Diffstat (limited to 'src/net')
-rw-r--r-- | src/net/ibnet.cil | 10 | ||||
-rw-r--r-- | src/net/ibnet/endportibnet.cil | 62 | ||||
-rw-r--r-- | src/net/ibnet/pkeyibnet.cil | 62 | ||||
-rw-r--r-- | src/net/netifnet.cil | 86 | ||||
-rw-r--r-- | src/net/nodenet.cil | 150 | ||||
-rw-r--r-- | src/net/packetnet.cil | 162 | ||||
-rw-r--r-- | src/net/peernet.cil | 90 | ||||
-rw-r--r-- | src/net/portnet.cil | 130 | ||||
-rw-r--r-- | src/net/portnet/ephemeralportnet.cil | 38 | ||||
-rw-r--r-- | src/net/portnet/reservedportnet.cil | 38 | ||||
-rw-r--r-- | src/net/portnet/unreservedportnet.cil | 46 | ||||
-rw-r--r-- | src/net/spdnet.cil | 114 |
12 files changed, 494 insertions, 494 deletions
diff --git a/src/net/ibnet.cil b/src/net/ibnet.cil index cda4939..9bef422 100644 --- a/src/net/ibnet.cil +++ b/src/net/ibnet.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in net @@ -7,9 +7,9 @@ (block ib - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)))) + (typeattribute typeattr)))) diff --git a/src/net/ibnet/endportibnet.cil b/src/net/ibnet/endportibnet.cil index d942909..031f9b9 100644 --- a/src/net/ibnet/endportibnet.cil +++ b/src/net/ibnet/endportibnet.cil @@ -1,11 +1,11 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class infiniband_endport (manage_subnet)) (classorder (unordered infiniband_endport)) (macro managesubnet_invalid_endports ((type ARG1)) - (allow ARG1 invalid (infiniband_endport (manage_subnet)))) + (allow ARG1 invalid (infiniband_endport (manage_subnet)))) (in invalid.unconfined @@ -14,8 +14,8 @@ (in mcs (mlsconstrain (infiniband_endport (manage_subnet)) - (or (dom h1 h2) - (neq t1 constrained.typeattr)))) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) (in net.ib 
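Review bot: The new SPDX-FileCopyrightText line in the `@@ -1,4 +1,4 @@` hunk of ibnet.cil replaces `©` with the literal ASCII text `M-BM-)`, which is exactly what `cat -v` prints for the UTF-8 bytes C2 A9, so the copyright symbol was corrupted rather than re-encoded, most likely by a `-v`-style tool in the re-indent pipeline. The line should read `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`. The rest of the hunk appears to be indentation-only, but the exact whitespace is not recoverable from this rendering, so please confirm the tab/space conversion is what was intended before merging. A pipeline that rewrites non-ASCII bytes this way would also damage any non-comment text it touched, so it is worth re-running the reindent with the tool fixed.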
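Review bot: Same header corruption in endportibnet.cil's `@@ -1,11 +1,11 @@` hunk: the added first line carries `M-BM-)` where the removed line had `©`, so the REUSE copyright notice now contains a `cat -v` escape sequence instead of the character. Restore it as `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`. The only other content of this hunk is the re-indent of `managesubnet_invalid_endports`, so the whitespace change should land with the header byte-identical to the old side.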
@@ -23,53 +23,53 @@ (block endport - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro managesubnet_all_endports ((type ARG1)) - (allow ARG1 typeattr (infiniband_endport (manage_subnet))))) + (macro managesubnet_all_endports ((type ARG1)) + (allow ARG1 typeattr (infiniband_endport (manage_subnet))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context endport_context (.sys.id .sys.role endport .sys.lowlow)) + (context endport_context (.sys.id .sys.role endport .sys.lowlow)) - (type endport) - (call .net.ib.endport.type (endport))) + (type endport) + (call .net.ib.endport.type (endport))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro managesubnet_endports ((type ARG1)) - (allow ARG1 endport (infiniband_endport (manage_subnet))))) + (macro managesubnet_endports ((type ARG1)) + (allow ARG1 endport (infiniband_endport (manage_subnet))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.ib.endport.base_template) - (blockinherit .net.ib.endport.macro_template)) + (blockinherit .net.ib.endport.base_template) + (blockinherit .net.ib.endport.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr endport.typeattr (infiniband_endport (all)))))) + (allow typeattr endport.typeattr 
(infiniband_endport (all)))))) (in net.ib.unconfined diff --git a/src/net/ibnet/pkeyibnet.cil b/src/net/ibnet/pkeyibnet.cil index 4908076..27d38c8 100644 --- a/src/net/ibnet/pkeyibnet.cil +++ b/src/net/ibnet/pkeyibnet.cil @@ -1,11 +1,11 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class infiniband_pkey (access)) (classorder (unordered infiniband_pkey)) (macro access_invalid_pkeys ((type ARG1)) - (allow ARG1 invalid (infiniband_pkey (access)))) + (allow ARG1 invalid (infiniband_pkey (access)))) (in invalid.unconfined @@ -14,8 +14,8 @@ (in mcs (mlsconstrain (infiniband_pkey (access)) - (or (dom h1 h2) - (neq t1 constrained.typeattr)))) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) (in net.ib 
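Review bot: In pkeyibnet.cil the `@@ -1,11 +1,11 @@` hunk's new copyright line reads `M-BM-)` in place of `©`; that string is the `cat -v` rendering of the UTF-8 copyright sign, not a deliberate ASCII fallback, so the file header has been mangled. Replace the added line with `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`. The re-indent of `access_invalid_pkeys` in the same hunk looks fine as far as this rendering shows.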
@@ -23,53 +23,53 @@ (block pkey - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro access_all_pkeys ((type ARG1)) - (allow ARG1 typeattr (infiniband_pkey (access))))) + (macro access_all_pkeys ((type ARG1)) + (allow ARG1 typeattr (infiniband_pkey (access))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context pkey_context (.sys.id .sys.role pkey .sys.lowlow)) + (context pkey_context (.sys.id .sys.role pkey .sys.lowlow)) - (type pkey) - (call .net.ib.pkey.type (pkey))) + (type pkey) + (call .net.ib.pkey.type (pkey))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro access_pkeys ((type ARG1)) - (allow ARG1 pkey (infiniband_pkey (access))))) + (macro access_pkeys ((type ARG1)) + (allow ARG1 pkey (infiniband_pkey (access))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.ib.pkey.base_template) - (blockinherit .net.ib.pkey.macro_template)) + (blockinherit .net.ib.pkey.base_template) + (blockinherit .net.ib.pkey.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr pkey.typeattr (infiniband_pkey (all)))))) + (allow typeattr pkey.typeattr (infiniband_pkey (all)))))) (in net.ib.unconfined diff --git a/src/net/netifnet.cil b/src/net/netifnet.cil index af818e1..2a24282 100644 
--- a/src/net/netifnet.cil +++ b/src/net/netifnet.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (sidcontext netif (sys.id sys.role net.netif sys.lowlow)) @@ -7,18 +7,18 @@ (classorder (unordered netif)) (macro egress_invalid_netifs ((type ARG1)) - (allow ARG1 invalid (netif (egress)))) + (allow ARG1 invalid (netif (egress)))) (macro egressingress_invalid_netifs ((type ARG1)) - (allow ARG1 invalid (netif (egress ingress)))) + (allow ARG1 invalid (netif (egress ingress)))) (macro ingress_invalid_netifs ((type ARG1)) - (allow ARG1 invalid (netif (ingress)))) + (allow ARG1 invalid (netif (ingress)))) (tunableif (or invalid_associations invalid_peers) - (true + (true - (call net.netif.egressingress_all_netifs (invalid)))) + (call net.netif.egressingress_all_netifs (invalid)))) (in invalid.unconfined @@ -27,8 +27,8 @@ (in mcs (mlsconstrain (netif (egress ingress)) - (or (dom h1 h2) - (neq t1 constrained.typeattr)))) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) (in net 
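Review bot: The `@@ -1,4 +1,4 @@` hunk of netifnet.cil writes `M-BM-)` into the SPDX-FileCopyrightText line where the old side had `©`, which is the byte-escape form a `-v` display option produces for C2 A9; the intended character was lost when the file was regenerated. The line should be `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`. If the same tool produced the whitespace hunks that follow, a quick `grep -rn 'M-' src/` across the tree would confirm no other non-ASCII text was rewritten.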
@@ -36,65 +36,65 @@ (block netif - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro egress_all_netifs ((type ARG1)) - (allow ARG1 typeattr (netif (egress)))) + (macro egress_all_netifs ((type ARG1)) + (allow ARG1 typeattr (netif (egress)))) - (macro egressingress_all_netifs ((type ARG1)) - (allow ARG1 typeattr (netif (egress ingress)))) + (macro egressingress_all_netifs ((type ARG1)) + (allow ARG1 typeattr (netif (egress ingress)))) - (macro ingress_all_netifs ((type ARG1)) - (allow ARG1 typeattr (netif (ingress))))) + (macro ingress_all_netifs ((type ARG1)) + (allow ARG1 typeattr (netif (ingress))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context netif_context (.sys.id .sys.role netif .sys.lowlow)) + (context netif_context (.sys.id .sys.role netif .sys.lowlow)) - (type netif) - (call .net.netif.type (netif))) + (type netif) + (call .net.netif.type (netif))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro egress_netifs ((type ARG1)) - (allow ARG1 netif (netif (egress)))) + (macro egress_netifs ((type ARG1)) + (allow ARG1 netif (netif (egress)))) - (macro egressingress_netifs ((type ARG1)) - (allow ARG1 netif (netif (egress ingress)))) + (macro egressingress_netifs ((type ARG1)) + (allow ARG1 netif (netif (egress ingress)))) - (macro ingress_netifs ((type ARG1)) - (allow ARG1 netif (netif (ingress))))) + (macro ingress_netifs ((type ARG1)) + (allow ARG1 netif (netif (ingress))))) - (block template + (block template - 
(blockabstract template) + (blockabstract template) - (blockinherit .net.netif.base_template) - (blockinherit .net.netif.macro_template)) + (blockinherit .net.netif.base_template) + (blockinherit .net.netif.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr netif.typeattr (netif (all)))))) + (allow typeattr netif.typeattr (netif (all)))))) (in net.unconfined diff --git a/src/net/nodenet.cil b/src/net/nodenet.cil index 2f1fc55..dec1baa 100644 --- a/src/net/nodenet.cil +++ b/src/net/nodenet.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (sidcontext node (sys.id sys.role net.netnode sys.lowlow)) @@ -7,18 +7,18 @@ (classorder (unordered node)) (macro recvfrom_invalid_nodes ((type ARG1)) - (allow ARG1 invalid (node (recvfrom)))) + (allow ARG1 invalid (node (recvfrom)))) (macro recvfromsendto_invalid_nodes ((type ARG1)) - (allow ARG1 invalid (node (recvfrom sendto)))) + (allow ARG1 invalid (node (recvfrom sendto)))) (macro sendto_invalid_nodes ((type ARG1)) - (allow ARG1 invalid (node (sendto)))) + (allow ARG1 invalid (node (sendto)))) (tunableif (or invalid_associations invalid_peers) - (true + (true - (call net.netnode.recvfromsendto_all_nodes (invalid)))) + (call net.netnode.recvfromsendto_all_nodes (invalid)))) (in invalid.unconfined @@ -27,10 +27,10 @@ (in mcs (mlsconstrain (node (recvfrom sendto)) - (or (dom h1 h2) - (and - (neq t1 constrained.typeattr) - (neq t2 constrained.typeattr))))) + (or (dom h1 h2) + (and + (neq t1 constrained.typeattr) + (neq t2 constrained.typeattr))))) (in net 
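Review bot: nodenet.cil's `@@ -1,4 +1,4 @@` hunk has the same defect as the other headers in this change: `©` on the removed line becomes the literal text `M-BM-)` on the added line, a `cat -v` escape rather than a character. Restore `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>` so the REUSE copyright notice stays intact. The surrounding hunks only re-indent and need no change beyond keeping the header byte-identical.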
@@ -38,107 +38,107 @@ (block netnode - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro nodebind_all_dccp_sockets ((type ARG1)) - (allow ARG1 typeattr (dccp_socket (node_bind)))) + (macro nodebind_all_dccp_sockets ((type ARG1)) + (allow ARG1 typeattr (dccp_socket (node_bind)))) - (macro nodebind_all_icmp_sockets ((type ARG1)) - (allow ARG1 typeattr (icmp_socket (node_bind)))) + (macro nodebind_all_icmp_sockets ((type ARG1)) + (allow ARG1 typeattr (icmp_socket (node_bind)))) - (macro nodebind_all_rawip_sockets ((type ARG1)) - (allow ARG1 typeattr (rawip_socket (node_bind)))) + (macro nodebind_all_rawip_sockets ((type ARG1)) + (allow ARG1 typeattr (rawip_socket (node_bind)))) - (macro nodebind_all_sctp_sockets ((type ARG1)) - (allow ARG1 typeattr (sctp_socket (node_bind)))) + (macro nodebind_all_sctp_sockets ((type ARG1)) + (allow ARG1 typeattr (sctp_socket (node_bind)))) - (macro nodebind_all_tcp_sockets ((type ARG1)) - (allow ARG1 typeattr (tcp_socket (node_bind)))) + (macro nodebind_all_tcp_sockets ((type ARG1)) + (allow ARG1 typeattr (tcp_socket (node_bind)))) - (macro nodebind_all_udp_sockets ((type ARG1)) - (allow ARG1 typeattr (udp_socket (node_bind)))) + (macro nodebind_all_udp_sockets ((type ARG1)) + (allow ARG1 typeattr (udp_socket (node_bind)))) - (macro recvfrom_all_nodes ((type ARG1)) - (allow ARG1 typeattr (node (recvfrom)))) + (macro recvfrom_all_nodes ((type ARG1)) + (allow ARG1 typeattr (node (recvfrom)))) - (macro recvfromsendto_all_nodes ((type ARG1)) - (allow ARG1 typeattr (node (recvfrom sendto)))) + (macro recvfromsendto_all_nodes ((type ARG1)) + 
(allow ARG1 typeattr (node (recvfrom sendto)))) - (macro sendto_all_nodes ((type ARG1)) - (allow ARG1 typeattr (node (sendto))))) + (macro sendto_all_nodes ((type ARG1)) + (allow ARG1 typeattr (node (sendto))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context netnode_context (.sys.id .sys.role netnode .sys.lowlow)) + (context netnode_context (.sys.id .sys.role netnode .sys.lowlow)) - (type netnode) - (call .net.netnode.type (netnode))) + (type netnode) + (call .net.netnode.type (netnode))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro nodebind_netnode_dccp_sockets ((type ARG1)) - (allow ARG1 netnode (dccp_socket (node_bind)))) + (macro nodebind_netnode_dccp_sockets ((type ARG1)) + (allow ARG1 netnode (dccp_socket (node_bind)))) - (macro nodebind_netnode_icmp_sockets ((type ARG1)) - (allow ARG1 netnode (icmp_socket (node_bind)))) + (macro nodebind_netnode_icmp_sockets ((type ARG1)) + (allow ARG1 netnode (icmp_socket (node_bind)))) - (macro nodebind_netnode_rawip_sockets ((type ARG1)) - (allow ARG1 netnode (rawip_socket (node_bind)))) + (macro nodebind_netnode_rawip_sockets ((type ARG1)) + (allow ARG1 netnode (rawip_socket (node_bind)))) - (macro nodebind_netnode_sctp_sockets ((type ARG1)) - (allow ARG1 netnode (sctp_socket (node_bind)))) + (macro nodebind_netnode_sctp_sockets ((type ARG1)) + (allow ARG1 netnode (sctp_socket (node_bind)))) - (macro nodebind_netnode_tcp_sockets ((type ARG1)) - (allow ARG1 netnode (tcp_socket (node_bind)))) + (macro nodebind_netnode_tcp_sockets ((type ARG1)) + (allow ARG1 netnode (tcp_socket (node_bind)))) - (macro nodebind_netnode_udp_sockets ((type ARG1)) - (allow ARG1 netnode (udp_socket (node_bind)))) + (macro nodebind_netnode_udp_sockets ((type ARG1)) + (allow ARG1 netnode (udp_socket (node_bind)))) - (macro recvfrom_nodes ((type ARG1)) - (allow ARG1 netnode (node (recvfrom)))) + 
(macro recvfrom_nodes ((type ARG1)) + (allow ARG1 netnode (node (recvfrom)))) - (macro recvfromsendto_nodes ((type ARG1)) - (allow ARG1 netnode (node (recvfrom sendto)))) + (macro recvfromsendto_nodes ((type ARG1)) + (allow ARG1 netnode (node (recvfrom sendto)))) - (macro sendto_nodes ((type ARG1)) - (allow ARG1 netnode (node (sendto))))) + (macro sendto_nodes ((type ARG1)) + (allow ARG1 netnode (node (sendto))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.netnode.base_template) - (blockinherit .net.netnode.macro_template)) + (blockinherit .net.netnode.base_template) + (blockinherit .net.netnode.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr netnode.typeattr (dccp_socket (node_bind))) - (allow typeattr netnode.typeattr (icmp_socket (node_bind))) - (allow typeattr netnode.typeattr (node (all))) - (allow typeattr netnode.typeattr (rawip_socket (node_bind))) - (allow typeattr netnode.typeattr (sctp_socket (node_bind))) - (allow typeattr netnode.typeattr (tcp_socket (node_bind))) - (allow typeattr netnode.typeattr (udp_socket (node_bind)))))) + (allow typeattr netnode.typeattr (dccp_socket (node_bind))) + (allow typeattr netnode.typeattr (icmp_socket (node_bind))) + (allow typeattr netnode.typeattr (node (all))) + (allow typeattr netnode.typeattr (rawip_socket (node_bind))) + (allow typeattr netnode.typeattr (sctp_socket (node_bind))) + (allow typeattr netnode.typeattr (tcp_socket (node_bind))) + (allow typeattr netnode.typeattr (udp_socket (node_bind)))))) (in net.unconfined diff --git a/src/net/packetnet.cil b/src/net/packetnet.cil index afb0225..89f2d37 100644 --- a/src/net/packetnet.cil +++ b/src/net/packetnet.cil 
@@ -1,50 +1,50 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class packet (forward_in forward_out recv relabelto send)) (classorder (unordered packet)) (macro forward_invalid_packets ((type ARG1)) - (allow ARG1 invalid (packet (forward_in forward_out)))) + (allow ARG1 invalid (packet (forward_in forward_out)))) (macro forwardin_invalid_packets ((type ARG1)) - (allow ARG1 invalid (packet (forward_in)))) + (allow ARG1 invalid (packet (forward_in)))) (macro forwardout_invalid_packets ((type ARG1)) - (allow ARG1 invalid (packet (forward_out)))) + (allow ARG1 invalid (packet (forward_out)))) (macro recv_invalid_packets ((type ARG1)) - (allow ARG1 invalid (packet (recv)))) + (allow ARG1 invalid (packet (recv)))) (macro recvsend_invalid_packets ((type ARG1)) - (allow ARG1 invalid (packet (recv send)))) + (allow ARG1 invalid (packet (recv send)))) (macro relabelto_invalid_packets ((type ARG1)) - (allow ARG1 invalid (packet (relabelto)))) + (allow ARG1 invalid (packet (relabelto)))) (macro send_invalid_packets ((type ARG1)) - (allow ARG1 invalid (packet (send)))) + (allow ARG1 invalid (packet (send)))) (tunableif invalid_packets - (true + (true - (call forward_invalid_packets (invalidpackets.except.typeattr)) - (call recvsend_invalid_packets (invalidpackets.except.typeattr)))) + (call forward_invalid_packets (invalidpackets.except.typeattr)) + (call recvsend_invalid_packets (invalidpackets.except.typeattr)))) (tunableif (or invalid_associations invalid_peers) - (true + (true - (call forward_invalid_packets (invalid)) + (call forward_invalid_packets (invalid)) - (call net.packet.forward_all_packets (invalid)))) + (call net.packet.forward_all_packets (invalid)))) (in ibac (constrain (packet (relabelto)) - (or (or (or (eq u1 u2) - (and (eq t1 objchangesys.typeattr) (eq u2 .sys.id))) - (eq t1 objchange.typeattr)) - (eq t1 
exempt.typeattr)))) + (or (or (or (eq u1 u2) + (and (eq t1 objchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr)))) (in invalid.unconfined @@ -53,23 +53,23 @@ (in mcs (mlsconstrain (packet (relabelto)) - (or (neq t1 constrained.typeattr) - (and (dom h1 h2) (eq l2 h2)))) + (or (neq t1 constrained.typeattr) + (and (dom h1 h2) (eq l2 h2)))) (mlsconstrain (packet (forward_in forward_out send recv)) - (or (dom h1 h2) - (and - (neq t1 constrained.typeattr) - (neq t2 constrained.typeattr))))) + (or (dom h1 h2) + (and + (neq t1 constrained.typeattr) + (neq t2 constrained.typeattr))))) (in rbac (constrain (packet (relabelto)) - (or (or (or (eq r1 r2) - (and (eq t1 objchangesys.typeattr) - (eq r2 .sys.role))) - (eq t1 objchange.typeattr)) - (eq t1 exempt.typeattr)))) + (or (or (or (eq r1 r2) + (and (eq t1 objchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr)))) (in net 
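Review bot: The first line added by packetnet.cil's `@@ -1,50 +1,50 @@` hunk turns `©` into `M-BM-)`, the `cat -v` spelling of the UTF-8 copyright sign, so the header is corrupted rather than converted. It should read `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`. Everything else in this hunk — the `*_invalid_packets` macros, the two `tunableif` blocks and the `ibac` constrain — appears to be a pure re-indent, and since the rendering collapses whitespace I cannot verify the new indentation, so please double-check it compiles with secilc before merging.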
@@ -77,91 +77,91 @@ (block packet - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .mcs.constrained.type (typeattr)) + (call .mcs.constrained.type (typeattr)) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro forward_all_packets ((type ARG1)) - (allow ARG1 typeattr (packet (forward_in forward_out)))) + (macro forward_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (forward_in forward_out)))) - (macro forwardin_all_packets ((type ARG1)) - (allow ARG1 typeattr (packet (forward_in)))) + (macro forwardin_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (forward_in)))) - (macro forwardout_all_packets ((type ARG1)) - (allow ARG1 typeattr (packet (forward_out)))) + (macro forwardout_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (forward_out)))) - (macro recv_all_packets ((type ARG1)) - (allow ARG1 typeattr (packet (recv)))) + (macro recv_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (recv)))) - (macro recvsend_all_packets ((type ARG1)) - (allow ARG1 typeattr (packet (recv send)))) + (macro recvsend_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (recv send)))) - (macro relabelto_all_packets ((type ARG1)) - (allow ARG1 typeattr (packet (relabelto)))) + (macro relabelto_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (relabelto)))) - (macro send_all_packets ((type ARG1)) - (allow ARG1 typeattr (packet (send))))) + (macro send_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (send))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context packet_context (.sys.id .sys.role packet 
.sys.lowlow)) + (context packet_context (.sys.id .sys.role packet .sys.lowlow)) - (type packet) - (call .net.packet.type (packet))) + (type packet) + (call .net.packet.type (packet))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro forward_packets ((type ARG1)) - (allow ARG1 packet (packet (forward_in forward_out)))) + (macro forward_packets ((type ARG1)) + (allow ARG1 packet (packet (forward_in forward_out)))) - (macro forwardin_packets ((type ARG1)) - (allow ARG1 packet (packet (forward_in)))) + (macro forwardin_packets ((type ARG1)) + (allow ARG1 packet (packet (forward_in)))) - (macro forwardout_packets ((type ARG1)) - (allow ARG1 packet (packet (forward_out)))) + (macro forwardout_packets ((type ARG1)) + (allow ARG1 packet (packet (forward_out)))) - (macro recv_packets ((type ARG1)) - (allow ARG1 packet (packet (recv)))) + (macro recv_packets ((type ARG1)) + (allow ARG1 packet (packet (recv)))) - (macro recvsend_packets ((type ARG1)) - (allow ARG1 packet (packet (recv send)))) + (macro recvsend_packets ((type ARG1)) + (allow ARG1 packet (packet (recv send)))) - (macro relabelto_packets ((type ARG1)) - (allow ARG1 packet (packet (relabelto)))) + (macro relabelto_packets ((type ARG1)) + (allow ARG1 packet (packet (relabelto)))) - (macro send_packets ((type ARG1)) - (allow ARG1 packet (packet (send))))) + (macro send_packets ((type ARG1)) + (allow ARG1 packet (packet (send))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.packet.base_template) - (blockinherit .net.packet.macro_template)) + (blockinherit .net.packet.base_template) + (blockinherit .net.packet.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr packet.typeattr 
(packet (all)))))) + (allow typeattr packet.typeattr (packet (all)))))) (in net.unconfined diff --git a/src/net/peernet.cil b/src/net/peernet.cil index f3f3564..d0ad803 100644 --- a/src/net/peernet.cil +++ b/src/net/peernet.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (sidcontext netmsg (sys.id sys.role net.peer sys.lowlow)) @@ -7,14 +7,14 @@ (classorder (unordered peer)) (macro recv_invalid_peers ((type ARG1)) - (allow ARG1 invalid (peer (recv)))) + (allow ARG1 invalid (peer (recv)))) (tunableif invalid_peers - (true + (true - (call association_invalid_sctp_sockets - (invalidpeers.except.typeattr)) - (call recv_invalid_peers (invalidpeers.except.typeattr)))) + (call association_invalid_sctp_sockets + (invalidpeers.except.typeattr)) + (call recv_invalid_peers (invalidpeers.except.typeattr)))) (in invalid.unconfined @@ -23,10 +23,10 @@ (in mcs (mlsconstrain (peer (recv)) - (or (dom h1 h2) - (and - (neq t1 constrained.typeattr) - (neq t2 constrained.typeattr))))) + (or (dom h1 h2) + (and + (neq t1 constrained.typeattr) + (neq t2 constrained.typeattr))))) (in net 
@@ -34,62 +34,62 @@ (block peer - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .mcs.constrained.type (typeattr)) + (call .mcs.constrained.type (typeattr)) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro recv_all_peers ((type ARG1)) - (allow ARG1 typeattr (peer (recv)))) + (macro recv_all_peers ((type ARG1)) + (allow ARG1 typeattr (peer (recv)))) - (macro association_all_sctp_sockets ((type ARG1)) - (allow ARG1 typeattr (sctp_socket (association))))) + (macro association_all_sctp_sockets ((type ARG1)) + (allow ARG1 typeattr (sctp_socket (association))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context peer_context (.sys.id .sys.role peer .sys.lowlow)) + (context peer_context (.sys.id .sys.role peer .sys.lowlow)) - (type peer) - (call .net.peer.type (peer))) + (type peer) + (call .net.peer.type (peer))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro recv_peers ((type ARG1)) - (allow ARG1 peer (peer (recv)))) + (macro recv_peers ((type ARG1)) + (allow ARG1 peer (peer (recv)))) - (macro association_peer_sctp_sockets ((type ARG1)) - (allow ARG1 peer (sctp_socket (association))))) + (macro association_peer_sctp_sockets ((type ARG1)) + (allow ARG1 peer (sctp_socket (association))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.peer.base_template) - (blockinherit .net.peer.macro_template)) + (blockinherit .net.peer.base_template) + (blockinherit .net.peer.macro_template)) - (block unconfined + (block 
unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr peer.typeattr (peer (all))) - (allow typeattr peer.typeattr (sctp_socket (association)))))) + (allow typeattr peer.typeattr (peer (all))) + (allow typeattr peer.typeattr (sctp_socket (association)))))) (in net.unconfined @@ -98,12 +98,12 @@ (in subj (macro recv_all_peers ((type ARG1)) - (allow ARG1 typeattr (peer (recv))))) + (allow ARG1 typeattr (peer (recv))))) (in subj.macro_template (macro recv_subj_peers ((type ARG1)) - (allow ARG1 subj (peer (recv))))) + (allow ARG1 subj (peer (recv))))) (in subj.unconfined diff --git a/src/net/portnet.cil b/src/net/portnet.cil index 8547217..e1ea2b1 100644 --- a/src/net/portnet.cil +++ b/src/net/portnet.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (sidcontext port (sys.id sys.role net.port sys.lowlow)) 
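Review bot: In portnet.cil the `@@ -1,4 +1,4 @@` hunk again substitutes `M-BM-)` for `©` on the added SPDX-FileCopyrightText line, i.e. the `cat -v` escape of the UTF-8 copyright sign rather than the character itself. The line should be `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`. Given that all twelve files in this diffstat show the identical substitution, the fix belongs in the reindent script rather than in per-file edits, and the series should be regenerated from it.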
@@ -9,106 +9,106 @@ (block port - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro namebind_all_dccp_sockets ((type ARG1)) - (allow ARG1 typeattr (dccp_socket (name_bind)))) + (macro namebind_all_dccp_sockets ((type ARG1)) + (allow ARG1 typeattr (dccp_socket (name_bind)))) - (macro namebind_all_icmp_sockets ((type ARG1)) - (allow ARG1 typeattr (icmp_socket (name_bind)))) + (macro namebind_all_icmp_sockets ((type ARG1)) + (allow ARG1 typeattr (icmp_socket (name_bind)))) - (macro namebind_all_rawip_sockets ((type ARG1)) - (allow ARG1 typeattr (rawip_socket (name_bind)))) + (macro namebind_all_rawip_sockets ((type ARG1)) + (allow ARG1 typeattr (rawip_socket (name_bind)))) - (macro namebind_all_sctp_sockets ((type ARG1)) - (allow ARG1 typeattr (sctp_socket (name_bind)))) + (macro namebind_all_sctp_sockets ((type ARG1)) + (allow ARG1 typeattr (sctp_socket (name_bind)))) - (macro namebind_all_tcp_sockets ((type ARG1)) - (allow ARG1 typeattr (tcp_socket (name_bind)))) + (macro namebind_all_tcp_sockets ((type ARG1)) + (allow ARG1 typeattr (tcp_socket (name_bind)))) - (macro namebind_all_udp_sockets ((type ARG1)) - (allow ARG1 typeattr (udp_socket (name_bind)))) + (macro namebind_all_udp_sockets ((type ARG1)) + (allow ARG1 typeattr (udp_socket (name_bind)))) - (macro nameconnect_all_dccp_sockets ((type ARG1)) - (allow ARG1 typeattr (dccp_socket (name_connect)))) + (macro nameconnect_all_dccp_sockets ((type ARG1)) + (allow ARG1 typeattr (dccp_socket (name_connect)))) - (macro nameconnect_all_sctp_sockets ((type ARG1)) - (allow ARG1 typeattr (sctp_socket (name_connect)))) + (macro 
nameconnect_all_sctp_sockets ((type ARG1)) + (allow ARG1 typeattr (sctp_socket (name_connect)))) - (macro nameconnect_all_tcp_sockets ((type ARG1)) - (allow ARG1 typeattr (tcp_socket (name_connect))))) + (macro nameconnect_all_tcp_sockets ((type ARG1)) + (allow ARG1 typeattr (tcp_socket (name_connect))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context port_context (.sys.id .sys.role port .sys.lowlow)) + (context port_context (.sys.id .sys.role port .sys.lowlow)) - (type port) - (call .net.port.type (port))) + (type port) + (call .net.port.type (port))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro namebind_port_dccp_sockets ((type ARG1)) - (allow ARG1 port (dccp_socket (name_bind)))) + (macro namebind_port_dccp_sockets ((type ARG1)) + (allow ARG1 port (dccp_socket (name_bind)))) - (macro namebind_port_icmp_sockets ((type ARG1)) - (allow ARG1 port (icmp_socket (name_bind)))) + (macro namebind_port_icmp_sockets ((type ARG1)) + (allow ARG1 port (icmp_socket (name_bind)))) - (macro namebind_port_rawip_sockets ((type ARG1)) - (allow ARG1 port (rawip_socket (name_bind)))) + (macro namebind_port_rawip_sockets ((type ARG1)) + (allow ARG1 port (rawip_socket (name_bind)))) - (macro namebind_port_sctp_sockets ((type ARG1)) - (allow ARG1 port (sctp_socket (name_bind)))) + (macro namebind_port_sctp_sockets ((type ARG1)) + (allow ARG1 port (sctp_socket (name_bind)))) - (macro namebind_port_tcp_sockets ((type ARG1)) - (allow ARG1 port (tcp_socket (name_bind)))) + (macro namebind_port_tcp_sockets ((type ARG1)) + (allow ARG1 port (tcp_socket (name_bind)))) - (macro namebind_port_udp_sockets ((type ARG1)) - (allow ARG1 port (udp_socket (name_bind)))) + (macro namebind_port_udp_sockets ((type ARG1)) + (allow ARG1 port (udp_socket (name_bind)))) - (macro nameconnect_port_dccp_sockets ((type ARG1)) - (allow ARG1 port (dccp_socket 
(name_connect)))) + (macro nameconnect_port_dccp_sockets ((type ARG1)) + (allow ARG1 port (dccp_socket (name_connect)))) - (macro nameconnect_port_sctp_sockets ((type ARG1)) - (allow ARG1 port (sctp_socket (name_connect)))) + (macro nameconnect_port_sctp_sockets ((type ARG1)) + (allow ARG1 port (sctp_socket (name_connect)))) - (macro nameconnect_port_tcp_sockets ((type ARG1)) - (allow ARG1 port (tcp_socket (name_connect))))) + (macro nameconnect_port_tcp_sockets ((type ARG1)) + (allow ARG1 port (tcp_socket (name_connect))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.port.base_template) - (blockinherit .net.port.macro_template)) + (blockinherit .net.port.base_template) + (blockinherit .net.port.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr port.typeattr (dccp_socket (name_bind name_connect))) - (allow typeattr port.typeattr (icmp_socket (name_bind))) - (allow typeattr port.typeattr (rawip_socket (name_bind))) - (allow typeattr port.typeattr (sctp_socket (name_bind name_connect))) - (allow typeattr port.typeattr (tcp_socket (name_bind name_connect))) - (allow typeattr port.typeattr (udp_socket (name_bind)))))) + (allow typeattr port.typeattr (dccp_socket (name_bind name_connect))) + (allow typeattr port.typeattr (icmp_socket (name_bind))) + (allow typeattr port.typeattr (rawip_socket (name_bind))) + (allow typeattr port.typeattr (sctp_socket (name_bind name_connect))) + (allow typeattr port.typeattr (tcp_socket (name_bind name_connect))) + (allow typeattr port.typeattr (udp_socket (name_bind)))))) (in net.unconfined diff --git a/src/net/portnet/ephemeralportnet.cil b/src/net/portnet/ephemeralportnet.cil index 6f8f42e..abdcbb0 100644 --- a/src/net/portnet/ephemeralportnet.cil 
+++ b/src/net/portnet/ephemeralportnet.cil @@ -1,39 +1,39 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block ephemeral - (portcon "dccp" (32768 60999) port_context) - (portcon "sctp" (32768 60999) port_context) - (portcon "tcp" (32768 60999) port_context) - (portcon "udp" (32768 60999) port_context) + (portcon "dccp" (32768 60999) port_context) + (portcon "sctp" (32768 60999) port_context) + (portcon "tcp" (32768 60999) port_context) + (portcon "udp" (32768 60999) port_context) - (blockinherit .net.port.ephemeral.template)) + (blockinherit .net.port.ephemeral.template)) (in net.port (block ephemeral - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit .net.port.all_macro_template) + (blockinherit .net.port.all_macro_template) - (typeattribute typeattr) + (typeattribute typeattr) - (call .net.port.type (typeattr)) + (call .net.port.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .net.port.base_template) + (blockinherit .net.port.base_template) - (call .net.port.ephemeral.type (port))) + (call .net.port.ephemeral.type (port))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.port.ephemeral.base_template) - (blockinherit .net.port.macro_template)))) + (blockinherit .net.port.ephemeral.base_template) + (blockinherit .net.port.macro_template)))) diff --git a/src/net/portnet/reservedportnet.cil b/src/net/portnet/reservedportnet.cil index b86c9fe..983c993 100644 --- a/src/net/portnet/reservedportnet.cil +++ b/src/net/portnet/reservedportnet.cil 
@@ -1,39 +1,39 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block reserved - (portcon "dccp" (1 1023) port_context) - (portcon "sctp" (1 1023) port_context) - (portcon "tcp" (1 1023) port_context) - (portcon "udp" (1 1023) port_context) + (portcon "dccp" (1 1023) port_context) + (portcon "sctp" (1 1023) port_context) + (portcon "tcp" (1 1023) port_context) + (portcon "udp" (1 1023) port_context) - (blockinherit .net.port.reserved.template)) + (blockinherit .net.port.reserved.template)) (in net.port (block reserved - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit .net.port.all_macro_template) + (blockinherit .net.port.all_macro_template) - (typeattribute typeattr) + (typeattribute typeattr) - (call .net.port.type (typeattr)) + (call .net.port.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .net.port.base_template) + (blockinherit .net.port.base_template) - (call .net.port.reserved.type (port))) + (call .net.port.reserved.type (port))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.port.macro_template) - (blockinherit .net.port.reserved.base_template)))) + (blockinherit .net.port.macro_template) + (blockinherit .net.port.reserved.base_template)))) diff --git a/src/net/portnet/unreservedportnet.cil b/src/net/portnet/unreservedportnet.cil index 6359d64..c372493 100644 --- a/src/net/portnet/unreservedportnet.cil +++ b/src/net/portnet/unreservedportnet.cil 
@@ -1,43 +1,43 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block unreserved - (portcon "dccp" (1024 32767) port_context) - (portcon "dccp" (61000 65535) port_context) - (portcon "sctp" (1024 32767) port_context) - (portcon "sctp" (61000 65535) port_context) - (portcon "tcp" (1024 32767) port_context) - (portcon "tcp" (61000 65535) port_context) - (portcon "udp" (1024 32767) port_context) - (portcon "udp" (61000 65535) port_context) + (portcon "dccp" (1024 32767) port_context) + (portcon "dccp" (61000 65535) port_context) + (portcon "sctp" (1024 32767) port_context) + (portcon "sctp" (61000 65535) port_context) + (portcon "tcp" (1024 32767) port_context) + (portcon "tcp" (61000 65535) port_context) + (portcon "udp" (1024 32767) port_context) + (portcon "udp" (61000 65535) port_context) - (blockinherit .net.port.unreserved.template)) + (blockinherit .net.port.unreserved.template)) (in net.port (block unreserved - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit .net.port.all_macro_template) + (blockinherit .net.port.all_macro_template) - (typeattribute typeattr) + (typeattribute typeattr) - (call .net.port.type (typeattr)) + (call .net.port.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .net.port.base_template) + (blockinherit .net.port.base_template) - (call .net.port.unreserved.type (port))) + (call .net.port.unreserved.type (port))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.port.macro_template) - (blockinherit .net.port.unreserved.base_template)))) + (blockinherit .net.port.macro_template) + (blockinherit .net.port.unreserved.base_template)))) 
diff --git a/src/net/spdnet.cil b/src/net/spdnet.cil index 668afb1..0d6c02e 100644 --- a/src/net/spdnet.cil +++ b/src/net/spdnet.cil @@ -1,34 +1,34 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class association (polmatch recvfrom sendto setcontext)) (classorder (unordered association)) (macro polmatch_invalid_associations ((type ARG1)) - (allow ARG1 invalid (association (polmatch)))) + (allow ARG1 invalid (association (polmatch)))) (macro polmatchsetcontext_invalid_associations ((type ARG1)) - (allow ARG1 invalid (association (polmatch setcontext)))) + (allow ARG1 invalid (association (polmatch setcontext)))) (macro recvfrom_invalid_associations ((type ARG1)) - (allow ARG1 invalid (association (recvfrom)))) + (allow ARG1 invalid (association (recvfrom)))) (macro recvfromsendto_invalid_associations ((type ARG1)) - (allow ARG1 invalid (association (recvfrom sendto)))) + (allow ARG1 invalid (association (recvfrom sendto)))) (macro sendto_invalid_associations ((type ARG1)) - (allow ARG1 invalid (association (sendto)))) + (allow ARG1 invalid (association (sendto)))) (macro setcontext_invalid_associations ((type ARG1)) - (allow ARG1 invalid (association (setcontext)))) + (allow ARG1 invalid (association (setcontext)))) (tunableif invalid_associations - (true + (true - (call association_invalid_sctp_sockets - (invalidassociations.except.typeattr)) - (call recvfromsendto_invalid_associations - (invalidassociations.except.typeattr)))) + (call association_invalid_sctp_sockets + (invalidassociations.except.typeattr)) + (call recvfromsendto_invalid_associations + (invalidassociations.except.typeattr)))) (in invalid.unconfined 
@@ -37,10 +37,10 @@ (in mcs (mlsconstrain (association (sendto recvfrom)) - (or (dom h1 h2) - (and - (neq t1 constrained.typeattr) - (neq t2 constrained.typeattr))))) + (or (dom h1 h2) + (and + (neq t1 constrained.typeattr) + (neq t2 constrained.typeattr))))) (in net 
@@ -48,65 +48,65 @@ (block spd - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro polmatch_all_associations ((type ARG1)) - (allow ARG1 typeattr (association (polmatch)))) + (macro polmatch_all_associations ((type ARG1)) + (allow ARG1 typeattr (association (polmatch)))) - (macro polmatchsetcontext_all_associations ((type ARG1)) - (allow ARG1 typeattr (association (polmatch setcontext)))) + (macro polmatchsetcontext_all_associations ((type ARG1)) + (allow ARG1 typeattr (association (polmatch setcontext)))) - (macro setcontext_all_associations ((type ARG1)) - (allow ARG1 typeattr (association (setcontext))))) + (macro setcontext_all_associations ((type ARG1)) + (allow ARG1 typeattr (association (setcontext))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context spd_context (.sys.id .sys.role spd .sys.lowlow)) + (context spd_context (.sys.id .sys.role spd .sys.lowlow)) - (type spd) - (call .net.spd.type (spd))) + (type spd) + (call .net.spd.type (spd))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro polmatch_spd_associations ((type ARG1)) - (allow ARG1 spd (association (polmatch)))) + (macro polmatch_spd_associations ((type ARG1)) + (allow ARG1 spd (association (polmatch)))) - (macro polmatchsetcontext_spd_associations ((type ARG1)) - (allow ARG1 spd (association (polmatch setcontext)))) + (macro polmatchsetcontext_spd_associations ((type ARG1)) + (allow ARG1 spd (association (polmatch setcontext)))) - (macro 
setcontext_spd_associations ((type ARG1)) - (allow ARG1 spd (association (setcontext))))) + (macro setcontext_spd_associations ((type ARG1)) + (allow ARG1 spd (association (setcontext))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.spd.base_template) - (blockinherit .net.spd.macro_template)) + (blockinherit .net.spd.base_template) + (blockinherit .net.spd.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr spd.typeattr (association (polmatch setcontext)))))) + (allow typeattr spd.typeattr (association (polmatch setcontext)))))) (in net.unconfined @@ -115,24 +115,24 @@ (in subj (macro recvfrom_all_associations ((type ARG1)) - (allow ARG1 typeattr (association (recvfrom)))) + (allow ARG1 typeattr (association (recvfrom)))) (macro recvfromsendto_all_associations ((type ARG1)) - (allow ARG1 typeattr (association (recvfrom sendto)))) + (allow ARG1 typeattr (association (recvfrom sendto)))) (macro sendto_all_associations ((type ARG1)) - (allow ARG1 typeattr (association (sendto))))) + (allow ARG1 typeattr (association (sendto))))) (in subj.macro_template (macro recvfrom_subj_associations ((type ARG1)) - (allow ARG1 subj (association (recvfrom)))) + (allow ARG1 subj (association (recvfrom)))) (macro recvfromsendto_subj_associations ((type ARG1)) - (allow ARG1 subj (association (recvfrom sendto)))) + (allow ARG1 subj (association (recvfrom sendto)))) (macro sendto_subj_associations ((type ARG1)) - (allow ARG1 subj (association (sendto))))) + (allow ARG1 subj (association (sendto))))) (in subj.unconfined |