(category c225) +(category c226) +(category c227) +(category c228) +(category c229) +(category c230) +(category c231) +(category c232) +(category c233) +(category c234) +(category c235) +(category c236) +(category c237) +(category c238) +(category c239) +(category c240) +(category c241) +(category c242) +(category c243) +(category c244) +(category c245) +(category c246) +(category c247) +(category c248) +(category c249) +(category c250) +(category c251) +(category c252) +(category c253) +(category c254) +(category c255) +(category c256) +(category c257) +(category c258) +(category c259) +(category c260) +(category c261) +(category c262) +(category c263) +(category c264) +(category c265) +(category c266) +(category c267) +(category c268) +(category c269) +(category c270) +(category c271) +(category c272) +(category c273) +(category c274) +(category c275) +(category c276) +(category c277) +(category c278) +(category c279) +(category c280) +(category c281) +(category c282) +(category c283) +(category c284) +(category c285) +(category c286) +(category c287) +(category c288) +(category c289) +(category c290) +(category c291) +(category c292) +(category c293) +(category c294) +(category c295) +(category c296) +(category c297) +(category c298) +(category c299) +(category c300) +(category c301) +(category c302) +(category c303) +(category c304) +(category c305) +(category c306) +(category c307) +(category c308) +(category c309) +(category c310) +(category c311) +(category c312) +(category c313) +(category c314) +(category c315) +(category c316) +(category c317) +(category c318) +(category c319) +(category c320) +(category c321) +(category c322) +(category c323) +(category c324) +(category c325) +(category c326) +(category c327) +(category c328) +(category c329) +(category c330) +(category c331) +(category c332) +(category c333) +(category c334) +(category c335) +(category c336) +(category c337) +(category c338) +(category c339) +(category c340) +(category c341) +(category c342) +(category c343) +(category c344) +(category c345) +(category c346) +(category c347) +(category c348) +(category c349) +(category c350) +(category c351) +(category c352) +(category c353) +(category c354) +(category c355) +(category c356) +(category c357) +(category c358) +(category c359) +(category c360) +(category c361) +(category c362) +(category c363) +(category c364) +(category c365) +(category c366) +(category c367) +(category c368) +(category c369) +(category c370) +(category c371) +(category c372) +(category c373) +(category c374) +(category c375) +(category c376) +(category c377) +(category c378) +(category c379) +(category c380) +(category c381) +(category c382) +(category c383) +(category c384) +(category c385) +(category c386) +(category c387) +(category c388) +(category c389) +(category c390) +(category c391) +(category c392) +(category c393) +(category c394) +(category c395) +(category c396) +(category c397) +(category c398) +(category c399) +(category c400) +(category c401) +(category c402) +(category c403) +(category c404) +(category c405) +(category c406) +(category c407) +(category c408) +(category c409) +(category c410) +(category c411) +(category c412) +(category c413) +(category c414) +(category c415) +(category c416) +(category c417) +(category c418) +(category c419) +(category c420) +(category c421) +(category c422) +(category c423) +(category c424) +(category c425) +(category c426) +(category c427) +(category c428) +(category c429) +(category c430) +(category c431) +(category c432) +(category c433) +(category c434) +(category c435) +(category c436) +(category c437) +(category c438) +(category c439) +(category c440) +(category c441) +(category c442) +(category c443) +(category c444) +(category c445) +(category c446) +(category c447) +(category c448) +(category c449) +(category c450) +(category c451) +(category c452) +(category c453) +(category c454) +(category c455) +(category c456) +(category c457) +(category c458) +(category c459) +(category c460) +(category c461) +(category c462) +(category c463) +(category c464) +(category c465) +(category c466) +(category c467) +(category c468) +(category c469) +(category c470) +(category c471) +(category c472) +(category c473) +(category c474) +(category c475) +(category c476) +(category c477) +(category c478) +(category c479) +(category c480) +(category c481) +(category c482) +(category c483) +(category c484) +(category c485) +(category c486) +(category c487) +(category c488) +(category c489) +(category c490) +(category c491) +(category c492) +(category c493) +(category c494) +(category c495) +(category c496) +(category c497) +(category c498) +(category c499) +(category c500) +(category c501) +(category c502) +(category c503) +(category c504) +(category c505) +(category c506) +(category c507) +(category c508) +(category c509) +(category c510) +(category c511) +(category c512) +(category c513) +(category c514) +(category c515) +(category c516) +(category c517) +(category c518) +(category c519) +(category c520) +(category c521) +(category c522) +(category c523) +(category c524) +(category c525) +(category c526) +(category c527) +(category c528) +(category c529) +(category c530) +(category c531) +(category c532) +(category c533) +(category c534) +(category c535) +(category c536) +(category c537) +(category c538) +(category c539) +(category c540) +(category c541) +(category c542) +(category c543) +(category c544) +(category c545) +(category c546) +(category c547) +(category c548) +(category c549) +(category c550) +(category c551) +(category c552) +(category c553) +(category c554) +(category c555) +(category c556) +(category c557) +(category c558) +(category c559) +(category c560) +(category c561) +(category c562) +(category c563) +(category c564) +(category c565) +(category c566) +(category c567) +(category c568) +(category c569) +(category c570) +(category c571) +(category c572) +(category c573) +(category c574) +(category c575) +(category c576) +(category c577) +(category c578) +(category c579) +(category c580) +(category c581) +(category c582) +(category c583) +(category c584) +(category c585) +(category c586) +(category c587) +(category c588) +(category c589) +(category c590) +(category c591) +(category c592) +(category c593) +(category c594) +(category c595) +(category c596) +(category c597) +(category c598) +(category c599) +(category c600) +(category c601) +(category c602) +(category c603) +(category c604) +(category c605) +(category c606) +(category c607) +(category c608) +(category c609) +(category c610) +(category c611) +(category c612) +(category c613) +(category c614) +(category c615) +(category c616) +(category c617) +(category c618) +(category c619) +(category c620) +(category c621) +(category c622) +(category c623) +(category c624) +(category c625) +(category c626) +(category c627) +(category c628) +(category c629) +(category c630) +(category c631) +(category c632) +(category c633) +(category c634) +(category c635) +(category c636) +(category c637) +(category c638) +(category c639) +(category c640) +(category c641) +(category c642) +(category c643) +(category c644) +(category c645) +(category c646) +(category c647) +(category c648) +(category c649) +(category c650) +(category c651) +(category c652) +(category c653) +(category c654) +(category c655) +(category c656) +(category c657) +(category c658) +(category c659) +(category c660) +(category c661) +(category c662) +(category c663) +(category c664) +(category c665) +(category c666) +(category c667) +(category c668) +(category c669) +(category c670) +(category c671) +(category c672) +(category c673) +(category c674) +(category c675) +(category c676) +(category c677) +(category c678) +(category c679) +(category c680) +(category c681) +(category c682) +(category c683) +(category c684) +(category c685) +(category c686) +(category c687) +(category c688) +(category c689) +(category c690) +(category c691) +(category c692) +(category c693) +(category c694) +(category c695) +(category c696) +(category c697) +(category c698) +(category c699) +(category c700) +(category c701) +(category c702) +(category c703) +(category c704) +(category c705) +(category c706) +(category c707) +(category c708) +(category c709) +(category c710) +(category c711) +(category c712) +(category c713) +(category c714) +(category c715) +(category c716) +(category c717) +(category c718) +(category c719) +(category c720) +(category c721) +(category c722) +(category c723) +(category c724) +(category c725) +(category c726) +(category c727) +(category c728) +(category c729) +(category c730) +(category c731) +(category c732) +(category c733) +(category c734) +(category c735) +(category c736) +(category c737) +(category c738) +(category c739) +(category c740) +(category c741) +(category c742) +(category c743) +(category c744) +(category c745) +(category c746) +(category c747) +(category c748) +(category c749) +(category c750) +(category c751) +(category c752) +(category c753) +(category c754) +(category c755) +(category c756) +(category c757) +(category c758) +(category c759) +(category c760) +(category c761) +(category c762) +(category c763) +(category c764) +(category c765) +(category c766) +(category c767) +(category c768) +(category c769) +(category c770) +(category c771) +(category c772) +(category c773) +(category c774) +(category c775) +(category c776) +(category c777) +(category c778) +(category c779) +(category c780) +(category c781) +(category c782) +(category c783) +(category c784) +(category c785) +(category c786) +(category c787) +(category c788) +(category c789) +(category c790) +(category c791) +(category c792) +(category c793) +(category c794) +(category c795) +(category c796) +(category c797) +(category c798) +(category c799) +(category c800) +(category c801) +(category c802) +(category c803) +(category c804) +(category c805) +(category c806) +(category c807) +(category c808) +(category c809) +(category c810) +(category c811) +(category c812) +(category c813) +(category c814) +(category c815) +(category c816) +(category c817) +(category c818) +(category c819) +(category c820) +(category c821) +(category c822) +(category c823) +(category c824) +(category c825) +(category c826) +(category c827) +(category c828) +(category c829) +(category c830) +(category c831) +(category c832) +(category c833) +(category c834) +(category c835) +(category c836) +(category c837) +(category c838) +(category c839) +(category c840) +(category c841) +(category c842) +(category c843) +(category c844) +(category c845) +(category c846) +(category c847) +(category c848) +(category c849) +(category c850) +(category c851) +(category c852) +(category c853) +(category c854) +(category c855) +(category c856) +(category c857) +(category c858) +(category c859) +(category c860) +(category c861) +(category c862) +(category c863) +(category c864) +(category c865) +(category c866) +(category c867) +(category c868) +(category c869) +(category c870) +(category c871) +(category c872) +(category c873) +(category c874) +(category c875) +(category c876) +(category c877) +(category c878) +(category c879) +(category c880) +(category c881) +(category c882) +(category c883) +(category c884) +(category c885) +(category c886) +(category c887) +(category c888) +(category c889) +(category c890) +(category c891) +(category c892) +(category c893) +(category c894) +(category c895) +(category c896) +(category c897) +(category c898) +(category c899) +(category c900) +(category c901) +(category c902) +(category c903) +(category c904) +(category c905) +(category c906) +(category c907) +(category c908) +(category c909) +(category c910) +(category c911) +(category c912) +(category c913) +(category c914) +(category c915) +(category c916) +(category c917) +(category c918) +(category c919) +(category c920) +(category c921) +(category c922) +(category c923) +(category c924) +(category c925) +(category c926) +(category c927) +(category c928) +(category c929) +(category c930) +(category c931) +(category c932) +(category c933) +(category c934) +(category c935) +(category c936) +(category c937) +(category c938) +(category c939) +(category c940) +(category c941) +(category c942) +(category c943) +(category c944) +(category c945) +(category c946) +(category c947) +(category c948) +(category c949) +(category c950) +(category c951) +(category c952) +(category c953) +(category c954) +(category c955) +(category c956) +(category c957) +(category c958) +(category c959) +(category c960) +(category c961) +(category c962) +(category c963) +(category c964) +(category c965) +(category c966) +(category c967) +(category c968) +(category c969) +(category c970) +(category c971) +(category c972) +(category c973) +(category c974) +(category c975) +(category c976) +(category c977) +(category c978) +(category c979) +(category c980) +(category c981) +(category c982) +(category c983) +(category c984) +(category c985) +(category c986) +(category c987) +(category c988) +(category c989) +(category c990) +(category c991) +(category c992) +(category c993) +(category c994) +(category c995) +(category c996) +(category c997) +(category c998) +(category c999) +(category c1000) +(category c1001) +(category c1002) +(category c1003) +(category c1004) +(category c1005) +(category c1006) +(category c1007) +(category c1008) +(category c1009) +(category c1010) +(category c1011) +(category c1012) +(category c1013) +(category c1014) +(category c1015) +(category c1016) +(category c1017) +(category c1018) +(category c1019) +(category c1020) +(category c1021) +(category c1022) +(category c1023) + +(categoryorder + (c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 c13 c14 c15 c16 c17 c18 c19 c20 c21 + c22 c23 c24 c25 c26 c27 c28 c29 c30 c31 c32 c33 c34 c35 c36 c37 c38 c39 c40 + c41 c42 c43 c44 c45 c46 c47 c48 c49 c50 c51 c52 c53 c54 c55 c56 c57 c58 c59 + c60 c61 c62 c63 c64 c65 c66 c67 c68 c69 c70 c71 c72 c73 c74 c75 c76 c77 c78 + c79 c80 c81 c82 c83 c84 c85 c86 c87 c88 c89 c90 c91 c92 c93 c94 c95 c96 c97 + c98 c99 c100 c101 c102 c103 c104 c105 c106 c107 c108 c109 c110 c111 c112 + c113 c114 c115 c116 c117 c118 c119 c120 c121 c122 c123 c124 c125 c126 c127 + c128 c129 c130 c131 c132 c133 c134 c135 c136 c137 c138 c139 c140 c141 c142 + c143 c144 c145 c146 c147 c148 c149 c150 c151 c152 c153 c154 c155 c156 c157 + c158 c159 c160 c161 c162 c163 c164 c165 c166 c167 c168 c169 c170 c171 c172 + c173 c174 c175 c176 c177 c178 c179 c180 c181 c182 c183 c184 c185 c186 c187 + c188 c189 c190 c191 c192 c193 c194 c195 c196 c197 c198 c199 c200 c201 c202 + c203 c204 c205 c206 c207 c208 c209 c210 c211 c212 c213 c214 c215 c216 c217 + c218 c219 c220 c221 c222 c223 c224 c225 c226 c227 c228 c229 c230 c231 c232 + c233 c234 c235 c236 c237 c238 c239 c240 c241 c242 c243 c244 c245 c246 c247 + c248 c249 c250 c251 c252 c253 c254 c255 c256 c257 c258 c259 c260 c261 c262 + c263 c264 c265 c266 c267 c268 c269 c270 c271 c272 c273 c274 c275 c276 c277 + c278 c279 c280 c281 c282 c283 c284 c285 c286 c287 c288 c289 c290 c291 c292 + c293 c294 c295 c296 c297 c298 c299 c300 c301 c302 c303 c304 c305 c306 c307 + c308 c309 c310 c311 c312 c313 c314 c315 c316 c317 c318 c319 c320 c321 c322 + c323 c324 c325 c326 c327 c328 c329 c330 c331 c332 c333 c334 c335 c336 c337 + c338 c339 c340 c341 c342 c343 c344 c345 c346 c347 c348 c349 c350 c351 c352 + c353 c354 c355 c356 c357 c358 c359 c360 c361 c362 c363 c364 c365 c366 c367 + c368 c369 c370 c371 c372 c373 c374 c375 c376 c377 c378 c379 c380 c381 c382 + c383 c384 c385 c386 c387 c388 c389 c390 c391 c392 c393 c394 c395 c396 c397 + c398 c399 c400 c401 c402 c403 c404 c405 c406 c407 c408 c409 c410 c411 c412 + c413 c414 c415 c416 c417 c418 c419 c420 c421 c422 c423 c424 c425 c426 c427 + c428 c429 c430 c431 c432 c433 c434 c435 c436 c437 c438 c439 c440 c441 c442 + c443 c444 c445 c446 c447 c448 c449 c450 c451 c452 c453 c454 c455 c456 c457 + c458 c459 c460 c461 c462 c463 c464 c465 c466 c467 c468 c469 c470 c471 c472 + c473 c474 c475 c476 c477 c478 c479 c480 c481 c482 c483 c484 c485 c486 c487 + c488 c489 c490 c491 c492 c493 c494 c495 c496 c497 c498 c499 c500 c501 c502 + c503 c504 c505 c506 c507 c508 c509 c510 c511 c512 c513 c514 c515 c516 c517 + c518 c519 c520 c521 c522 c523 c524 c525 c526 c527 c528 c529 c530 c531 c532 + c533 c534 c535 c536 c537 c538 c539 c540 c541 c542 c543 c544 c545 c546 c547 + c548 c549 c550 c551 c552 c553 c554 c555 c556 c557 c558 c559 c560 c561 c562 + c563 c564 c565 c566 c567 c568 c569 c570 c571 c572 c573 c574 c575 c576 c577 + c578 c579 c580 c581 c582 c583 c584 c585 c586 c587 c588 c589 c590 c591 c592 + c593 c594 c595 c596 c597 c598 c599 c600 c601 c602 c603 c604 c605 c606 c607 + c608 c609 c610 c611 c612 c613 c614 c615 c616 c617 c618 c619 c620 c621 c622 + c623 c624 c625 c626 c627 c628 c629 c630 c631 c632 c633 c634 c635 c636 c637 + c638 c639 c640 c641 c642 c643 c644 c645 c646 c647 c648 c649 c650 c651 c652 + c653 c654 c655 c656 c657 c658 c659 c660 c661 c662 c663 c664 c665 c666 c667 + c668 c669 c670 c671 c672 c673 c674 c675 c676 c677 c678 c679 c680 c681 c682 + c683 c684 c685 c686 c687 c688 c689 c690 c691 c692 c693 c694 c695 c696 c697 + c698 c699 c700 c701 c702 c703 c704 c705 c706 c707 c708 c709 c710 c711 c712 + c713 c714 c715 c716 c717 c718 c719 c720 c721 c722 c723 c724 c725 c726 c727 + c728 c729 c730 c731 c732 c733 c734 c735 c736 c737 c738 c739 c740 c741 c742 + c743 c744 c745 c746 c747 c748 c749 c750 c751 c752 c753 c754 c755 c756 c757 + c758 c759 c760 c761 c762 c763 c764 c765 c766 c767 c768 c769 c770 c771 c772 + c773 c774 c775 c776 c777 c778 c779 c780 c781 c782 c783 c784 c785 c786 c787 + c788 c789 c790 c791 c792 c793 c794 c795 c796 c797 c798 c799 c800 c801 c802 + c803 c804 c805 c806 c807 c808 c809 c810 c811 c812 c813 c814 c815 c816 c817 + c818 c819 c820 c821 c822 c823 c824 c825 c826 c827 c828 c829 c830 c831 c832 + c833 c834 c835 c836 c837 c838 c839 c840 c841 c842 c843 c844 c845 c846 c847 + c848 c849 c850 c851 c852 c853 c854 c855 c856 c857 c858 c859 c860 c861 c862 + c863 c864 c865 c866 c867 c868 c869 c870 c871 c872 c873 c874 c875 c876 c877 + c878 c879 c880 c881 c882 c883 c884 c885 c886 c887 c888 c889 c890 c891 c892 + c893 c894 c895 c896 c897 c898 c899 c900 c901 c902 c903 c904 c905 c906 c907 + c908 c909 c910 c911 c912 c913 c914 c915 c916 c917 c918 c919 c920 c921 c922 + c923 c924 c925 c926 c927 c928 c929 c930 c931 c932 c933 c934 c935 c936 c937 + c938 c939 c940 c941 c942 c943 c944 c945 c946 c947 c948 c949 c950 c951 c952 + c953 c954 c955 c956 c957 c958 c959 c960 c961 c962 c963 c964 c965 c966 c967 + c968 c969 c970 c971 c972 c973 c974 c975 c976 c977 c978 c979 c980 c981 c982 + c983 c984 c985 c986 c987 c988 c989 c990 c991 c992 c993 c994 c995 c996 c997 + c998 c999 c1000 c1001 c1002 c1003 c1004 c1005 c1006 c1007 c1008 c1009 c1010 + c1011 c1012 c1013 c1014 c1015 c1016 c1017 c1018 c1019 c1020 c1021 c1022 + c1023)) + +(categoryset allcatset (range c0 c1023)) + +(sensitivity s0) +(sensitivityorder (s0)) + +(sensitivitycategory s0 allcatset) + +(level systemlow (s0)) +(level systemhigh (s0 allcatset)) + +(levelrange lowlevelrange (systemlow systemlow)) +(levelrange lowhighlevelrange (systemlow systemhigh)) diff --git a/src/misc/modular.cil b/src/misc/modular.cil new file mode 100644 index 0000000..97e603d --- /dev/null +++ b/src/misc/modular.cil @@ -0,0 +1,5 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(selinuxuserdefault sys.id lowlevelrange) +(userprefix sys.id sys.role) diff --git a/src/misc/obj.cil b/src/misc/obj.cil new file mode 100644 index 0000000..1611462 --- /dev/null +++ b/src/misc/obj.cil @@ -0,0 +1,16 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block obj + + (macro role ((role ARG1)) + (roleattributeset roleattr ARG1)) + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (roleattribute roleattr) + + (typeattribute typeattr) + + (roletype roleattr typeattr)) diff --git a/src/misc/perm.cil b/src/misc/perm.cil new file mode 100644 index 0000000..0728143 --- /dev/null +++ b/src/misc/perm.cil @@ -0,0 +1,314 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(classpermission addname_dir) +(classpermission append_blk_file) +(classpermission append_chr_file) +(classpermission append_fifo_file) +(classpermission append_file) + +(classpermission appendinherited_blk_file) +(classpermission appendinherited_chr_file) +(classpermission appendinherited_fifo_file) +(classpermission appendinherited_file) + +(classpermission create_blk_file) +(classpermission create_chr_file) +(classpermission create_dir) +(classpermission create_fifo_file) +(classpermission create_file) +(classpermission create_lnk_file) +(classpermission create_sock_file) + +(classpermission delete_blk_file) +(classpermission delete_chr_file) +(classpermission delete_dir) +(classpermission delete_fifo_file) +(classpermission delete_file) +(classpermission delete_lnk_file) +(classpermission delete_sock_file) + +(classpermission deletename_dir) + +(classpermission execute_file) + +(classpermission list_dir) + +(classpermission listinherited_dir) + +(classpermission manage_blk_file) +(classpermission manage_chr_file) +(classpermission manage_dir) +(classpermission manage_fifo_file) +(classpermission manage_file) +(classpermission manage_lnk_file) +(classpermission manage_sock_file) + +(classpermission mapexecute_chr_file) +(classpermission mapexecute_file) + +(classpermission mounton_chr_file) +(classpermission mounton_dir) +(classpermission mounton_file) + +(classpermission read_blk_file) +(classpermission read_chr_file) +(classpermission read_fifo_file) +(classpermission read_file) +(classpermission read_lnk_file) +(classpermission read_sock_file) + +(classpermission readinherited_blk_file) +(classpermission readinherited_chr_file) +(classpermission readinherited_fifo_file) +(classpermission readinherited_file) +(classpermission readinherited_sock_file) + +(classpermission readwrite_blk_file) +(classpermission readwrite_chr_file) +(classpermission readwrite_dir) +(classpermission readwrite_fifo_file) +(classpermission readwrite_file) +(classpermission readwrite_lnk_file) +(classpermission readwrite_sock_file) + +(classpermission readwriteinherited_blk_file) +(classpermission readwriteinherited_chr_file) +(classpermission readwriteinherited_dir) +(classpermission readwriteinherited_fifo_file) +(classpermission readwriteinherited_file) +(classpermission readwriteinherited_sock_file) + +(classpermission relabel_blk_file) +(classpermission relabel_chr_file) +(classpermission relabel_dir) +(classpermission relabel_fifo_file) +(classpermission relabel_file) +(classpermission relabel_lnk_file) +(classpermission relabel_sock_file) + +(classpermission relabelfrom_blk_file) +(classpermission relabelfrom_chr_file) +(classpermission relabelfrom_dir) +(classpermission relabelfrom_fifo_file) +(classpermission relabelfrom_file) +(classpermission relabelfrom_lnk_file) +(classpermission relabelfrom_sock_file) + +(classpermission relabelto_blk_file) +(classpermission relabelto_chr_file) +(classpermission relabelto_dir) +(classpermission relabelto_fifo_file) +(classpermission relabelto_file) +(classpermission relabelto_lnk_file) +(classpermission relabelto_sock_file) + +(classpermission rename_blk_file) +(classpermission rename_chr_file) +(classpermission rename_dir) +(classpermission rename_fifo_file) +(classpermission rename_file) +(classpermission rename_lnk_file) +(classpermission rename_sock_file) + +(classpermission search_dir) + +(classpermission write_blk_file) +(classpermission write_chr_file) +(classpermission write_dir) +(classpermission write_fifo_file) +(classpermission write_file) +(classpermission write_lnk_file) +(classpermission write_sock_file) + +(classpermission writeinherited_blk_file) +(classpermission writeinherited_chr_file) +(classpermission writeinherited_dir) +(classpermission writeinherited_fifo_file) +(classpermission writeinherited_file) +(classpermission writeinherited_sock_file) + +(classpermissionset addname_dir + (dir (add_name getattr ioctl lock open read search write))) + +(classpermissionset append_blk_file (blk_file (append getattr ioctl lock open))) +(classpermissionset append_chr_file (chr_file (append getattr ioctl lock open))) +(classpermissionset append_fifo_file + (fifo_file (append getattr ioctl lock open))) +(classpermissionset append_file (file (append getattr ioctl lock open))) + +(classpermissionset appendinherited_blk_file + (blk_file (append getattr ioctl lock))) +(classpermissionset appendinherited_chr_file + (chr_file (append getattr ioctl lock))) +(classpermissionset appendinherited_fifo_file + (fifo_file (append getattr ioctl lock))) +(classpermissionset appendinherited_file (file (append getattr ioctl lock))) + +(classpermissionset create_blk_file (blk_file (create getattr))) +(classpermissionset create_chr_file (chr_file (create getattr))) +(classpermissionset create_dir (dir (create getattr))) +(classpermissionset create_fifo_file (fifo_file (create getattr))) +(classpermissionset create_file (file (create getattr))) +(classpermissionset create_lnk_file (lnk_file (create getattr))) +(classpermissionset create_sock_file (sock_file (create getattr))) + +(classpermissionset delete_blk_file (blk_file (getattr unlink))) +(classpermissionset delete_chr_file (chr_file (getattr unlink))) +(classpermissionset delete_dir (dir (getattr rmdir))) +(classpermissionset delete_fifo_file (fifo_file (getattr unlink))) +(classpermissionset delete_file (file (getattr unlink))) +(classpermissionset delete_lnk_file (lnk_file (getattr unlink))) +(classpermissionset delete_sock_file (sock_file (getattr unlink))) + +(classpermissionset deletename_dir + (dir (getattr ioctl lock open read remove_name search + write))) + +(classpermissionset execute_file + (file (execute execute_no_trans getattr ioctl map open + read))) + +(classpermissionset list_dir (dir (getattr ioctl lock open read search))) + +(classpermissionset listinherited_dir (dir (getattr ioctl lock read search))) + +(classpermissionset manage_blk_file + (blk_file (append create getattr ioctl link lock open read + rename setattr unlink write))) +(classpermissionset manage_chr_file + (chr_file (append create getattr ioctl link lock open read + rename setattr unlink write))) +(classpermissionset manage_dir + (dir (add_name create getattr ioctl link lock open read + setattr remove_name rename reparent rmdir + search write))) +(classpermissionset manage_fifo_file + (fifo_file (append create getattr ioctl link lock open read + rename setattr unlink write))) +(classpermissionset manage_file + (file (append create getattr ioctl link lock open read + rename setattr unlink write))) +(classpermissionset manage_lnk_file + (lnk_file (append create getattr link lock read rename + setattr unlink write))) +(classpermissionset manage_sock_file + (sock_file (append create getattr ioctl link lock open read + rename setattr unlink write))) + +(classpermissionset mapexecute_chr_file (chr_file (execute map))) +(classpermissionset mapexecute_file (file (execute map))) + +(classpermissionset mounton_chr_file (chr_file (getattr mounton))) +(classpermissionset mounton_dir (dir (getattr mounton))) +(classpermissionset mounton_file (file (getattr mounton))) + +(classpermissionset read_blk_file (blk_file (getattr ioctl lock open read))) +(classpermissionset read_chr_file (chr_file (getattr ioctl lock open read))) +(classpermissionset read_fifo_file (fifo_file (getattr ioctl lock open read))) +(classpermissionset read_file (file (getattr ioctl lock open read))) +(classpermissionset read_lnk_file (lnk_file (getattr lock read))) +(classpermissionset read_sock_file (sock_file (getattr ioctl lock open read))) + +(classpermissionset readinherited_blk_file (blk_file (getattr ioctl lock read))) +(classpermissionset readinherited_chr_file (chr_file (getattr ioctl lock read))) +(classpermissionset readinherited_fifo_file + (fifo_file (getattr ioctl lock read))) +(classpermissionset readinherited_file (file (getattr ioctl lock read))) +(classpermissionset readinherited_sock_file + (sock_file (getattr ioctl lock read))) + +(classpermissionset readwrite_blk_file + (blk_file (append getattr ioctl lock open read write))) +(classpermissionset readwrite_chr_file + (chr_file (append getattr ioctl lock open read write))) +(classpermissionset readwrite_dir + (dir (add_name getattr ioctl lock open read remove_name + search write))) +(classpermissionset readwrite_fifo_file + (fifo_file (append getattr ioctl lock open read write))) +(classpermissionset readwrite_file + (file (append getattr ioctl lock open read write))) +(classpermissionset readwrite_lnk_file + (lnk_file (append getattr lock read write))) +(classpermissionset readwrite_sock_file + (sock_file (append getattr ioctl lock open read write))) + +(classpermissionset readwriteinherited_blk_file + (blk_file (append getattr ioctl lock read write))) +(classpermissionset readwriteinherited_chr_file + (chr_file (append getattr ioctl lock read write))) +(classpermissionset readwriteinherited_dir + (dir (add_name getattr ioctl lock read remove_name search + write))) +(classpermissionset readwriteinherited_fifo_file + (fifo_file (append getattr ioctl lock read write))) +(classpermissionset readwriteinherited_file + (file (append getattr ioctl lock read write))) +(classpermissionset readwriteinherited_sock_file + (sock_file (append getattr ioctl lock read write))) + +(classpermissionset relabel_blk_file (blk_file (getattr relabelfrom relabelto))) +(classpermissionset relabel_chr_file (chr_file (getattr relabelfrom relabelto))) +(classpermissionset relabel_dir (dir (getattr relabelfrom relabelto))) +(classpermissionset relabel_fifo_file + (fifo_file (getattr relabelfrom relabelto))) +(classpermissionset relabel_file (file (getattr relabelfrom relabelto))) +(classpermissionset relabel_lnk_file (lnk_file (getattr relabelfrom relabelto))) +(classpermissionset relabel_sock_file + (sock_file (getattr relabelfrom relabelto))) + +(classpermissionset relabelfrom_blk_file (blk_file (getattr relabelfrom))) +(classpermissionset relabelfrom_chr_file (chr_file (getattr relabelfrom))) +(classpermissionset relabelfrom_dir (dir (getattr relabelfrom))) +(classpermissionset relabelfrom_fifo_file (fifo_file (getattr relabelfrom))) +(classpermissionset relabelfrom_file (file (getattr relabelfrom))) +(classpermissionset relabelfrom_lnk_file (lnk_file (getattr relabelfrom))) +(classpermissionset relabelfrom_sock_file (sock_file (getattr relabelfrom))) + +(classpermissionset relabelto_blk_file (blk_file (getattr relabelto))) +(classpermissionset relabelto_chr_file (chr_file (getattr relabelto))) +(classpermissionset relabelto_dir (dir (getattr relabelto))) +(classpermissionset relabelto_fifo_file (fifo_file (getattr relabelto))) +(classpermissionset relabelto_file (file (getattr relabelto))) +(classpermissionset relabelto_lnk_file (lnk_file (getattr relabelto))) +(classpermissionset relabelto_sock_file (sock_file (getattr relabelto))) + +(classpermissionset rename_blk_file (blk_file (getattr rename))) +(classpermissionset rename_chr_file (chr_file (getattr rename))) +(classpermissionset rename_dir (dir (getattr rename))) +(classpermissionset rename_fifo_file (fifo_file (getattr rename))) +(classpermissionset rename_file (file (getattr rename))) +(classpermissionset rename_lnk_file (lnk_file (getattr rename))) +(classpermissionset rename_sock_file (sock_file (getattr rename))) + +(classpermissionset search_dir (dir (getattr search))) + +(classpermissionset write_blk_file + (blk_file (append getattr ioctl lock open write))) +(classpermissionset write_chr_file + (chr_file (append getattr ioctl lock open write))) +(classpermissionset write_dir + (dir (add_name getattr ioctl lock open remove_name search + write))) +(classpermissionset write_fifo_file + (fifo_file (append getattr ioctl lock open write))) +(classpermissionset write_file + (file (append getattr ioctl lock open write))) +(classpermissionset write_lnk_file (lnk_file (append getattr lock write))) +(classpermissionset write_sock_file + (sock_file (append getattr ioctl lock open write))) + +(classpermissionset writeinherited_blk_file + (blk_file (append getattr ioctl lock write))) +(classpermissionset writeinherited_chr_file + (chr_file (append getattr ioctl lock write))) +(classpermissionset writeinherited_dir + (dir (add_name getattr ioctl lock remove_name search + write))) +(classpermissionset writeinherited_fifo_file + (fifo_file (append getattr ioctl lock write))) +(classpermissionset writeinherited_file + (file (append getattr ioctl lock write))) +(classpermissionset writeinherited_sock_file + (sock_file (append getattr ioctl lock write))) diff --git a/src/misc/unconfined.cil b/src/misc/unconfined.cil new file mode 100644 index 0000000..09e045a --- /dev/null +++ b/src/misc/unconfined.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) diff --git a/src/misc/xperm.cil b/src/misc/xperm.cil new file mode 100644 index 0000000..4aca460 --- /dev/null +++ b/src/misc/xperm.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(permissionx FIOCLEX_FIONCLEX_CHRFILE + (ioctl chr_file (0x6601 0x5451 0x6602 0x5450))) + +(permissionx FIOCLEX (ioctl chr_file (0x6601 0x5451))) +(permissionx FIONCLEX (ioctl chr_file (0x6602 0x5450))) diff --git a/src/misc/xperm/consolexperm.cil b/src/misc/xperm/consolexperm.cil new file mode 100644 index 0000000..9e52407 --- /dev/null +++ b/src/misc/xperm/consolexperm.cil @@ -0,0 +1,145 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(permissionx IOCTLCONSOLE + (ioctl chr_file (0x4b72 0x4b31 0x4b32 0x4b64 0x4b65 0x4b33 0x4b34 + 0x4b35 0x4b36 0x4b37 0x4b3a 0x4b3b 0x4b30 + 0x4b2f 0x4b70 0x4b71 0x4b60 0x4b6b 0x4b61 + 0x4b6c 0x4b6d 0x4b40 0x4b69 0x4b41 0x4b6a + 0x4b66 0x4b67 0x4b68 0x4b44 0x4b45 0x4b62 + 0x4b63 0x4b46 0x4b47 0x4b48 0x4b49 0x4b4a + 0x4b4c 0x4b4d 0x4b4e 0x541c 0x4bfa + 0x4bfb))) + +;; Font handling +(permissionx KDFONTOP (ioctl chr_file (0x4b72))) + +;; Get state of LEDs +(permissionx KDGETLED (ioctl chr_file (0x4b31))) + +;; Set the LEDs +(permissionx KDSETLED (ioctl chr_file (0x4b32))) + +;; Get keyboard flags CapsLock, NumLock, ScrollLock (not lights) +(permissionx KDGKBLED (ioctl chr_file (0x4b64))) + +;; Set keyboard flags CapsLock, NumLock, ScrollLock (not lights) +(permissionx KDSKBLED (ioctl chr_file (0x4b65))) + +;; Get keyboard type +(permissionx KDGKBTYPE (ioctl chr_file (0x4b33))) + +;; Add I/O port as valid +(permissionx KDADDIO (ioctl chr_file (0x4b34))) + +;; Delete I/O port as valid +(permissionx KDDELIO (ioctl chr_file (0x4b35))) + +;; Enable I/O to video board +(permissionx KDENABIO (ioctl chr_file (0x4b36))) + +;; Disable I/O to video board +(permissionx KDDISABIO (ioctl chr_file (0x4b37))) + +;; Set text/graphics mode +(permissionx KDSETMODE (ioctl chr_file (0x4b3a))) + +;; Get text/graphics mode +(permissionx KDGETMODE (ioctl chr_file (0x4b3b))) + +;; Generate tone of specified length +(permissionx KDMKTONE (ioctl chr_file (0x4b30))) + +;; Start or stop sound generation +(permissionx KIOCSOUND (ioctl chr_file (0x4b2f))) + +;; Get the current default color map from kernel +(permissionx GIO_CMAP (ioctl chr_file (0x4b70))) + +;; Change the default text-mode color map +(permissionx PIO_CMAP (ioctl chr_file (0x4b71))) + +;; Gets 256-character screen font in expanded form +(permissionx GIO_FONT (ioctl chr_file (0x4b60))) + +;; Gets screen font and associated information +(permissionx GIO_FONTX (ioctl chr_file (0x4b6b))) + +;; Sets 256-character screen font +(permissionx PIO_FONT (ioctl chr_file (0x4b61))) + +;; Sets screen font and associated rendering information +(permissionx PIO_FONTX (ioctl chr_file (0x4b6c))) + +;; Resets the screen font, size, and Unicode mapping to the bootup defaults +(permissionx PIO_FONTRESET (ioctl chr_file (0x4b6d))) + +;; Get screen mapping from kernel +(permissionx GIO_SCRNMAP (ioctl chr_file (0x4b40))) + +;; Get full Unicode screen mapping from kernel +(permissionx GIO_UNISCRNMAP (ioctl chr_file (0x4b69))) + +;; Loads the "user definable" (fourth) table in the kernel which maps bytes +;; into console screen symbols +(permissionx PIO_SCRNMAP (ioctl chr_file (0x4b41))) + +;; Loads the "user definable" (fourth) table in the kernel which maps bytes +;; into Unicodes, which are then translated into screen symbols according to +;; the currently loaded Unicode-to-font map +(permissionx PIO_UNISCRNMAP (ioctl chr_file (0x4b6a))) + +;; Get Unicode-to-font mapping from kernel +(permissionx GIO_UNIMAP (ioctl chr_file (0x4b66))) + +;; Put unicode-to-font mapping in kernel +(permissionx PIO_UNIMAP (ioctl chr_file (0x4b67))) + +;; Clear table, possibly advise hash algorithm +(permissionx PIO_UNIMAPCLR (ioctl chr_file (0x4b68))) + +;; Gets current keyboard mode +(permissionx KDGKBMODE (ioctl chr_file (0x4b44))) + +;; Sets current keyboard mode +(permissionx KDSKBMODE (ioctl chr_file (0x4b45))) + +;; Gets meta key handling mode +(permissionx KDGKBMETA (ioctl chr_file (0x4b62))) + +;; Sets meta key handling mode +(permissionx KDSKBMETA (ioctl chr_file (0x4b63))) + +;; Gets one entry in key translation table +(permissionx KDGKBENT (ioctl chr_file (0x4b46))) + +;; Sets one entry in translation table +(permissionx KDSKBENT (ioctl chr_file (0x4b47))) + +;; Gets one function key string +(permissionx KDGKBSENT (ioctl chr_file (0x4b48))) + +;; Sets one function key string entry +(permissionx KDSKBSENT (ioctl chr_file (0x4b49))) + +;; Read kernel accent table +(permissionx KDGKBDIACR (ioctl chr_file (0x4b4a))) + +;; Read kernel keycode table entry +(permissionx KDGETKEYCODE (ioctl chr_file (0x4b4c))) + +;; Read kernel accent table (Universal Character Set) +(permissionx KDGKBDIACRUC (ioctl chr_file (0x4bfa))) + +;; Write kernel accent table (Universal Character Set) +(permissionx KDSKBDIACRUC (ioctl chr_file (0x4bfb))) + +;; Write kernel keycode table entry +(permissionx KDSETKEYCODE (ioctl chr_file (0x4b4d))) + +;; The calling process indicates its willingness to accept the signal argp when +;; it is generated by pressing an appropriate key combination +(permissionx KDSIGACCEPT (ioctl chr_file (0x4b4e))) + +;; Dump the screen. Disappeared in Linux 1.1.92 +(permissionx TIOCLINUX (ioctl chr_file (0x541c))) diff --git a/src/misc/xperm/ttyxperm.cil b/src/misc/xperm/ttyxperm.cil new file mode 100644 index 0000000..7e50ab5 --- /dev/null +++ b/src/misc/xperm/ttyxperm.cil @@ -0,0 +1,139 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(permissionx IOCTLTTY_NOT_TIOCSTI + (ioctl chr_file (0x5405 0x542a 0x540d 0x5401 0x5406 0x542b 0x5402 + 0x5403 0x542c 0x5407 0x5404 0x542d 0x5408 + 0x5456 0x5457 0x7468 0x5413 0x7467 0x5414 + 0x5409 0x5425 0x5427 0x5428 0x540a 0x467f + 0x541b 0x7472 0x5411 0x540b 0x541d 0x5480 + 0x540e 0x5422 0x540f 0x5410 0x5429 0x540c + 0x5440 0x540c 0x5424 0x5423 0x5420 0x5438 + 0x5431 0x5439 0x5415 0x5418 0x5417 0x5416 + 0x545c 0x545d 0x5419 0x541a 0x541e))) + +;; Get the current serial port settings +(permissionx TCGETS (ioctl chr_file (0x5405 0x542a 0x540d 0x5401))) + +;; Set the current serial port settings +(permissionx TCSETS (ioctl chr_file (0x5406 0x542b 0x5402))) + +;; Allow the output buffer to drain, and set the current serial port settings +(permissionx TCSETSW (ioctl chr_file (0x5403 0x542c 0x5407))) + +;; Allow the output buffer to drain, discard pending input, and set the current +;; serial port settings +(permissionx TCSETSF (ioctl chr_file (0x5404 0x542d 0x5408))) + +;; Gets the locking status of the termios structure of the terminal +(permissionx TIOCGLCKTRMIOS (ioctl chr_file (0x5456))) + +;; Sets the locking status of the termios structure of the terminal. Only a +;; process with the CAP_SYS_ADMIN capability can do this +(permissionx TIOCSLCKTRMIOS (ioctl chr_file (0x5457))) + +;; Get window size +(permissionx TIOCGWINSZ (ioctl chr_file (0x7468 0x5413))) + +;; Set window size +(permissionx TIOCSWINSZ (ioctl chr_file (0x7467 0x5414))) + +;; Send break +(permissionx TCSBRK (ioctl chr_file (0x5409 0x5425))) + +;; Turn break on +(permissionx TIOCSBRK (ioctl chr_file (0x5427))) + +;; Turn break off +(permissionx TIOCCBRK (ioctl chr_file (0x5428))) + +;; Software flow control +(permissionx TCXONC (ioctl chr_file (0x540a))) + +;; Get the number of bytes in the input buffer +(permissionx FIONREAD (ioctl chr_file (0x467f 0x541b))) + +;; Get the number of bytes in the output buffer +(permissionx TIOCOUTQ (ioctl chr_file (0x7472 0x5411))) + +;; Discard data written +(permissionx TCFLSH (ioctl chr_file (0x540b))) + +;; Fake input +(permissionx TIOCSTI (ioctl chr_file (0x5412))) + +;; Redirect console output +(permissionx TIOCCONS (ioctl chr_file (0x541d))) + +;; Make controlling terminal +(permissionx TIOCSCTTY (ioctl chr_file (0x5480 0x540e))) + +;; Give up controlling terminal +(permissionx TIOCNOTTY (ioctl chr_file (0x5422))) + +;; Get the process group ID of the foreground process group on this terminal +(permissionx TIOCGPGRP (ioctl chr_file (0x540f))) + +;; Set the foreground process group ID of this terminal +(permissionx TIOCSPGRP (ioctl chr_file (0x5410))) + +;; Get the session ID of the given terminal +(permissionx TIOCGSID (ioctl chr_file (0x5429))) + +;; Enable exclusive mode +(permissionx TIOCEXCL (ioctl chr_file (0x540c))) + +;; If the terminal is currently in exclusive mode, place a nonzero value +(permissionx TIOCGEXCL (ioctl chr_file (0x5440))) + +;; Disable exclusive mode +(permissionx TIOCNXCL (ioctl chr_file (0x540d))) + +;; Get the line discipline of the terminal +(permissionx TIOCGETD (ioctl chr_file (0x5424))) + +;; Set the line discipline of the terminal +(permissionx TIOCSETD (ioctl chr_file (0x5423))) + +;; Enable or disable packet mode. Can be applied to the master side of a +;; pseudoterminal only +(permissionx TIOCPKT (ioctl chr_file (0x5420))) + +;; Return the current packet mode setting +(permissionx TIOCGPKT (ioctl chr_file (0x5438))) + +;; Set or remove the lock on the pseudoterminal slave device +(permissionx TIOCSPTLCK (ioctl chr_file (0x5431))) + +;; Place the current lock state of the pseudoterminal slave device +(permissionx TIOCGPTLCK (ioctl chr_file (0x5439))) + +;; Safely open the slave +;; (permissionx TIOCGPTPEER (ioctl chr_file ())) + +;; Get the status of modem bits +(permissionx TIOCMGET (ioctl chr_file (0x5415))) + +;; Set the status of modem bits +(permissionx TIOCMSET (ioctl chr_file (0x5418))) + +;; Clear the indicated modem bits +(permissionx TIOCMBIC (ioctl chr_file (0x5417))) + +;; Set the indicated modem bits +(permissionx TIOCMBIS (ioctl chr_file (0x5416))) + +;; Wait for any of the modem bits to change +(permissionx TIOCMIWAIT (ioctl chr_file (0x545c))) + +;; Get counts of input serial line interrupts +(permissionx TIOCGICOUNT (ioctl chr_file (0x545d))) + +;; Get the serial line information +(permissionx TIOCGSERIAL (ioctl chr_file (0x541e))) + +;; Get software carrier flag +(permissionx TIOCGSOFTCAR (ioctl chr_file (0x5419))) + +;; Set software carrier flag +(permissionx TIOCSSOFTCAR (ioctl chr_file (0x541a))) diff --git a/src/misc/xperm/vtxperm.cil b/src/misc/xperm/vtxperm.cil new file mode 100644 index 0000000..cc18806 --- /dev/null +++ b/src/misc/xperm/vtxperm.cil @@ -0,0 +1,68 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(permissionx IOCTLVT + (ioctl chr_file (0x0001 0x0002 0x0004 0x0008 0x5600 0x5601 0x5602 + 0x5603 0x5604 0x5605 0x5606 0x5607 0x5708 + 0x5609 0x560A 0x560B 0x560C 0x560D 0x560E + 0x560F))) + +;; Console switch +(permissionx VT_EVENT_SWITCH (ioctl chr_file (0x0001))) + +;; Screen blank +(permissionx VT_EVENT_BLANK (ioctl chr_file (0x0002))) + +;; Screen unblank +(permissionx VT_EVENT_UNBLANK (ioctl chr_file (0x0004))) + +;; Resize display +(permissionx VT_EVENT_RESIZE (ioctl chr_file (0x0008))) + +;; Find available VT +(permissionx VT_OPENQRY (ioctl chr_file (0x5600))) + +;; Get mode of active VT +(permissionx VT_GETMODE (ioctl chr_file (0x5601))) + +;; Set mode of active VT +(permissionx VT_SETMODE (ioctl chr_file (0x5602))) + +;; Get global VT state info +(permissionx VT_GETSTATE (ioctl chr_file (0x5603))) + +;; Signal to send to bitmask VT +(permissionx VT_SENDSIG (ioctl chr_file (0x5604))) + +;; Release display +(permissionx VT_RELDISP (ioctl chr_file (0x5605))) + +;; Make VT active +(permissionx VT_ACTIVATE (ioctl chr_file (0x5606))) + +;; Wait for VT active +(permissionx VT_WAITACTIVE (ioctl chr_file (0x5607))) + +;; Free memory associated with VT +(permissionx VT_DISALLOCATE (ioctl chr_file (0x5608))) + +;; Set kernel idea of screensize +(permissionx VT_RESIZE (ioctl chr_file (0x5609))) + +;; Set kernel idea of screensize + more +(permissionx VT_RESIZEX (ioctl chr_file (0x560A))) + +;; Disallow VT switching +(permissionx VT_LOCKSWITCH (ioctl chr_file (0x560B))) + +;; Allow VT switching +(permissionx VT_UNLOCKSWITCH (ioctl chr_file (0x560C))) + +;; Return hi font mask +(permissionx VT_GETHIFONTMASK (ioctl chr_file (0x560D))) + +;; Wait for an event +(permissionx VT_WAITEVENT (ioctl chr_file (0x560E))) + +;; Activate and set the mode of VT +(permissionx VT_SETACTIVATE (ioctl chr_file (0x560F))) diff --git a/src/net.cil b/src/net.cil new file mode 100644 index 0000000..294d3cb --- /dev/null +++ b/src/net.cil @@ -0,0 +1,15 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block net + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) + +(in unconfined + + (call .net.unconfined.type (typeattr))) diff --git a/src/net/ibnet.cil b/src/net/ibnet.cil new file mode 100644 index 0000000..0851d62 --- /dev/null +++ b/src/net/ibnet.cil @@ -0,0 +1,15 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in net + + (call ib.unconfined.type (unconfined.typeattr)) + + (block ib + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)))) diff --git a/src/net/ibnet/endportibnet.cil b/src/net/ibnet/endportibnet.cil new file mode 100644 index 0000000..5494943 --- /dev/null +++ b/src/net/ibnet/endportibnet.cil @@ -0,0 +1,76 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class infiniband_endport (manage_subnet)) +(classorder (unordered infiniband_endport)) + +(macro managesubnet_invalid_endports ((type ARG1)) + (allow ARG1 invalid (infiniband_endport (manage_subnet)))) + +(in invalid.unconfined + + (allow typeattr .invalid (infiniband_endport (all)))) + +(in mcs + + (mlsconstrain (infiniband_endport (manage_subnet)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in net.ib + + (blockinherit endport.template) + + (block endport + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit all_macro_template) + + (call .obj.type (typeattr)) + + (block all_macro_template + + (blockabstract all_macro_template) + + (macro managesubnet_all_endports ((type ARG1)) + (allow ARG1 typeattr (infiniband_endport (manage_subnet))))) + + (block base_template + + (blockabstract base_template) + + (context endport_context (.sys.id .sys.role endport lowlevelrange)) + + (type endport) + (call .net.ib.endport.type (endport))) + + (block macro_template + + (blockabstract macro_template) + + (macro managesubnet_endports ((type ARG1)) + (allow ARG1 endport (infiniband_endport (manage_subnet))))) + + (block template + + (blockabstract template) + + (blockinherit .net.ib.endport.base_template) + (blockinherit .net.ib.endport.macro_template)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr endport.typeattr (infiniband_endport (all)))))) + +(in net.ib.unconfined + + (call .net.ib.endport.unconfined.type (typeattr))) diff --git a/src/net/ibnet/pkeyibnet.cil b/src/net/ibnet/pkeyibnet.cil new file mode 100644 index 0000000..7293864 --- /dev/null +++ b/src/net/ibnet/pkeyibnet.cil @@ -0,0 +1,76 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class infiniband_pkey (access)) +(classorder (unordered infiniband_pkey)) + +(macro access_invalid_pkeys ((type ARG1)) + (allow ARG1 invalid (infiniband_pkey (access)))) + +(in invalid.unconfined + + (allow typeattr .invalid (infiniband_pkey (all)))) + +(in mcs + + (mlsconstrain (infiniband_pkey (access)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in net.ib + + (blockinherit pkey.template) + + (block pkey + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit all_macro_template) + + (call .obj.type (typeattr)) + + (block all_macro_template + + (blockabstract all_macro_template) + + (macro access_all_pkeys ((type ARG1)) + (allow ARG1 typeattr (infiniband_pkey (access))))) + + (block base_template + + (blockabstract base_template) + + (context pkey_context (.sys.id .sys.role pkey lowlevelrange)) + + (type pkey) + (call .net.ib.pkey.type (pkey))) + + (block macro_template + + (blockabstract macro_template) + + (macro access_pkeys ((type ARG1)) + (allow ARG1 pkey (infiniband_pkey (access))))) + + (block template + + (blockabstract template) + + (blockinherit .net.ib.pkey.base_template) + (blockinherit .net.ib.pkey.macro_template)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr pkey.typeattr (infiniband_pkey (all)))))) + +(in net.ib.unconfined + + (call .net.ib.pkey.unconfined.type (typeattr))) diff --git a/src/net/netifnet.cil b/src/net/netifnet.cil new file mode 100644 index 0000000..6fc52db --- /dev/null +++ b/src/net/netifnet.cil @@ -0,0 +1,101 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(sidcontext netif (sys.id sys.role net.netif lowlevelrange)) + +(class netif (egress ingress)) +(classorder (unordered netif)) + +(macro egress_invalid_netifs ((type ARG1)) + (allow ARG1 invalid (netif (egress)))) + +(macro egressingress_invalid_netifs ((type ARG1)) + (allow ARG1 invalid (netif (egress ingress)))) + +(macro ingress_invalid_netifs ((type ARG1)) + (allow ARG1 invalid (netif (ingress)))) + +(tunableif (or invalid_associations invalid_peers) + (true + + (call net.netif.egressingress_all_netifs (invalid)))) + +(in invalid.unconfined + + (allow typeattr .invalid (netif (all)))) + +(in mcs + + (mlsconstrain (netif (egress ingress)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in net + + (blockinherit netif.template) + + (block netif + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit all_macro_template) + + (call .obj.type (typeattr)) + + (block all_macro_template + + (blockabstract all_macro_template) + + (macro egress_all_netifs ((type ARG1)) + (allow ARG1 typeattr (netif (egress)))) + + (macro egressingress_all_netifs ((type ARG1)) + (allow ARG1 typeattr (netif (egress ingress)))) + + (macro ingress_all_netifs ((type ARG1)) + (allow ARG1 typeattr (netif (ingress))))) + + (block base_template + + (blockabstract base_template) + + (context netif_context (.sys.id .sys.role netif lowlevelrange)) + + (type netif) + (call .net.netif.type (netif))) + + (block macro_template + + (blockabstract macro_template) + + (macro egress_netifs ((type ARG1)) + (allow ARG1 netif (netif (egress)))) + + (macro egressingress_netifs ((type ARG1)) + (allow ARG1 netif (netif (egress ingress)))) + + (macro ingress_netifs ((type ARG1)) + (allow ARG1 netif (netif (ingress))))) + + (block template + + (blockabstract template) + + (blockinherit .net.netif.base_template) + (blockinherit .net.netif.macro_template)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr netif.typeattr (netif (all)))))) + +(in net.unconfined + + (call .net.netif.unconfined.type (typeattr))) diff --git a/src/net/nodenet.cil b/src/net/nodenet.cil new file mode 100644 index 0000000..a42df16 --- /dev/null +++ b/src/net/nodenet.cil @@ -0,0 +1,147 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(sidcontext node (sys.id sys.role net.netnode lowlevelrange)) + +(class node (recvfrom sendto)) +(classorder (unordered node)) + +(macro recvfrom_invalid_nodes ((type ARG1)) + (allow ARG1 invalid (node (recvfrom)))) + +(macro recvfromsendto_invalid_nodes ((type ARG1)) + (allow ARG1 invalid (node (recvfrom sendto)))) + +(macro sendto_invalid_nodes ((type ARG1)) + (allow ARG1 invalid (node (sendto)))) + +(tunableif (or invalid_associations invalid_peers) + (true + + (call net.netnode.recvfromsendto_all_nodes (invalid)))) + +(in invalid.unconfined + + (allow typeattr .invalid (node (all)))) + +(in mcs + + (mlsconstrain (node (sendto)) + (or (dom h1 h2) + (neq t1 constrained.typeattr))) + + (mlsconstrain (node (recvfrom)) + (or (dom l1 l2) + (neq t1 constrained.typeattr)))) + +(in net + + (blockinherit netnode.template) + + (block netnode + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit all_macro_template) + + (call .obj.type (typeattr)) + + (block all_macro_template + + (blockabstract all_macro_template) + + (macro nodebind_all_dccp_sockets ((type ARG1)) + (allow ARG1 typeattr (dccp_socket (node_bind)))) + + (macro nodebind_all_icmp_sockets ((type ARG1)) + (allow ARG1 typeattr (icmp_socket (node_bind)))) + + (macro nodebind_all_rawip_sockets ((type ARG1)) + (allow ARG1 typeattr (rawip_socket (node_bind)))) + + (macro nodebind_all_sctp_sockets ((type ARG1)) + (allow ARG1 typeattr (sctp_socket (node_bind)))) + + (macro nodebind_all_tcp_sockets ((type ARG1)) + (allow ARG1 typeattr (tcp_socket (node_bind)))) + + (macro nodebind_all_udp_sockets ((type ARG1)) + (allow ARG1 typeattr (udp_socket (node_bind)))) + + (macro recvfrom_all_nodes ((type ARG1)) + (allow ARG1 typeattr (node (recvfrom)))) + + (macro recvfromsendto_all_nodes ((type ARG1)) + (allow ARG1 typeattr (node (recvfrom sendto)))) + + (macro sendto_all_nodes ((type ARG1)) + (allow ARG1 typeattr (node (sendto))))) + + (block base_template + + (blockabstract base_template) + + (context netnode_context (.sys.id .sys.role netnode lowlevelrange)) + + (type netnode) + (call .net.netnode.type (netnode))) + + (block macro_template + + (blockabstract macro_template) + + (macro nodebind_netnode_dccp_sockets ((type ARG1)) + (allow ARG1 netnode (dccp_socket (node_bind)))) + + (macro nodebind_netnode_icmp_sockets ((type ARG1)) + (allow ARG1 netnode (icmp_socket (node_bind)))) + + (macro nodebind_netnode_rawip_sockets ((type ARG1)) + (allow ARG1 netnode (rawip_socket (node_bind)))) + + (macro nodebind_netnode_sctp_sockets ((type ARG1)) + (allow ARG1 netnode (sctp_socket (node_bind)))) + + (macro nodebind_netnode_tcp_sockets ((type ARG1)) + (allow ARG1 netnode (tcp_socket (node_bind)))) + + (macro nodebind_netnode_udp_sockets ((type ARG1)) + (allow ARG1 netnode (udp_socket (node_bind)))) + + (macro recvfrom_nodes ((type ARG1)) + (allow ARG1 netnode (node (recvfrom)))) + + (macro recvfromsendto_nodes ((type ARG1)) + (allow ARG1 netnode (node (recvfrom sendto)))) + + (macro sendto_nodes ((type ARG1)) + (allow ARG1 netnode (node (sendto))))) + + (block template + + (blockabstract template) + + (blockinherit .net.netnode.base_template) + (blockinherit .net.netnode.macro_template)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr netnode.typeattr (dccp_socket (node_bind))) + (allow typeattr netnode.typeattr (icmp_socket (node_bind))) + (allow typeattr netnode.typeattr (node (all))) + (allow typeattr netnode.typeattr (rawip_socket (node_bind))) + (allow typeattr netnode.typeattr (sctp_socket (node_bind))) + (allow typeattr netnode.typeattr (tcp_socket (node_bind))) + (allow typeattr netnode.typeattr (udp_socket (node_bind)))))) + +(in net.unconfined + + (call .net.netnode.unconfined.type (typeattr))) diff --git a/src/net/packetnet.cil b/src/net/packetnet.cil new file mode 100644 index 0000000..27e828e --- /dev/null +++ b/src/net/packetnet.cil @@ -0,0 +1,168 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class packet (forward_in forward_out recv relabelto send)) +(classorder (unordered packet)) + +(macro forward_invalid_packets ((type ARG1)) + (allow ARG1 invalid (packet (forward_in forward_out)))) + +(macro forwardin_invalid_packets ((type ARG1)) + (allow ARG1 invalid (packet (forward_in)))) + +(macro forwardout_invalid_packets ((type ARG1)) + (allow ARG1 invalid (packet (forward_out)))) + +(macro recv_invalid_packets ((type ARG1)) + (allow ARG1 invalid (packet (recv)))) + +(macro recvsend_invalid_packets ((type ARG1)) + (allow ARG1 invalid (packet (recv send)))) + +(macro relabelto_invalid_packets ((type ARG1)) + (allow ARG1 invalid (packet (relabelto)))) + +(macro send_invalid_packets ((type ARG1)) + (allow ARG1 invalid (packet (send)))) + +(tunableif invalid_packets + (true + + (call forward_invalid_packets (invalidpackets.except.typeattr)) + (call recvsend_invalid_packets (invalidpackets.except.typeattr)))) + +(tunableif (or invalid_associations invalid_peers) + (true + + (call forward_invalid_packets (invalid)) + + (call net.packet.forward_all_packets (invalid)))) + +(in ibac + + (constrain (packet (relabelto)) + (or (or (or (eq u1 u2) + (and (eq t1 objchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in invalid.unconfined + + (allow typeattr .invalid (packet (not relabelto)))) + +(in mcs + + (mlsconstrain (packet (relabelto)) + (or (neq t1 constrained.typeattr) + (and (dom h1 h2) (eq l2 h2)))) + + (mlsconstrain (packet (forward_in forward_out send recv)) + (or (dom h1 h2) + (and + (neq t1 constrained.typeattr) + (neq t2 constrained.typeattr))))) + +(in rbac + + (constrain (packet (relabelto)) + (or (or (or (eq r1 r2) + (and (eq t1 objchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in net + + (blockinherit packet.template) + + (block packet + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit all_macro_template) + + (call .mcs.constrained.type (typeattr)) + + (call .obj.type (typeattr)) + + (block all_macro_template + + (blockabstract all_macro_template) + + (macro forward_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (forward_in forward_out)))) + + (macro forwardin_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (forward_in)))) + + (macro forwardout_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (forward_out)))) + + (macro recv_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (recv)))) + + (macro recvsend_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (recv send)))) + + (macro relabelto_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (relabelto)))) + + (macro send_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (send))))) + + (block base_template + + (blockabstract base_template) + + (context packet_context (.sys.id .sys.role packet lowlevelrange)) + + (type packet) + (call .net.packet.type (packet))) + + (block macro_template + + (blockabstract macro_template) + + (macro forward_packets ((type ARG1)) + (allow ARG1 packet (packet (forward_in forward_out)))) + + (macro forwardin_packets ((type ARG1)) + (allow ARG1 packet (packet (forward_in)))) + + (macro forwardout_packets ((type ARG1)) + (allow ARG1 packet (packet (forward_out)))) + + (macro recv_packets ((type ARG1)) + (allow ARG1 packet (packet (recv)))) + + (macro recvsend_packets ((type ARG1)) + (allow ARG1 packet (packet (recv send)))) + + (macro relabelto_packets ((type ARG1)) + (allow ARG1 packet (packet (relabelto)))) + + (macro send_packets ((type ARG1)) + (allow ARG1 packet (packet (send))))) + + (block template + + (blockabstract template) + + (blockinherit .net.packet.base_template) + (blockinherit .net.packet.macro_template)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr packet.typeattr (packet (all)))))) + +(in net.unconfined + + (call .net.packet.unconfined.type (typeattr))) diff --git a/src/net/peernet.cil b/src/net/peernet.cil new file mode 100644 index 0000000..23225b8 --- /dev/null +++ b/src/net/peernet.cil @@ -0,0 +1,110 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(sidcontext netmsg (sys.id sys.role net.peer lowlevelrange)) + +(class peer (recv)) +(classorder (unordered peer)) + +(macro recv_invalid_peers ((type ARG1)) + (allow ARG1 invalid (peer (recv)))) + +(tunableif invalid_peers + (true + + (call association_invalid_sctp_sockets + (invalidpeers.except.typeattr)) + (call recv_invalid_peers (invalidpeers.except.typeattr)))) + +(in invalid.unconfined + + (allow typeattr .invalid (peer (all)))) + +(in mcs + + (mlsconstrain (peer (recv)) + (or (dom h1 h2) + (and + (neq t1 constrained.typeattr) + (neq t2 constrained.typeattr))))) + +(in net + + (blockinherit peer.template) + + (block peer + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit all_macro_template) + + (call .mcs.constrained.type (typeattr)) + + (call .obj.type (typeattr)) + + (block all_macro_template + + (blockabstract all_macro_template) + + (macro recv_all_peers ((type ARG1)) + (allow ARG1 typeattr (peer (recv)))) + + (macro association_all_sctp_sockets ((type ARG1)) + (allow ARG1 typeattr (sctp_socket (association))))) + + (block base_template + + (blockabstract base_template) + + (context peer_context (.sys.id .sys.role peer lowlevelrange)) + + (type peer) + (call .net.peer.type (peer))) + + (block macro_template + + (blockabstract macro_template) + + (macro recv_peers ((type ARG1)) + (allow ARG1 peer (peer (recv)))) + + (macro association_peer_sctp_sockets ((type ARG1)) + (allow ARG1 peer (sctp_socket (association))))) + + (block template + + (blockabstract template) + + (blockinherit .net.peer.base_template) + (blockinherit .net.peer.macro_template)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr peer.typeattr (peer (all))) + (allow typeattr peer.typeattr (sctp_socket (association)))))) + +(in net.unconfined + + (call .net.peer.unconfined.type (typeattr))) + +(in subj + + (macro recv_all_peers ((type ARG1)) + (allow ARG1 typeattr (peer (recv))))) + +(in subj.macro_template + + (macro recv_subj_peers ((type ARG1)) + (allow ARG1 subj (peer (recv))))) + +(in subj.unconfined + + (allow typeattr .subj.typeattr (peer (recv)))) diff --git a/src/net/portnet.cil b/src/net/portnet.cil new file mode 100644 index 0000000..434cf00 --- /dev/null +++ b/src/net/portnet.cil @@ -0,0 +1,115 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(sidcontext port (sys.id sys.role net.port lowlevelrange)) + +(in net + + (blockinherit port.template) + + (block port + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit all_macro_template) + + (call .obj.type (typeattr)) + + (block all_macro_template + + (blockabstract all_macro_template) + + (macro namebind_all_dccp_sockets ((type ARG1)) + (allow ARG1 typeattr (dccp_socket (name_bind)))) + + (macro namebind_all_icmp_sockets ((type ARG1)) + (allow ARG1 typeattr (icmp_socket (name_bind)))) + + (macro namebind_all_rawip_sockets ((type ARG1)) + (allow ARG1 typeattr (rawip_socket (name_bind)))) + + (macro namebind_all_sctp_sockets ((type ARG1)) + (allow ARG1 typeattr (sctp_socket (name_bind)))) + + (macro namebind_all_tcp_sockets ((type ARG1)) + (allow ARG1 typeattr (tcp_socket (name_bind)))) + + (macro namebind_all_udp_sockets ((type ARG1)) + (allow ARG1 typeattr (udp_socket (name_bind)))) + + (macro nameconnect_all_dccp_sockets ((type ARG1)) + (allow ARG1 typeattr (dccp_socket (name_connect)))) + + (macro nameconnect_all_sctp_sockets ((type ARG1)) + (allow ARG1 typeattr (sctp_socket (name_connect)))) + + (macro nameconnect_all_tcp_sockets ((type ARG1)) + (allow ARG1 typeattr (tcp_socket (name_connect))))) + + (block base_template + + (blockabstract base_template) + + (context port_context (.sys.id .sys.role port lowlevelrange)) + + (type port) + (call .net.port.type (port))) + + (block macro_template + + (blockabstract macro_template) + + (macro namebind_port_dccp_sockets ((type ARG1)) + (allow ARG1 port (dccp_socket (name_bind)))) + + (macro namebind_port_icmp_sockets ((type ARG1)) + (allow ARG1 port (icmp_socket (name_bind)))) + + (macro namebind_port_rawip_sockets ((type ARG1)) + (allow ARG1 port (rawip_socket (name_bind)))) + + (macro namebind_port_sctp_sockets ((type ARG1)) + (allow ARG1 port (sctp_socket (name_bind)))) + + (macro namebind_port_tcp_sockets ((type ARG1)) + (allow ARG1 port (tcp_socket (name_bind)))) + + (macro namebind_port_udp_sockets ((type ARG1)) + (allow ARG1 port (udp_socket (name_bind)))) + + (macro nameconnect_port_dccp_sockets ((type ARG1)) + (allow ARG1 port (dccp_socket (name_connect)))) + + (macro nameconnect_port_sctp_sockets ((type ARG1)) + (allow ARG1 port (sctp_socket (name_connect)))) + + (macro nameconnect_port_tcp_sockets ((type ARG1)) + (allow ARG1 port (tcp_socket (name_connect))))) + + (block template + + (blockabstract template) + + (blockinherit .net.port.base_template) + (blockinherit .net.port.macro_template)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr port.typeattr (dccp_socket (name_bind name_connect))) + (allow typeattr port.typeattr (icmp_socket (name_bind))) + (allow typeattr port.typeattr (rawip_socket (name_bind))) + (allow typeattr port.typeattr (sctp_socket (name_bind name_connect))) + (allow typeattr port.typeattr (tcp_socket (name_bind name_connect))) + (allow typeattr port.typeattr (udp_socket (name_bind)))))) + +(in net.unconfined + + (call .net.port.unconfined.type (typeattr))) diff --git a/src/net/portnet/ephemeralportnet.cil b/src/net/portnet/ephemeralportnet.cil new file mode 100644 index 0000000..d49ca15 --- /dev/null +++ b/src/net/portnet/ephemeralportnet.cil @@ -0,0 +1,39 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block ephemeral + + (portcon "dccp" (32768 60999) port_context) + (portcon "sctp" (32768 60999) port_context) + (portcon "tcp" (32768 60999) port_context) + (portcon "udp" (32768 60999) port_context) + + (blockinherit .net.port.ephemeral.template)) + +(in net.port + + (block ephemeral + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit .net.port.all_macro_template) + + (typeattribute typeattr) + + (call .net.port.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .net.port.base_template) + + (call .net.port.ephemeral.type (port))) + + (block template + + (blockabstract template) + + (blockinherit .net.port.ephemeral.base_template) + (blockinherit .net.port.macro_template)))) diff --git a/src/net/portnet/reservedportnet.cil b/src/net/portnet/reservedportnet.cil new file mode 100644 index 0000000..6ab315b --- /dev/null +++ b/src/net/portnet/reservedportnet.cil @@ -0,0 +1,39 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block reserved + + (portcon "dccp" (1 1023) port_context) + (portcon "sctp" (1 1023) port_context) + (portcon "tcp" (1 1023) port_context) + (portcon "udp" (1 1023) port_context) + + (blockinherit .net.port.reserved.template)) + +(in net.port + + (block reserved + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit .net.port.all_macro_template) + + (typeattribute typeattr) + + (call .net.port.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .net.port.base_template) + + (call .net.port.reserved.type (port))) + + (block template + + (blockabstract template) + + (blockinherit .net.port.macro_template) + (blockinherit .net.port.reserved.base_template)))) diff --git a/src/net/portnet/unreservedportnet.cil b/src/net/portnet/unreservedportnet.cil new file mode 100644 index 0000000..24efa73 --- /dev/null +++ b/src/net/portnet/unreservedportnet.cil @@ -0,0 +1,43 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block unreserved + + (portcon "dccp" (1024 32767) port_context) + (portcon "dccp" (61000 65535) port_context) + (portcon "sctp" (1024 32767) port_context) + (portcon "sctp" (61000 65535) port_context) + (portcon "tcp" (1024 32767) port_context) + (portcon "tcp" (61000 65535) port_context) + (portcon "udp" (1024 32767) port_context) + (portcon "udp" (61000 65535) port_context) + + (blockinherit .net.port.unreserved.template)) + +(in net.port + + (block unreserved + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit .net.port.all_macro_template) + + (typeattribute typeattr) + + (call .net.port.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .net.port.base_template) + + (call .net.port.unreserved.type (port))) + + (block template + + (blockabstract template) + + (blockinherit .net.port.macro_template) + (blockinherit .net.port.unreserved.base_template)))) diff --git a/src/net/spdnet.cil b/src/net/spdnet.cil new file mode 100644 index 0000000..fdaa0ad --- /dev/null +++ b/src/net/spdnet.cil @@ -0,0 +1,139 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(class association (polmatch recvfrom sendto setcontext)) +(classorder (unordered association)) + +(macro polmatch_invalid_associations ((type ARG1)) + (allow ARG1 invalid (association (polmatch)))) + +(macro polmatchsetcontext_invalid_associations ((type ARG1)) + (allow ARG1 invalid (association (polmatch setcontext)))) + +(macro recvfrom_invalid_associations ((type ARG1)) + (allow ARG1 invalid (association (recvfrom)))) + +(macro recvfromsendto_invalid_associations ((type ARG1)) + (allow ARG1 invalid (association (recvfrom sendto)))) + +(macro sendto_invalid_associations ((type ARG1)) + (allow ARG1 invalid (association (sendto)))) + +(macro setcontext_invalid_associations ((type ARG1)) + (allow ARG1 invalid (association (setcontext)))) + +(tunableif invalid_associations + (true + + (call association_invalid_sctp_sockets + (invalidassociations.except.typeattr)) + (call recvfromsendto_invalid_associations + (invalidassociations.except.typeattr)))) + +(in invalid.unconfined + + (allow typeattr .invalid (association (not (setcontext))))) + +(in mcs + + (mlsconstrain (association (sendto recvfrom)) + (or (dom h1 h2) + (and + (neq t1 constrained.typeattr) + (neq t2 constrained.typeattr))))) + +(in net + + (blockinherit spd.template) + + (block spd + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit all_macro_template) + + (call .obj.type (typeattr)) + + (block all_macro_template + + (blockabstract all_macro_template) + + (macro polmatch_all_associations ((type ARG1)) + (allow ARG1 typeattr (association (polmatch)))) + + (macro polmatchsetcontext_all_associations ((type ARG1)) + (allow ARG1 typeattr (association (polmatch setcontext)))) + + (macro setcontext_all_associations ((type ARG1)) + (allow ARG1 typeattr (association (setcontext))))) + + (block base_template + + (blockabstract base_template) + + (context spd_context (.sys.id .sys.role spd lowlevelrange)) + + (type spd) + (call .net.spd.type (spd))) + + (block macro_template + + (blockabstract macro_template) + + (macro polmatch_spd_associations ((type ARG1)) + (allow ARG1 spd (association (polmatch)))) + + (macro polmatchsetcontext_spd_associations ((type ARG1)) + (allow ARG1 spd (association (polmatch setcontext)))) + + (macro setcontext_spd_associations ((type ARG1)) + (allow ARG1 spd (association (setcontext))))) + + (block template + + (blockabstract template) + + (blockinherit .net.spd.base_template) + (blockinherit .net.spd.macro_template)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr spd.typeattr (association (polmatch setcontext)))))) + +(in net.unconfined + + (call .net.spd.unconfined.type (typeattr))) + +(in subj + + (macro recvfrom_all_associations ((type ARG1)) + (allow ARG1 typeattr (association (recvfrom)))) + + (macro recvfromsendto_all_associations ((type ARG1)) + (allow ARG1 typeattr (association (recvfrom sendto)))) + + (macro sendto_all_associations ((type ARG1)) + (allow ARG1 typeattr (association (sendto))))) + +(in subj.macro_template + + (macro recvfrom_subj_associations ((type ARG1)) + (allow ARG1 subj (association (recvfrom)))) + + (macro recvfromsendto_subj_associations ((type ARG1)) + (allow ARG1 subj (association (recvfrom sendto)))) + + (macro sendto_subj_associations ((type ARG1)) + (allow ARG1 subj (association (sendto))))) + +(in subj.unconfined + + (allow typeattr .subj.typeattr (association (recvfrom sendto)))) diff --git a/src/selinux.cil b/src/selinux.cil new file mode 100644 index 0000000..7408ddc --- /dev/null +++ b/src/selinux.cil @@ -0,0 +1,107 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(sidcontext security (sys.id sys.role selinux lowlevelrange)) + +(class security + (check_context compute_av compute_create compute_member compute_relabel + compute_user load_policy read_policy setbool + setcheckreqprot setenforce setsecparam validate_trans)) +(classorder (unordered security)) + +(macro checkcontext_selinux_security ((type ARG1)) + (allow ARG1 selinux (security (check_context)))) + +(macro computeav_selinux_security ((type ARG1)) + (allow ARG1 selinux (security (compute_av)))) + +(macro computecreate_selinux_security ((type ARG1)) + (allow ARG1 selinux (security (compute_create)))) + +(macro computemember_selinux_security ((type ARG1)) + (allow ARG1 selinux (security (compute_member)))) + +(macro computerelabel_selinux_security ((type ARG1)) + (allow ARG1 selinux (security (compute_relabel)))) + +(macro computeuser_selinux_security ((type ARG1)) + (allow ARG1 selinux (security (compute_user)))) + +(macro loadpolicy_selinux_security ((type ARG1)) + (allow ARG1 selinux (security (load_policy)))) + +(macro readpolicy_selinux_security ((type ARG1)) + (allow ARG1 selinux (security (read_policy)))) + +(macro setbool_selinux_security ((type ARG1)) + (allow ARG1 selinux (security (setbool)))) + +(macro setcheckreqprot_selinux_security ((type ARG1)) + (allow ARG1 selinux (security (setcheckreqprot)))) + +(macro setenforce_selinux_security ((type ARG1)) + (allow ARG1 selinux (security (setenforce)))) + +(macro setsecparam_selinux_security ((type ARG1)) + (allow ARG1 selinux (security (setsecparam)))) + +(macro validatetrans_selinux_security ((type ARG1)) + (allow ARG1 selinux (security (validate_trans)))) + +(type selinux) +(roletype sys.role selinux) + +(block selinux + + (block loadpolicy + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr .selinux (security (load_policy)))) + + (block setenforce + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr .selinux (security (setenforce)))) + + (block setsecparam + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr .selinux (security (setsecparam)))) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr .selinux (security (all))) + + (call loadpolicy.type (typeattr)) + (call setenforce.type (typeattr)) + (call setsecparam.type (typeattr)))) + +(in unconfined + + (call .selinux.unconfined.type (typeattr))) diff --git a/src/selinux/booleanfile.cil b/src/selinux/booleanfile.cil new file mode 100644 index 0000000..9cde7eb --- /dev/null +++ b/src/selinux/booleanfile.cil @@ -0,0 +1,93 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block booleanfile + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_files) + + (call .obj.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (context booleanfile_context (.sys.id .sys.role booleanfile lowlevelrange)) + + (type booleanfile) + (call .booleanfile.type (booleanfile))) + + (block macro_template_files + + (blockabstract macro_template_files) + + (macro append_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile append_file)) + + (macro appendinherited_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile appendinherited_file)) + + (macro create_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile create_file)) + + (macro delete_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile delete_file)) + + (macro execute_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile execute_file)) + + (macro manage_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile manage_file)) + + (macro mapexecute_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile mapexecute_file)) + + (macro mounton_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile mounton_file)) + + (macro read_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile read_file)) + + (macro readinherited_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile readinherited_file)) + + (macro readwrite_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile readwrite_file)) + + (macro readwriteinherited_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile readwriteinherited_file)) + + (macro rename_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile rename_file)) + + (macro write_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile write_file)) + + (macro writeinherited_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile writeinherited_file))) + + (block template + + (blockabstract template) + + (blockinherit .booleanfile.base_template) + (blockinherit .booleanfile.macro_template_files)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr booleanfile.typeattr + (file (not (audit_access entrypoint execmod relabelfrom + relabelto)))))) + +(in selinux.unconfined + + (call .booleanfile.unconfined.type (typeattr))) diff --git a/src/selinux/booleanfile/invalidassociationsbooleanfile.cil b/src/selinux/booleanfile/invalidassociationsbooleanfile.cil new file mode 100644 index 0000000..1eaf3c0 --- /dev/null +++ b/src/selinux/booleanfile/invalidassociationsbooleanfile.cil @@ -0,0 +1,35 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(tunable invalid_associations true) + +(block invalid_associations + + (genfscon "selinuxfs" "/booleans/invalid_associations" booleanfile_context) + + (blockinherit .booleanfile.template)) + +(block invalidassociations + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (block except + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (typeattributeset typeattr + (and invalidassociations.typeattr + (not (exception.typeattr))))) + + (block exception + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) diff --git a/src/selinux/booleanfile/invalidpacketsbooleanfile.cil b/src/selinux/booleanfile/invalidpacketsbooleanfile.cil new file mode 100644 index 0000000..9b638a0 --- /dev/null +++ b/src/selinux/booleanfile/invalidpacketsbooleanfile.cil @@ -0,0 +1,34 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(tunable invalid_packets true) + +(block invalid_packets + + (genfscon "selinuxfs" "/booleans/invalid_packets" booleanfile_context) + + (blockinherit .booleanfile.template)) + +(block invalidpackets + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (block except + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (typeattributeset typeattr + (and invalidpackets.typeattr (not (exception.typeattr))))) + + (block exception + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) diff --git a/src/selinux/booleanfile/invalidpeersbooleanfile.cil b/src/selinux/booleanfile/invalidpeersbooleanfile.cil new file mode 100644 index 0000000..3a0b6cd --- /dev/null +++ b/src/selinux/booleanfile/invalidpeersbooleanfile.cil @@ -0,0 +1,34 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(tunable invalid_peers true) + +(block invalid_peers + + (genfscon "selinuxfs" "/booleans/invalid_peers" booleanfile_context) + + (blockinherit .booleanfile.template)) + +(block invalidpeers + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (block except + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (typeattributeset typeattr + (and invalidpeers.typeattr (not (exception.typeattr))))) + + (block exception + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) diff --git a/src/subj.cil b/src/subj.cil new file mode 100644 index 0000000..716d307 --- /dev/null +++ b/src/subj.cil @@ -0,0 +1,240 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(classmap state (ps read)) +(classmapping state read read_file) +(classmapping state read read_lnk_file) +(classmapping state read list_dir) +(classmapping state ps (process (getattr))) +(classmapping state ps (state (read))) + +(block subj + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit all_macro_template) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow typeattr not_typeattr (process (dyntransition transition))) + (neverallow typeattr not_typeattr + (process2 (nnp_transition nosuid_transition))) + + (dontaudit typeattr typeattr (process (noatsecure rlimitinh siginh))) + + (block all_macro_template + + (blockabstract all_macro_template) + + (macro getrlimit_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (getrlimit)))) + + (macro getsched_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (getsched)))) + + (macro nnptransition_all_processes ((type ARG1)) + (allow ARG1 typeattr (process2 (nnp_transition)))) + + (macro noatsecure_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (noatsecure)))) + + (macro nosuidtransition_all_processes ((type ARG1)) + (allow ARG1 typeattr (process2 (nosuid_transition)))) + + (macro ps_all_states ((type ARG1)) + (allow ARG1 typeattr (state (ps)))) + + (macro ptrace_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (ptrace)))) + + (macro read_all_states ((type ARG1)) + (allow ARG1 typeattr (state (read)))) + + (macro readinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr readinherited_fifo_file)) + + (macro readwriteinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_fifo_file)) + + (macro rlimitinh_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (rlimitinh)))) + + (macro setrlimit_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (setrlimit)))) + + (macro setsched_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (setsched)))) + + (macro sigchld_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (sigchld)))) + + (macro sigkill_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (sigkill)))) + + (macro signal_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (signal)))) + + (macro signull_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (signull)))) + + (macro sigstop_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (sigstop)))) + + (macro transition_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (transition)))) + + (macro writeinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_fifo_file))) + + (block base_template + + (blockabstract base_template) + + (type subj) + (call .subj.type (subj))) + + (block entry + + (macro entrypoint_all_files ((type ARG1)) + (allow ARG1 typeattr (file (entrypoint)))) + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit .file.all_macro_template_files) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow subj.typeattr not_typeattr (file (entrypoint)))) + + (block execheap + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr self (process (execheap)))) + + (block execstack + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr self (process (execstack)))) + + (block macro_template + + (blockabstract macro_template) + + (macro getrlimit_subj_processes ((type ARG1)) + (allow ARG1 subj (process (getrlimit)))) + + (macro getsched_subj_processes ((type ARG1)) + (allow ARG1 subj (process (getsched)))) + + (macro nnptransition_subj_processes ((type ARG1)) + (allow ARG1 subj (process2 (nnp_transition)))) + + (macro noatsecure_subj_processes ((type ARG1)) + (allow ARG1 subj (process (noatsecure)))) + + (macro nosuidtransition_subj_processes ((type ARG1)) + (allow ARG1 subj (process2 (nosuid_transition)))) + + (macro ps_subj_states ((type ARG1)) + (allow ARG1 subj (state (ps)))) + + (macro ptrace_subj_processes ((type ARG1)) + (allow ARG1 subj (process (ptrace)))) + + (macro read_subj_states ((type ARG1)) + (allow ARG1 subj (state (read)))) + + (macro readinherited_subj_fifo_files ((type ARG1)) + (allow ARG1 subj readinherited_fifo_file)) + + (macro readwriteinherited_subj_fifo_files ((type ARG1)) + (allow ARG1 subj readwriteinherited_fifo_file)) + + (macro rlimitinh_subj_processes ((type ARG1)) + (allow ARG1 subj (process (rlimitinh)))) + + (macro setrlimit_subj_processes ((type ARG1)) + (allow ARG1 subj (process (setrlimit)))) + + (macro setsched_subj_processes ((type ARG1)) + (allow ARG1 subj (process (setsched)))) + + (macro sigchld_subj_processes ((type ARG1)) + (allow ARG1 subj (process (sigchld)))) + + (macro sigkill_subj_processes ((type ARG1)) + (allow ARG1 subj (process (sigkill)))) + + (macro signal_subj_processes ((type ARG1)) + (allow ARG1 subj (process (signal)))) + + (macro signull_subj_processes ((type ARG1)) + (allow ARG1 subj (process (signull)))) + + (macro sigstop_subj_processes ((type ARG1)) + (allow ARG1 subj (process (sigstop)))) + + (macro transition_subj_processes ((type ARG1)) + (allow ARG1 subj (process (transition)))) + + (macro writeinherited_subj_fifo_files ((type ARG1)) + (allow ARG1 subj writeinherited_fifo_file))) + + (block template + + (blockabstract template) + + (blockinherit .subj.base_template) + (blockinherit .subj.macro_template)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr subj.entry.typeattr (file (entrypoint))) + + (allow typeattr subj.typeattr (process (all))) + ;; nosuid_transition should not be needed and indicates + ;; misconfiguration. when used properly it is worth blocking this + ;; access to prevent domain transitions on untrusted removeable + ;; storage. just be sure to alway's mount untrusted remote storage + ;; with nosuid, because otherwise this does not work. + (allow typeattr subj.typeattr (process2 (not nosuid_transition))) + + (allow typeattr subj.typeattr (fifo_file (not (execmod map mounton)))) + (allow typeattr subj.typeattr list_dir) + (allow typeattr subj.typeattr mounton_file) + (allow typeattr subj.typeattr read_lnk_file) + (allow typeattr subj.typeattr readwrite_file) + + (call execheap.type (typeattr)) + (call execstack.type (typeattr)))) + +(in unconfined + + (call .subj.unconfined.type (typeattr))) diff --git a/src/sys.cil b/src/sys.cil new file mode 100644 index 0000000..feb4c6d --- /dev/null +++ b/src/sys.cil @@ -0,0 +1,21 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(sidcontext kernel (sys.id sys.role sys.subj lowlevelrange)) + +(block sys + + (role role) + (roletype role subj) + + (user id) + (userrole id role) + + (userlevel id systemlow) + (userrange id lowhighlevelrange) + + (blockinherit .subj.template) + + (call .obj.role (role)) + + (call .unconfined.type (subj))) diff --git a/src/sys/bpffile.cil b/src/sys/bpffile.cil new file mode 100644 index 0000000..7c1bbcf --- /dev/null +++ b/src/sys/bpffile.cil @@ -0,0 +1,144 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block bpffile + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .obj.type (typeattr)) + + (call .bpf.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (context bpffile_context (.sys.id .sys.role bpffile lowlevelrange)) + + (type bpffile) + (call .bpffile.type (bpffile))) + + (block macro_template_dirs + + (blockabstract macro_template_dirs) + + (macro addname_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile addname_dir)) + + (macro create_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile create_dir)) + + (macro delete_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile delete_dir)) + + (macro deletename_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile deletename_dir)) + + (macro list_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile list_dir)) + + (macro listinherited_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile listinherited_dir)) + + (macro manage_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile manage_dir)) + + (macro mounton_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile mounton_dir)) + + (macro readwrite_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile readwrite_dir)) + + (macro readwriteinherited_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile readwriteinherited_dir)) + + (macro rename_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile rename_dir)) + + (macro search_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile search_dir)) + + (macro write_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile write_dir)) + + (macro writeinherited_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile writeinherited_dir))) + + (block macro_template_files + + (blockabstract macro_template_files) + + (macro append_bpffile_files ((type ARG1)) + (allow ARG1 bpffile append_file)) + + (macro appendinherited_bpffile_files ((type ARG1)) + (allow ARG1 bpffile appendinherited_file)) + + (macro create_bpffile_files ((type ARG1)) + (allow ARG1 bpffile create_file)) + + (macro delete_bpffile_files ((type ARG1)) + (allow ARG1 bpffile delete_file)) + + (macro execute_bpffile_files ((type ARG1)) + (allow ARG1 bpffile execute_file)) + + (macro manage_bpffile_files ((type ARG1)) + (allow ARG1 bpffile manage_file)) + + (macro mapexecute_bpffile_files ((type ARG1)) + (allow ARG1 bpffile mapexecute_file)) + + (macro mounton_bpffile_files ((type ARG1)) + (allow ARG1 bpffile mounton_file)) + + (macro read_bpffile_files ((type ARG1)) + (allow ARG1 bpffile read_file)) + + (macro readinherited_bpffile_files ((type ARG1)) + (allow ARG1 bpffile readinherited_file)) + + (macro readwrite_bpffile_files ((type ARG1)) + (allow ARG1 bpffile readwrite_file)) + + (macro readwriteinherited_bpffile_files ((type ARG1)) + (allow ARG1 bpffile readwriteinherited_file)) + + (macro rename_bpffile_files ((type ARG1)) + (allow ARG1 bpffile rename_file)) + + (macro write_bpffile_files ((type ARG1)) + (allow ARG1 bpffile write_file)) + + (macro writeinherited_bpffile_files ((type ARG1)) + (allow ARG1 bpffile writeinherited_file))) + + (block template + + (blockabstract template) + + (blockinherit .bpffile.base_template) + (blockinherit .bpffile.macro_template_files)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr bpffile.typeattr + (dir (not (audit_access execmod relabelfrom relabelto)))) + (allow typeattr bpffile.typeattr + (file (not (audit_access entrypoint execmod relabelfrom + relabelto)))))) + +(in sys.unconfined + + (call .bpffile.unconfined.type (typeattr))) diff --git a/src/sys/cgroupfile.cil b/src/sys/cgroupfile.cil new file mode 100644 index 0000000..cedbf4c --- /dev/null +++ b/src/sys/cgroupfile.cil @@ -0,0 +1,142 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block cgroupfile + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .obj.type (typeattr)) + + (call .cgroup.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (context cgroupfile_context (.sys.id .sys.role cgroupfile lowlevelrange)) + + (type cgroupfile) + (call .cgroupfile.type (cgroupfile))) + + (block macro_template_dirs + + (blockabstract macro_template_dirs) + + (macro addname_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile addname_dir)) + + (macro create_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile create_dir)) + + (macro delete_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile delete_dir)) + + (macro deletename_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile deletename_dir)) + + (macro list_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile list_dir)) + + (macro listinherited_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile listinherited_dir)) + + (macro manage_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile manage_dir)) + + (macro mounton_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile mounton_dir)) + + (macro readwrite_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile readwrite_dir)) + + (macro readwriteinherited_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile readwriteinherited_dir)) + + (macro rename_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile rename_dir)) + + (macro search_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile search_dir)) + + (macro write_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile write_dir)) + + (macro writeinherited_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile writeinherited_dir))) + + (block macro_template_files + + (blockabstract macro_template_files) + + (macro append_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile append_file)) + + (macro appendinherited_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile appendinherited_file)) + + (macro create_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile create_file)) + + (macro delete_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile delete_file)) + + (macro execute_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile execute_file)) + + (macro manage_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile manage_file)) + + (macro mapexecute_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile mapexecute_file)) + + (macro mounton_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile mounton_file)) + + (macro read_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile read_file)) + + (macro readinherited_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile readinherited_file)) + + (macro readwrite_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile readwrite_file)) + + (macro readwriteinherited_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile readwriteinherited_file)) + + (macro rename_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile rename_file)) + + (macro write_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile write_file)) + + (macro writeinherited_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile writeinherited_file))) + + (block template + + (blockabstract template) + + (blockinherit .cgroupfile.base_template) + (blockinherit .cgroupfile.macro_template_files)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr cgroupfile.typeattr (dir (not (audit_access execmod)))) + (allow typeattr cgroupfile.typeattr + (file (not (audit_access entrypoint execmod)))))) + +(in sys.unconfined + + (call .cgroupfile.unconfined.type (typeattr))) diff --git a/src/sys/debugfile.cil b/src/sys/debugfile.cil new file mode 100644 index 0000000..cfd15a5 --- /dev/null +++ b/src/sys/debugfile.cil @@ -0,0 +1,142 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block debugfile + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .obj.type (typeattr)) + + (call .debug.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (context debugfile_context (.sys.id .sys.role debugfile lowlevelrange)) + + (type debugfile) + (call .debugfile.type (debugfile))) + + (block macro_template_dirs + + (blockabstract macro_template_dirs) + + (macro addname_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile addname_dir)) + + (macro create_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile create_dir)) + + (macro delete_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile delete_dir)) + + (macro deletename_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile deletename_dir)) + + (macro list_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile list_dir)) + + (macro listinherited_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile listinherited_dir)) + + (macro manage_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile manage_dir)) + + (macro mounton_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile mounton_dir)) + + (macro readwrite_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile readwrite_dir)) + + (macro readwriteinherited_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile readwriteinherited_dir)) + + (macro rename_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile rename_dir)) + + (macro search_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile search_dir)) + + (macro write_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile write_dir)) + + (macro writeinherited_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile writeinherited_dir))) + + (block macro_template_files + + (blockabstract macro_template_files) + + (macro append_debugfile_files ((type ARG1)) + (allow ARG1 debugfile append_file)) + + (macro appendinherited_debugfile_files ((type ARG1)) + (allow ARG1 debugfile appendinherited_file)) + + (macro create_debugfile_files ((type ARG1)) + (allow ARG1 debugfile create_file)) + + (macro delete_debugfile_files ((type ARG1)) + (allow ARG1 debugfile delete_file)) + + (macro execute_debugfile_files ((type ARG1)) + (allow ARG1 debugfile execute_file)) + + (macro manage_debugfile_files ((type ARG1)) + (allow ARG1 debugfile manage_file)) + + (macro mapexecute_debugfile_files ((type ARG1)) + (allow ARG1 debugfile mapexecute_file)) + + (macro mounton_debugfile_files ((type ARG1)) + (allow ARG1 debugfile mounton_file)) + + (macro read_debugfile_files ((type ARG1)) + (allow ARG1 debugfile read_file)) + + (macro readinherited_debugfile_files ((type ARG1)) + (allow ARG1 debugfile readinherited_file)) + + (macro readwrite_debugfile_files ((type ARG1)) + (allow ARG1 debugfile readwrite_file)) + + (macro readwriteinherited_debugfile_files ((type ARG1)) + (allow ARG1 debugfile readwriteinherited_file)) + + (macro rename_debugfile_files ((type ARG1)) + (allow ARG1 debugfile rename_file)) + + (macro write_debugfile_files ((type ARG1)) + (allow ARG1 debugfile write_file)) + + (macro writeinherited_debugfile_files ((type ARG1)) + (allow ARG1 debugfile writeinherited_file))) + + (block template + + (blockabstract template) + + (blockinherit .debugfile.base_template) + (blockinherit .debugfile.macro_template_files)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr debugfile.typeattr (dir (not (audit_access execmod)))) + (allow typeattr debugfile.typeattr + (file (not (audit_access entrypoint execmod)))))) + +(in sys.unconfined + + (call .debugfile.unconfined.type (typeattr))) diff --git a/src/sys/procfile.cil b/src/sys/procfile.cil new file mode 100644 index 0000000..2b81c2e --- /dev/null +++ b/src/sys/procfile.cil @@ -0,0 +1,193 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block procfile + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + + (call .obj.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (context procfile_context (.sys.id .sys.role procfile lowlevelrange)) + + (type procfile) + (call .procfile.type (procfile))) + + (block except + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + + (typeattribute typeattr) + + (typeattributeset typeattr + (and procfile.typeattr (not (exception.typeattr))))) + + (block exception + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call procfile.type (typeattr))) + + (block macro_template_dirs + + (blockabstract macro_template_dirs) + + (macro addname_procfile_dirs ((type ARG1)) + (allow ARG1 procfile addname_dir)) + + (macro create_procfile_dirs ((type ARG1)) + (allow ARG1 procfile create_dir)) + + (macro delete_procfile_dirs ((type ARG1)) + (allow ARG1 procfile delete_dir)) + + (macro deletename_procfile_dirs ((type ARG1)) + (allow ARG1 procfile deletename_dir)) + + (macro list_procfile_dirs ((type ARG1)) + (allow ARG1 procfile list_dir)) + + (macro listinherited_procfile_dirs ((type ARG1)) + (allow ARG1 procfile listinherited_dir)) + + (macro manage_procfile_dirs ((type ARG1)) + (allow ARG1 procfile manage_dir)) + + (macro mounton_procfile_dirs ((type ARG1)) + (allow ARG1 procfile mounton_dir)) + + (macro readwrite_procfile_dirs ((type ARG1)) + (allow ARG1 procfile readwrite_dir)) + + (macro readwriteinherited_procfile_dirs ((type ARG1)) + (allow ARG1 procfile readwriteinherited_dir)) + + (macro rename_procfile_dirs ((type ARG1)) + (allow ARG1 procfile rename_dir)) + + (macro search_procfile_dirs ((type ARG1)) + (allow ARG1 procfile search_dir)) + + (macro write_procfile_dirs ((type ARG1)) + (allow ARG1 procfile write_dir)) + + (macro writeinherited_procfile_dirs ((type ARG1)) + (allow ARG1 procfile writeinherited_dir))) + + (block macro_template_files + + (blockabstract macro_template_files) + + (macro append_procfile_files ((type ARG1)) + (allow ARG1 procfile append_file)) + + (macro appendinherited_procfile_files ((type ARG1)) + (allow ARG1 procfile appendinherited_file)) + + (macro create_procfile_files ((type ARG1)) + (allow ARG1 procfile create_file)) + + (macro delete_procfile_files ((type ARG1)) + (allow ARG1 procfile delete_file)) + + (macro execute_procfile_files ((type ARG1)) + (allow ARG1 procfile execute_file)) + + (macro manage_procfile_files ((type ARG1)) + (allow ARG1 procfile manage_file)) + + (macro mapexecute_procfile_files ((type ARG1)) + (allow ARG1 procfile mapexecute_file)) + + (macro mounton_procfile_files ((type ARG1)) + (allow ARG1 procfile mounton_file)) + + (macro read_procfile_files ((type ARG1)) + (allow ARG1 procfile read_file)) + + (macro readinherited_procfile_files ((type ARG1)) + (allow ARG1 procfile readinherited_file)) + + (macro readwrite_procfile_files ((type ARG1)) + (allow ARG1 procfile readwrite_file)) + + (macro readwriteinherited_procfile_files ((type ARG1)) + (allow ARG1 procfile readwriteinherited_file)) + + (macro rename_procfile_files ((type ARG1)) + (allow ARG1 procfile rename_file)) + + (macro write_procfile_files ((type ARG1)) + (allow ARG1 procfile write_file)) + + (macro writeinherited_procfile_files ((type ARG1)) + (allow ARG1 procfile writeinherited_file))) + + (block macro_template_lnk_files + + (blockabstract macro_template_lnk_files) + + (macro create_procfile_lnk_files ((type ARG1)) + (allow ARG1 procfile create_lnk_file)) + + (macro delete_procfile_lnk_files ((type ARG1)) + (allow ARG1 procfile delete_lnk_file)) + + (macro manage_procfile_lnk_files ((type ARG1)) + (allow ARG1 procfile manage_lnk_file)) + + (macro read_procfile_lnk_files ((type ARG1)) + (allow ARG1 procfile read_lnk_file)) + + (macro readwrite_procfile_lnk_files ((type ARG1)) + (allow ARG1 procfile readwrite_lnk_file)) + + (macro rename_procfile_lnk_files ((type ARG1)) + (allow ARG1 procfile rename_lnk_file)) + + (macro write_procfile_lnk_files ((type ARG1)) + (allow ARG1 procfile write_lnk_file))) + + (block template + + (blockabstract template) + + (blockinherit .procfile.base_template) + (blockinherit .procfile.macro_template_files)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr procfile.typeattr + (dir (not (audit_access execmod relabelfrom relabelto)))) + (allow typeattr procfile.typeattr + (file (not (audit_access entrypoint execmod relabelfrom relabelto)))) + (allow typeattr procfile.typeattr + (lnk_file (not (audit_access execmod map mounton relabelfrom + relabelto)))))) + +(in sys.unconfined + + (call .procfile.unconfined.type (typeattr))) diff --git a/src/sys/procfile/acpiprocfile.cil b/src/sys/procfile/acpiprocfile.cil new file mode 100644 index 0000000..ce00061 --- /dev/null +++ b/src/sys/procfile/acpiprocfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block acpi + + (genfscon "proc" "/acpi" procfile_context) + + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/asoundprocfile.cil b/src/sys/procfile/asoundprocfile.cil new file mode 100644 index 0000000..1b6342b --- /dev/null +++ b/src/sys/procfile/asoundprocfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block asound + + (genfscon "proc" "/asound" procfile_context) + + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/bootconfigprocfile.cil b/src/sys/procfile/bootconfigprocfile.cil new file mode 100644 index 0000000..695b76f --- /dev/null +++ b/src/sys/procfile/bootconfigprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block bootconfig + + (genfscon "proc" "/bootconfig" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/buddyinfoprocfile.cil b/src/sys/procfile/buddyinfoprocfile.cil new file mode 100644 index 0000000..0cdf4f9 --- /dev/null +++ b/src/sys/procfile/buddyinfoprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block buddyinfo + + (genfscon "proc" "/buddyinfo" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/busprocfile.cil b/src/sys/procfile/busprocfile.cil new file mode 100644 index 0000000..04a16b9 --- /dev/null +++ b/src/sys/procfile/busprocfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in bus + + (genfscon "proc" "/bus" procfile_context) + + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/cgroupsprocfile.cil b/src/sys/procfile/cgroupsprocfile.cil new file mode 100644 index 0000000..71a8153 --- /dev/null +++ b/src/sys/procfile/cgroupsprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block cgroups + + (genfscon "proc" "/cgroups" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/cmdlineprocfile.cil b/src/sys/procfile/cmdlineprocfile.cil new file mode 100644 index 0000000..92e7081 --- /dev/null +++ b/src/sys/procfile/cmdlineprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block cmdline + + (genfscon "proc" "/cmdline" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/consolesprocfile.cil b/src/sys/procfile/consolesprocfile.cil new file mode 100644 index 0000000..61d9689 --- /dev/null +++ b/src/sys/procfile/consolesprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block consoles + + (genfscon "proc" "/consoles" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/cpuinfoprocfile.cil b/src/sys/procfile/cpuinfoprocfile.cil new file mode 100644 index 0000000..1afb35d --- /dev/null +++ b/src/sys/procfile/cpuinfoprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block cpuinfo + + (genfscon "proc" "/cpuinfo" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/cpuprocfile.cil b/src/sys/procfile/cpuprocfile.cil new file mode 100644 index 0000000..96b54e5 --- /dev/null +++ b/src/sys/procfile/cpuprocfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in cpu + + (genfscon "proc" "/cpu" procfile_context) + + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/cryptoprocfile.cil b/src/sys/procfile/cryptoprocfile.cil new file mode 100644 index 0000000..711842a --- /dev/null +++ b/src/sys/procfile/cryptoprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in crypto + + (genfscon "proc" "/crypto" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/devicesprocfile.cil b/src/sys/procfile/devicesprocfile.cil new file mode 100644 index 0000000..83d417f --- /dev/null +++ b/src/sys/procfile/devicesprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in devices + + (genfscon "proc" "/devices" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/diskstatsprocfile.cil b/src/sys/procfile/diskstatsprocfile.cil new file mode 100644 index 0000000..91e750b --- /dev/null +++ b/src/sys/procfile/diskstatsprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block diskstats + + (genfscon "proc" "/diskstats" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/dmaprocfile.cil b/src/sys/procfile/dmaprocfile.cil new file mode 100644 index 0000000..3403e9b --- /dev/null +++ b/src/sys/procfile/dmaprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block dma + + (genfscon "proc" "/dma" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/driverprocfile.cil b/src/sys/procfile/driverprocfile.cil new file mode 100644 index 0000000..532d389 --- /dev/null +++ b/src/sys/procfile/driverprocfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block driver + + (genfscon "proc" "/driver" procfile_context) + + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/dynamicdebugprocfile.cil b/src/sys/procfile/dynamicdebugprocfile.cil new file mode 100644 index 0000000..a811c2d --- /dev/null +++ b/src/sys/procfile/dynamicdebugprocfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block dynamicdebug + + (genfscon "proc" "/dynamic_debug" procfile_context) + + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.base_template)) diff --git a/src/sys/procfile/execdomainsprocfile.cil b/src/sys/procfile/execdomainsprocfile.cil new file mode 100644 index 0000000..177f33a --- /dev/null +++ b/src/sys/procfile/execdomainsprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block execdomains + + (genfscon "proc" "/execdomains" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/fbprocfile.cil b/src/sys/procfile/fbprocfile.cil new file mode 100644 index 0000000..9f7e75b --- /dev/null +++ b/src/sys/procfile/fbprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in fb + + (genfscon "proc" "/fb" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/filesystemsprocfile.cil b/src/sys/procfile/filesystemsprocfile.cil new file mode 100644 index 0000000..b39c3ed --- /dev/null +++ b/src/sys/procfile/filesystemsprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block filesystems + + (genfscon "proc" "/filesystems" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/fsprocfile.cil b/src/sys/procfile/fsprocfile.cil new file mode 100644 index 0000000..5b46976 --- /dev/null +++ b/src/sys/procfile/fsprocfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in fs + + (genfscon "proc" "/fs" procfile_context) + + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/interruptsprocfile.cil b/src/sys/procfile/interruptsprocfile.cil new file mode 100644 index 0000000..31eccc3 --- /dev/null +++ b/src/sys/procfile/interruptsprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block interrupts + + (genfscon "proc" "/interrupts" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/iomemprocfile.cil b/src/sys/procfile/iomemprocfile.cil new file mode 100644 index 0000000..cc16761 --- /dev/null +++ b/src/sys/procfile/iomemprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block iomem + + (genfscon "proc" "/iomem" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/ioportsprocfile.cil b/src/sys/procfile/ioportsprocfile.cil new file mode 100644 index 0000000..03852ce --- /dev/null +++ b/src/sys/procfile/ioportsprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block ioports + + (genfscon "proc" "/ioports" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/irqprocfile.cil b/src/sys/procfile/irqprocfile.cil new file mode 100644 index 0000000..fdd4e92 --- /dev/null +++ b/src/sys/procfile/irqprocfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block irq + + (genfscon "proc" "/irq" procfile_context) + + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/jffs2bbcprocfile.cil b/src/sys/procfile/jffs2bbcprocfile.cil new file mode 100644 index 0000000..7b8d78c --- /dev/null +++ b/src/sys/procfile/jffs2bbcprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block jffs2bbc + + (genfscon "proc" "/jffs2_bbc" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/kallsymsprocfile.cil b/src/sys/procfile/kallsymsprocfile.cil new file mode 100644 index 0000000..33e3ee1 --- /dev/null +++ b/src/sys/procfile/kallsymsprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block kallsyms + + (genfscon "proc" "/kallsyms" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/kcoreprocfile.cil b/src/sys/procfile/kcoreprocfile.cil new file mode 100644 index 0000000..c367f51 --- /dev/null +++ b/src/sys/procfile/kcoreprocfile.cil @@ -0,0 +1,48 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block kcore + + (genfscon "proc" "/kcore" procfile_context) + + (blockinherit .procfile.template) + + (call .procfile.exception.type (procfile)) + + (block read + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr procfile (file (read)))) + + (block readwrite + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call read.type (typeattr)) + (call write.type (typeattr))) + + (block write + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr procfile (file (append write))))) + +(in procfile.unconfined + + (call .kcore.readwrite.type (typeattr))) diff --git a/src/sys/procfile/keysprocfile.cil b/src/sys/procfile/keysprocfile.cil new file mode 100644 index 0000000..a41791c --- /dev/null +++ b/src/sys/procfile/keysprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block keys + + (genfscon "proc" "/keys" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/keyusersprocfile.cil b/src/sys/procfile/keyusersprocfile.cil new file mode 100644 index 0000000..4c7617b --- /dev/null +++ b/src/sys/procfile/keyusersprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block keyusers + + (genfscon "proc" "/key-users" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/kmsgprocfile.cil b/src/sys/procfile/kmsgprocfile.cil new file mode 100644 index 0000000..bb5f80e --- /dev/null +++ b/src/sys/procfile/kmsgprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in kmsg + + (genfscon "proc" "/kmsg" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/kpagecgroupprocfile.cil b/src/sys/procfile/kpagecgroupprocfile.cil new file mode 100644 index 0000000..45ed0cf --- /dev/null +++ b/src/sys/procfile/kpagecgroupprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block kpagecgroup + + (genfscon "proc" "/kpagecgroup" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/kpagecountprocfile.cil b/src/sys/procfile/kpagecountprocfile.cil new file mode 100644 index 0000000..cfdfe4b --- /dev/null +++ b/src/sys/procfile/kpagecountprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block kpagecount + + (genfscon "proc" "/kpagecount" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/kpageflagsprocfile.cil b/src/sys/procfile/kpageflagsprocfile.cil new file mode 100644 index 0000000..10cf173 --- /dev/null +++ b/src/sys/procfile/kpageflagsprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block kpageflags + + (genfscon "proc" "/kpageflags" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/latencystatsprocfile.cil b/src/sys/procfile/latencystatsprocfile.cil new file mode 100644 index 0000000..f195b17 --- /dev/null +++ b/src/sys/procfile/latencystatsprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block latencystats + + (genfscon "proc" "/latency_stats" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/loadavgprocfile.cil b/src/sys/procfile/loadavgprocfile.cil new file mode 100644 index 0000000..9ac128e --- /dev/null +++ b/src/sys/procfile/loadavgprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block loadavg + + (genfscon "proc" "/loadavg" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/lockdepchainsprocfile.cil b/src/sys/procfile/lockdepchainsprocfile.cil new file mode 100644 index 0000000..6a1def1 --- /dev/null +++ b/src/sys/procfile/lockdepchainsprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block lockdepchains + + (genfscon "proc" "/lockdep_chains" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/lockdepprocfile.cil b/src/sys/procfile/lockdepprocfile.cil new file mode 100644 index 0000000..f40bda0 --- /dev/null +++ b/src/sys/procfile/lockdepprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block lockdep + + (genfscon "proc" "/lockdep" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/lockdepstatsprocfile.cil b/src/sys/procfile/lockdepstatsprocfile.cil new file mode 100644 index 0000000..4be05b3 --- /dev/null +++ b/src/sys/procfile/lockdepstatsprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block lockdepstats + + (genfscon "proc" "/lockdep_stats" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/locksprocfile.cil b/src/sys/procfile/locksprocfile.cil new file mode 100644 index 0000000..05d40af --- /dev/null +++ b/src/sys/procfile/locksprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block locks + + (genfscon "proc" "/locks" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/lockstatprocfile.cil b/src/sys/procfile/lockstatprocfile.cil new file mode 100644 index 0000000..18dc93f --- /dev/null +++ b/src/sys/procfile/lockstatprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block lockstat + + (genfscon "proc" "/lock_stat" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/mdstatprocfile.cil b/src/sys/procfile/mdstatprocfile.cil new file mode 100644 index 0000000..46b78ea --- /dev/null +++ b/src/sys/procfile/mdstatprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block mdstat + + (genfscon "proc" "/mdstat" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/meminfoprocfile.cil b/src/sys/procfile/meminfoprocfile.cil new file mode 100644 index 0000000..9136178 --- /dev/null +++ b/src/sys/procfile/meminfoprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block meminfo + + (genfscon "proc" "/meminfo" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/miscprocfile.cil b/src/sys/procfile/miscprocfile.cil new file mode 100644 index 0000000..497c140 --- /dev/null +++ b/src/sys/procfile/miscprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block misc + + (genfscon "proc" "/misc" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/modulesprocfile.cil b/src/sys/procfile/modulesprocfile.cil new file mode 100644 index 0000000..542ae2a --- /dev/null +++ b/src/sys/procfile/modulesprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block modules + + (genfscon "proc" "/modules" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/mptprocfile.cil b/src/sys/procfile/mptprocfile.cil new file mode 100644 index 0000000..c471afb --- /dev/null +++ b/src/sys/procfile/mptprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block mpt + + (genfscon "proc" "/mpt" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/mtdprocfile.cil b/src/sys/procfile/mtdprocfile.cil new file mode 100644 index 0000000..83b3e57 --- /dev/null +++ b/src/sys/procfile/mtdprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in mtd + + (genfscon "proc" "/mtd" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/mtrrprocfile.cil b/src/sys/procfile/mtrrprocfile.cil new file mode 100644 index 0000000..40dd60f --- /dev/null +++ b/src/sys/procfile/mtrrprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block mtrr + + (genfscon "proc" "/mtrr" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/netprocfile.cil b/src/sys/procfile/netprocfile.cil new file mode 100644 index 0000000..0cf3d3d --- /dev/null +++ b/src/sys/procfile/netprocfile.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in net + + (genfscon "proc" "/net" procfile_context) + + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.macro_template_lnk_files) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/pagetypeinfoprocfile.cil b/src/sys/procfile/pagetypeinfoprocfile.cil new file mode 100644 index 0000000..1ffef39 --- /dev/null +++ b/src/sys/procfile/pagetypeinfoprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block pagetypeinfo + + (genfscon "proc" "/pagetypeinfo" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/partitionsprocfile.cil b/src/sys/procfile/partitionsprocfile.cil new file mode 100644 index 0000000..32d7878 --- /dev/null +++ b/src/sys/procfile/partitionsprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block partitions + + (genfscon "proc" "/partitions" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/pressureprocfile.cil b/src/sys/procfile/pressureprocfile.cil new file mode 100644 index 0000000..bc62a65 --- /dev/null +++ b/src/sys/procfile/pressureprocfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block pressure + + (genfscon "proc" "/pressure" procfile_context) + + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/scheddebugprocfile.cil b/src/sys/procfile/scheddebugprocfile.cil new file mode 100644 index 0000000..d56d8ea --- /dev/null +++ b/src/sys/procfile/scheddebugprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block scheddebug + + (genfscon "proc" "/sched_debug" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/schedstatprocfile.cil b/src/sys/procfile/schedstatprocfile.cil new file mode 100644 index 0000000..1849ea8 --- /dev/null +++ b/src/sys/procfile/schedstatprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block schedstat + + (genfscon "proc" "/schedstat" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/scsiprocfile.cil b/src/sys/procfile/scsiprocfile.cil new file mode 100644 index 0000000..c27e5e6 --- /dev/null +++ b/src/sys/procfile/scsiprocfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block scsi + + (genfscon "proc" "/scsi" procfile_context) + + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/slabinfoprocfile.cil b/src/sys/procfile/slabinfoprocfile.cil new file mode 100644 index 0000000..39991de --- /dev/null +++ b/src/sys/procfile/slabinfoprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block slabinfo + + (genfscon "proc" "/slabinfo" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/softirqsprocfile.cil b/src/sys/procfile/softirqsprocfile.cil new file mode 100644 index 0000000..72ded46 --- /dev/null +++ b/src/sys/procfile/softirqsprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block softirqs + + (genfscon "proc" "/softirqs" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/statprocfile.cil b/src/sys/procfile/statprocfile.cil new file mode 100644 index 0000000..75ce983 --- /dev/null +++ b/src/sys/procfile/statprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block stat + + (genfscon "proc" "/stat" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/swapsprocfile.cil b/src/sys/procfile/swapsprocfile.cil new file mode 100644 index 0000000..3a7cabf --- /dev/null +++ b/src/sys/procfile/swapsprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block swaps + + (genfscon "proc" "/swaps" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/sysctlfile.cil b/src/sys/procfile/sysctlfile.cil new file mode 100644 index 0000000..b0e9787 --- /dev/null +++ b/src/sys/procfile/sysctlfile.cil @@ -0,0 +1,138 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block sysctlfile + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .procfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (context sysctlfile_context (.sys.id .sys.role sysctlfile lowlevelrange)) + + (type sysctlfile) + (call .sysctlfile.type (sysctlfile))) + + (block macro_template_dirs + + (blockabstract macro_template_dirs) + + (macro addname_sysctlfile_dirs ((type ARG1)) + (allow ARG1 sysctlfile addname_dir)) + + (macro create_sysctlfile_dirs ((type ARG1)) + (allow ARG1 sysctlfile create_dir)) + + (macro delete_sysctlfile_dirs ((type ARG1)) + (allow ARG1 sysctlfile delete_dir)) + + (macro deletename_sysctlfile_dirs ((type ARG1)) + (allow ARG1 sysctlfile deletename_dir)) + + (macro list_sysctlfile_dirs ((type ARG1)) + (allow ARG1 sysctlfile list_dir)) + + (macro listinherited_sysctlfile_dirs ((type ARG1)) + (allow ARG1 sysctlfile listinherited_dir)) + + (macro manage_sysctlfile_dirs ((type ARG1)) + (allow ARG1 sysctlfile manage_dir)) + + (macro mounton_sysctlfile_dirs ((type ARG1)) + (allow ARG1 sysctlfile mounton_dir)) + + (macro readwrite_sysctlfile_dirs ((type ARG1)) + (allow ARG1 sysctlfile readwrite_dir)) + + (macro readwriteinherited_sysctlfile_dirs ((type ARG1)) + (allow ARG1 sysctlfile readwriteinherited_dir)) + + (macro rename_sysctlfile_dirs ((type ARG1)) + (allow ARG1 sysctlfile rename_dir)) + + (macro search_sysctlfile_dirs ((type ARG1)) + (allow ARG1 sysctlfile search_dir)) + + (macro write_sysctlfile_dirs ((type ARG1)) + (allow ARG1 sysctlfile write_dir)) + + (macro writeinherited_sysctlfile_dirs ((type ARG1)) + (allow ARG1 sysctlfile writeinherited_dir))) + + (block macro_template_files + + (blockabstract macro_template_files) + + (macro append_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile append_file)) + + (macro appendinherited_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile appendinherited_file)) + + (macro create_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile create_file)) + + (macro delete_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile delete_file)) + + (macro execute_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile execute_file)) + + (macro manage_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile manage_file)) + + (macro mapexecute_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile mapexecute_file)) + + (macro mounton_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile mounton_file)) + + (macro read_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile read_file)) + + (macro readinherited_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile readinherited_file)) + + (macro readwrite_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile readwrite_file)) + + (macro readwriteinherited_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile readwriteinherited_file)) + + (macro rename_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile rename_file)) + + (macro write_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile write_file)) + + (macro writeinherited_sysctlfile_files ((type ARG1)) + (allow ARG1 sysctlfile writeinherited_file))) + + (block template + + (blockabstract template) + + (blockinherit .sysctlfile.base_template) + (blockinherit .sysctlfile.macro_template_files)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr sysctlfile.typeattr + (dir (not (audit_access execmod relabelfrom relabelto)))) + (allow typeattr sysctlfile.typeattr + (file (not (audit_access entrypoint execmod relabelfrom + relabelto)))))) diff --git a/src/sys/procfile/sysctlfile/abisysctlfile.cil b/src/sys/procfile/sysctlfile/abisysctlfile.cil new file mode 100644 index 0000000..0bf5be5 --- /dev/null +++ b/src/sys/procfile/sysctlfile/abisysctlfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block abi + + (genfscon "proc" "/sys/abi" sysctlfile_context) + + (blockinherit .sysctlfile.abi.template) + (blockinherit .sysctlfile.macro_template_dirs)) + +(in sysctlfile + + (block abi + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .sysctlfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysctlfile.base_template) + + (call .sysctlfile.abi.type (sysctlfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysctlfile.abi.base_template) + (blockinherit .sysctlfile.macro_template_files)))) diff --git a/src/sys/procfile/sysctlfile/cryptosysctlfile.cil b/src/sys/procfile/sysctlfile/cryptosysctlfile.cil new file mode 100644 index 0000000..d56af1f --- /dev/null +++ b/src/sys/procfile/sysctlfile/cryptosysctlfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block crypto + + (genfscon "proc" "/sys/crypto" sysctlfile_context) + + (blockinherit .sysctlfile.crypto.template) + (blockinherit .sysctlfile.macro_template_dirs)) + +(in sysctlfile + + (block crypto + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .sysctlfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysctlfile.base_template) + + (call .sysctlfile.crypto.type (sysctlfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysctlfile.crypto.base_template) + (blockinherit .sysctlfile.macro_template_files)))) diff --git a/src/sys/procfile/sysctlfile/debugsysctlfile.cil b/src/sys/procfile/sysctlfile/debugsysctlfile.cil new file mode 100644 index 0000000..8d23149 --- /dev/null +++ b/src/sys/procfile/sysctlfile/debugsysctlfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block debug + + (genfscon "proc" "/sys/debug" sysctlfile_context) + + (blockinherit .sysctlfile.debug.template) + (blockinherit .sysctlfile.macro_template_dirs)) + +(in sysctlfile + + (block debug + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .sysctlfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysctlfile.base_template) + + (call .sysctlfile.debug.type (sysctlfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysctlfile.debug.base_template) + (blockinherit .sysctlfile.macro_template_files)))) diff --git a/src/sys/procfile/sysctlfile/devsysctlfile.cil b/src/sys/procfile/sysctlfile/devsysctlfile.cil new file mode 100644 index 0000000..87edae1 --- /dev/null +++ b/src/sys/procfile/sysctlfile/devsysctlfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in dev + + (genfscon "proc" "/sys/dev" sysctlfile_context) + + (blockinherit .sysctlfile.dev.template) + (blockinherit .sysctlfile.macro_template_dirs)) + +(in sysctlfile + + (block dev + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .sysctlfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysctlfile.base_template) + + (call .sysctlfile.dev.type (sysctlfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysctlfile.dev.base_template) + (blockinherit .sysctlfile.macro_template_files)))) diff --git a/src/sys/procfile/sysctlfile/fssysctlfile.cil b/src/sys/procfile/sysctlfile/fssysctlfile.cil new file mode 100644 index 0000000..878092f --- /dev/null +++ b/src/sys/procfile/sysctlfile/fssysctlfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in fs + + (genfscon "proc" "/sys/fs" sysctlfile_context) + + (blockinherit .sysctlfile.fs.template) + (blockinherit .sysctlfile.macro_template_dirs)) + +(in sysctlfile + + (block fs + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .sysctlfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysctlfile.base_template) + + (call .sysctlfile.fs.type (sysctlfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysctlfile.fs.base_template) + (blockinherit .sysctlfile.macro_template_files)))) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile.cil new file mode 100644 index 0000000..ad66127 --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block kernel + + (genfscon "proc" "/sys/kernel" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template) + (blockinherit .sysctlfile.macro_template_dirs)) + +(in sysctlfile + + (block kernel + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .sysctlfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysctlfile.base_template) + + (call .sysctlfile.kernel.type (sysctlfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysctlfile.kernel.base_template) + (blockinherit .sysctlfile.macro_template_files)))) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/caplastcapkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/caplastcapkernelsysctlfile.cil new file mode 100644 index 0000000..b27163e --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/caplastcapkernelsysctlfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block caplastcap + + (genfscon "proc" "/sys/kernel/cap_last_cap" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/corepatternkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/corepatternkernelsysctlfile.cil new file mode 100644 index 0000000..7ef9105 --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/corepatternkernelsysctlfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block corepattern + + (genfscon "proc" "/sys/kernel/core_pattern" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/corepipelimitkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/corepipelimitkernelsysctlfile.cil new file mode 100644 index 0000000..8f95bf8 --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/corepipelimitkernelsysctlfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block corepipelimit + + (genfscon "proc" "/sys/kernel/core_pipe_limit" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/firmwareconfigkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/firmwareconfigkernelsysctlfile.cil new file mode 100644 index 0000000..9bcd7cd --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/firmwareconfigkernelsysctlfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block firmwareconfig + + (genfscon "proc" "/sys/kernel/firmware_config" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template) + (blockinherit .sysctlfile.macro_template_dirs)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/hostnamekernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/hostnamekernelsysctlfile.cil new file mode 100644 index 0000000..d4a8ca6 --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/hostnamekernelsysctlfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block hostname + + (genfscon "proc" "/sys/kernel/hostname" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/keyskernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/keyskernelsysctlfile.cil new file mode 100644 index 0000000..f65c9db --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/keyskernelsysctlfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in keys + + (genfscon "proc" "/sys/kernel/keys" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template) + (blockinherit .sysctlfile.macro_template_dirs)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/modprobekernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/modprobekernelsysctlfile.cil new file mode 100644 index 0000000..7928e56 --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/modprobekernelsysctlfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block modprobe + + (genfscon "proc" "/sys/kernel/modprobe" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/nslastpidkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/nslastpidkernelsysctlfile.cil new file mode 100644 index 0000000..b39aa80 --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/nslastpidkernelsysctlfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block nslastpid + + (genfscon "proc" "/sys/kernel/ns_last_pid" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/osreleasekernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/osreleasekernelsysctlfile.cil new file mode 100644 index 0000000..9eab507 --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/osreleasekernelsysctlfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block osrelease + + (genfscon "proc" "/sys/kernel/osrelease" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/overflowuidkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/overflowuidkernelsysctlfile.cil new file mode 100644 index 0000000..4517c76 --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/overflowuidkernelsysctlfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block overflowuid + + (genfscon "proc" "/sys/kernel/overflowgid" sysctlfile_context) + (genfscon "proc" "/sys/kernel/overflowuid" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/pidmaxkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/pidmaxkernelsysctlfile.cil new file mode 100644 index 0000000..168e06a --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/pidmaxkernelsysctlfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block pidmax + + (genfscon "proc" "/sys/kernel/pid_max" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/poweroffcmdkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/poweroffcmdkernelsysctlfile.cil new file mode 100644 index 0000000..bf5e36b --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/poweroffcmdkernelsysctlfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block poweroffcmd + + (genfscon "proc" "/sys/kernel/poweroff_cmd" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/ptykernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/ptykernelsysctlfile.cil new file mode 100644 index 0000000..bc96692 --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/ptykernelsysctlfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block pty + + (genfscon "proc" "/sys/kernel/pty" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template) + (blockinherit .sysctlfile.macro_template_dirs)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/randomkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/randomkernelsysctlfile.cil new file mode 100644 index 0000000..493ed6f --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/randomkernelsysctlfile.cil @@ -0,0 +1,13 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in kernel + + (genfscon "proc" "/sys/kernel/randomize_va_space" sysctlfile_context)) + +(in random + + (genfscon "proc" "/sys/kernel/random" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template) + (blockinherit .sysctlfile.macro_template_dirs)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/seccompkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/seccompkernelsysctlfile.cil new file mode 100644 index 0000000..b9f2878 --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/seccompkernelsysctlfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block seccomp + + (genfscon "proc" "/sys/kernel/seccomp" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template) + (blockinherit .sysctlfile.macro_template_dirs)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/threadsmaxkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/threadsmaxkernelsysctlfile.cil new file mode 100644 index 0000000..5d31bf8 --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/threadsmaxkernelsysctlfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block threadsmax + + (genfscon "proc" "/sys/kernel/threads-max" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/usermodehelperkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/usermodehelperkernelsysctlfile.cil new file mode 100644 index 0000000..e848922 --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/usermodehelperkernelsysctlfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block usermodehelper + + (genfscon "proc" "/sys/kernel/usermodehelper" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template) + (blockinherit .sysctlfile.macro_template_dirs)) diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/yamakernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/yamakernelsysctlfile.cil new file mode 100644 index 0000000..a958a40 --- /dev/null +++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/yamakernelsysctlfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block yama + + (genfscon "proc" "/sys/kernel/yama" sysctlfile_context) + + (blockinherit .sysctlfile.kernel.template) + (blockinherit .sysctlfile.macro_template_dirs)) diff --git a/src/sys/procfile/sysctlfile/netsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile.cil new file mode 100644 index 0000000..1917846 --- /dev/null +++ b/src/sys/procfile/sysctlfile/netsysctlfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in net + + (genfscon "proc" "/sys/net" sysctlfile_context) + + (blockinherit .sysctlfile.macro_template_dirs) + (blockinherit .sysctlfile.net.template)) + +(in sysctlfile + + (block net + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .sysctlfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysctlfile.base_template) + + (call .sysctlfile.net.type (sysctlfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysctlfile.net.base_template) + (blockinherit .sysctlfile.macro_template_files)))) diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/corenetsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/corenetsysctlfile.cil new file mode 100644 index 0000000..432152a --- /dev/null +++ b/src/sys/procfile/sysctlfile/netsysctlfile/corenetsysctlfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block core + + (genfscon "proc" "/sys/net/core" sysctlfile_context) + + (blockinherit .sysctlfile.macro_template_dirs) + (blockinherit .sysctlfile.net.template)) diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/ipv4netsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/ipv4netsysctlfile.cil new file mode 100644 index 0000000..02cc2de --- /dev/null +++ b/src/sys/procfile/sysctlfile/netsysctlfile/ipv4netsysctlfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block ipv4 + + (genfscon "proc" "/sys/net/ipv4" sysctlfile_context) + + (blockinherit .sysctlfile.macro_template_dirs) + (blockinherit .sysctlfile.net.template)) diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/ipv6netsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/ipv6netsysctlfile.cil new file mode 100644 index 0000000..3aae3b9 --- /dev/null +++ b/src/sys/procfile/sysctlfile/netsysctlfile/ipv6netsysctlfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block ipv6 + + (genfscon "proc" "/sys/net/ipv6" sysctlfile_context) + + (blockinherit .sysctlfile.macro_template_dirs) + (blockinherit .sysctlfile.net.template)) diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/mptcpnetsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/mptcpnetsysctlfile.cil new file mode 100644 index 0000000..0668458 --- /dev/null +++ b/src/sys/procfile/sysctlfile/netsysctlfile/mptcpnetsysctlfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block mptcp + + (genfscon "proc" "/sys/net/mptcp" sysctlfile_context) + + (blockinherit .sysctlfile.macro_template_dirs) + (blockinherit .sysctlfile.net.template)) diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/netfilternetsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/netfilternetsysctlfile.cil new file mode 100644 index 0000000..d4ba916 --- /dev/null +++ b/src/sys/procfile/sysctlfile/netsysctlfile/netfilternetsysctlfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block netfilter + + (genfscon "proc" "/sys/net/netfilter" sysctlfile_context) + + (blockinherit .sysctlfile.macro_template_dirs) + (blockinherit .sysctlfile.net.template)) diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/unixnetsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/unixnetsysctlfile.cil new file mode 100644 index 0000000..bd60a46 --- /dev/null +++ b/src/sys/procfile/sysctlfile/netsysctlfile/unixnetsysctlfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block unix + + (genfscon "proc" "/sys/net/unix" sysctlfile_context) + + (blockinherit .sysctlfile.macro_template_dirs) + (blockinherit .sysctlfile.net.template)) diff --git a/src/sys/procfile/sysctlfile/sunrpcsysctlfile.cil b/src/sys/procfile/sysctlfile/sunrpcsysctlfile.cil new file mode 100644 index 0000000..1b297b7 --- /dev/null +++ b/src/sys/procfile/sysctlfile/sunrpcsysctlfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block sunrpc + + (genfscon "proc" "/sys/sunrpc" sysctlfile_context) + + (blockinherit .sysctlfile.macro_template_dirs) + (blockinherit .sysctlfile.sunrpc.template)) + +(in sysctlfile + + (block sunrpc + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .sysctlfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysctlfile.base_template) + + (call .sysctlfile.sunrpc.type (sysctlfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysctlfile.macro_template_files) + (blockinherit .sysctlfile.sunrpc.base_template)))) diff --git a/src/sys/procfile/sysctlfile/usersysctlfile.cil b/src/sys/procfile/sysctlfile/usersysctlfile.cil new file mode 100644 index 0000000..4b04c86 --- /dev/null +++ b/src/sys/procfile/sysctlfile/usersysctlfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block user + + (genfscon "proc" "/sys/user" sysctlfile_context) + + (blockinherit .sysctlfile.macro_template_dirs) + (blockinherit .sysctlfile.user.template)) + +(in sysctlfile + + (block user + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .sysctlfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysctlfile.base_template) + + (call .sysctlfile.user.type (sysctlfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysctlfile.user.base_template) + (blockinherit .sysctlfile.macro_template_files)))) diff --git a/src/sys/procfile/sysctlfile/vmsysctlfile.cil b/src/sys/procfile/sysctlfile/vmsysctlfile.cil new file mode 100644 index 0000000..b88afd2 --- /dev/null +++ b/src/sys/procfile/sysctlfile/vmsysctlfile.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block vm + + (genfscon "proc" "/sys/vm" sysctlfile_context) + + (blockinherit .sysctlfile.macro_template_dirs) + (blockinherit .sysctlfile.vm.template)) + +(in sysctlfile + + (block vm + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .sysctlfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysctlfile.base_template) + + (call .sysctlfile.vm.type (sysctlfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysctlfile.vm.base_template) + (blockinherit .sysctlfile.macro_template_files)))) diff --git a/src/sys/procfile/sysctlfile/vmsysctlfile/overcommitmemoryvmsysctlfile.cil b/src/sys/procfile/sysctlfile/vmsysctlfile/overcommitmemoryvmsysctlfile.cil new file mode 100644 index 0000000..2ecb737 --- /dev/null +++ b/src/sys/procfile/sysctlfile/vmsysctlfile/overcommitmemoryvmsysctlfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block overcommitmemory + + (genfscon "proc" "/sys/vm/overcommit_memory" sysctlfile_context) + + (blockinherit .sysctlfile.vm.template)) diff --git a/src/sys/procfile/sysctlprocfile.cil b/src/sys/procfile/sysctlprocfile.cil new file mode 100644 index 0000000..79507b3 --- /dev/null +++ b/src/sys/procfile/sysctlprocfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block sysctl + + (genfscon "proc" "/sys" procfile_context) + + (blockinherit .procfile.base_template) + (blockinherit .procfile.macro_template_dirs)) diff --git a/src/sys/procfile/sysrqtriggerprocfile.cil b/src/sys/procfile/sysrqtriggerprocfile.cil new file mode 100644 index 0000000..2950729 --- /dev/null +++ b/src/sys/procfile/sysrqtriggerprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block sysrqtrigger + + (genfscon "proc" "/sysrq-trigger" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/sysvipcprocfile.cil b/src/sys/procfile/sysvipcprocfile.cil new file mode 100644 index 0000000..838e9eb --- /dev/null +++ b/src/sys/procfile/sysvipcprocfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block sysvipc + + (genfscon "proc" "/sysvipc" procfile_context) + + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/timerlistprocfile.cil b/src/sys/procfile/timerlistprocfile.cil new file mode 100644 index 0000000..5f4819c --- /dev/null +++ b/src/sys/procfile/timerlistprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block timerlist + + (genfscon "proc" "/timer_list" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/ttyprocfile.cil b/src/sys/procfile/ttyprocfile.cil new file mode 100644 index 0000000..33372b5 --- /dev/null +++ b/src/sys/procfile/ttyprocfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in tty + + (genfscon "proc" "/tty" procfile_context) + + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/uptimeprocfile.cil b/src/sys/procfile/uptimeprocfile.cil new file mode 100644 index 0000000..c7eb400 --- /dev/null +++ b/src/sys/procfile/uptimeprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block uptime + + (genfscon "proc" "/uptime" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/versionprocfile.cil b/src/sys/procfile/versionprocfile.cil new file mode 100644 index 0000000..3d89ba6 --- /dev/null +++ b/src/sys/procfile/versionprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block version + + (genfscon "proc" "/version" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/vmallocprocfile.cil b/src/sys/procfile/vmallocprocfile.cil new file mode 100644 index 0000000..581a4eb --- /dev/null +++ b/src/sys/procfile/vmallocprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block vmallocinfo + + (genfscon "proc" "/vmallocinfo" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/vmstatprocfile.cil b/src/sys/procfile/vmstatprocfile.cil new file mode 100644 index 0000000..b72e9a6 --- /dev/null +++ b/src/sys/procfile/vmstatprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block vmstat + + (genfscon "proc" "/vmstat" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/zoneinfoprocfile.cil b/src/sys/procfile/zoneinfoprocfile.cil new file mode 100644 index 0000000..48cf543 --- /dev/null +++ b/src/sys/procfile/zoneinfoprocfile.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block zoneinfo + + (genfscon "proc" "/zoneinfo" procfile_context) + + (blockinherit .procfile.template)) diff --git a/src/sys/pstorefile.cil b/src/sys/pstorefile.cil new file mode 100644 index 0000000..b987c04 --- /dev/null +++ b/src/sys/pstorefile.cil @@ -0,0 +1,141 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block pstorefile + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .obj.type (typeattr)) + + (call .pstore.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (context pstorefile_context (.sys.id .sys.role pstorefile lowlevelrange)) + + (type pstorefile) + (call .pstorefile.type (pstorefile))) + + (block macro_template_dirs + + (blockabstract macro_template_dirs) + + (macro addname_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile addname_dir)) + + (macro create_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile create_dir)) + + (macro delete_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile delete_dir)) + + (macro deletename_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile deletename_dir)) + + (macro list_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile list_dir)) + + (macro listinherited_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile listinherited_dir)) + + (macro manage_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile manage_dir)) + + (macro mounton_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile mounton_dir)) + + (macro readwrite_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile readwrite_dir)) + + (macro readwriteinherited_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile readwriteinherited_dir)) + + (macro rename_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile rename_dir)) + + (macro search_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile search_dir)) + + (macro write_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile write_dir)) + + (macro writeinherited_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile writeinherited_dir))) + + (block macro_template_files + + (blockabstract macro_template_files) + + (macro append_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile append_file)) + + (macro appendinherited_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile appendinherited_file)) + + (macro create_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile create_file)) + + (macro delete_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile delete_file)) + + (macro execute_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile execute_file)) + + (macro manage_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile manage_file)) + + (macro mapexecute_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile mapexecute_file)) + + (macro mounton_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile mounton_file)) + + (macro read_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile read_file)) + + (macro readinherited_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile readinherited_file)) + + (macro readwrite_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile readwrite_file)) + + (macro readwriteinherited_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile readwriteinherited_file)) + + (macro rename_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile rename_file)) + + (macro write_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile write_file)) + + (macro writeinherited_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile writeinherited_file))) + + (block template + + (blockabstract template) + + (blockinherit .pstorefile.base_template) + (blockinherit .pstorefile.macro_template_files)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr pstorefile.typeattr (dir (not execmod))) + (allow typeattr pstorefile.typeattr (file (not (entrypoint execmod)))))) + +(in sys.unconfined + + (call .pstorefile.unconfined.type (typeattr))) diff --git a/src/sys/securityfile.cil b/src/sys/securityfile.cil new file mode 100644 index 0000000..1924a9a --- /dev/null +++ b/src/sys/securityfile.cil @@ -0,0 +1,182 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block securityfile + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + + (call .obj.type (typeattr)) + + (call .security.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (context securityfile_context + (.sys.id .sys.role securityfile lowlevelrange)) + + (type securityfile) + (call .securityfile.type (securityfile))) + + (block macro_template_dirs + + (blockabstract macro_template_dirs) + + (macro addname_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile addname_dir)) + + (macro create_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile create_dir)) + + (macro delete_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile delete_dir)) + + (macro deletename_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile deletename_dir)) + + (macro list_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile list_dir)) + + (macro listinherited_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile listinherited_dir)) + + (macro manage_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile manage_dir)) + + (macro mounton_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile mounton_dir)) + + (macro readwrite_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile readwrite_dir)) + + (macro readwriteinherited_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile readwriteinherited_dir)) + + (macro rename_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile rename_dir)) + + (macro search_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile search_dir)) + + (macro write_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile write_dir)) + + (macro writeinherited_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile writeinherited_dir))) + + (block macro_template_files + + (blockabstract macro_template_files) + + (macro append_securityfile_files ((type ARG1)) + (allow ARG1 securityfile append_file)) + + (macro appendinherited_securityfile_files ((type ARG1)) + (allow ARG1 securityfile appendinherited_file)) + + (macro create_securityfile_files ((type ARG1)) + (allow ARG1 securityfile create_file)) + + (macro delete_securityfile_files ((type ARG1)) + (allow ARG1 securityfile delete_file)) + + (macro execute_securityfile_files ((type ARG1)) + (allow ARG1 securityfile execute_file)) + + (macro manage_securityfile_files ((type ARG1)) + (allow ARG1 securityfile manage_file)) + + (macro mapexecute_securityfile_files ((type ARG1)) + (allow ARG1 securityfile mapexecute_file)) + + (macro mounton_securityfile_files ((type ARG1)) + (allow ARG1 securityfile mounton_file)) + + (macro read_securityfile_files ((type ARG1)) + (allow ARG1 securityfile read_file)) + + (macro readinherited_securityfile_files ((type ARG1)) + (allow ARG1 securityfile readinherited_file)) + + (macro readwrite_securityfile_files ((type ARG1)) + (allow ARG1 securityfile readwrite_file)) + + (macro readwriteinherited_securityfile_files ((type ARG1)) + (allow ARG1 securityfile readwriteinherited_file)) + + (macro rename_securityfile_files ((type ARG1)) + (allow ARG1 securityfile rename_file)) + + (macro write_securityfile_files ((type ARG1)) + (allow ARG1 securityfile write_file)) + + (macro writeinherited_securityfile_files ((type ARG1)) + (allow ARG1 securityfile writeinherited_file))) + + (block macro_template_lnk_files + + (blockabstract macro_template_lnk_files) + + (macro create_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile create_lnk_file)) + + (macro delete_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile delete_lnk_file)) + + (macro manage_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile manage_lnk_file)) + + (macro read_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile read_lnk_file)) + + (macro readwrite_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile readwrite_lnk_file)) + + (macro relabel_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile relabel_lnk_file)) + + (macro relabelfrom_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile relabelfrom_lnk_file)) + + (macro relabelto_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile relabelto_lnk_file)) + + (macro rename_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile rename_lnk_file)) + + (macro write_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile write_lnk_file))) + + (block template + + (blockabstract template) + + (blockinherit .securityfile.base_template) + (blockinherit .securityfile.macro_template_files)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr securityfile.typeattr + (dir (not (audit_access execmod relabelfrom relabelto)))) + (allow typeattr securityfile.typeattr + (file (not (audit_access entrypoint execmod relabelfrom relabelto)))) + (allow typeattr securityfile.typeattr + (lnk_file (not (audit_access execmod map mounton relabelfrom + relabelto)))))) + +(in sys.unconfined + + (call .securityfile.unconfined.type (typeattr))) diff --git a/src/sys/sysfile.cil b/src/sys/sysfile.cil new file mode 100644 index 0000000..b7f93cf --- /dev/null +++ b/src/sys/sysfile.cil @@ -0,0 +1,172 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block sysfile + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + + (call .obj.type (typeattr)) + + (call .sys.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (context sysfile_context (.sys.id .sys.role sysfile lowlevelrange)) + + (type sysfile) + (call .sysfile.type (sysfile))) + + (block macro_template_dirs + + (blockabstract macro_template_dirs) + + (macro addname_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile addname_dir)) + + (macro create_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile create_dir)) + + (macro delete_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile delete_dir)) + + (macro deletename_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile deletename_dir)) + + (macro list_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile list_dir)) + + (macro listinherited_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile listinherited_dir)) + + (macro manage_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile manage_dir)) + + (macro mounton_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile mounton_dir)) + + (macro readwrite_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile readwrite_dir)) + + (macro readwriteinherited_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile readwriteinherited_dir)) + + (macro rename_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile rename_dir)) + + (macro search_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile search_dir)) + + (macro write_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile write_dir)) + + (macro writeinherited_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile writeinherited_dir))) + + (block macro_template_files + + (blockabstract macro_template_files) + + (macro append_sysfile_files ((type ARG1)) + (allow ARG1 sysfile append_file)) + + (macro appendinherited_sysfile_files ((type ARG1)) + (allow ARG1 sysfile appendinherited_file)) + + (macro create_sysfile_files ((type ARG1)) + (allow ARG1 sysfile create_file)) + + (macro delete_sysfile_files ((type ARG1)) + (allow ARG1 sysfile delete_file)) + + (macro execute_sysfile_files ((type ARG1)) + (allow ARG1 sysfile execute_file)) + + (macro manage_sysfile_files ((type ARG1)) + (allow ARG1 sysfile manage_file)) + + (macro mapexecute_sysfile_files ((type ARG1)) + (allow ARG1 sysfile mapexecute_file)) + + (macro mounton_sysfile_files ((type ARG1)) + (allow ARG1 sysfile mounton_file)) + + (macro read_sysfile_files ((type ARG1)) + (allow ARG1 sysfile read_file)) + + (macro readinherited_sysfile_files ((type ARG1)) + (allow ARG1 sysfile readinherited_file)) + + (macro readwrite_sysfile_files ((type ARG1)) + (allow ARG1 sysfile readwrite_file)) + + (macro readwriteinherited_sysfile_files ((type ARG1)) + (allow ARG1 sysfile readwriteinherited_file)) + + (macro rename_sysfile_files ((type ARG1)) + (allow ARG1 sysfile rename_file)) + + (macro write_sysfile_files ((type ARG1)) + (allow ARG1 sysfile write_file)) + + (macro writeinherited_sysfile_files ((type ARG1)) + (allow ARG1 sysfile writeinherited_file))) + + (block macro_template_lnk_files + + (blockabstract macro_template_lnk_files) + + (macro create_sysfile_lnk_files ((type ARG1)) + (allow ARG1 sysfile create_lnk_file)) + + (macro delete_sysfile_lnk_files ((type ARG1)) + (allow ARG1 sysfile delete_lnk_file)) + + (macro manage_sysfile_lnk_files ((type ARG1)) + (allow ARG1 sysfile manage_lnk_file)) + + (macro read_sysfile_lnk_files ((type ARG1)) + (allow ARG1 sysfile read_lnk_file)) + + (macro readwrite_sysfile_lnk_files ((type ARG1)) + (allow ARG1 sysfile readwrite_lnk_file)) + + (macro rename_sysfile_lnk_files ((type ARG1)) + (allow ARG1 sysfile rename_lnk_file)) + + (macro write_sysfile_lnk_files ((type ARG1)) + (allow ARG1 sysfile write_lnk_file))) + + (block template + + (blockabstract template) + + (blockinherit .sysfile.base_template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_files) + (blockinherit .sysfile.macro_template_lnk_files)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr sysfile.typeattr (dir (not (audit_access execmod)))) + (allow typeattr sysfile.typeattr + (file (not (audit_access entrypoint execmod)))) + (allow typeattr sysfile.typeattr + (lnk_file (not (audit_access execmod map mounton)))))) + +(in sys.unconfined + + (call .sysfile.unconfined.type (typeattr))) diff --git a/src/sys/sysfile/blocksysfile.cil b/src/sys/sysfile/blocksysfile.cil new file mode 100644 index 0000000..b7c154e --- /dev/null +++ b/src/sys/sysfile/blocksysfile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block block + + (genfscon "sysfs" "/block" sysfile_context) + + (blockinherit .sysfile.block.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) + +(in sysfile + + (block block + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + + (call .sysfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysfile.base_template) + + (call .sysfile.block.type (sysfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysfile.block.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/bussysfile.cil b/src/sys/sysfile/bussysfile.cil new file mode 100644 index 0000000..241d233 --- /dev/null +++ b/src/sys/sysfile/bussysfile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block bus + + (genfscon "sysfs" "/bus" sysfile_context) + + (blockinherit .sysfile.bus.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) + +(in sysfile + + (block bus + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + + (call .sysfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysfile.base_template) + + (call .sysfile.bus.type (sysfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysfile.bus.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/classsysfile.cil b/src/sys/sysfile/classsysfile.cil new file mode 100644 index 0000000..888006b --- /dev/null +++ b/src/sys/sysfile/classsysfile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block class + + (genfscon "sysfs" "/class" sysfile_context) + + (blockinherit .sysfile.class.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) + +(in sysfile + + (block class + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + + (call .sysfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysfile.base_template) + + (call .sysfile.class.type (sysfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysfile.class.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/classsysfile/zramcontrolclasssysfile.cil b/src/sys/sysfile/classsysfile/zramcontrolclasssysfile.cil new file mode 100644 index 0000000..ad852db --- /dev/null +++ b/src/sys/sysfile/classsysfile/zramcontrolclasssysfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block zramcontrol + + (genfscon "sysfs" "/class/zram-control" sysfile_context) + + (blockinherit .sysfile.class.template) + (blockinherit .sysfile.macro_template_dirs)) diff --git a/src/sys/sysfile/devicessysfile.cil b/src/sys/sysfile/devicessysfile.cil new file mode 100644 index 0000000..45f1f3a --- /dev/null +++ b/src/sys/sysfile/devicessysfile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block devices + + (genfscon "sysfs" "/devices" sysfile_context) + + (blockinherit .sysfile.devices.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) + +(in sysfile + + (block devices + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + + (call .sysfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysfile.base_template) + + (call .sysfile.devices.type (sysfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysfile.devices.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/devicessysfile/cpudevicessysfile.cil b/src/sys/sysfile/devicessysfile/cpudevicessysfile.cil new file mode 100644 index 0000000..107d0a4 --- /dev/null +++ b/src/sys/sysfile/devicessysfile/cpudevicessysfile.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in cpu + + (genfscon "sysfs" "/devices/system/cpu" sysfile_context) + + (blockinherit .sysfile.devices.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) diff --git a/src/sys/sysfile/devicessysfile/memorydevicessysfile.cil b/src/sys/sysfile/devicessysfile/memorydevicessysfile.cil new file mode 100644 index 0000000..b25eb11 --- /dev/null +++ b/src/sys/sysfile/devicessysfile/memorydevicessysfile.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block memory + + (genfscon "sysfs" "/devices/system/memory" sysfile_context) + + (blockinherit .sysfile.devices.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) diff --git a/src/sys/sysfile/devicessysfile/nodedevicessysfile.cil b/src/sys/sysfile/devicessysfile/nodedevicessysfile.cil new file mode 100644 index 0000000..9ff1dd4 --- /dev/null +++ b/src/sys/sysfile/devicessysfile/nodedevicessysfile.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block node + + (genfscon "sysfs" "/devices/system/node" sysfile_context) + + (blockinherit .sysfile.devices.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) diff --git a/src/sys/sysfile/devicessysfile/zramdevicessysfile.cil b/src/sys/sysfile/devicessysfile/zramdevicessysfile.cil new file mode 100644 index 0000000..a99223f --- /dev/null +++ b/src/sys/sysfile/devicessysfile/zramdevicessysfile.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in zram + + (genfscon "sysfs" "/devices/virtual/block/zram" sysfile_context) + + (blockinherit .sysfile.devices.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) diff --git a/src/sys/sysfile/devsysfile.cil b/src/sys/sysfile/devsysfile.cil new file mode 100644 index 0000000..7c3e609 --- /dev/null +++ b/src/sys/sysfile/devsysfile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in dev + + (genfscon "sysfs" "/dev" sysfile_context) + + (blockinherit .sysfile.dev.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) + +(in sysfile + + (block dev + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + + (call .sysfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysfile.base_template) + + (call .sysfile.dev.type (sysfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysfile.dev.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/firmwaresysfile.cil b/src/sys/sysfile/firmwaresysfile.cil new file mode 100644 index 0000000..e5241b4 --- /dev/null +++ b/src/sys/sysfile/firmwaresysfile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block firmware + + (genfscon "sysfs" "/firmware" sysfile_context) + + (blockinherit .sysfile.firmware.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) + +(in sysfile + + (block firmware + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + + (call .sysfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysfile.base_template) + + (call .sysfile.firmware.type (sysfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysfile.firmware.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/fssysfile.cil b/src/sys/sysfile/fssysfile.cil new file mode 100644 index 0000000..ee4f259 --- /dev/null +++ b/src/sys/sysfile/fssysfile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in fs + + (genfscon "sysfs" "/fs" sysfile_context) + + (blockinherit .sysfile.fs.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) + +(in sysfile + + (block fs + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + + (call .sysfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysfile.base_template) + + (call .sysfile.fs.type (sysfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysfile.fs.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/fssysfile/btrfssysfile.cil b/src/sys/sysfile/fssysfile/btrfssysfile.cil new file mode 100644 index 0000000..536e355 --- /dev/null +++ b/src/sys/sysfile/fssysfile/btrfssysfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block btrfs + + (genfscon "sysfs" "/fs/btrfs" sysfile_context) + + (blockinherit .sysfile.fs.template) + (blockinherit .sysfile.macro_template_dirs)) diff --git a/src/sys/sysfile/fssysfile/ext4fssysfile.cil b/src/sys/sysfile/fssysfile/ext4fssysfile.cil new file mode 100644 index 0000000..c79e258 --- /dev/null +++ b/src/sys/sysfile/fssysfile/ext4fssysfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block ext4 + + (genfscon "sysfs" "/fs/ext4" sysfile_context) + + (blockinherit .sysfile.fs.template) + (blockinherit .sysfile.macro_template_dirs)) diff --git a/src/sys/sysfile/fssysfile/f2fssysfile.cil b/src/sys/sysfile/fssysfile/f2fssysfile.cil new file mode 100644 index 0000000..f95f2c9 --- /dev/null +++ b/src/sys/sysfile/fssysfile/f2fssysfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block f2fs + + (genfscon "sysfs" "/fs/f2fs" sysfile_context) + + (blockinherit .sysfile.fs.template) + (blockinherit .sysfile.macro_template_dirs)) diff --git a/src/sys/sysfile/fssysfile/fusefssysfile.cil b/src/sys/sysfile/fssysfile/fusefssysfile.cil new file mode 100644 index 0000000..9fc7381 --- /dev/null +++ b/src/sys/sysfile/fssysfile/fusefssysfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in fuse + + (genfscon "sysfs" "/fs/fuse" sysfile_context) + + (blockinherit .sysfile.fs.template) + (blockinherit .sysfile.macro_template_dirs)) diff --git a/src/sys/sysfile/fssysfile/xfssysfile.cil b/src/sys/sysfile/fssysfile/xfssysfile.cil new file mode 100644 index 0000000..ac0986f --- /dev/null +++ b/src/sys/sysfile/fssysfile/xfssysfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block xfs + + (genfscon "sysfs" "/fs/xfs" sysfile_context) + + (blockinherit .sysfile.fs.template) + (blockinherit .sysfile.macro_template_dirs)) diff --git a/src/sys/sysfile/hypervisorsysfile.cil b/src/sys/sysfile/hypervisorsysfile.cil new file mode 100644 index 0000000..750559f --- /dev/null +++ b/src/sys/sysfile/hypervisorsysfile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block hypervisor + + (genfscon "sysfs" "/hypervisor" sysfile_context) + + (blockinherit .sysfile.hypervisor.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) + +(in sysfile + + (block hypervisor + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + + (call .sysfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysfile.base_template) + + (call .sysfile.hypervisor.type (sysfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysfile.hypervisor.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/kernelsysfile.cil b/src/sys/sysfile/kernelsysfile.cil new file mode 100644 index 0000000..e719923 --- /dev/null +++ b/src/sys/sysfile/kernelsysfile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in kernel + + (genfscon "sysfs" "/kernel" sysfile_context) + + (blockinherit .sysfile.kernel.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) + +(in sysfile + + (block kernel + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + + (call .sysfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysfile.base_template) + + (call .sysfile.kernel.type (sysfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysfile.kernel.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/kernelsysfile/ksmkernelsysfile.cil b/src/sys/sysfile/kernelsysfile/ksmkernelsysfile.cil new file mode 100644 index 0000000..a37ac55 --- /dev/null +++ b/src/sys/sysfile/kernelsysfile/ksmkernelsysfile.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(in ksm + + (genfscon "sysfs" "/kernel/mm/ksm" sysfile_context) + + (blockinherit .sysfile.kernel.template) + (blockinherit .sysfile.macro_template_dirs)) diff --git a/src/sys/sysfile/modulesysfile.cil b/src/sys/sysfile/modulesysfile.cil new file mode 100644 index 0000000..6a2f95d --- /dev/null +++ b/src/sys/sysfile/modulesysfile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block module + + (genfscon "sysfs" "/module" sysfile_context) + + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files) + (blockinherit .sysfile.module.template)) + +(in sysfile + + (block module + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + + (call .sysfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysfile.base_template) + + (call .sysfile.module.type (sysfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysfile.module.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/powersysfile.cil b/src/sys/sysfile/powersysfile.cil new file mode 100644 index 0000000..47bb32a --- /dev/null +++ b/src/sys/sysfile/powersysfile.cil @@ -0,0 +1,40 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block power + + (genfscon "sysfs" "/power" sysfile_context) + + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files) + (blockinherit .sysfile.power.template)) + +(in sysfile + + (block power + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + + (call .sysfile.type (typeattr)) + + (block base_template + + (blockabstract base_template) + + (blockinherit .sysfile.base_template) + + (call .sysfile.power.type (sysfile))) + + (block template + + (blockabstract template) + + (blockinherit .sysfile.power.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/tracefile.cil b/src/sys/tracefile.cil new file mode 100644 index 0000000..4c7c94c --- /dev/null +++ b/src/sys/tracefile.cil @@ -0,0 +1,142 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(block tracefile + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + + (call .obj.type (typeattr)) + + (call .trace.associate_fs (typeattr)) + + (block base_template + + (blockabstract base_template) + + (context tracefile_context (.sys.id .sys.role tracefile lowlevelrange)) + + (type tracefile) + (call .tracefile.type (tracefile))) + + (block macro_template_dirs + + (blockabstract macro_template_dirs) + + (macro addname_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile addname_dir)) + + (macro create_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile create_dir)) + + (macro delete_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile delete_dir)) + + (macro deletename_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile deletename_dir)) + + (macro list_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile list_dir)) + + (macro listinherited_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile listinherited_dir)) + + (macro manage_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile manage_dir)) + + (macro mounton_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile mounton_dir)) + + (macro readwrite_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile readwrite_dir)) + + (macro readwriteinherited_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile readwriteinherited_dir)) + + (macro rename_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile rename_dir)) + + (macro search_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile search_dir)) + + (macro write_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile write_dir)) + + (macro writeinherited_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile writeinherited_dir))) + + (block macro_template_files + + (blockabstract macro_template_files) + + (macro append_tracefile_files ((type ARG1)) + (allow ARG1 tracefile append_file)) + + (macro appendinherited_tracefile_files ((type ARG1)) + (allow ARG1 tracefile appendinherited_file)) + + (macro create_tracefile_files ((type ARG1)) + (allow ARG1 tracefile create_file)) + + (macro delete_tracefile_files ((type ARG1)) + (allow ARG1 tracefile delete_file)) + + (macro execute_tracefile_files ((type ARG1)) + (allow ARG1 tracefile execute_file)) + + (macro manage_tracefile_files ((type ARG1)) + (allow ARG1 tracefile manage_file)) + + (macro mapexecute_tracefile_files ((type ARG1)) + (allow ARG1 tracefile mapexecute_file)) + + (macro mounton_tracefile_files ((type ARG1)) + (allow ARG1 tracefile mounton_file)) + + (macro read_tracefile_files ((type ARG1)) + (allow ARG1 tracefile read_file)) + + (macro readinherited_tracefile_files ((type ARG1)) + (allow ARG1 tracefile readinherited_file)) + + (macro readwrite_tracefile_files ((type ARG1)) + (allow ARG1 tracefile readwrite_file)) + + (macro readwriteinherited_tracefile_files ((type ARG1)) + (allow ARG1 tracefile readwriteinherited_file)) + + (macro rename_tracefile_files ((type ARG1)) + (allow ARG1 tracefile rename_file)) + + (macro write_tracefile_files ((type ARG1)) + (allow ARG1 tracefile write_file)) + + (macro writeinherited_tracefile_files ((type ARG1)) + (allow ARG1 tracefile writeinherited_file))) + + (block template + + (blockabstract template) + + (blockinherit .tracefile.base_template) + (blockinherit .tracefile.macro_template_files)) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr tracefile.typeattr (dir (not (audit_access execmod)))) + (allow typeattr tracefile.typeattr + (file (not (audit_access entrypoint execmod)))))) + +(in sys.unconfined + + (call .tracefile.unconfined.type (typeattr))) diff --git a/src/unlabeled.cil b/src/unlabeled.cil new file mode 100644 index 0000000..1703472 --- /dev/null +++ b/src/unlabeled.cil @@ -0,0 +1,382 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-License-Identifier: Unlicense + +(sidcontext file (sys.id sys.role unlabeled lowlevelrange)) + +(macro addname_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled addname_dir)) + +(macro append_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled append_blk_file)) + +(macro append_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled append_chr_file)) + +(macro append_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled append_fifo_file)) + +(macro append_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled append_file)) + +(macro appendinherited_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled appendinherited_blk_file)) + +(macro appendinherited_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled appendinherited_chr_file)) + +(macro appendinherited_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled appendinherited_fifo_file)) + +(macro appendinherited_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled appendinherited_file)) + +(macro create_unlabeled ((type ARG1)) + (allow ARG1 unlabeled (files (create)))) + +(macro create_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled create_blk_file)) + +(macro create_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled create_chr_file)) + +(macro create_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled create_dir)) + +(macro create_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled create_fifo_file)) + +(macro create_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled create_file)) + +(macro create_unlabeled_lnk_files ((type ARG1)) + (allow ARG1 unlabeled create_lnk_file)) + +(macro create_unlabeled_sock_files ((type ARG1)) + (allow ARG1 unlabeled create_sock_file)) + +(macro delete_unlabeled ((type ARG1)) + (allow ARG1 unlabeled (files (delete)))) + +(macro delete_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled delete_blk_file)) + +(macro delete_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled delete_chr_file)) + +(macro delete_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled delete_dir)) + +(macro delete_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled delete_fifo_file)) + +(macro delete_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled delete_file)) + +(macro delete_unlabeled_lnk_files ((type ARG1)) + (allow ARG1 unlabeled delete_lnk_file)) + +(macro delete_unlabeled_sock_files ((type ARG1)) + (allow ARG1 unlabeled delete_sock_file)) + +(macro deletename_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled deletename_dir)) + +(macro execute_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled execute_file)) + +(macro list_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled list_dir)) + +(macro listinherited_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled listinherited_dir)) + +(macro manage_unlabeled ((type ARG1)) + (allow ARG1 unlabeled (files (manage)))) + +(macro manage_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled manage_blk_file)) + +(macro manage_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled manage_chr_file)) + +(macro manage_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled manage_dir)) + +(macro manage_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled manage_fifo_file)) + +(macro manage_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled manage_file)) + +(macro manage_unlabeled_lnk_files ((type ARG1)) + (allow ARG1 unlabeled manage_lnk_file)) + +(macro manage_unlabeled_sock_files ((type ARG1)) + (allow ARG1 unlabeled manage_sock_file)) + +(macro mapexecute_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled mapexecute_chr_file)) + +(macro mapexecute_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled mapexecute_file)) + +(macro mounton_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled mounton_dir)) + +(macro mounton_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled mounton_file)) + +(macro read_unlabeled ((type ARG1)) + (allow ARG1 unlabeled (files (read)))) + +(macro read_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled read_blk_file)) + +(macro read_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled read_chr_file)) + +(macro read_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled read_fifo_file)) + +(macro read_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled read_file)) + +(macro read_unlabeled_lnk_files ((type ARG1)) + (allow ARG1 unlabeled read_lnk_file)) + +(macro read_unlabeled_sock_files ((type ARG1)) + (allow ARG1 unlabeled read_sock_file)) + +(macro readinherited_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled readinherited_blk_file)) + +(macro readinherited_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled readinherited_chr_file)) + +(macro readinherited_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled readinherited_fifo_file)) + +(macro readinherited_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled readinherited_file)) + +(macro readinherited_unlabeled_sock_files ((type ARG1)) + (allow ARG1 unlabeled readinherited_sock_file)) + +(macro readwrite_unlabeled ((type ARG1)) + (allow ARG1 unlabeled (files (readwrite)))) + +(macro readwrite_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled readwrite_blk_file)) + +(macro readwrite_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled readwrite_chr_file)) + +(macro readwrite_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled readwrite_dir)) + +(macro readwrite_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled readwrite_fifo_file)) + +(macro readwrite_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled readwrite_file)) + +(macro readwrite_unlabeled_lnk_files ((type ARG1)) + (allow ARG1 unlabeled readwrite_lnk_file)) + +(macro readwrite_unlabeled_sock_files ((type ARG1)) + (allow ARG1 unlabeled readwrite_sock_file)) + +(macro readwriteinherited_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled readwriteinherited_blk_file)) + +(macro readwriteinherited_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled readwriteinherited_chr_file)) + +(macro readwriteinherited_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled readwriteinherited_dir)) + +(macro readwriteinherited_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled readwriteinherited_fifo_file)) + +(macro readwriteinherited_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled readwriteinherited_file)) + +(macro readwriteinherited_unlabeled_sock_files ((type ARG1)) + (allow ARG1 unlabeled readwriteinherited_sock_file)) + +(macro relabel_unlabeled ((type ARG1)) + (allow ARG1 unlabeled (files (relabel)))) + +(macro relabel_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled relabel_blk_file)) + +(macro relabel_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled relabel_chr_file)) + +(macro relabel_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled relabel_dir)) + +(macro relabel_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled relabel_fifo_file)) + +(macro relabel_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled relabel_file)) + +(macro relabel_unlabeled_lnk_files ((type ARG1)) + (allow ARG1 unlabeled relabel_lnk_file)) + +(macro relabel_unlabeled_sock_files ((type ARG1)) + (allow ARG1 unlabeled relabel_sock_file)) + +(macro relabelfrom_unlabeled ((type ARG1)) + (allow ARG1 unlabeled (files (relabelfrom)))) + +(macro relabelfrom_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled relabelfrom_blk_file)) + +(macro relabelfrom_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled relabelfrom_chr_file)) + +(macro relabelfrom_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled relabelfrom_dir)) + +(macro relabelfrom_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled relabelfrom_fifo_file)) + +(macro relabelfrom_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled relabelfrom_file)) + +(macro relabelfrom_unlabeled_lnk_files ((type ARG1)) + (allow ARG1 unlabeled relabelfrom_lnk_file)) + +(macro relabelfrom_unlabeled_sock_files ((type ARG1)) + (allow ARG1 unlabeled relabelfrom_sock_file)) + +(macro relabelto_unlabeled ((type ARG1)) + (allow ARG1 unlabeled (files (relabelto)))) + +(macro relabelto_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled relabelto_blk_file)) + +(macro relabelto_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled relabelto_chr_file)) + +(macro relabelto_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled relabelto_dir)) + +(macro relabelto_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled relabelto_fifo_file)) + +(macro relabelto_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled relabelto_file)) + +(macro relabelto_unlabeled_lnk_files ((type ARG1)) + (allow ARG1 unlabeled relabelto_lnk_file)) + +(macro relabelto_unlabeled_sock_files ((type ARG1)) + (allow ARG1 unlabeled relabelto_sock_file)) + +(macro rename_unlabeled ((type ARG1)) + (allow ARG1 unlabeled (files (rename)))) + +(macro rename_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled rename_blk_file)) + +(macro rename_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled rename_chr_file)) + +(macro rename_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled rename_dir)) + +(macro rename_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled rename_fifo_file)) + +(macro rename_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled rename_file)) + +(macro rename_unlabeled_lnk_files ((type ARG1)) + (allow ARG1 unlabeled rename_lnk_file)) + +(macro rename_unlabeled_sock_files ((type ARG1)) + (allow ARG1 unlabeled rename_sock_file)) + +(macro search_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled search_dir)) + +(macro unlabeled_type_transition ((type ARG1)(type ARG2)(class ARG3)(name ARG4)) + (typetransition ARG1 unlabeled ARG3 ARG4 ARG2) + (call addname_unlabeled_dirs (ARG1))) + +(macro write_unlabeled ((type ARG1)) + (allow ARG1 unlabeled (files (write)))) + +(macro write_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled write_blk_file)) + +(macro write_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled write_chr_file)) + +(macro write_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled write_dir)) + +(macro write_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled write_fifo_file)) + +(macro write_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled write_file)) + +(macro write_unlabeled_lnk_files ((type ARG1)) + (allow ARG1 unlabeled write_lnk_file)) + +(macro write_unlabeled_sock_files ((type ARG1)) + (allow ARG1 unlabeled write_sock_file)) + +(macro writeinherited_unlabeled_blk_files ((type ARG1)) + (allow ARG1 unlabeled writeinherited_blk_file)) + +(macro writeinherited_unlabeled_chr_files ((type ARG1)) + (allow ARG1 unlabeled writeinherited_chr_file)) + +(macro writeinherited_unlabeled_dirs ((type ARG1)) + (allow ARG1 unlabeled writeinherited_dir)) + +(macro writeinherited_unlabeled_fifo_files ((type ARG1)) + (allow ARG1 unlabeled writeinherited_fifo_file)) + +(macro writeinherited_unlabeled_files ((type ARG1)) + (allow ARG1 unlabeled writeinherited_file)) + +(macro writeinherited_unlabeled_sock_files ((type ARG1)) + (allow ARG1 unlabeled writeinherited_sock_file)) + +(type unlabeled) +(roletype sys.role unlabeled) + +(call .xattr.associate_fs (unlabeled)) + +(block unlabeled + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr .unlabeled + (blk_file (not (audit_access execmod map mounton relabelto)))) + (allow typeattr .unlabeled + (chr_file (not (audit_access execmod mounton relabelto)))) + (allow typeattr .unlabeled (dir (not (audit_access execmod relabelto)))) + (allow typeattr .unlabeled + (fifo_file (not (audit_access execmod map mounton relabelto)))) + (allow typeattr .unlabeled + (file (not (audit_access entrypoint execmod relabelto)))) + (allow typeattr .unlabeled + (lnk_file (not (audit_access execmod map mounton relabelto)))) + (allow typeattr .unlabeled + (sock_file (not (audit_access execmod map mounton relabelto)))))) + +(in unconfined + + (call .unlabeled.unconfined.type (typeattr))) |