Diffstat (limited to 'src/dev/nodedev')
-rw-r--r--src/dev/nodedev/apmnodedev.cil8
-rw-r--r--src/dev/nodedev/autofsnodedev.cil8
-rw-r--r--src/dev/nodedev/btrfscontrolnodedev.cil8
-rw-r--r--src/dev/nodedev/cachefilesnodedev.cil8
-rw-r--r--src/dev/nodedev/cdcwdmnodedev.cil8
-rw-r--r--src/dev/nodedev/clocknodedev.cil10
-rw-r--r--src/dev/nodedev/cpunodedev.cil8
-rw-r--r--src/dev/nodedev/crashnodedev.cil8
-rw-r--r--src/dev/nodedev/cusenodedev.cil8
-rw-r--r--src/dev/nodedev/dmaheapnodedev.cil8
-rw-r--r--src/dev/nodedev/dmcontrolnodedev.cil8
-rw-r--r--src/dev/nodedev/drinodedev.cil10
-rw-r--r--src/dev/nodedev/drmdpauxnodedev.cil8
-rw-r--r--src/dev/nodedev/eventnodedev.cil10
-rw-r--r--src/dev/nodedev/fbnodedev.cil8
-rw-r--r--src/dev/nodedev/gpionodedev.cil8
-rw-r--r--src/dev/nodedev/hiddevnodedev.cil8
-rw-r--r--src/dev/nodedev/hidrawnodedev.cil8
-rw-r--r--src/dev/nodedev/hwrngnodedev.cil8
-rw-r--r--src/dev/nodedev/i2cnodedev.cil8
-rw-r--r--src/dev/nodedev/iionodedev.cil8
-rw-r--r--src/dev/nodedev/infinibandnodedev.cil8
-rw-r--r--src/dev/nodedev/inputnodedev.cil10
-rw-r--r--src/dev/nodedev/ipminodedev.cil8
-rw-r--r--src/dev/nodedev/kfdnodedev.cil8
-rw-r--r--src/dev/nodedev/kmsgnodedev.cil8
-rw-r--r--src/dev/nodedev/ksmnodedev.cil8
-rw-r--r--src/dev/nodedev/kvmnodedev.cil10
-rw-r--r--src/dev/nodedev/lircnodedev.cil8
-rw-r--r--src/dev/nodedev/loopcontrolnodedev.cil8
-rw-r--r--src/dev/nodedev/mcelognodedev.cil8
-rw-r--r--src/dev/nodedev/meinodedev.cil8
-rw-r--r--src/dev/nodedev/memnodedev.cil53
-rw-r--r--src/dev/nodedev/modemnodedev.cil8
-rw-r--r--src/dev/nodedev/ndctlnodedev.cil8
-rw-r--r--src/dev/nodedev/nullnodedev.cil13
-rw-r--r--src/dev/nodedev/nvramnodedev.cil8
-rw-r--r--src/dev/nodedev/pmunodedev.cil9
-rw-r--r--src/dev/nodedev/pppnodedev.cil8
-rw-r--r--src/dev/nodedev/printernodedev.cil9
-rw-r--r--src/dev/nodedev/ptmxnodedev.cil10
-rw-r--r--src/dev/nodedev/qosnodedev.cil11
-rw-r--r--src/dev/nodedev/randomnodedev.cil11
-rw-r--r--src/dev/nodedev/rfkillnodedev.cil8
-rw-r--r--src/dev/nodedev/sndnodedev.cil10
-rw-r--r--src/dev/nodedev/tpmnodedev.cil9
-rw-r--r--src/dev/nodedev/ttynodedev.cil10
-rw-r--r--src/dev/nodedev/tuntapnodedev.cil11
-rw-r--r--src/dev/nodedev/udmabufnodedev.cil8
-rw-r--r--src/dev/nodedev/uffdnodedev.cil8
-rw-r--r--src/dev/nodedev/uhidnodedev.cil8
-rw-r--r--src/dev/nodedev/uinputnodedev.cil8
-rw-r--r--src/dev/nodedev/uionodedev.cil8
-rw-r--r--src/dev/nodedev/usbmonnodedev.cil8
-rw-r--r--src/dev/nodedev/usbnodedev.cil8
-rw-r--r--src/dev/nodedev/v4lnodedev.cil11
-rw-r--r--src/dev/nodedev/vfionodedev.cil10
-rw-r--r--src/dev/nodedev/vgaarbiternodedev.cil8
-rw-r--r--src/dev/nodedev/vhostnodedev.cil11
-rw-r--r--src/dev/nodedev/vmcinodedev.cil9
-rw-r--r--src/dev/nodedev/watchdognodedev.cil8
-rw-r--r--src/dev/nodedev/zeronodedev.cil10
62 files changed, 585 insertions, 0 deletions
diff --git a/src/dev/nodedev/apmnodedev.cil b/src/dev/nodedev/apmnodedev.cil
new file mode 100644
index 0000000..d13ee45
--- /dev/null
+++ b/src/dev/nodedev/apmnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block apm
+
+ (filecon "/dev/snapshot" char nodedev_context)
+
+ (blockinherit .nodedev.template))
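Review bot: The `apm` block labels only `/dev/snapshot` and has no entry for `/dev/apm_bios`, so the block name does not describe what the type covers. If the APM BIOS node is meant to share this type, add `(filecon "/dev/apm_bios" char nodedev_context)`. Otherwise a comment such as `;; /dev/snapshot: software-suspend snapshot device, grouped under apm` would tell a policy author what they are granting. The snapshot device gives access to the hibernation image, so the intended consumers of `apm.nodedev` should be clear from the file itself.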
diff --git a/src/dev/nodedev/autofsnodedev.cil b/src/dev/nodedev/autofsnodedev.cil
new file mode 100644
index 0000000..1aea912
--- /dev/null
+++ b/src/dev/nodedev/autofsnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block autofs
+
+ (filecon "/dev/autofs" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/btrfscontrolnodedev.cil b/src/dev/nodedev/btrfscontrolnodedev.cil
new file mode 100644
index 0000000..e390955
--- /dev/null
+++ b/src/dev/nodedev/btrfscontrolnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block btrfscontrol
+
+ (filecon "/dev/btrfs-control" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cachefilesnodedev.cil b/src/dev/nodedev/cachefilesnodedev.cil
new file mode 100644
index 0000000..8b3aba2
--- /dev/null
+++ b/src/dev/nodedev/cachefilesnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cachefiles
+
+ (filecon "/dev/cachefiles" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cdcwdmnodedev.cil b/src/dev/nodedev/cdcwdmnodedev.cil
new file mode 100644
index 0000000..1c03f7f
--- /dev/null
+++ b/src/dev/nodedev/cdcwdmnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cdcwdm
+
+ (filecon "/dev/cdc-wdm([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/clocknodedev.cil b/src/dev/nodedev/clocknodedev.cil
new file mode 100644
index 0000000..97a67f7
--- /dev/null
+++ b/src/dev/nodedev/clocknodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block clock
+
+ (filecon "/dev/hpet" char nodedev_context)
+ (filecon "/dev/ptp([0-9]+)?" char nodedev_context)
+ (filecon "/dev/rtc([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cpunodedev.cil b/src/dev/nodedev/cpunodedev.cil
new file mode 100644
index 0000000..07fc918
--- /dev/null
+++ b/src/dev/nodedev/cpunodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cpu
+
+ (filecon "/dev/cpu/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
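Review bot: `/dev/cpu/.+` puts every node below /dev/cpu into the single type `cpu.nodedev`, which on x86 would cover both the per-CPU `cpuid` nodes and the far more sensitive `msr` nodes. A domain that is granted this type to query CPUID can then also be granted nothing narrower for MSR access. Consider a separate block with a more specific entry such as `(filecon "/dev/cpu/[0-9]+/msr" char nodedev_context)`. At minimum, add a comment stating that the type includes MSR nodes.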
diff --git a/src/dev/nodedev/crashnodedev.cil b/src/dev/nodedev/crashnodedev.cil
new file mode 100644
index 0000000..db1abe9
--- /dev/null
+++ b/src/dev/nodedev/crashnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block crash
+
+ (filecon "/dev/crash" char nodedev_context)
+
+ (blockinherit .nodedev.template))
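Review bot: `crash.nodedev` is a plain template type with no guard, whereas `mem.nodedev` in memnodedev.cil is protected by `neverallow` rules. On kernels that ship the crash driver, `/dev/crash` exposes kernel memory for reading, so it appears to belong in the same sensitivity class as /dev/mem. Consider an equivalent read guard for this type, or a comment such as `;; /dev/crash: kernel memory read interface, treat like /dev/mem` so that later rules are written with that in mind.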
diff --git a/src/dev/nodedev/cusenodedev.cil b/src/dev/nodedev/cusenodedev.cil
new file mode 100644
index 0000000..ab303b0
--- /dev/null
+++ b/src/dev/nodedev/cusenodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cuse
+
+ (filecon "/dev/cuse" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/dmaheapnodedev.cil b/src/dev/nodedev/dmaheapnodedev.cil
new file mode 100644
index 0000000..acaa5e8
--- /dev/null
+++ b/src/dev/nodedev/dmaheapnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dmaheap
+
+ (filecon "/dev/dma_heap/.*" char nodedev_context)
+
+ (blockinherit .nodedev.template))
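Review bot: This pattern ends in `.*`, while the other directory patterns in this commit (`/dev/cpu/.+`, `/dev/dri/.+`, `/dev/snd/.+`) end in `.+`. With `.*` the entry also matches the bare `/dev/dma_heap/` path. That is harmless for a `char` entry but inconsistent with the rest of the directory. `(filecon "/dev/dma_heap/.+" char nodedev_context)` would bring it in line.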
diff --git a/src/dev/nodedev/dmcontrolnodedev.cil b/src/dev/nodedev/dmcontrolnodedev.cil
new file mode 100644
index 0000000..687e1e4
--- /dev/null
+++ b/src/dev/nodedev/dmcontrolnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dmcontrol
+
+ (filecon "/dev/mapper/control" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/drinodedev.cil b/src/dev/nodedev/drinodedev.cil
new file mode 100644
index 0000000..d215a46
--- /dev/null
+++ b/src/dev/nodedev/drinodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dri
+
+ (filecon "/dev/dri/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/drmdpauxnodedev.cil b/src/dev/nodedev/drmdpauxnodedev.cil
new file mode 100644
index 0000000..59c5257
--- /dev/null
+++ b/src/dev/nodedev/drmdpauxnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block drmdpaux
+
+ (filecon "/dev/drm_dp_aux[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/eventnodedev.cil b/src/dev/nodedev/eventnodedev.cil
new file mode 100644
index 0000000..a8e3ee5
--- /dev/null
+++ b/src/dev/nodedev/eventnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block event
+
+ (filecon "/dev/input/event([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/fbnodedev.cil b/src/dev/nodedev/fbnodedev.cil
new file mode 100644
index 0000000..47d670c
--- /dev/null
+++ b/src/dev/nodedev/fbnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block fb
+
+ (filecon "/dev/fb([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/gpionodedev.cil b/src/dev/nodedev/gpionodedev.cil
new file mode 100644
index 0000000..466fbdb
--- /dev/null
+++ b/src/dev/nodedev/gpionodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block gpio
+
+ (filecon "/dev/gpiochip([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/hiddevnodedev.cil b/src/dev/nodedev/hiddevnodedev.cil
new file mode 100644
index 0000000..202a000
--- /dev/null
+++ b/src/dev/nodedev/hiddevnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block hiddev
+
+ (filecon "/dev/hiddev[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/hidrawnodedev.cil b/src/dev/nodedev/hidrawnodedev.cil
new file mode 100644
index 0000000..3ca398f
--- /dev/null
+++ b/src/dev/nodedev/hidrawnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block hidraw
+
+ (filecon "/dev/hidraw[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/hwrngnodedev.cil b/src/dev/nodedev/hwrngnodedev.cil
new file mode 100644
index 0000000..76a14bf
--- /dev/null
+++ b/src/dev/nodedev/hwrngnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block hwrng
+
+ (filecon "/dev/hwrng" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/i2cnodedev.cil b/src/dev/nodedev/i2cnodedev.cil
new file mode 100644
index 0000000..e6bd3d0
--- /dev/null
+++ b/src/dev/nodedev/i2cnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block i2c
+
+ (filecon "/dev/i2c([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
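Review bot: The pattern `/dev/i2c([0-9]+)?` matches `/dev/i2c` and `/dev/i2c0`, but not the `/dev/i2c-0` style names that, as far as I know, the kernel's i2c-dev driver creates. Those nodes would then miss `i2c.nodedev` and pick up whatever less specific context applies under /dev, so rules written against this type would not cover the real devices. If the hyphenated naming is the target, the line should read `(filecon "/dev/i2c-[0-9]+" char nodedev_context)`.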
diff --git a/src/dev/nodedev/iionodedev.cil b/src/dev/nodedev/iionodedev.cil
new file mode 100644
index 0000000..40e9d4b
--- /dev/null
+++ b/src/dev/nodedev/iionodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block iio
+
+ (filecon "/dev/iio:device([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/infinibandnodedev.cil b/src/dev/nodedev/infinibandnodedev.cil
new file mode 100644
index 0000000..4b15207
--- /dev/null
+++ b/src/dev/nodedev/infinibandnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block infiniband
+
+ (filecon "/dev/infiniband/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/inputnodedev.cil b/src/dev/nodedev/inputnodedev.cil
new file mode 100644
index 0000000..c68115a
--- /dev/null
+++ b/src/dev/nodedev/inputnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block input
+
+ (filecon "/dev/input/js([0-9]+)?" char nodedev_context)
+ (filecon "/dev/input/mice" char nodedev_context)
+ (filecon "/dev/input/mouse([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ipminodedev.cil b/src/dev/nodedev/ipminodedev.cil
new file mode 100644
index 0000000..21b4c66
--- /dev/null
+++ b/src/dev/nodedev/ipminodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ipmi
+
+ (filecon "/dev/ipmi[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/kfdnodedev.cil b/src/dev/nodedev/kfdnodedev.cil
new file mode 100644
index 0000000..1b90a69
--- /dev/null
+++ b/src/dev/nodedev/kfdnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kfd
+
+ (filecon "/dev/kfd" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/kmsgnodedev.cil b/src/dev/nodedev/kmsgnodedev.cil
new file mode 100644
index 0000000..3417a9e
--- /dev/null
+++ b/src/dev/nodedev/kmsgnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kmsg
+
+ (filecon "/dev/kmsg" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ksmnodedev.cil b/src/dev/nodedev/ksmnodedev.cil
new file mode 100644
index 0000000..b979ca9
--- /dev/null
+++ b/src/dev/nodedev/ksmnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ksm
+
+ (filecon "/dev/ksm" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/kvmnodedev.cil b/src/dev/nodedev/kvmnodedev.cil
new file mode 100644
index 0000000..8b13d49
--- /dev/null
+++ b/src/dev/nodedev/kvmnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kvm
+
+ (filecon "/dev/kvm" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/lircnodedev.cil b/src/dev/nodedev/lircnodedev.cil
new file mode 100644
index 0000000..4a96ea0
--- /dev/null
+++ b/src/dev/nodedev/lircnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block lirc
+
+ (filecon "/dev/lirc[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/loopcontrolnodedev.cil b/src/dev/nodedev/loopcontrolnodedev.cil
new file mode 100644
index 0000000..e594763
--- /dev/null
+++ b/src/dev/nodedev/loopcontrolnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block loopcontrol
+
+ (filecon "/dev/loop-control" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/mcelognodedev.cil b/src/dev/nodedev/mcelognodedev.cil
new file mode 100644
index 0000000..98ddaf7
--- /dev/null
+++ b/src/dev/nodedev/mcelognodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mcelog
+
+ (filecon "/dev/mcelog" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/meinodedev.cil b/src/dev/nodedev/meinodedev.cil
new file mode 100644
index 0000000..41f9f8d
--- /dev/null
+++ b/src/dev/nodedev/meinodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mei
+
+ (filecon "/dev/mei([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/memnodedev.cil b/src/dev/nodedev/memnodedev.cil
new file mode 100644
index 0000000..cfef06e
--- /dev/null
+++ b/src/dev/nodedev/memnodedev.cil
@@ -0,0 +1,53 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mem
+
+ (filecon "/dev/mem" char nodedev_context)
+ (filecon "/dev/port" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .nodedev.exception.type (nodedev))
+
+ (block read
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
+
+ (typeattributeset not_typeattr (not typeattr))
+
+ (neverallow not_typeattr mem.nodedev (chr_file (read))))
+
+ (block readwrite
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (call read.type (typeattr))
+ (call write.type (typeattr)))
+
+ (block write
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
+
+ (typeattributeset not_typeattr (not typeattr))
+
+ (neverallow not_typeattr mem.nodedev (chr_file (append write)))))
+
+(in dev.unconfined
+
+ (call .mem.readwrite.type (typeattr)))
+
+(in nodedev.unconfined
+
+ (call .mem.readwrite.type (typeattr)))
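Review bot: The two `neverallow` rules on `mem.nodedev` are only as strict as the membership of `read.typeattr` and `write.typeattr`, and the `in dev.unconfined` and `in nodedev.unconfined` statements at the end of the file add those whole attributes to the exempt set. Their membership is defined outside this diff, so it cannot be checked here, but every type that ends up in either attribute may be granted read and write on /dev/mem and /dev/port without tripping the check. A comment on each of the `read`, `write` and `readwrite` blocks would make every call site recognisable as a security exception, for example `;; mem.read.type: exempt ARG1 from the neverallow on reading /dev/mem and /dev/port`. The rules name only `read`, `append` and `write`, so it is also worth stating whether other chr_file permissions are deliberately left unguarded.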
diff --git a/src/dev/nodedev/modemnodedev.cil b/src/dev/nodedev/modemnodedev.cil
new file mode 100644
index 0000000..8fce849
--- /dev/null
+++ b/src/dev/nodedev/modemnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block modem
+
+ (filecon "/dev/modem" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ndctlnodedev.cil b/src/dev/nodedev/ndctlnodedev.cil
new file mode 100644
index 0000000..b55df2c
--- /dev/null
+++ b/src/dev/nodedev/ndctlnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ndctl
+
+ (filecon "/dev/ndctl([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/nullnodedev.cil b/src/dev/nodedev/nullnodedev.cil
new file mode 100644
index 0000000..e6340a3
--- /dev/null
+++ b/src/dev/nodedev/nullnodedev.cil
@@ -0,0 +1,13 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(sidcontext devnull (sys.id sys.role null.nodedev lowlevelrange))
+
+(block null
+
+ (filecon "/dev/full" char nodedev_context)
+ (filecon "/dev/null" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/nvramnodedev.cil b/src/dev/nodedev/nvramnodedev.cil
new file mode 100644
index 0000000..5a1b581
--- /dev/null
+++ b/src/dev/nodedev/nvramnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block nvram
+
+ (filecon "/dev/nvram" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/pmunodedev.cil b/src/dev/nodedev/pmunodedev.cil
new file mode 100644
index 0000000..d27d04d
--- /dev/null
+++ b/src/dev/nodedev/pmunodedev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block pmu
+
+ (filecon "/dev/pmu" char nodedev_context)
+ (filecon "/dev/smu" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/pppnodedev.cil b/src/dev/nodedev/pppnodedev.cil
new file mode 100644
index 0000000..2a551c2
--- /dev/null
+++ b/src/dev/nodedev/pppnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ppp
+
+ (filecon "/dev/ppp" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/printernodedev.cil b/src/dev/nodedev/printernodedev.cil
new file mode 100644
index 0000000..2766e4a
--- /dev/null
+++ b/src/dev/nodedev/printernodedev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block printer
+
+ (filecon "/dev/lp([0-9]+)?" char nodedev_context)
+ (filecon "/dev/parport([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ptmxnodedev.cil b/src/dev/nodedev/ptmxnodedev.cil
new file mode 100644
index 0000000..8d26226
--- /dev/null
+++ b/src/dev/nodedev/ptmxnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ptmx
+
+ (filecon "/dev/ptmx" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/qosnodedev.cil b/src/dev/nodedev/qosnodedev.cil
new file mode 100644
index 0000000..b64d46d
--- /dev/null
+++ b/src/dev/nodedev/qosnodedev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block qos
+
+ (filecon "/dev/cpu_dma_latency" char nodedev_context)
+ (filecon "/dev/memory_bandwidth" char nodedev_context)
+ (filecon "/dev/network_latency" char nodedev_context)
+ (filecon "/dev/network_throughput" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/randomnodedev.cil b/src/dev/nodedev/randomnodedev.cil
new file mode 100644
index 0000000..c3b1cd6
--- /dev/null
+++ b/src/dev/nodedev/randomnodedev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block random
+
+ (filecon "/dev/random" char nodedev_context)
+ (filecon "/dev/urandom" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/rfkillnodedev.cil b/src/dev/nodedev/rfkillnodedev.cil
new file mode 100644
index 0000000..712cb21
--- /dev/null
+++ b/src/dev/nodedev/rfkillnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block rfkill
+
+ (filecon "/dev/rfkill" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/sndnodedev.cil b/src/dev/nodedev/sndnodedev.cil
new file mode 100644
index 0000000..85569c3
--- /dev/null
+++ b/src/dev/nodedev/sndnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block snd
+
+ (filecon "/dev/snd/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/tpmnodedev.cil b/src/dev/nodedev/tpmnodedev.cil
new file mode 100644
index 0000000..98b44a3
--- /dev/null
+++ b/src/dev/nodedev/tpmnodedev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block tpm
+
+ (filecon "/dev/tpm([0-9]+)?" char nodedev_context)
+ (filecon "/dev/tpmrm([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ttynodedev.cil b/src/dev/nodedev/ttynodedev.cil
new file mode 100644
index 0000000..0380fde
--- /dev/null
+++ b/src/dev/nodedev/ttynodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block tty
+
+ (filecon "/dev/tty" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/tuntapnodedev.cil b/src/dev/nodedev/tuntapnodedev.cil
new file mode 100644
index 0000000..8e4d249
--- /dev/null
+++ b/src/dev/nodedev/tuntapnodedev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block tuntap
+
+ (filecon "/dev/net/tun" char nodedev_context)
+ (filecon "/dev/tap([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/udmabufnodedev.cil b/src/dev/nodedev/udmabufnodedev.cil
new file mode 100644
index 0000000..0404a83
--- /dev/null
+++ b/src/dev/nodedev/udmabufnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block udmabuf
+
+ (filecon "/dev/udmabuf" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/uffdnodedev.cil b/src/dev/nodedev/uffdnodedev.cil
new file mode 100644
index 0000000..c5ec44b
--- /dev/null
+++ b/src/dev/nodedev/uffdnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in uffd
+
+ (filecon "/dev/userfaultfd" char nodedev_context)
+
+ (blockinherit .nodedev.template))
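Review bot: This file opens with `(in uffd`, where every other new nodedev file in this commit opens with `(block NAME`, so it only resolves if a `uffd` block is declared somewhere outside this diff. If that is intended, a comment such as `;; extends the uffd block declared elsewhere` would stop a later reader from "fixing" it to `block`. If it is a slip, `(block uffd` is the form used in the sibling files. It is also worth confirming that the names inherited from `.nodedev.template` do not collide with declarations already present in that block.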
diff --git a/src/dev/nodedev/uhidnodedev.cil b/src/dev/nodedev/uhidnodedev.cil
new file mode 100644
index 0000000..d92b7d4
--- /dev/null
+++ b/src/dev/nodedev/uhidnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block uhid
+
+ (filecon "/dev/uhid" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/uinputnodedev.cil b/src/dev/nodedev/uinputnodedev.cil
new file mode 100644
index 0000000..194b632
--- /dev/null
+++ b/src/dev/nodedev/uinputnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block uinput
+
+ (filecon "/dev/uinput" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/uionodedev.cil b/src/dev/nodedev/uionodedev.cil
new file mode 100644
index 0000000..533bb05
--- /dev/null
+++ b/src/dev/nodedev/uionodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block uio
+
+ (filecon "/dev/uio[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/usbmonnodedev.cil b/src/dev/nodedev/usbmonnodedev.cil
new file mode 100644
index 0000000..b11881c
--- /dev/null
+++ b/src/dev/nodedev/usbmonnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block usbmon
+
+ (filecon "/dev/usbmon[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/usbnodedev.cil b/src/dev/nodedev/usbnodedev.cil
new file mode 100644
index 0000000..2432b6a
--- /dev/null
+++ b/src/dev/nodedev/usbnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block usb
+
+ (filecon "/dev/bus/usb/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/v4lnodedev.cil b/src/dev/nodedev/v4lnodedev.cil
new file mode 100644
index 0000000..b2fe91f
--- /dev/null
+++ b/src/dev/nodedev/v4lnodedev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block v4l
+
+ (filecon "/dev/media([0-9]+)?" char nodedev_context)
+ (filecon "/dev/video([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/vfionodedev.cil b/src/dev/nodedev/vfionodedev.cil
new file mode 100644
index 0000000..8644d8e
--- /dev/null
+++ b/src/dev/nodedev/vfionodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vfio
+
+ (filecon "/dev/vfio/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/vgaarbiternodedev.cil b/src/dev/nodedev/vgaarbiternodedev.cil
new file mode 100644
index 0000000..bbe5fe6
--- /dev/null
+++ b/src/dev/nodedev/vgaarbiternodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vgaarbiter
+
+ (filecon "/dev/vga_arbiter" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/vhostnodedev.cil b/src/dev/nodedev/vhostnodedev.cil
new file mode 100644
index 0000000..305e2be
--- /dev/null
+++ b/src/dev/nodedev/vhostnodedev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vhost
+
+ (filecon "/dev/vhci" char nodedev_context)
+ (filecon "/dev/vhost-net" char nodedev_context)
+ (filecon "/dev/vhost-scsi" char nodedev_context)
+ (filecon "/dev/vhost-vsock" char nodedev_context)
+
+ (blockinherit .nodedev.template))
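Review bot: `/dev/vhci` is, as far as I know, the Bluetooth virtual HCI node rather than a vhost device, yet it shares `vhost.nodedev` with the three `vhost-*` nodes. A domain given access to this type for virtio offload, such as a hypervisor process, could then also be allowed to open the Bluetooth emulation node. Consider moving `(filecon "/dev/vhci" char nodedev_context)` into a block of its own, or add a comment explaining why the two are grouped.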
diff --git a/src/dev/nodedev/vmcinodedev.cil b/src/dev/nodedev/vmcinodedev.cil
new file mode 100644
index 0000000..d19746b
--- /dev/null
+++ b/src/dev/nodedev/vmcinodedev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vmci
+
+ (filecon "/dev/vmci" char nodedev_context)
+ (filecon "/dev/vsock" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/watchdognodedev.cil b/src/dev/nodedev/watchdognodedev.cil
new file mode 100644
index 0000000..120da11
--- /dev/null
+++ b/src/dev/nodedev/watchdognodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block watchdog
+
+ (filecon "/dev/watchdog([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/zeronodedev.cil b/src/dev/nodedev/zeronodedev.cil
new file mode 100644
index 0000000..386966a
--- /dev/null
+++ b/src/dev/nodedev/zeronodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block zero
+
+ (filecon "/dev/zero" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))