Diffstat (limited to 'src/dev')
92 files changed, 1541 insertions, 0 deletions
diff --git a/src/dev/nodedev.cil b/src/dev/nodedev.cil
new file mode 100644
index 0000000..b681759
--- /dev/null
+++ b/src/dev/nodedev.cil
@@ -0,0 +1,116 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block nodedev
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (macro mounton_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr mounton_chr_file))
+
+ (blockinherit .file.all_macro_template_chr_files)
+
+ (call .dev.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context nodedev_context (.sys.id .sys.role nodedev lowlevelrange))
+
+ (type nodedev)
+ (call .nodedev.type (nodedev)))
+
+ (block except
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (blockinherit file.all_macro_template_chr_files)
+
+ (typeattribute typeattr)
+
+ (typeattributeset typeattr
+ (and nodedev.typeattr (not (exception.typeattr)))))
+
+ (block exception
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (call nodedev.type (typeattr))
+
+ (call .dev.exception.type (typeattr)))
+
+ (block macro_template_chr_files
+
+ (blockabstract macro_template_chr_files)
+
+ (macro append_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev append_chr_file))
+
+ (macro appendinherited_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev appendinherited_chr_file))
+
+ (macro create_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev create_chr_file))
+
+ (macro delete_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev delete_chr_file))
+
+ (macro manage_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev manage_chr_file))
+
+ (macro mapexecute_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev mapexecute_chr_file))
+
+ (macro read_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev read_chr_file))
+
+ (macro readinherited_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev readinherited_chr_file))
+
+ (macro readwrite_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev readwrite_chr_file))
+
+ (macro readwriteinherited_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev readwriteinherited_chr_file))
+
+ (macro relabel_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev relabel_chr_file))
+
+ (macro relabelfrom_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev relabelfrom_chr_file))
+
+ (macro relabelto_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev relabelto_chr_file))
+
+ (macro rename_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev rename_chr_file))
+
+ (macro write_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev write_chr_file))
+
+ (macro writeinherited_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev writeinherited_chr_file)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .nodedev.base_template)
+ (blockinherit .nodedev.macro_template_chr_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr nodedev.typeattr (chr_file (not (audit_access execmod))))))
diff --git a/src/dev/nodedev/apmnodedev.cil b/src/dev/nodedev/apmnodedev.cil
new file mode 100644
index 0000000..d13ee45
--- /dev/null
+++ b/src/dev/nodedev/apmnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block apm
+
+ (filecon "/dev/snapshot" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/autofsnodedev.cil b/src/dev/nodedev/autofsnodedev.cil
new file mode 100644
index 0000000..1aea912
--- /dev/null
+++ b/src/dev/nodedev/autofsnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block autofs
+
+ (filecon "/dev/autofs" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/btrfscontrolnodedev.cil b/src/dev/nodedev/btrfscontrolnodedev.cil
new file mode 100644
index 0000000..e390955
--- /dev/null
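Review bot: Inside `(block except` the inherit is written as `(blockinherit file.all_macro_template_chr_files)` while the enclosing block spells the same reference `(blockinherit .file.all_macro_template_chr_files)`; both presumably resolve to the global `file` block today, but the relative form would silently rebind to any `file` block later declared under `nodedev`, so the absolute spelling is the safer and consistent one. The `except`/`exception` pair is the mechanism that keeps opted-out node types (for example `mem`, which calls `.nodedev.exception.type` later in this series) out of whatever consumes `except.typeattr` — presumably the all_*_chr_files macros inherited from `.file.all_macro_template_chr_files` — and it carries no comment; I would put `;; except: every nodedev type minus those registered via .nodedev.exception.type` above `(block except` and `;; exception: nodedev types that must be granted individually, never via the all_* macros` above `(block exception`, adjusting the wording if the consumer is different. `(block unconfined` grants every chr_file permission except `audit_access` and `execmod` on every nodedev type, exception members included, so a one-line comment stating that this width is intended for unconfined domains would make the grant explicit to later readers.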
+++ b/src/dev/nodedev/btrfscontrolnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block btrfscontrol
+
+ (filecon "/dev/btrfs-control" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cachefilesnodedev.cil b/src/dev/nodedev/cachefilesnodedev.cil
new file mode 100644
index 0000000..8b3aba2
--- /dev/null
+++ b/src/dev/nodedev/cachefilesnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cachefiles
+
+ (filecon "/dev/cachefiles" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cdcwdmnodedev.cil b/src/dev/nodedev/cdcwdmnodedev.cil
new file mode 100644
index 0000000..1c03f7f
--- /dev/null
+++ b/src/dev/nodedev/cdcwdmnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cdcwdm
+
+ (filecon "/dev/cdc-wdm([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/clocknodedev.cil b/src/dev/nodedev/clocknodedev.cil
new file mode 100644
index 0000000..97a67f7
--- /dev/null
+++ b/src/dev/nodedev/clocknodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block clock
+
+ (filecon "/dev/hpet" char nodedev_context)
+ (filecon "/dev/ptp([0-9]+)?" char nodedev_context)
+ (filecon "/dev/rtc([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cpunodedev.cil b/src/dev/nodedev/cpunodedev.cil
new file mode 100644
index 0000000..07fc918
--- /dev/null
+++ b/src/dev/nodedev/cpunodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cpu
+
+ (filecon "/dev/cpu/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/crashnodedev.cil b/src/dev/nodedev/crashnodedev.cil
new file mode 100644
index 0000000..db1abe9
--- /dev/null
+++ b/src/dev/nodedev/crashnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block crash
+
+ (filecon "/dev/crash" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cusenodedev.cil b/src/dev/nodedev/cusenodedev.cil
new file mode 100644
index 0000000..ab303b0
--- /dev/null
+++ b/src/dev/nodedev/cusenodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cuse
+
+ (filecon "/dev/cuse" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/dmaheapnodedev.cil b/src/dev/nodedev/dmaheapnodedev.cil
new file mode 100644
index 0000000..acaa5e8
--- /dev/null
+++ b/src/dev/nodedev/dmaheapnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dmaheap
+
+ (filecon "/dev/dma_heap/.*" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/dmcontrolnodedev.cil b/src/dev/nodedev/dmcontrolnodedev.cil
new file mode 100644
index 0000000..687e1e4
--- /dev/null
+++ b/src/dev/nodedev/dmcontrolnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dmcontrol
+
+ (filecon "/dev/mapper/control" char nodedev_context)
+
+ (blockinherit .nodedev.template))
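Review bot: `(filecon "/dev/cpu/.+" char nodedev_context)` puts the per-CPU `msr` and `cpuid` nodes (and `/dev/cpu/microcode` on kernels that still provide it) under the single `cpu.nodedev` type, so any domain granted read on this type for CPUID leaves is thereby also granted MSR reads, and write on it is effectively ring-0 via the MSR node. If that distinction matters to this policy, a dedicated block with `(filecon "/dev/cpu/[0-9]+/msr" char nodedev_context)` would let the cheaper cpuid access be granted without msr. If the single type is deliberate, a comment above the filecon saying that `cpu.nodedev` covers msr would stop the next reviewer from raising this.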
diff --git a/src/dev/nodedev/drinodedev.cil b/src/dev/nodedev/drinodedev.cil
new file mode 100644
index 0000000..d215a46
--- /dev/null
+++ b/src/dev/nodedev/drinodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dri
+
+ (filecon "/dev/dri/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/drmdpauxnodedev.cil b/src/dev/nodedev/drmdpauxnodedev.cil
new file mode 100644
index 0000000..59c5257
--- /dev/null
+++ b/src/dev/nodedev/drmdpauxnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block drmdpaux
+
+ (filecon "/dev/drm_dp_aux[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/eventnodedev.cil b/src/dev/nodedev/eventnodedev.cil
new file mode 100644
index 0000000..a8e3ee5
--- /dev/null
+++ b/src/dev/nodedev/eventnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block event
+
+ (filecon "/dev/input/event([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/fbnodedev.cil b/src/dev/nodedev/fbnodedev.cil
new file mode 100644
index 0000000..47d670c
--- /dev/null
+++ b/src/dev/nodedev/fbnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block fb
+
+ (filecon "/dev/fb([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/gpionodedev.cil b/src/dev/nodedev/gpionodedev.cil
new file mode 100644
index 0000000..466fbdb
--- /dev/null
+++ b/src/dev/nodedev/gpionodedev.cil
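Review bot: The `event` block calls `.rbacsep.exempt.obj.type (nodedev)` for `/dev/input/event*` without recording why, while the neighbouring input-related nodes (`hidraw`, `hiddev`, the `input` block with `mice`/`mouse*`/`js*`) are not exempted. If the exempt attribute lifts the subject-role/object-role separation check, as its name suggests, this widens which roles can be permitted to read raw keystroke and pointer events, so the rationale deserves a line such as `;; rbacsep exempt: event nodes are opened by seat/display services on behalf of every role` above the call, if that is indeed the reason. The same applies to the `dri` block in this run, whose exemption is equally uncommented.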
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block gpio
+
+ (filecon "/dev/gpiochip([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/hiddevnodedev.cil b/src/dev/nodedev/hiddevnodedev.cil
new file mode 100644
index 0000000..202a000
--- /dev/null
+++ b/src/dev/nodedev/hiddevnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block hiddev
+
+ (filecon "/dev/hiddev[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/hidrawnodedev.cil b/src/dev/nodedev/hidrawnodedev.cil
new file mode 100644
index 0000000..3ca398f
--- /dev/null
+++ b/src/dev/nodedev/hidrawnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block hidraw
+
+ (filecon "/dev/hidraw[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/hwrngnodedev.cil b/src/dev/nodedev/hwrngnodedev.cil
new file mode 100644
index 0000000..76a14bf
--- /dev/null
+++ b/src/dev/nodedev/hwrngnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block hwrng
+
+ (filecon "/dev/hwrng" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/i2cnodedev.cil b/src/dev/nodedev/i2cnodedev.cil
new file mode 100644
index 0000000..e6bd3d0
--- /dev/null
+++ b/src/dev/nodedev/i2cnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block i2c
+
+ (filecon "/dev/i2c([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/iionodedev.cil b/src/dev/nodedev/iionodedev.cil
new file mode 100644
index 0000000..40e9d4b
--- /dev/null
+++ b/src/dev/nodedev/iionodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block iio
+
+ (filecon "/dev/iio:device([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/infinibandnodedev.cil b/src/dev/nodedev/infinibandnodedev.cil
new file mode 100644
index 0000000..4b15207
--- /dev/null
+++ b/src/dev/nodedev/infinibandnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block infiniband
+
+ (filecon "/dev/infiniband/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/inputnodedev.cil b/src/dev/nodedev/inputnodedev.cil
new file mode 100644
index 0000000..c68115a
--- /dev/null
+++ b/src/dev/nodedev/inputnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block input
+
+ (filecon "/dev/input/js([0-9]+)?" char nodedev_context)
+ (filecon "/dev/input/mice" char nodedev_context)
+ (filecon "/dev/input/mouse([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ipminodedev.cil b/src/dev/nodedev/ipminodedev.cil
new file mode 100644
index 0000000..21b4c66
--- /dev/null
+++ b/src/dev/nodedev/ipminodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ipmi
+
+ (filecon "/dev/ipmi[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/kfdnodedev.cil b/src/dev/nodedev/kfdnodedev.cil
new file mode 100644
index 0000000..1b90a69
--- /dev/null
+++ b/src/dev/nodedev/kfdnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kfd
+
+ (filecon "/dev/kfd" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/kmsgnodedev.cil b/src/dev/nodedev/kmsgnodedev.cil
new file mode 100644
index 0000000..3417a9e
--- /dev/null
+++ b/src/dev/nodedev/kmsgnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kmsg
+
+ (filecon "/dev/kmsg" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ksmnodedev.cil b/src/dev/nodedev/ksmnodedev.cil
new file mode 100644
index 0000000..b979ca9
--- /dev/null
+++ b/src/dev/nodedev/ksmnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ksm
+
+ (filecon "/dev/ksm" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/kvmnodedev.cil b/src/dev/nodedev/kvmnodedev.cil
new file mode 100644
index 0000000..8b13d49
--- /dev/null
+++ b/src/dev/nodedev/kvmnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kvm
+
+ (filecon "/dev/kvm" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/lircnodedev.cil b/src/dev/nodedev/lircnodedev.cil
new file mode 100644
index 0000000..4a96ea0
--- /dev/null
+++ b/src/dev/nodedev/lircnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block lirc
+
+ (filecon "/dev/lirc[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/loopcontrolnodedev.cil b/src/dev/nodedev/loopcontrolnodedev.cil
new file mode 100644
index 0000000..e594763
--- /dev/null
+++ b/src/dev/nodedev/loopcontrolnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block loopcontrol
+
+ (filecon "/dev/loop-control" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/mcelognodedev.cil b/src/dev/nodedev/mcelognodedev.cil
new file mode 100644
index 0000000..98ddaf7
--- /dev/null
+++ b/src/dev/nodedev/mcelognodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mcelog
+
+ (filecon "/dev/mcelog" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/meinodedev.cil b/src/dev/nodedev/meinodedev.cil
new file mode 100644
index 0000000..41f9f8d
--- /dev/null
+++ b/src/dev/nodedev/meinodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mei
+
+ (filecon "/dev/mei([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/memnodedev.cil b/src/dev/nodedev/memnodedev.cil
new file mode 100644
index 0000000..cfef06e
--- /dev/null
+++ b/src/dev/nodedev/memnodedev.cil
@@ -0,0 +1,53 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mem
+
+ (filecon "/dev/mem" char nodedev_context)
+ (filecon "/dev/port" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .nodedev.exception.type (nodedev))
+
+ (block read
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
+
+ (typeattributeset not_typeattr (not typeattr))
+
+ (neverallow not_typeattr mem.nodedev (chr_file (read))))
+
+ (block readwrite
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (call read.type (typeattr))
+ (call write.type (typeattr)))
+
+ (block write
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
+
+ (typeattributeset not_typeattr (not typeattr))
+
+ (neverallow not_typeattr mem.nodedev (chr_file (append write)))))
+
+(in dev.unconfined
+
+ (call .mem.readwrite.type (typeattr)))
+
+(in nodedev.unconfined
+
+ (call .mem.readwrite.type (typeattr)))
diff --git a/src/dev/nodedev/modemnodedev.cil b/src/dev/nodedev/modemnodedev.cil
new file mode 100644
index 0000000..8fce849
--- /dev/null
+++ b/src/dev/nodedev/modemnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block modem
+
+ (filecon "/dev/modem" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ndctlnodedev.cil b/src/dev/nodedev/ndctlnodedev.cil
new file mode 100644
index 0000000..b55df2c
--- /dev/null
+++ b/src/dev/nodedev/ndctlnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ndctl
+
+ (filecon "/dev/ndctl([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
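Review bot: The two neverallows in `mem.read` and `mem.write` fence only direct `read` and `append`/`write` on `mem.nodedev`; a domain that holds `relabelfrom` on `mem.nodedev` together with `relabelto` on a less restricted nodedev type can still make `/dev/mem` or `/dev/port` readable to itself without ever being added to `read.typeattr`, and the two `in` blocks at the bottom widen the exempt set to every member of `dev.unconfined.typeattr` and `nodedev.unconfined.typeattr`. Whether relabelling is meant to be covered is not visible here; if it is, `(neverallow not_typeattr mem.nodedev (chr_file (append write relabelfrom)))` in the `write` block would close that route (mmap for read still needs `read`, so it is already caught). Either way a comment on `(block mem` stating exactly what the neverallows guarantee — direct read/write restricted to types opted in via `.mem.read.type`/`.mem.write.type`, with unconfined exempted — would keep later readers from assuming a stronger property than the file enforces.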
diff --git a/src/dev/nodedev/nullnodedev.cil b/src/dev/nodedev/nullnodedev.cil
new file mode 100644
index 0000000..e6340a3
--- /dev/null
+++ b/src/dev/nodedev/nullnodedev.cil
@@ -0,0 +1,13 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(sidcontext devnull (sys.id sys.role null.nodedev lowlevelrange))
+
+(block null
+
+ (filecon "/dev/full" char nodedev_context)
+ (filecon "/dev/null" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/nvramnodedev.cil b/src/dev/nodedev/nvramnodedev.cil
new file mode 100644
index 0000000..5a1b581
--- /dev/null
+++ b/src/dev/nodedev/nvramnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block nvram
+
+ (filecon "/dev/nvram" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/pmunodedev.cil b/src/dev/nodedev/pmunodedev.cil
new file mode 100644
index 0000000..d27d04d
--- /dev/null
+++ b/src/dev/nodedev/pmunodedev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block pmu
+
+ (filecon "/dev/pmu" char nodedev_context)
+ (filecon "/dev/smu" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/pppnodedev.cil b/src/dev/nodedev/pppnodedev.cil
new file mode 100644
index 0000000..2a551c2
--- /dev/null
+++ b/src/dev/nodedev/pppnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ppp
+
+ (filecon "/dev/ppp" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/printernodedev.cil b/src/dev/nodedev/printernodedev.cil
new file mode 100644
index 0000000..2766e4a
--- /dev/null
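Review bot: The `devnull` sidcontext names `sys.id` and `sys.role` without the leading dot that every `nodedev_context` in this series uses (`.sys.id .sys.role`); at global scope the two spellings presumably resolve to the same symbols, but the absolute form is the tree's convention, so `(sidcontext devnull (.sys.id .sys.role null.nodedev lowlevelrange))` would be consistent. It is also worth a one-line comment that `/dev/full` intentionally shares `null.nodedev` — and therefore the rbacsep exemption — with `/dev/null`, since a reader may not expect an ENOSPC-on-write node to be grouped with the discard node.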
+++ b/src/dev/nodedev/printernodedev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block printer
+
+ (filecon "/dev/lp([0-9]+)?" char nodedev_context)
+ (filecon "/dev/parport([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ptmxnodedev.cil b/src/dev/nodedev/ptmxnodedev.cil
new file mode 100644
index 0000000..8d26226
--- /dev/null
+++ b/src/dev/nodedev/ptmxnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ptmx
+
+ (filecon "/dev/ptmx" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/qosnodedev.cil b/src/dev/nodedev/qosnodedev.cil
new file mode 100644
index 0000000..b64d46d
--- /dev/null
+++ b/src/dev/nodedev/qosnodedev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block qos
+
+ (filecon "/dev/cpu_dma_latency" char nodedev_context)
+ (filecon "/dev/memory_bandwidth" char nodedev_context)
+ (filecon "/dev/network_latency" char nodedev_context)
+ (filecon "/dev/network_throughput" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/randomnodedev.cil b/src/dev/nodedev/randomnodedev.cil
new file mode 100644
index 0000000..c3b1cd6
--- /dev/null
+++ b/src/dev/nodedev/randomnodedev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block random
+
+ (filecon "/dev/random" char nodedev_context)
+ (filecon "/dev/urandom" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/rfkillnodedev.cil b/src/dev/nodedev/rfkillnodedev.cil
new file mode 100644
index 0000000..712cb21
--- /dev/null
+++ b/src/dev/nodedev/rfkillnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block rfkill
+
+ (filecon "/dev/rfkill" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/sndnodedev.cil b/src/dev/nodedev/sndnodedev.cil
new file mode 100644
index 0000000..85569c3
--- /dev/null
+++ b/src/dev/nodedev/sndnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block snd
+
+ (filecon "/dev/snd/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/tpmnodedev.cil b/src/dev/nodedev/tpmnodedev.cil
new file mode 100644
index 0000000..98b44a3
--- /dev/null
+++ b/src/dev/nodedev/tpmnodedev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block tpm
+
+ (filecon "/dev/tpm([0-9]+)?" char nodedev_context)
+ (filecon "/dev/tpmrm([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ttynodedev.cil b/src/dev/nodedev/ttynodedev.cil
new file mode 100644
index 0000000..0380fde
--- /dev/null
+++ b/src/dev/nodedev/ttynodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block tty
+
+ (filecon "/dev/tty" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/tuntapnodedev.cil b/src/dev/nodedev/tuntapnodedev.cil
new file mode 100644
index 0000000..8e4d249
--- /dev/null
+++ b/src/dev/nodedev/tuntapnodedev.cil
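Review bot: The `tpm` block labels `/dev/tpm*` and `/dev/tpmrm*` with the same `tpm.nodedev` type, so a domain that only needs the in-kernel resource manager node (`tpmrm`, the multi-client interface meant for unprivileged TPM users) is necessarily also granted the raw `/dev/tpm0` node, which bypasses the resource manager and takes exclusive hold of the device. If that distinction is wanted, moving the raw node into its own block — e.g. `(block tpmraw` with `(filecon "/dev/tpm([0-9]+)?" char nodedev_context)` and the same `(blockinherit .nodedev.template)` — lets policy hand out tpmrm access without raw access. If keeping one type is intentional, a comment above the two filecons saying so would stop this from being raised again.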
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block tuntap
+
+ (filecon "/dev/net/tun" char nodedev_context)
+ (filecon "/dev/tap([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/udmabufnodedev.cil b/src/dev/nodedev/udmabufnodedev.cil
new file mode 100644
index 0000000..0404a83
--- /dev/null
+++ b/src/dev/nodedev/udmabufnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block udmabuf
+
+ (filecon "/dev/udmabuf" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/uffdnodedev.cil b/src/dev/nodedev/uffdnodedev.cil
new file mode 100644
index 0000000..c5ec44b
--- /dev/null
+++ b/src/dev/nodedev/uffdnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in uffd
+
+ (filecon "/dev/userfaultfd" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/uhidnodedev.cil b/src/dev/nodedev/uhidnodedev.cil
new file mode 100644
index 0000000..d92b7d4
--- /dev/null
+++ b/src/dev/nodedev/uhidnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block uhid
+
+ (filecon "/dev/uhid" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/uinputnodedev.cil b/src/dev/nodedev/uinputnodedev.cil
new file mode 100644
index 0000000..194b632
--- /dev/null
+++ b/src/dev/nodedev/uinputnodedev.cil
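Review bot: `uffdnodedev.cil` opens with `(in uffd` whereas every other file in this series opens with `(block <name>`; `in` only extends a block that is declared elsewhere, so this file compiles only if a `uffd` block already exists outside this diff and otherwise fails on the unresolved block name. If merging the `/dev/userfaultfd` node into an existing `uffd` block is intentional — plausible if the policy already declares one for the userfaultfd object class — a comment such as `;; extends the uffd block declared elsewhere with its /dev node` above the `in` would make the dependency explicit; if it is a slip, the line should read `(block uffd`.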
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block uinput
+
+ (filecon "/dev/uinput" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/uionodedev.cil b/src/dev/nodedev/uionodedev.cil
new file mode 100644
index 0000000..533bb05
--- /dev/null
+++ b/src/dev/nodedev/uionodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block uio
+
+ (filecon "/dev/uio[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/usbmonnodedev.cil b/src/dev/nodedev/usbmonnodedev.cil
new file mode 100644
index 0000000..b11881c
--- /dev/null
+++ b/src/dev/nodedev/usbmonnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block usbmon
+
+ (filecon "/dev/usbmon[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/usbnodedev.cil b/src/dev/nodedev/usbnodedev.cil
new file mode 100644
index 0000000..2432b6a
--- /dev/null
+++ b/src/dev/nodedev/usbnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block usb
+
+ (filecon "/dev/bus/usb/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/v4lnodedev.cil b/src/dev/nodedev/v4lnodedev.cil
new file mode 100644
index 0000000..b2fe91f
--- /dev/null
+++ b/src/dev/nodedev/v4lnodedev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block v4l
+
+ (filecon "/dev/media([0-9]+)?" char nodedev_context)
+ (filecon "/dev/video([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/vfionodedev.cil b/src/dev/nodedev/vfionodedev.cil
new file mode 100644
index 0000000..8644d8e
--- /dev/null
+++ b/src/dev/nodedev/vfionodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vfio
+
+ (filecon "/dev/vfio/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/vgaarbiternodedev.cil b/src/dev/nodedev/vgaarbiternodedev.cil
new file mode 100644
index 0000000..bbe5fe6
--- /dev/null
+++ b/src/dev/nodedev/vgaarbiternodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vgaarbiter
+
+ (filecon "/dev/vga_arbiter" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/vhostnodedev.cil b/src/dev/nodedev/vhostnodedev.cil
new file mode 100644
index 0000000..305e2be
--- /dev/null
+++ b/src/dev/nodedev/vhostnodedev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vhost
+
+ (filecon "/dev/vhci" char nodedev_context)
+ (filecon "/dev/vhost-net" char nodedev_context)
+ (filecon "/dev/vhost-scsi" char nodedev_context)
+ (filecon "/dev/vhost-vsock" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/vmcinodedev.cil b/src/dev/nodedev/vmcinodedev.cil
new file mode 100644
index 0000000..d19746b
--- /dev/null
+++ b/src/dev/nodedev/vmcinodedev.cil
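Review bot: `/dev/vhci` is grouped with the vhost nodes in `(block vhost`, but as far as I know that node is created by the Bluetooth virtual-HCI driver (hci_vhci), not by vhost, and so has nothing in common with `vhost-net`, `vhost-scsi` or `vhost-vsock` beyond the letters in its name. If that is right, a domain granted `vhost.nodedev` for virtual-machine backends would also be able to register a virtual Bluetooth controller, and the node belongs in its own block (say `vhci`) with its own `nodedev` type. If the grouping is deliberate, a comment above the first filecon explaining why would prevent the confusion.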
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vmci
+
+ (filecon "/dev/vmci" char nodedev_context)
+ (filecon "/dev/vsock" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/watchdognodedev.cil b/src/dev/nodedev/watchdognodedev.cil
new file mode 100644
index 0000000..120da11
--- /dev/null
+++ b/src/dev/nodedev/watchdognodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block watchdog
+
+ (filecon "/dev/watchdog([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/zeronodedev.cil b/src/dev/nodedev/zeronodedev.cil
new file mode 100644
index 0000000..386966a
--- /dev/null
+++ b/src/dev/nodedev/zeronodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block zero
+
+ (filecon "/dev/zero" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/stordev.cil b/src/dev/stordev.cil
new file mode 100644
index 0000000..8611ec6
--- /dev/null
+++ b/src/dev/stordev.cil
@@ -0,0 +1,188 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block stordev
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (macro mounton_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr mounton_chr_file))
+
+ (blockinherit .file.all_macro_template_blk_files)
+ (blockinherit .file.all_macro_template_chr_files)
+
+ (call .dev.exception.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context stordev_context (.sys.id .sys.role stordev lowlevelrange))
+
+ (type stordev)
+ (call .stordev.type (stordev)))
+
+ (block macro_template_blk_files
+
+ (blockabstract macro_template_blk_files)
+
+ (macro append_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev append_blk_file))
+
+ (macro appendinherited_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev appendinherited_blk_file))
+
+ (macro create_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev create_blk_file))
+
+ (macro delete_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev delete_blk_file))
+
+ (macro manage_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev manage_blk_file))
+
+ (macro read_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev read_blk_file))
+
+ (macro readinherited_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev readinherited_blk_file))
+
+ (macro readwrite_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev readwrite_blk_file))
+
+ (macro readwriteinherited_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev readwriteinherited_blk_file))
+
+ (macro relabel_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev relabel_blk_file))
+
+ (macro relabelfrom_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev relabelfrom_blk_file))
+
+ (macro relabelto_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev relabelto_blk_file))
+
+ (macro rename_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev rename_blk_file))
+
+ (macro write_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev write_blk_file))
+
+ (macro writeinherited_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev writeinherited_blk_file)))
+
+ (block macro_template_chr_files
+
+ (blockabstract macro_template_chr_files)
+
+ (macro append_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev append_chr_file))
+
+ (macro appendinherited_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev appendinherited_chr_file))
+
+ (macro create_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev create_chr_file))
+
+ (macro delete_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev delete_chr_file))
+
+ (macro manage_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev manage_chr_file))
+
+ (macro mapexecute_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev mapexecute_chr_file))
+
+ (macro read_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev read_chr_file))
+
+ (macro readinherited_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev readinherited_chr_file))
+
+ (macro readwrite_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev readwrite_chr_file))
+
+ (macro readwriteinherited_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev readwriteinherited_chr_file))
+
+ (macro relabel_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev relabel_chr_file))
+
+ (macro relabelfrom_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev relabelfrom_chr_file))
+
+ (macro relabelto_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev relabelto_chr_file))
+
+ (macro rename_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev rename_chr_file))
+
+ (macro write_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev write_chr_file))
+
+ (macro writeinherited_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev writeinherited_chr_file)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files)
+ (blockinherit .stordev.macro_template_chr_files))
+
+ (block read
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
+
+ (typeattributeset not_typeattr (not typeattr))
+
+ (neverallow not_typeattr stordev.typeattr (blk_file (read)))
+ (neverallow not_typeattr stordev.typeattr (chr_file (read))))
+
+ (block readwrite
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (call read.type (typeattr))
+ (call write.type (typeattr)))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr stordev.typeattr
+ (blk_file (not (audit_access execmod map))))
+ (allow typeattr stordev.typeattr (chr_file (not (audit_access execmod))))
+
+ (call readwrite.type (typeattr)))
+
+ (block write
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
+
+ (typeattributeset not_typeattr (not typeattr))
+
+ (neverallow not_typeattr stordev.typeattr (blk_file (append write)))
+ (neverallow not_typeattr stordev.typeattr (chr_file (append write)))))
+
+(in dev.unconfined
+
+ (call .stordev.readwrite.type (typeattr)))
diff --git a/src/dev/stordev/dmstordev.cil b/src/dev/stordev/dmstordev.cil
new file mode 100644
index 0000000..4a0d4d9
--- /dev/null
+++ b/src/dev/stordev/dmstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dm
+
+ (filecon "/dev/dm-[0-9]+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/stordev/fusestordev.cil b/src/dev/stordev/fusestordev.cil
new file mode 100644
index 0000000..da05a57
--- /dev/null
+++ b/src/dev/stordev/fusestordev.cil
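Review bot: The `read` and `write` blocks near the end of the stordev hunk act as neverallow gates — a domain has to be registered through `.stordev.read.type` / `.stordev.write.type` before it may `read` or `append write` a storage node — but nothing in the hunk says so, and the gate stops there: by their names the `relabel_*` and `manage_*` macros in `macro_template_blk_files` / `macro_template_chr_files` hand out relabel and management permissions with no membership requirement, and `ioctl` is not gated either. A comment on each gate block, e.g. `;; gate: only members of read.typeattr may read storage nodes (neverallow-enforced); relabel/ioctl are deliberately outside the gate`, would make the scope explicit. The trailing `(in dev.unconfined (call .stordev.readwrite.type (typeattr)))` presumably only exempts dev.unconfined from both gates rather than granting anything, since stordev registers itself via `.dev.exception.type`; that too deserves a one-line comment, as it reads like a grant.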
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block fuse
+
+ (filecon "/dev/fuse" char stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_chr_files)
+
+ (call .rbacsep.exempt.obj.type (stordev)))
diff --git a/src/dev/stordev/hdstordev.cil b/src/dev/stordev/hdstordev.cil
new file mode 100644
index 0000000..c912513
--- /dev/null
+++ b/src/dev/stordev/hdstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block hd
+
+ (filecon "/dev/hd[^/]+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/stordev/loopstordev.cil b/src/dev/stordev/loopstordev.cil
new file mode 100644
index 0000000..d683738
--- /dev/null
+++ b/src/dev/stordev/loopstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block loop
+
+ (filecon "/dev/loop.+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/stordev/mdstordev.cil b/src/dev/stordev/mdstordev.cil
new file mode 100644
index 0000000..1aa7d84
--- /dev/null
+++ b/src/dev/stordev/mdstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block md
+
+ (filecon "/dev/md[^/]+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/stordev/mtdstordev.cil b/src/dev/stordev/mtdstordev.cil
new file mode 100644
index 0000000..f8338b8
--- /dev/null
+++ b/src/dev/stordev/mtdstordev.cil
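Review bot: In the loop hunk `/dev/loop.+` is declared with class `block`, so `/dev/loop-control`, a character device, does not match it, and the block inherits only `macro_template_blk_files`, leaving no stordev macro through which a domain could be granted the control node. Unless another module not in this series labels it, the node falls through to whatever generic label covers `/dev/`, which is the opposite of the gating the stordev hunk sets up. If the control node belongs here, add `(filecon "/dev/loop-control" char stordev_context)` and `(blockinherit .stordev.macro_template_chr_files)`; if it is meant to stay generic, say so in a comment on the filecon.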
@@ -0,0 +1,14 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mtd
+
+ (filecon "/dev/mtd[0-9]+" char stordev_context)
+ (filecon "/dev/mtd[0-9]+ro" char stordev_context)
+ (filecon "/dev/mtdblock[0-9]+" block stordev_context)
+
+ (filecon "/dev/ubi[0-9]+_[0-9]+" char stordev_context)
+ (filecon "/dev/ubi_ctrl" char stordev_context)
+ (filecon "/dev/ubiblock[0-9]+_[0-9]+" block stordev_context)
+
+ (blockinherit .stordev.template))
diff --git a/src/dev/stordev/nvmestordev.cil b/src/dev/stordev/nvmestordev.cil
new file mode 100644
index 0000000..ce30812
--- /dev/null
+++ b/src/dev/stordev/nvmestordev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block nvme
+
+ (filecon "/dev/ng[0-9]n[^/]+" char stordev_context)
+ (filecon "/dev/nvme[0-9]+" char stordev_context)
+ (filecon "/dev/nvme[0-9]n[^/]+" block stordev_context)
+
+ (blockinherit .stordev.template))
diff --git a/src/dev/stordev/rawstordev.cil b/src/dev/stordev/rawstordev.cil
new file mode 100644
index 0000000..f04b019
--- /dev/null
+++ b/src/dev/stordev/rawstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block raw
+
+ (filecon "/dev/raw/.+" char stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_chr_files))
diff --git a/src/dev/stordev/removablestordev.cil b/src/dev/stordev/removablestordev.cil
new file mode 100644
index 0000000..36e8a93
--- /dev/null
+++ b/src/dev/stordev/removablestordev.cil
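Review bot: The mtd hunk labels the UBI volume nodes `/dev/ubi[0-9]+_[0-9]+` and `/dev/ubi_ctrl` but not the UBI device node itself (`/dev/ubi0` and friends), which the volume pattern cannot match because it requires the `_N` suffix. If those nodes exist on the targeted systems they should get `(filecon "/dev/ubi[0-9]+" char stordev_context)` next to the volume line; if they are intentionally left to the generic label, a comment saying so would prevent the omission being read as an oversight.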
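Review bot: In the nvme hunk the namespace patterns `/dev/ng[0-9]n[^/]+` and `/dev/nvme[0-9]n[^/]+` allow a single controller digit, while the controller pattern between them uses `[0-9]+`; a tenth controller's namespaces (`/dev/nvme10n1`, `/dev/ng10n1`) match neither line and silently receive whatever generic `/dev` label applies instead of the gated stordev type. Use `(filecon "/dev/ng[0-9]+n[^/]+" char stordev_context)` and `(filecon "/dev/nvme[0-9]+n[^/]+" block stordev_context)`. The same single-digit index recurs in the removable hunk on the next line (`mmcblk[0-9]boot`, `mmcblk[0-9]p`, `mmcblk[0-9]rpmb` and the `mspblk` equivalents) and in the vport hunk's `/dev/vport[0-9]p[0-9]+` at the end of the series.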
@@ -0,0 +1,17 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block removable
+
+ (filecon "/dev/fd[^/]+" block stordev_context)
+ (filecon "/dev/mmcblk[0-9]+" block stordev_context)
+ (filecon "/dev/mmcblk[0-9]boot[^/]+" block stordev_context)
+ (filecon "/dev/mmcblk[0-9]p[^/]+" block stordev_context)
+ (filecon "/dev/mmcblk[0-9]rpmb" char stordev_context)
+ (filecon "/dev/mspblk[0-9]+" block stordev_context)
+ (filecon "/dev/mspblk[0-9]boot[^/]+" block stordev_context)
+ (filecon "/dev/mspblk[0-9]p[^/]+" block stordev_context)
+ (filecon "/dev/mspblk[0-9]rpmb" char stordev_context)
+ (filecon "/dev/sr[0-9]+" block stordev_context)
+
+ (blockinherit .stordev.template))
diff --git a/src/dev/stordev/sdstordev.cil b/src/dev/stordev/sdstordev.cil
new file mode 100644
index 0000000..822d45e
--- /dev/null
+++ b/src/dev/stordev/sdstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block sd
+
+ (filecon "/dev/sd[^/]+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/stordev/sgstordev.cil b/src/dev/stordev/sgstordev.cil
new file mode 100644
index 0000000..3592bc3
--- /dev/null
+++ b/src/dev/stordev/sgstordev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block sg
+
+ (filecon "/dev/bsg/.+" char stordev_context)
+ (filecon "/dev/sg[0-9]+" char stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_chr_files))
diff --git a/src/dev/stordev/vdstordev.cil b/src/dev/stordev/vdstordev.cil
new file mode 100644
index 0000000..6dd0904
--- /dev/null
+++ b/src/dev/stordev/vdstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vd
+
+ (filecon "/dev/vd[^/]+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/stordev/xdstordev.cil b/src/dev/stordev/xdstordev.cil
new file mode 100644
index 0000000..43edd14
--- /dev/null
+++ b/src/dev/stordev/xdstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block xd
+
+ (filecon "/dev/xd[^/]+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/stordev/zramstordev.cil b/src/dev/stordev/zramstordev.cil
new file mode 100644
index 0000000..6478289
--- /dev/null
+++ b/src/dev/stordev/zramstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block zram
+
+ (filecon "/dev/zram[0-9]+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/termdev.cil b/src/dev/termdev.cil
new file mode 100644
index 0000000..93655b3
--- /dev/null
+++ b/src/dev/termdev.cil
@@ -0,0 +1,43 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block termdev
+
+ (macro appendinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr appendinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro readwriteinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr readwriteinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (macro writeinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr writeinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_chr_files)
+
+ (call .dev.type (typeattr))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr termdev.typeattr (chr_file (not (audit_access execmod))))))
diff --git a/src/dev/termdev/ptytermdev.cil b/src/dev/termdev/ptytermdev.cil
new file mode 100644
index 0000000..4349a93
--- /dev/null
+++ b/src/dev/termdev/ptytermdev.cil
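Review bot: The three `*inherited_all_chr_files` macros in the termdev hunk attach an `allowx` ioctl whitelist (`FIOCLEX_FIONCLEX_CHRFILE`, `IOCTLCONSOLE`, `IOCTLTTY_NOT_TIOCSTI`, `IOCTLVT`) to the inherited-fd variants only, while the non-inherited `read_*`/`readwrite_*`/`write_*` macros arrive unchanged from `.file.all_macro_template_chr_files`. If those base macros grant `ioctl` with no `allowx` of their own, a domain that opens a terminal itself would get every ioctl, TIOCSTI included, while one handed an inherited fd is restricted — presumably the reverse of what the `_NOT_TIOCSTI` set is for; that is worth confirming against the file macros and recording either way, e.g. `;; ioctl whitelist is applied on inherited fds; direct openers are covered by <where>`. The same five-line `allowx` group is duplicated verbatim in the ptytermdev, loginptytermdev, serialtermdev and loginserialtermdev hunks and again per type inside their `macro_template_chr_files`; one macro in termdev taking the target as an argument would keep the whitelist from drifting between copies.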
@@ -0,0 +1,125 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ptytermdev
+
+ (macro appendinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr appendinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro readwriteinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr readwriteinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (macro writeinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr writeinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_chr_files)
+
+ (call .devpts.associate_fs (typeattr))
+
+ (call .termdev.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context ptytermdev_context (.sys.id .sys.role ptytermdev lowlevelrange))
+
+ (type ptytermdev)
+ (call .ptytermdev.type (ptytermdev)))
+
+ (block macro_template_chr_files
+
+ (blockabstract macro_template_chr_files)
+
+ (macro append_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev append_chr_file))
+
+ (macro appendinherited_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev appendinherited_chr_file)
+ (allowx ARG1 ptytermdev FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 ptytermdev IOCTLCONSOLE)
+ (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 ptytermdev IOCTLVT))
+
+ (macro create_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev create_chr_file))
+
+ (macro delete_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev delete_chr_file))
+
+ (macro manage_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev manage_chr_file))
+
+ (macro mapexecute_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev mapexecute_chr_file))
+
+ (macro read_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev read_chr_file))
+
+ (macro readinherited_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev readinherited_chr_file))
+
+ (macro readwrite_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev readwrite_chr_file))
+
+ (macro readwriteinherited_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev readwriteinherited_chr_file)
+ (allowx ARG1 ptytermdev FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 ptytermdev IOCTLCONSOLE)
+ (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 ptytermdev IOCTLVT))
+
+ (macro relabel_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev relabel_chr_file))
+
+ (macro relabelfrom_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev relabelfrom_chr_file))
+
+ (macro relabelto_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev relabelto_chr_file))
+
+ (macro rename_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev rename_chr_file))
+
+ (macro write_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev write_chr_file))
+
+ (macro writeinherited_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev writeinherited_chr_file)
+ (allowx ARG1 ptytermdev FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 ptytermdev IOCTLCONSOLE)
+ (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 ptytermdev IOCTLVT)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .ptytermdev.base_template)
+ (blockinherit .ptytermdev.macro_template_chr_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr ptytermdev.typeattr (chr_file (not (execmod mounton))))))
diff --git a/src/dev/termdev/ptytermdev/loginptytermdev.cil b/src/dev/termdev/ptytermdev/loginptytermdev.cil
new file mode 100644
index 0000000..b9019d4
--- /dev/null
+++ b/src/dev/termdev/ptytermdev/loginptytermdev.cil
@@ -0,0 +1,55 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block loginptytermdev
+
+ (macro all_type_change ((type ARG1)(type ARG2))
+ (typechange ARG1 typeattr chr_file ARG2))
+
+ (macro appendinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr appendinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro readwriteinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr readwriteinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (macro writeinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr writeinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_chr_files)
+
+ (call .ptytermdev.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .ptytermdev.base_template)
+
+ (call .loginptytermdev.type (ptytermdev)))
+
+ (block template
+
+ (blockabstract template)
+
+ (macro ptytermdev_type_change ((type ARG1)(type ARG2))
+ (typechange ARG1 ptytermdev chr_file ARG2))
+
+ (blockinherit .loginptytermdev.base_template)
+ (blockinherit .ptytermdev.macro_template_chr_files)))
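Review bot: `ptytermdev.unconfined` at the end of the ptytermdev hunk allows `(chr_file (not (execmod mounton)))`, whereas `termdev.unconfined` in the preceding hunk allows `(chr_file (not (audit_access execmod)))` and so keeps `mounton`; because every ptytermdev type is also a termdev type (`(call .termdev.type (typeattr))`), a termdev.unconfined member may mount on a pty node and a ptytermdev.unconfined member may `audit_access` it, and neither list says which difference is intended. Either align both to `(not (audit_access execmod mounton))` or put a comment on the ptytermdev rule explaining why its exclusions differ; the serialtermdev hunk later in the series uses the same `(not (execmod mounton))` form and has the same question.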
diff --git a/src/dev/termdev/ptytermdev/loginptytermdev/sysloginptytermdev.cil b/src/dev/termdev/ptytermdev/loginptytermdev/sysloginptytermdev.cil
new file mode 100644
index 0000000..598a925
--- /dev/null
+++ b/src/dev/termdev/ptytermdev/loginptytermdev/sysloginptytermdev.cil
@@ -0,0 +1,29 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in dev.unconfined
+
+ (call .sys.loginptytermdev_all_type_change_ptytermdev (typeattr)))
+
+(in ptytermdev.unconfined
+
+ (call .sys.loginptytermdev_all_type_change_ptytermdev (typeattr)))
+
+(in sys
+
+ (macro devpts_fs_type_transition_ptytermdev ((type ARG1))
+ (call .devpts.fs_type_transition
+ (ARG1 ptytermdev chr_file "*")))
+
+ (macro loginptytermdev_all_type_change_ptytermdev ((type ARG1))
+ (call .loginptytermdev.all_type_change
+ (ARG1 ptytermdev)))
+
+ ;; support for unknown login services
+ (blockinherit .loginptytermdev.template)
+
+ (call devpts_fs_type_transition_ptytermdev (subj)))
+
+(in termdev.unconfined
+
+ (call .sys.loginptytermdev_all_type_change_ptytermdev (typeattr)))
diff --git a/src/dev/termdev/serialtermdev.cil b/src/dev/termdev/serialtermdev.cil
new file mode 100644
index 0000000..7400737
--- /dev/null
+++ b/src/dev/termdev/serialtermdev.cil
@@ -0,0 +1,124 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block serialtermdev
+
+ (macro appendinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr appendinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro readwriteinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr readwriteinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (macro writeinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr writeinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_chr_files)
+
+ (call .termdev.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context serialtermdev_context
+ (.sys.id .sys.role serialtermdev lowlevelrange))
+
+ (type serialtermdev)
+ (call .serialtermdev.type (serialtermdev)))
+
+ (block macro_template_chr_files
+
+ (blockabstract macro_template_chr_files)
+
+ (macro append_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev append_chr_file))
+
+ (macro appendinherited_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev appendinherited_chr_file)
+ (allowx ARG1 serialtermdev FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 serialtermdev IOCTLCONSOLE)
+ (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 serialtermdev IOCTLVT))
+
+ (macro create_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev create_chr_file))
+
+ (macro delete_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev delete_chr_file))
+
+ (macro manage_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev manage_chr_file))
+
+ (macro mapexecute_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev mapexecute_chr_file))
+
+ (macro read_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev read_chr_file))
+
+ (macro readinherited_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev readinherited_chr_file))
+
+ (macro readwrite_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev readwrite_chr_file))
+
+ (macro readwriteinherited_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev readwriteinherited_chr_file)
+ (allowx ARG1 serialtermdev FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 serialtermdev IOCTLCONSOLE)
+ (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 serialtermdev IOCTLVT))
+
+ (macro relabel_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev relabel_chr_file))
+
+ (macro relabelfrom_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev relabelfrom_chr_file))
+
+ (macro relabelto_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev relabelto_chr_file))
+
+ (macro rename_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev rename_chr_file))
+
+ (macro write_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev write_chr_file))
+
+ (macro writeinherited_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev writeinherited_chr_file)
+ (allowx ARG1 serialtermdev FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 serialtermdev IOCTLCONSOLE)
+ (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 serialtermdev IOCTLVT)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .serialtermdev.base_template)
+ (blockinherit .serialtermdev.macro_template_chr_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr serialtermdev.typeattr (chr_file (not (execmod mounton))))))
diff --git a/src/dev/termdev/serialtermdev/acmserialtermdev.cil b/src/dev/termdev/serialtermdev/acmserialtermdev.cil
new file mode 100644
index 0000000..ca8a1cb
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/acmserialtermdev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block acm
+
+ (filecon "/dev/ttyACM[0-9]+" char serialtermdev_context)
+
+ (blockinherit .serialtermdev.template))
diff --git a/src/dev/termdev/serialtermdev/consoleserialtermdev.cil b/src/dev/termdev/serialtermdev/consoleserialtermdev.cil
new file mode 100644
index 0000000..08b2736
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/consoleserialtermdev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block console
+
+ (filecon "/dev/console" char serialtermdev_context)
+
+ (blockinherit .serialtermdev.template))
diff --git a/src/dev/termdev/serialtermdev/loginserialtermdev.cil b/src/dev/termdev/serialtermdev/loginserialtermdev.cil
new file mode 100644
index 0000000..2580dbe
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/loginserialtermdev.cil
@@ -0,0 +1,55 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block loginserialtermdev
+
+ (macro all_type_change ((type ARG1)(type ARG2))
+ (typechange ARG1 typeattr chr_file ARG2))
+
+ (macro appendinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr appendinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro readwriteinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr readwriteinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (macro writeinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr writeinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_chr_files)
+
+ (call .serialtermdev.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .serialtermdev.base_template)
+
+ (call .loginserialtermdev.type (serialtermdev)))
+
+ (block template
+
+ (blockabstract template)
+
+ (macro serialtermdev_type_change ((type ARG1)(type ARG2))
+ (typechange ARG1 serialtermdev chr_file ARG2))
+
+ (blockinherit .loginserialtermdev.base_template)
+ (blockinherit .serialtermdev.macro_template_chr_files)))
diff --git a/src/dev/termdev/serialtermdev/loginserialtermdev/ttyloginserialtermdev.cil b/src/dev/termdev/serialtermdev/loginserialtermdev/ttyloginserialtermdev.cil
new file mode 100644
index 0000000..5919dbe
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/loginserialtermdev/ttyloginserialtermdev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in tty
+
+ (filecon "/dev/tty.+" char serialtermdev_context)
+
+ (blockinherit .loginserialtermdev.template))
diff --git a/src/dev/termdev/serialtermdev/msmserialtermdev.cil b/src/dev/termdev/serialtermdev/msmserialtermdev.cil
new file mode 100644
index 0000000..1f97fbf
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/msmserialtermdev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block msm
+
+ (filecon "/dev/ttyMSM[0-9]+" char serialtermdev_context)
+
+ (blockinherit .serialtermdev.template))
diff --git a/src/dev/termdev/serialtermdev/sysserialtermdev.cil b/src/dev/termdev/serialtermdev/sysserialtermdev.cil
new file mode 100644
index 0000000..751f057
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/sysserialtermdev.cil
@@ -0,0 +1,22 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in dev.unconfined
+
+ (call .sys.loginserialtermdev_all_type_change_serialtermdev (typeattr)))
+
+(in serialtermdev.unconfined
+
+ (call .sys.loginserialtermdev_all_type_change_serialtermdev (typeattr)))
+
+(in sys
+
+ (macro loginserialtermdev_all_type_change_serialtermdev ((type ARG1))
+ (call .loginserialtermdev.all_type_change
+ (ARG1 serialtermdev)))
+
+ (blockinherit .serialtermdev.template))
+
+(in termdev.unconfined
+
+ (call .sys.loginserialtermdev_all_type_change_serialtermdev (typeattr)))
diff --git a/src/dev/termdev/serialtermdev/usbserialtermdev.cil b/src/dev/termdev/serialtermdev/usbserialtermdev.cil
new file mode 100644
index 0000000..e11591e
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/usbserialtermdev.cil
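Review bot: `(filecon "/dev/tty.+" char serialtermdev_context)` in the ttyloginserialtermdev hunk also matches `/dev/ttyACM*`, `/dev/ttyUSB*` and `/dev/ttyMSM*`, which the acm, usb and msm hunks label on their own, plus nodes that are not login terminals at all, such as `/dev/ttyprintk`; which entry wins is decided by the specificity ordering of the generated file_contexts, which the CIL source does not show. If the intent is "every tty not claimed elsewhere becomes a login-capable serial terminal", a comment on the filecon saying exactly that, and a second, narrower filecon if `/dev/ttyprintk` is meant to stay out of the login set, would make this reviewable. The `tty` block that this `(in tty …)` extends is defined outside the hunk, so whatever else it already carries is not visible here.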
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in usb
+
+ (filecon "/dev/ttyUSB[0-9]+" char serialtermdev_context)
+
+ (blockinherit .serialtermdev.template))
diff --git a/src/dev/termdev/serialtermdev/vcsserialtermdev.cil b/src/dev/termdev/serialtermdev/vcsserialtermdev.cil
new file mode 100644
index 0000000..5534907
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/vcsserialtermdev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vcs
+
+ (filecon "/dev/vcs[^/]*" char serialtermdev_context)
+
+ (blockinherit .serialtermdev.template))
diff --git a/src/dev/termdev/serialtermdev/vportserialtermdev.cil b/src/dev/termdev/serialtermdev/vportserialtermdev.cil
new file mode 100644
index 0000000..c998b56
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/vportserialtermdev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vport
+
+ (filecon "/dev/vport[0-9]p[0-9]+" char serialtermdev_context)
+
+ (blockinherit .serialtermdev.template))
|
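Review bot: In the vcs hunk `/dev/vcs[^/]*` puts the virtual-console memory nodes (`/dev/vcs`, `/dev/vcsa*`, `/dev/vcsu*`) under the serial-terminal type, so any domain given read access to `serialtermdev` nodes can also read the screen contents of every virtual console, which is a different capability from reading its own terminal and is the kind of disclosure a separate type would contain. If sharing the type is intended, a comment such as `;; vcs: console screen memory, not a tty; shares the serialtermdev type by design` is warranted; otherwise a dedicated nodedev block for vcs would keep the two apart.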