Diffstat (limited to 'src/fs/noseclabelfs')
23 files changed, 237 insertions, 0 deletions
diff --git a/src/fs/noseclabelfs/aionoseclabelfs.cil b/src/fs/noseclabelfs/aionoseclabelfs.cil
new file mode 100644
index 0000000..b91e583
--- /dev/null
+++ b/src/fs/noseclabelfs/aionoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block aio
+
+ (genfscon "aio" "/" fs_context)
+
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/anoninodenoseclabelfs.cil b/src/fs/noseclabelfs/anoninodenoseclabelfs.cil
new file mode 100644
index 0000000..28f5dec
--- /dev/null
+++ b/src/fs/noseclabelfs/anoninodenoseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block anoninode
+
+ (genfscon "anon_inodefs" "/" fs_context)
+
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/autonoseclabelfs.cil b/src/fs/noseclabelfs/autonoseclabelfs.cil
new file mode 100644
index 0000000..6a0d922
--- /dev/null
+++ b/src/fs/noseclabelfs/autonoseclabelfs.cil
@@ -0,0 +1,14 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block auto
+
+ (genfscon "autofs" "/" fs_context)
+ (genfscon "automount" "/" fs_context)
+
+ (macro getattr_fs_dirs ((type ARG1))
+ (allow ARG1 fs (dir (getattr))))
+
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/bdevnoseclabelfs.cil b/src/fs/noseclabelfs/bdevnoseclabelfs.cil
new file mode 100644
index 0000000..dd622d0
--- /dev/null
+++ b/src/fs/noseclabelfs/bdevnoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block bdev
+
+ (genfscon "bdev" "/" fs_context)
+
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/binfmtmiscnoseclabelfs.cil b/src/fs/noseclabelfs/binfmtmiscnoseclabelfs.cil
new file mode 100644
index 0000000..d81fb3d
--- /dev/null
+++ b/src/fs/noseclabelfs/binfmtmiscnoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block binfmtmisc
+
+ (genfscon "binfmt_misc" "/" fs_context)
+
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/bpfnoseclabelfs.cil b/src/fs/noseclabelfs/bpfnoseclabelfs.cil
new file mode 100644
index 0000000..0a8cf05
--- /dev/null
+++ b/src/fs/noseclabelfs/bpfnoseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block bpf
+
+ (genfscon "bpf" "/" fs_context)
+
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/cinoseclabelfs.cil b/src/fs/noseclabelfs/cinoseclabelfs.cil
new file mode 100644
index 0000000..41d6da8
--- /dev/null
+++ b/src/fs/noseclabelfs/cinoseclabelfs.cil
@@ -0,0 +1,14 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ci
+
+ (genfscon "cifs" "/" fs_context)
+ (genfscon "smbfs" "/" fs_context)
+
+ (macro map_fs_files ((type ARG1))
+ (allow ARG1 fs (file (map))))
+
+ (blockinherit .noseclabelfs.template)
+
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/fs/noseclabelfs/confignoseclabelfs.cil b/src/fs/noseclabelfs/confignoseclabelfs.cil
new file mode 100644
index 0000000..770f183
--- /dev/null
+++ b/src/fs/noseclabelfs/confignoseclabelfs.cil
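Review bot: In cinoseclabelfs.cil the closing `(call .rbacsep.exempt.obj.type (fs))` has no comment saying why this type is taken out of RBAC separation, which, judging by the macro name, relaxes a constraint the rest of the policy enforces. A one-line rationale above the call would help, for example `;; cifs/smbfs content is shared across roles, so fs is exempt from RBAC separation` if that is the intent. The same uncommented call closes the dos, fuse, nfs and selinux blocks in this commit. The selinux one deserves its own stated reason, because selinuxfs is the kernel's SELinux control interface rather than user data.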
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block config
+
+ (genfscon "configfs" "/" fs_context)
+
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/cpusetnoseclabelfs.cil b/src/fs/noseclabelfs/cpusetnoseclabelfs.cil
new file mode 100644
index 0000000..2b68ae6
--- /dev/null
+++ b/src/fs/noseclabelfs/cpusetnoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cpuset
+
+ (genfscon "cpuset" "/" fs_context)
+
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/dosnoseclabelfs.cil b/src/fs/noseclabelfs/dosnoseclabelfs.cil
new file mode 100644
index 0000000..77eecc8
--- /dev/null
+++ b/src/fs/noseclabelfs/dosnoseclabelfs.cil
@@ -0,0 +1,21 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dos
+
+ (genfscon "fat" "/" fs_context)
+ (genfscon "hfs" "/" fs_context)
+ (genfscon "hfsplus" "/" fs_context)
+ (genfscon "msdos" "/" fs_context)
+ (genfscon "ntfs" "/" fs_context)
+ (genfscon "ntfs-3g" "/" fs_context)
+ (genfscon "ntfs3" "/" fs_context)
+ (genfscon "vfat" "/" fs_context)
+ (genfscon "exfat" "/" fs_context)
+
+ (macro map_fs_files ((type ARG1))
+ (allow ARG1 fs (file (map))))
+
+ (blockinherit .noseclabelfs.template)
+
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/fs/noseclabelfs/drmnoseclabelfs.cil b/src/fs/noseclabelfs/drmnoseclabelfs.cil
new file mode 100644
index 0000000..f467da2
--- /dev/null
+++ b/src/fs/noseclabelfs/drmnoseclabelfs.cil
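Review bot: The `dos` block in dosnoseclabelfs.cil gives all nine filesystem types the same `genfscon ... "/" fs_context`, so every FAT, exFAT, NTFS and HFS mount gets one label by default, and nothing in the file says how mounts of different trust are meant to be told apart. The EFI system partition is normally vfat, so without a `context=` mount option it would share a type with any removable vfat or exfat volume, and a rule written for one would apply to the other. If the `removable` block added in this commit is the intended label for untrusted media, a comment such as `;; default label only; mount removable media with context= (see removable)` would record that. The same comment could mention that the block also covers hfs and hfsplus, which the name `dos` does not suggest.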
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block drm
+
+ (genfscon "drm" "/" fs_context)
+
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/efivarnoseclabelfs.cil b/src/fs/noseclabelfs/efivarnoseclabelfs.cil
new file mode 100644
index 0000000..45141a4
--- /dev/null
+++ b/src/fs/noseclabelfs/efivarnoseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block efivar
+
+ (genfscon "efivarfs" "/" fs_context)
+
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/fusenoseclabelfs.cil b/src/fs/noseclabelfs/fusenoseclabelfs.cil
new file mode 100644
index 0000000..b2ac9fc
--- /dev/null
+++ b/src/fs/noseclabelfs/fusenoseclabelfs.cil
@@ -0,0 +1,16 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in fuse
+
+ (genfscon "fuse" "/" fs_context)
+ (genfscon "fuseblk" "/" fs_context)
+ (genfscon "fusectl" "/" fs_context)
+
+ (macro map_fs_files ((type ARG1))
+ (allow ARG1 fs (file (map))))
+
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .noseclabelfs.template)
+
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/fs/noseclabelfs/iso9660noseclabelfs.cil b/src/fs/noseclabelfs/iso9660noseclabelfs.cil
new file mode 100644
index 0000000..eac7922
--- /dev/null
+++ b/src/fs/noseclabelfs/iso9660noseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block iso9660
+
+ (genfscon "iso9660" "/" fs_context)
+
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/nfsdnoseclabelfs.cil b/src/fs/noseclabelfs/nfsdnoseclabelfs.cil
new file mode 100644
index 0000000..fc0fc01
--- /dev/null
+++ b/src/fs/noseclabelfs/nfsdnoseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block nfsd
+
+ (genfscon "nfsd" "/" fs_context)
+
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/nfsnoseclabelfs.cil b/src/fs/noseclabelfs/nfsnoseclabelfs.cil
new file mode 100644
index 0000000..c8a1f7e
--- /dev/null
+++ b/src/fs/noseclabelfs/nfsnoseclabelfs.cil
@@ -0,0 +1,18 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block nfs
+
+ (genfscon "afs" "/" fs_context)
+ (genfscon "nfs" "/" fs_context)
+ (genfscon "nfs4" "/" fs_context)
+
+ (macro map_fs_files ((type ARG1))
+ (allow ARG1 fs (file (map))))
+
+ (blockinherit .fs.macro_template_fifo_files)
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .fs.macro_template_sock_files)
+ (blockinherit .noseclabelfs.template)
+
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/fs/noseclabelfs/nsnoseclabelfs.cil b/src/fs/noseclabelfs/nsnoseclabelfs.cil
new file mode 100644
index 0000000..59938c1
--- /dev/null
+++ b/src/fs/noseclabelfs/nsnoseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ns
+
+ (genfscon "nsfs" "/" fs_context)
+
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/procnoseclabelfs.cil b/src/fs/noseclabelfs/procnoseclabelfs.cil
new file mode 100644
index 0000000..f9711c2
--- /dev/null
+++ b/src/fs/noseclabelfs/procnoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block proc
+
+ (genfscon "proc" "/" fs_context)
+
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .noseclabelfs.template))
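Review bot: procnoseclabelfs.cil labels only the root of proc, `(genfscon "proc" "/" fs_context)`, and the hunk gives no pointer to where narrower entries are declared. This diffstat is limited to src/fs/noseclabelfs, so I cannot tell whether partial-path genfscon statements for proc exist elsewhere in the policy. If they do not, /proc/kcore, /proc/kmsg and /proc/sys would carry the same type as the rest of proc, such as /proc/cpuinfo, and access to them could not be granted separately. A comment such as `;; catch-all label; sensitive proc paths are labelled in <file to be named>` would make the split visible to the next reader.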
diff --git a/src/fs/noseclabelfs/removablenoseclabelfs.cil b/src/fs/noseclabelfs/removablenoseclabelfs.cil
new file mode 100644
index 0000000..95a7e34
--- /dev/null
+++ b/src/fs/noseclabelfs/removablenoseclabelfs.cil
@@ -0,0 +1,6 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in removable
+
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/rpcpipenoseclabelfs.cil b/src/fs/noseclabelfs/rpcpipenoseclabelfs.cil
new file mode 100644
index 0000000..50db012
--- /dev/null
+++ b/src/fs/noseclabelfs/rpcpipenoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block rpcpipe
+
+ (genfscon "rpc_pipefs" "/" fs_context)
+
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/securitynoseclabelfs.cil b/src/fs/noseclabelfs/securitynoseclabelfs.cil
new file mode 100644
index 0000000..a23e94b
--- /dev/null
+++ b/src/fs/noseclabelfs/securitynoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block security
+
+ (genfscon "securityfs" "/" fs_context)
+
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/selinuxnoseclabelfs.cil b/src/fs/noseclabelfs/selinuxnoseclabelfs.cil
new file mode 100644
index 0000000..d0c7063
--- /dev/null
+++ b/src/fs/noseclabelfs/selinuxnoseclabelfs.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in selinux
+
+ (genfscon "selinuxfs" "/" fs_context)
+
+ (blockinherit .noseclabelfs.template)
+
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/fs/noseclabelfs/udfnoseclabelfs.cil b/src/fs/noseclabelfs/udfnoseclabelfs.cil
new file mode 100644
index 0000000..61c8ec2
--- /dev/null
+++ b/src/fs/noseclabelfs/udfnoseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block udf
+
+ (genfscon "udf" "/" fs_context)
+
+ (blockinherit .noseclabelfs.template))
|