Diffstat (limited to 'src')
369 files changed, 6606 insertions, 6606 deletions
diff --git a/src/anoninode.cil b/src/anoninode.cil
index 1ff9206..0cf33a5 100644
--- a/src/anoninode.cil
+++ b/src/anoninode.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (class anon_inode ())
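Review bot: The added header line replaces the UTF-8 copyright sign in `;; SPDX-FileCopyrightText: © 2025 Dominick Grift ...` with the six literal characters `M-BM-)`, which is the `cat -v` style escape of the bytes C2 A9 that encode that sign, and the same substitution appears on the `+` header line of every other file in this diff. That makes the commit a content corruption rather than the pure re-indent the symmetric diffstat (6606 insertions, 6606 deletions) suggests; it looks like the reformatting pipeline rendered non-ASCII bytes through a tool that escapes them instead of passing them through, though the exact cause is not visible here. The fix is to regenerate the reindent byte-transparently (or under a UTF-8 locale) so the new line reads `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`, identical to the removed one. Before merging a mechanical 369-file change like this, also confirm that `git diff -w` between the two revisions is empty, since a stray semantic change to an `allow` or `typeattributeset` would be impossible to spot by eye in a whitespace-only diff.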
@@ -29,221 +29,221 @@ (classpermission write_anon_inode) (classpermissionset append_anon_inode - (anon_inode (append getattr ioctl lock open))) + (anon_inode (append getattr ioctl lock open))) (classpermissionset create_anon_inode (anon_inode (create getattr))) (classpermissionset delete_anon_inode (anon_inode (getattr unlink))) (classpermissionset manage_anon_inode - (anon_inode (append create getattr ioctl link lock open read - rename setattr unlink write))) + (anon_inode (append create getattr ioctl link lock open read + rename setattr unlink write))) (classpermissionset mapexecute_anon_inode (anon_inode (execute map))) (classpermissionset mounton_anon_inode (anon_inode (getattr mounton))) (classpermissionset read_anon_inode (anon_inode (getattr ioctl lock open read))) (classpermissionset readwrite_anon_inode - (anon_inode (append getattr ioctl lock open read write))) + (anon_inode (append getattr ioctl lock open read write))) (classpermissionset relabel_anon_inode - (anon_inode (getattr relabelfrom relabelto))) + (anon_inode (getattr relabelfrom relabelto))) (classpermissionset relabelfrom_anon_inode (anon_inode (getattr relabelfrom))) (classpermissionset relabelto_anon_inode (anon_inode (getattr relabelto))) (classpermissionset rename_anon_inode (anon_inode (getattr rename))) (classpermissionset write_anon_inode - (anon_inode (append getattr ioctl lock open write))) + (anon_inode (append getattr ioctl lock open write))) (defaultrole anon_inode source) (macro append_invalid_anon_inodes ((type ARG1)) - (allow ARG1 .invalid append_anon_inode)) + (allow ARG1 .invalid append_anon_inode)) (macro create_invalid_anon_inodes ((type ARG1)) - (allow ARG1 .invalid create_anon_inode)) + (allow ARG1 .invalid create_anon_inode)) (macro delete_invalid_anon_inodes ((type ARG1)) - (allow ARG1 .invalid delete_anon_inode)) + (allow ARG1 .invalid delete_anon_inode)) (macro manage_invalid_anon_inodes ((type ARG1)) - (allow ARG1 .invalid manage_anon_inode)) + (allow ARG1 .invalid 
manage_anon_inode)) (macro mapexecute_invalid_anon_inodes ((type ARG1)) - (allow ARG1 .invalid mapexecute_anon_inode)) + (allow ARG1 .invalid mapexecute_anon_inode)) (macro mounton_invalid_anon_inodes ((type ARG1)) - (allow ARG1 .invalid mounton_anon_inode)) + (allow ARG1 .invalid mounton_anon_inode)) (macro read_invalid_anon_inodes ((type ARG1)) - (allow ARG1 .invalid read_anon_inode)) + (allow ARG1 .invalid read_anon_inode)) (macro readwrite_invalid_anon_inodes ((type ARG1)) - (allow ARG1 .invalid readwrite_anon_inode)) + (allow ARG1 .invalid readwrite_anon_inode)) (macro relabel_invalid_anon_inodes ((type ARG1)) - (allow ARG1 .invalid relabel_anon_inode)) + (allow ARG1 .invalid relabel_anon_inode)) (macro relabelfrom_invalid_anon_inodes ((type ARG1)) - (allow ARG1 .invalid relabelfrom_anon_inode)) + (allow ARG1 .invalid relabelfrom_anon_inode)) (macro relabelto_invalid_anon_inodes ((type ARG1)) - (allow ARG1 .invalid relabelto_anon_inode)) + (allow ARG1 .invalid relabelto_anon_inode)) (macro rename_invalid_anon_inodes ((type ARG1)) - (allow ARG1 .invalid rename_anon_inode)) + (allow ARG1 .invalid rename_anon_inode)) (macro write_invalid_anon_inodes ((type ARG1)) - (allow ARG1 .invalid write_anon_inode)) + (allow ARG1 .invalid write_anon_inode)) (block anon_inode - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template_anon_inodes) + (blockinherit all_macro_template_anon_inodes) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template_anon_inodes + (block all_macro_template_anon_inodes - (blockabstract all_macro_template_anon_inodes) + (blockabstract all_macro_template_anon_inodes) - (macro append_all_anon_inodes ((type ARG1)) - (allow ARG1 typeattr append_anon_inode)) + (macro append_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr append_anon_inode)) - (macro 
create_all_anon_inodes ((type ARG1)) - (allow ARG1 typeattr create_anon_inode)) + (macro create_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr create_anon_inode)) - (macro delete_all_anon_inodes ((type ARG1)) - (allow ARG1 typeattr delete_anon_inode)) + (macro delete_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr delete_anon_inode)) - (macro manage_all_anon_inodes ((type ARG1)) - (allow ARG1 typeattr manage_anon_inode)) + (macro manage_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr manage_anon_inode)) - (macro mapexecute_all_anon_inodes ((type ARG1)) - (allow ARG1 typeattr mapexecute_anon_inode)) + (macro mapexecute_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr mapexecute_anon_inode)) - (macro mounton_all_anon_inodes ((type ARG1)) - (allow ARG1 typeattr mounton_anon_inode)) + (macro mounton_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr mounton_anon_inode)) - (macro read_all_anon_inodes ((type ARG1)) - (allow ARG1 typeattr read_anon_inode)) + (macro read_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr read_anon_inode)) - (macro readwrite_all_anon_inodes ((type ARG1)) - (allow ARG1 typeattr readwrite_anon_inode)) + (macro readwrite_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr readwrite_anon_inode)) - (macro relabel_all_anon_inodes ((type ARG1)) - (allow ARG1 typeattr relabel_anon_inode)) + (macro relabel_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr relabel_anon_inode)) - (macro relabelfrom_all_anon_inodes ((type ARG1)) - (allow ARG1 typeattr relabelfrom_anon_inode)) + (macro relabelfrom_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr relabelfrom_anon_inode)) - (macro relabelto_all_anon_inodes ((type ARG1)) - (allow ARG1 typeattr relabelto_anon_inode)) + (macro relabelto_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr relabelto_anon_inode)) - (macro rename_all_anon_inodes ((type ARG1)) - (allow ARG1 typeattr rename_anon_inode)) + (macro rename_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr 
rename_anon_inode)) - (macro write_all_anon_inodes ((type ARG1)) - (allow ARG1 typeattr write_anon_inode))) + (macro write_all_anon_inodes ((type ARG1)) + (allow ARG1 typeattr write_anon_inode))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (type anon_inode) - (call .anon_inode.type (anon_inode))) + (type anon_inode) + (call .anon_inode.type (anon_inode))) - (block except + (block except - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit anon_inode.all_macro_template_anon_inodes) + (blockinherit anon_inode.all_macro_template_anon_inodes) - (typeattribute typeattr) + (typeattribute typeattr) - (typeattributeset typeattr - (and anon_inode.typeattr (not (exception.typeattr))))) + (typeattributeset typeattr + (and anon_inode.typeattr (not (exception.typeattr))))) - (block exception + (block exception - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (call anon_inode.type (typeattr))) + (call anon_inode.type (typeattr))) - (block macro_template_anon_inodes + (block macro_template_anon_inodes - (blockabstract macro_template_anon_inodes) + (blockabstract macro_template_anon_inodes) - (macro append_anon_inode_anon_inodes ((type ARG1)) - (allow ARG1 anon_inode append_anon_inode)) + (macro append_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode append_anon_inode)) - (macro create_anon_inode_anon_inodes ((type ARG1)) - (allow ARG1 anon_inode create_anon_inode)) + (macro create_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode create_anon_inode)) - (macro delete_anon_inode_anon_inodes ((type ARG1)) - (allow ARG1 anon_inode delete_anon_inode)) + (macro delete_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode delete_anon_inode)) - (macro 
manage_anon_inode_anon_inodes ((type ARG1)) - (allow ARG1 anon_inode manage_anon_inode)) + (macro manage_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode manage_anon_inode)) - (macro mapexecute_anon_inode_anon_inodes ((type ARG1)) - (allow ARG1 anon_inode mapexecute_anon_inode)) + (macro mapexecute_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode mapexecute_anon_inode)) - (macro mounton_anon_inode_anon_inodes ((type ARG1)) - (allow ARG1 anon_inode mounton_anon_inode)) + (macro mounton_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode mounton_anon_inode)) - (macro read_anon_inode_anon_inodes ((type ARG1)) - (allow ARG1 anon_inode read_anon_inode)) + (macro read_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode read_anon_inode)) - (macro readwrite_anon_inode_anon_inodes ((type ARG1)) - (allow ARG1 anon_inode readwrite_anon_inode)) + (macro readwrite_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode readwrite_anon_inode)) - (macro relabel_anon_inode_anon_inodes ((type ARG1)) - (allow ARG1 anon_inode relabel_anon_inode)) + (macro relabel_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode relabel_anon_inode)) - (macro relabelfrom_anon_inode_anon_inodes ((type ARG1)) - (allow ARG1 anon_inode relabelfrom_anon_inode)) + (macro relabelfrom_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode relabelfrom_anon_inode)) - (macro relabelto_anon_inode_anon_inodes ((type ARG1)) - (allow ARG1 anon_inode relabelto_anon_inode)) + (macro relabelto_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode relabelto_anon_inode)) - (macro rename_anon_inode_anon_inodes ((type ARG1)) - (allow ARG1 anon_inode rename_anon_inode)) + (macro rename_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode rename_anon_inode)) - (macro self_type_transition ((type ARG1)(type ARG2)(name ARG3)) - (typetransition ARG1 ARG1 anon_inode ARG3 ARG2)) + (macro self_type_transition ((type ARG1)(type ARG2)(name ARG3)) + 
(typetransition ARG1 ARG1 anon_inode ARG3 ARG2)) - (macro write_anon_inode_anon_inodes ((type ARG1)) - (allow ARG1 anon_inode write_anon_inode))) + (macro write_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode write_anon_inode))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .anon_inode.base_template) - (blockinherit .anon_inode.macro_template_anon_inodes)) + (blockinherit .anon_inode.base_template) + (blockinherit .anon_inode.macro_template_anon_inodes)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr anon_inode.typeattr - (anon_inode (not (audit_access execmod mounton)))))) + (allow typeattr anon_inode.typeattr + (anon_inode (not (audit_access execmod mounton)))))) (in invalid.unconfined (allow typeattr .invalid - (anon_inode (not (audit_access create execmod mounton))))) + (anon_inode (not (audit_access create execmod mounton))))) (in subj.unconfined (allow typeattr self (anon_inode (create))) (allow typeattr subj.typeattr - (anon_inode (not (audit_access create execmod mounton))))) + (anon_inode (not (audit_access create execmod mounton))))) (in unconfined diff --git a/src/anoninode/iouringanoninode.cil b/src/anoninode/iouringanoninode.cil index 246f712..8c0e23c 100644 --- a/src/anoninode/iouringanoninode.cil +++ b/src/anoninode/iouringanoninode.cil 
@@ -1,43 +1,43 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block iouring
- (blockinherit anon_inode.template)
+ (blockinherit anon_inode.template)
- (block anon_inode
+ (block anon_inode
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .anon_inode.all_macro_template_anon_inodes)
+ (blockinherit .anon_inode.all_macro_template_anon_inodes)
- (call .anon_inode.type (typeattr))
+ (call .anon_inode.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .anon_inode.base_template)
+ (blockinherit .anon_inode.base_template)
- (call .iouring.anon_inode.type (anon_inode)))
+ (call .iouring.anon_inode.type (anon_inode)))
- (block template
+ (block template
- (macro map_anon_inode_anon_inodes ((type ARG1))
- (allow ARG1 anon_inode (anon_inode (map))))
+ (macro map_anon_inode_anon_inodes ((type ARG1))
+ (allow ARG1 anon_inode (anon_inode (map))))
- (macro self_type_transition_anon_inode ((type ARG1))
- (call self_type_transition
- (ARG1 anon_inode "[io_uring]")))
+ (macro self_type_transition_anon_inode ((type ARG1))
+ (call self_type_transition
+ (ARG1 anon_inode "[io_uring]")))
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .anon_inode.macro_template_anon_inodes)
+ (blockinherit .anon_inode.macro_template_anon_inodes)
- (blockinherit .iouring.anon_inode.base_template))))
+ (blockinherit .iouring.anon_inode.base_template))))
 (in anon_inode.unconfined
diff --git a/src/anoninode/kvmgmemanoninode.cil b/src/anoninode/kvmgmemanoninode.cil
index 246f712..8c0e23c 100644
--- a/src/anoninode/kvmgmemanoninode.cil
+++ b/src/anoninode/kvmgmemanoninode.cil
@@ -1,45 +1,45 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in kvm (block gmem - (blockinherit anon_inode.template) + (blockinherit anon_inode.template) - (block anon_inode + (block anon_inode - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .anon_inode.all_macro_template_anon_inodes) + (blockinherit .anon_inode.all_macro_template_anon_inodes) - (call .anon_inode.type (typeattr)) + (call .anon_inode.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .anon_inode.base_template) + (blockinherit .anon_inode.base_template) - (call .kvm.gmem.anon_inode.type (anon_inode))) + (call .kvm.gmem.anon_inode.type (anon_inode))) - (block template + (block template - (macro map_anon_inode_anon_inodes ((type ARG1)) - (allow ARG1 anon_inode (anon_inode (map)))) + (macro map_anon_inode_anon_inodes ((type ARG1)) + (allow ARG1 anon_inode (anon_inode (map)))) - (macro self_type_transition_anon_inode ((type ARG1)) - (call self_type_transition - (ARG1 anon_inode "[kvm-gmem]"))) + (macro self_type_transition_anon_inode ((type ARG1)) + (call self_type_transition + (ARG1 anon_inode "[kvm-gmem]"))) - (blockabstract template) + (blockabstract template) - (blockinherit .anon_inode.macro_template_anon_inodes) + (blockinherit .anon_inode.macro_template_anon_inodes) - (blockinherit .kvm.gmem.anon_inode.base_template))))) + (blockinherit .kvm.gmem.anon_inode.base_template))))) (in anon_inode.unconfined diff --git a/src/anoninode/perfeventanoninode.cil b/src/anoninode/perfeventanoninode.cil index dd3e9a0..2724967 100644 --- a/src/anoninode/perfeventanoninode.cil +++ b/src/anoninode/perfeventanoninode.cil 
@@ -1,40 +1,40 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block perfevent - (blockinherit anon_inode.template) + (blockinherit anon_inode.template) - (block anon_inode + (block anon_inode - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .anon_inode.all_macro_template_anon_inodes) + (blockinherit .anon_inode.all_macro_template_anon_inodes) - (call .anon_inode.type (typeattr)) + (call .anon_inode.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .anon_inode.base_template) + (blockinherit .anon_inode.base_template) - (call .perfevent.anon_inode.type (anon_inode))) + (call .perfevent.anon_inode.type (anon_inode))) - (block template + (block template - (macro self_type_transition_anon_inode ((type ARG1)) - (call self_type_transition - (ARG1 anon_inode "[perf_event]"))) + (macro self_type_transition_anon_inode ((type ARG1)) + (call self_type_transition + (ARG1 anon_inode "[perf_event]"))) - (blockabstract template) + (blockabstract template) - (blockinherit .anon_inode.macro_template_anon_inodes) + (blockinherit .anon_inode.macro_template_anon_inodes) - (blockinherit .perfevent.anon_inode.base_template)))) + (blockinherit .perfevent.anon_inode.base_template)))) (in anon_inode.unconfined diff --git a/src/anoninode/secretmemanoninode.cil b/src/anoninode/secretmemanoninode.cil index 5c41465..6dfa9c0 100644 --- a/src/anoninode/secretmemanoninode.cil +++ b/src/anoninode/secretmemanoninode.cil 
@@ -1,40 +1,40 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block secretmem - (blockinherit anon_inode.template) + (blockinherit anon_inode.template) - (block anon_inode + (block anon_inode - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .anon_inode.all_macro_template_anon_inodes) + (blockinherit .anon_inode.all_macro_template_anon_inodes) - (call .anon_inode.type (typeattr)) + (call .anon_inode.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .anon_inode.base_template) + (blockinherit .anon_inode.base_template) - (call .secretmem.anon_inode.type (anon_inode))) + (call .secretmem.anon_inode.type (anon_inode))) - (block template + (block template - (macro self_type_transition_anon_inode ((type ARG1)) - (call self_type_transition - (ARG1 anon_inode "[secretmem]"))) + (macro self_type_transition_anon_inode ((type ARG1)) + (call self_type_transition + (ARG1 anon_inode "[secretmem]"))) - (blockabstract template) + (blockabstract template) - (blockinherit .anon_inode.macro_template_anon_inodes) + (blockinherit .anon_inode.macro_template_anon_inodes) - (blockinherit .secretmem.anon_inode.base_template)))) + (blockinherit .secretmem.anon_inode.base_template)))) (in anon_inode.unconfined diff --git a/src/anoninode/uffdanoninode.cil b/src/anoninode/uffdanoninode.cil index 1e9de58..b77e80a 100644 --- a/src/anoninode/uffdanoninode.cil +++ b/src/anoninode/uffdanoninode.cil 
@@ -1,40 +1,40 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block uffd - (blockinherit anon_inode.template) + (blockinherit anon_inode.template) - (block anon_inode + (block anon_inode - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .anon_inode.all_macro_template_anon_inodes) + (blockinherit .anon_inode.all_macro_template_anon_inodes) - (call .anon_inode.type (typeattr)) + (call .anon_inode.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .anon_inode.base_template) + (blockinherit .anon_inode.base_template) - (call .uffd.anon_inode.type (anon_inode))) + (call .uffd.anon_inode.type (anon_inode))) - (block template + (block template - (macro self_type_transition_anon_inode ((type ARG1)) - (call self_type_transition - (ARG1 anon_inode "[userfaultfd]"))) + (macro self_type_transition_anon_inode ((type ARG1)) + (call self_type_transition + (ARG1 anon_inode "[userfaultfd]"))) - (blockabstract template) + (blockabstract template) - (blockinherit .anon_inode.macro_template_anon_inodes) + (blockinherit .anon_inode.macro_template_anon_inodes) - (blockinherit .uffd.anon_inode.base_template)))) + (blockinherit .uffd.anon_inode.base_template)))) (in anon_inode.unconfined diff --git a/src/dev.cil b/src/dev.cil index 5600328..bc39e64 100644 --- a/src/dev.cil +++ b/src/dev.cil 
@@ -1,47 +1,47 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block dev
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .file.all_macro_template_blk_files)
- (blockinherit .file.all_macro_template_chr_files)
+ (blockinherit .file.all_macro_template_blk_files)
+ (blockinherit .file.all_macro_template_chr_files)
- (call .obj.type (typeattr))
+ (call .obj.type (typeattr))
- (call .devtmp.associate_fs (typeattr))
+ (call .devtmp.associate_fs (typeattr))
- (block except
+ (block except
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit .file.all_macro_template_blk_files)
- (blockinherit .file.all_macro_template_chr_files)
+ (blockinherit .file.all_macro_template_blk_files)
+ (blockinherit .file.all_macro_template_chr_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (typeattributeset typeattr (and dev.typeattr (not (exception.typeattr)))))
+ (typeattributeset typeattr (and dev.typeattr (not (exception.typeattr)))))
- (block exception
+ (block exception
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call dev.type (typeattr)))
+ (call dev.type (typeattr)))
- (block unconfined
+ (block unconfined
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)))
+ (typeattribute typeattr)))
 (in unconfined
diff --git a/src/dev/nodedev.cil b/src/dev/nodedev.cil
index 9f15845..831b79d 100644
--- a/src/dev/nodedev.cil
+++ b/src/dev/nodedev.cil
@@ -1,119 +1,119 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block nodedev - (macro mounton_all_chr_files ((type ARG1)) - (allow ARG1 typeattr mounton_chr_file)) + (macro mounton_all_chr_files ((type ARG1)) + (allow ARG1 typeattr mounton_chr_file)) - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_chr_files) + (blockinherit .file.all_macro_template_chr_files) - (call .dev.type (typeattr)) + (call .dev.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context nodedev_context (.sys.id .sys.role nodedev .sys.lowlow)) + (context nodedev_context (.sys.id .sys.role nodedev .sys.lowlow)) - (type nodedev) - (call .nodedev.type (nodedev))) + (type nodedev) + (call .nodedev.type (nodedev))) - (block except + (block except - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_chr_files) + (blockinherit file.all_macro_template_chr_files) - (typeattribute typeattr) + (typeattribute typeattr) - (typeattributeset typeattr - (and nodedev.typeattr (not (exception.typeattr))))) + (typeattributeset typeattr + (and nodedev.typeattr (not (exception.typeattr))))) - (block exception + (block exception - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (call nodedev.type (typeattr)) + (call nodedev.type (typeattr)) - (call .dev.exception.type (typeattr))) + (call .dev.exception.type (typeattr))) - (block macro_template_chr_files + (block 
macro_template_chr_files - (blockabstract macro_template_chr_files) + (blockabstract macro_template_chr_files) - (macro append_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev append_chr_file)) + (macro append_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev append_chr_file)) - (macro appendinherited_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev appendinherited_chr_file)) + (macro appendinherited_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev appendinherited_chr_file)) - (macro create_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev create_chr_file)) + (macro create_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev create_chr_file)) - (macro delete_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev delete_chr_file)) + (macro delete_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev delete_chr_file)) - (macro manage_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev manage_chr_file)) + (macro manage_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev manage_chr_file)) - (macro mapexecute_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev mapexecute_chr_file)) + (macro mapexecute_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev mapexecute_chr_file)) - (macro read_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev read_chr_file)) + (macro read_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev read_chr_file)) - (macro readinherited_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev readinherited_chr_file)) + (macro readinherited_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev readinherited_chr_file)) - (macro readwrite_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev readwrite_chr_file)) + (macro readwrite_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev readwrite_chr_file)) - (macro readwriteinherited_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev readwriteinherited_chr_file)) + (macro readwriteinherited_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev 
readwriteinherited_chr_file)) - (macro relabel_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev relabel_chr_file)) + (macro relabel_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev relabel_chr_file)) - (macro relabelfrom_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev relabelfrom_chr_file)) + (macro relabelfrom_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev relabelfrom_chr_file)) - (macro relabelto_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev relabelto_chr_file)) + (macro relabelto_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev relabelto_chr_file)) - (macro rename_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev rename_chr_file)) + (macro rename_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev rename_chr_file)) - (macro write_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev write_chr_file)) + (macro write_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev write_chr_file)) - (macro writeinherited_nodedev_chr_files ((type ARG1)) - (allow ARG1 nodedev writeinherited_chr_file))) + (macro writeinherited_nodedev_chr_files ((type ARG1)) + (allow ARG1 nodedev writeinherited_chr_file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .nodedev.base_template) - (blockinherit .nodedev.macro_template_chr_files)) + (blockinherit .nodedev.base_template) + (blockinherit .nodedev.macro_template_chr_files)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr nodedev.typeattr (chr_file (not (audit_access execmod)))))) + (allow typeattr nodedev.typeattr (chr_file (not (audit_access execmod)))))) (in dev.unconfined diff --git a/src/dev/nodedev/apmnodedev.cil b/src/dev/nodedev/apmnodedev.cil index fe00665..8a42c43 100644 --- a/src/dev/nodedev/apmnodedev.cil 
+++ b/src/dev/nodedev/apmnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block apm
- (filecon "/dev/snapshot" char nodedev_context)
+ (filecon "/dev/snapshot" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/autofsnodedev.cil b/src/dev/nodedev/autofsnodedev.cil
index 7ade530..fa4f94d 100644
--- a/src/dev/nodedev/autofsnodedev.cil
+++ b/src/dev/nodedev/autofsnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block autofs
- (filecon "/dev/autofs" char nodedev_context)
+ (filecon "/dev/autofs" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/btrfscontrolnodedev.cil b/src/dev/nodedev/btrfscontrolnodedev.cil
index 5b2c703..815ce29 100644
--- a/src/dev/nodedev/btrfscontrolnodedev.cil
+++ b/src/dev/nodedev/btrfscontrolnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block btrfscontrol
- (filecon "/dev/btrfs-control" char nodedev_context)
+ (filecon "/dev/btrfs-control" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cachefilesnodedev.cil b/src/dev/nodedev/cachefilesnodedev.cil
index 2279143..3487d92 100644
--- a/src/dev/nodedev/cachefilesnodedev.cil
+++ b/src/dev/nodedev/cachefilesnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block cachefiles
- (filecon "/dev/cachefiles" char nodedev_context)
+ (filecon "/dev/cachefiles" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cdcwdmnodedev.cil b/src/dev/nodedev/cdcwdmnodedev.cil
index d48537e..faf0ad4 100644
--- a/src/dev/nodedev/cdcwdmnodedev.cil
+++ b/src/dev/nodedev/cdcwdmnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block cdcwdm
- (filecon "/dev/cdc-wdm([0-9]+)?" char nodedev_context)
+ (filecon "/dev/cdc-wdm([0-9]+)?" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/clocknodedev.cil b/src/dev/nodedev/clocknodedev.cil
index 07a27cb..32a2125 100644
--- a/src/dev/nodedev/clocknodedev.cil
+++ b/src/dev/nodedev/clocknodedev.cil
@@ -1,10 +1,10 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block clock
- (filecon "/dev/hpet" char nodedev_context)
- (filecon "/dev/ptp([0-9]+)?" char nodedev_context)
- (filecon "/dev/rtc([0-9]+)?" char nodedev_context)
+ (filecon "/dev/hpet" char nodedev_context)
+ (filecon "/dev/ptp([0-9]+)?" char nodedev_context)
+ (filecon "/dev/rtc([0-9]+)?" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cpunodedev.cil b/src/dev/nodedev/cpunodedev.cil
index 7da4970..5dc3b80 100644
--- a/src/dev/nodedev/cpunodedev.cil
+++ b/src/dev/nodedev/cpunodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block cpu
- (filecon "/dev/cpu/.+" char nodedev_context)
+ (filecon "/dev/cpu/.+" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/crashnodedev.cil b/src/dev/nodedev/crashnodedev.cil
index 34a80bc..2c01e95 100644
--- a/src/dev/nodedev/crashnodedev.cil
+++ b/src/dev/nodedev/crashnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block crash
- (filecon "/dev/crash" char nodedev_context)
+ (filecon "/dev/crash" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cusenodedev.cil b/src/dev/nodedev/cusenodedev.cil
index 6003d5a..e982d2a 100644
--- a/src/dev/nodedev/cusenodedev.cil
+++ b/src/dev/nodedev/cusenodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block cuse
- (filecon "/dev/cuse" char nodedev_context)
+ (filecon "/dev/cuse" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/dmaheapnodedev.cil b/src/dev/nodedev/dmaheapnodedev.cil
index bc81698..8bc9082 100644
--- a/src/dev/nodedev/dmaheapnodedev.cil
+++ b/src/dev/nodedev/dmaheapnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block dmaheap
- (filecon "/dev/dma_heap/.*" char nodedev_context)
+ (filecon "/dev/dma_heap/.*" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/dmcontrolnodedev.cil b/src/dev/nodedev/dmcontrolnodedev.cil
index 6250540..13bd86b 100644
--- a/src/dev/nodedev/dmcontrolnodedev.cil
+++ b/src/dev/nodedev/dmcontrolnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block dmcontrol
- (filecon "/dev/mapper/control" char nodedev_context)
+ (filecon "/dev/mapper/control" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/drinodedev.cil b/src/dev/nodedev/drinodedev.cil
index 8087d00..0fdafdf 100644
--- a/src/dev/nodedev/drinodedev.cil
+++ b/src/dev/nodedev/drinodedev.cil
@@ -1,10 +1,10 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block dri
- (filecon "/dev/dri/.+" char nodedev_context)
+ (filecon "/dev/dri/.+" char nodedev_context)
- (blockinherit .nodedev.template)
+ (blockinherit .nodedev.template)
- (call .rbacsep.exempt.obj.type (nodedev)))
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/drmdpauxnodedev.cil b/src/dev/nodedev/drmdpauxnodedev.cil
index 95b5770..a6776a3 100644
--- a/src/dev/nodedev/drmdpauxnodedev.cil
+++ b/src/dev/nodedev/drmdpauxnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block drmdpaux
- (filecon "/dev/drm_dp_aux[0-9]+" char nodedev_context)
+ (filecon "/dev/drm_dp_aux[0-9]+" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/eventnodedev.cil b/src/dev/nodedev/eventnodedev.cil
index 33aaf98..45c607c 100644
--- a/src/dev/nodedev/eventnodedev.cil
+++ b/src/dev/nodedev/eventnodedev.cil
@@ -1,10 +1,10 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block event
- (filecon "/dev/input/event([0-9]+)?" char nodedev_context)
+ (filecon "/dev/input/event([0-9]+)?" char nodedev_context)
- (blockinherit .nodedev.template)
+ (blockinherit .nodedev.template)
- (call .rbacsep.exempt.obj.type (nodedev)))
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/fbnodedev.cil b/src/dev/nodedev/fbnodedev.cil
index b166b94..4f3cbae 100644
--- a/src/dev/nodedev/fbnodedev.cil
+++ b/src/dev/nodedev/fbnodedev.cil
@@ -1,10 +1,10 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block fb
- (filecon "/dev/fb([0-9]+)?" char nodedev_context)
+ (filecon "/dev/fb([0-9]+)?" char nodedev_context)
- (blockinherit .nodedev.template)
+ (blockinherit .nodedev.template)
- (call .rbacsep.exempt.obj.type (nodedev)))
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/gpionodedev.cil b/src/dev/nodedev/gpionodedev.cil
index 0dff783..e4c8141 100644
--- a/src/dev/nodedev/gpionodedev.cil
+++ b/src/dev/nodedev/gpionodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block gpio
- (filecon "/dev/gpiochip([0-9]+)?" char nodedev_context)
+ (filecon "/dev/gpiochip([0-9]+)?" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/hiddevnodedev.cil b/src/dev/nodedev/hiddevnodedev.cil
index d694f2d..3caa674 100644
--- a/src/dev/nodedev/hiddevnodedev.cil
+++ b/src/dev/nodedev/hiddevnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block hiddev
- (filecon "/dev/hiddev[0-9]+" char nodedev_context)
+ (filecon "/dev/hiddev[0-9]+" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/hidrawnodedev.cil b/src/dev/nodedev/hidrawnodedev.cil
index a745fe4..ca52c95 100644
--- a/src/dev/nodedev/hidrawnodedev.cil
+++ b/src/dev/nodedev/hidrawnodedev.cil
@@ -1,10 +1,10 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block hidraw
- (filecon "/dev/hidraw[0-9]+" char nodedev_context)
+ (filecon "/dev/hidraw[0-9]+" char nodedev_context)
- (blockinherit .nodedev.template)
+ (blockinherit .nodedev.template)
- (call .rbacsep.exempt.obj.type (nodedev)))
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/hwrngnodedev.cil b/src/dev/nodedev/hwrngnodedev.cil
index 4bfca56..ec12816 100644
--- a/src/dev/nodedev/hwrngnodedev.cil
+++ b/src/dev/nodedev/hwrngnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block hwrng
- (filecon "/dev/hwrng" char nodedev_context)
+ (filecon "/dev/hwrng" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/i2cnodedev.cil b/src/dev/nodedev/i2cnodedev.cil
index a961872..facc74c 100644
--- a/src/dev/nodedev/i2cnodedev.cil
+++ b/src/dev/nodedev/i2cnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block i2c
- (filecon "/dev/i2c-([0-9]+)?" char nodedev_context)
+ (filecon "/dev/i2c-([0-9]+)?" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/iionodedev.cil b/src/dev/nodedev/iionodedev.cil
index f6341f3..68c184c 100644
--- a/src/dev/nodedev/iionodedev.cil
+++ b/src/dev/nodedev/iionodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block iio
- (filecon "/dev/iio:device([0-9]+)?" char nodedev_context)
+ (filecon "/dev/iio:device([0-9]+)?" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/infinibandnodedev.cil b/src/dev/nodedev/infinibandnodedev.cil
index c490c59..2146287 100644
--- a/src/dev/nodedev/infinibandnodedev.cil
+++ b/src/dev/nodedev/infinibandnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block infiniband
- (filecon "/dev/infiniband/.+" char nodedev_context)
+ (filecon "/dev/infiniband/.+" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/inputnodedev.cil b/src/dev/nodedev/inputnodedev.cil
index b764399..9da00af 100644
--- a/src/dev/nodedev/inputnodedev.cil
+++ b/src/dev/nodedev/inputnodedev.cil
@@ -1,13 +1,13 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block input
- (filecon "/dev/input/js([0-9]+)?" char nodedev_context)
- (filecon "/dev/input/mice" char nodedev_context)
- (filecon "/dev/input/mouse([0-9]+)?" char nodedev_context)
- (filecon "/dev/psaux" char nodedev_context)
+ (filecon "/dev/input/js([0-9]+)?" char nodedev_context)
+ (filecon "/dev/input/mice" char nodedev_context)
+ (filecon "/dev/input/mouse([0-9]+)?" char nodedev_context)
+ (filecon "/dev/psaux" char nodedev_context)
- (blockinherit .nodedev.template)
+ (blockinherit .nodedev.template)
- (call .rbacsep.exempt.obj.type (nodedev)))
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/ipminodedev.cil b/src/dev/nodedev/ipminodedev.cil
index 8dca3dc..22eca5e 100644
--- a/src/dev/nodedev/ipminodedev.cil
+++ b/src/dev/nodedev/ipminodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block ipmi
- (filecon "/dev/ipmi[0-9]+" char nodedev_context)
+ (filecon "/dev/ipmi[0-9]+" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/kfdnodedev.cil b/src/dev/nodedev/kfdnodedev.cil
index ad493ff..9a3b6db 100644
--- a/src/dev/nodedev/kfdnodedev.cil
+++ b/src/dev/nodedev/kfdnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block kfd
- (filecon "/dev/kfd" char nodedev_context)
+ (filecon "/dev/kfd" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/kmsgnodedev.cil b/src/dev/nodedev/kmsgnodedev.cil
index cf1fde9..14acf6b 100644
--- a/src/dev/nodedev/kmsgnodedev.cil
+++ b/src/dev/nodedev/kmsgnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block kmsg
- (filecon "/dev/kmsg" char nodedev_context)
+ (filecon "/dev/kmsg" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ksmnodedev.cil b/src/dev/nodedev/ksmnodedev.cil
index 87b153c..dc9cb2d 100644
--- a/src/dev/nodedev/ksmnodedev.cil
+++ b/src/dev/nodedev/ksmnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block ksm
- (filecon "/dev/ksm" char nodedev_context)
+ (filecon "/dev/ksm" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/kvmnodedev.cil b/src/dev/nodedev/kvmnodedev.cil
index 40d5f01..5c94761 100644
--- a/src/dev/nodedev/kvmnodedev.cil
+++ b/src/dev/nodedev/kvmnodedev.cil
@@ -1,10 +1,10 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block kvm
- (filecon "/dev/kvm" char nodedev_context)
+ (filecon "/dev/kvm" char nodedev_context)
- (blockinherit .nodedev.template)
+ (blockinherit .nodedev.template)
- (call .rbacsep.exempt.obj.type (nodedev)))
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/lircnodedev.cil b/src/dev/nodedev/lircnodedev.cil
index 3c6298c..7dd0175 100644
--- a/src/dev/nodedev/lircnodedev.cil
+++ b/src/dev/nodedev/lircnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block lirc
- (filecon "/dev/lirc[0-9]+" char nodedev_context)
+ (filecon "/dev/lirc[0-9]+" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/loopcontrolnodedev.cil b/src/dev/nodedev/loopcontrolnodedev.cil
index 4a88ff7..36e7062 100644
--- a/src/dev/nodedev/loopcontrolnodedev.cil
+++ b/src/dev/nodedev/loopcontrolnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block loopcontrol
- (filecon "/dev/loop-control" char nodedev_context)
+ (filecon "/dev/loop-control" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/mcelognodedev.cil b/src/dev/nodedev/mcelognodedev.cil
index 22e88e0..78f3396 100644
--- a/src/dev/nodedev/mcelognodedev.cil
+++ b/src/dev/nodedev/mcelognodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block mcelog
- (filecon "/dev/mcelog" char nodedev_context)
+ (filecon "/dev/mcelog" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/meinodedev.cil b/src/dev/nodedev/meinodedev.cil
index e353179..cca51d0 100644
--- a/src/dev/nodedev/meinodedev.cil
+++ b/src/dev/nodedev/meinodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block mei
- (filecon "/dev/mei([0-9]+)?" char nodedev_context)
+ (filecon "/dev/mei([0-9]+)?" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/memnodedev.cil b/src/dev/nodedev/memnodedev.cil
index 00290a3..f0cd387 100644
--- a/src/dev/nodedev/memnodedev.cil
+++ b/src/dev/nodedev/memnodedev.cil
@@ -1,48 +1,48 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block mem
- (filecon "/dev/mem" char nodedev_context)
- (filecon "/dev/port" char nodedev_context)
+ (filecon "/dev/mem" char nodedev_context)
+ (filecon "/dev/port" char nodedev_context)
- (blockinherit .nodedev.template)
+ (blockinherit .nodedev.template)
- (call .nodedev.exception.type (nodedev))
+ (call .nodedev.exception.type (nodedev))
- (block read
+ (block read
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute not_typeattr)
- (typeattribute typeattr)
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
- (typeattributeset not_typeattr (not typeattr))
+ (typeattributeset not_typeattr (not typeattr))
- (neverallow not_typeattr mem.nodedev (chr_file (read))))
+ (neverallow not_typeattr mem.nodedev (chr_file (read))))
- (block readwrite
+ (block readwrite
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call read.type (typeattr))
- (call write.type (typeattr)))
+ (call read.type (typeattr))
+ (call write.type (typeattr)))
- (block write
+ (block write
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute not_typeattr)
- (typeattribute typeattr)
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
- (typeattributeset not_typeattr (not typeattr))
+ (typeattributeset not_typeattr (not typeattr))
- (neverallow not_typeattr mem.nodedev (chr_file (append write)))))
+ (neverallow not_typeattr mem.nodedev (chr_file (append write)))))
 (in nodedev.unconfined
diff --git a/src/dev/nodedev/modemnodedev.cil b/src/dev/nodedev/modemnodedev.cil
index d2b393e..8db5673 100644
--- a/src/dev/nodedev/modemnodedev.cil
+++ b/src/dev/nodedev/modemnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block modem
- (filecon "/dev/modem" char nodedev_context)
+ (filecon "/dev/modem" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ndctlnodedev.cil b/src/dev/nodedev/ndctlnodedev.cil
index 0b5fe55..d4f0a12 100644
--- a/src/dev/nodedev/ndctlnodedev.cil
+++ b/src/dev/nodedev/ndctlnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block ndctl
- (filecon "/dev/ndctl([0-9]+)?" char nodedev_context)
+ (filecon "/dev/ndctl([0-9]+)?" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/nullnodedev.cil b/src/dev/nodedev/nullnodedev.cil
index 16b913e..85d6f4a 100644
--- a/src/dev/nodedev/nullnodedev.cil
+++ b/src/dev/nodedev/nullnodedev.cil
@@ -1,13 +1,13 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (sidcontext devnull (sys.id sys.role null.nodedev sys.lowlow))
 (block null
- (filecon "/dev/full" char nodedev_context)
- (filecon "/dev/null" char nodedev_context)
+ (filecon "/dev/full" char nodedev_context)
+ (filecon "/dev/null" char nodedev_context)
- (blockinherit .nodedev.template)
+ (blockinherit .nodedev.template)
- (call .rbacsep.exempt.obj.type (nodedev)))
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/nvramnodedev.cil b/src/dev/nodedev/nvramnodedev.cil
index a4fb697..e5fde4b 100644
--- a/src/dev/nodedev/nvramnodedev.cil
+++ b/src/dev/nodedev/nvramnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block nvram
- (filecon "/dev/nvram" char nodedev_context)
+ (filecon "/dev/nvram" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/pmunodedev.cil b/src/dev/nodedev/pmunodedev.cil
index 150cc2e..4758d61 100644
--- a/src/dev/nodedev/pmunodedev.cil
+++ b/src/dev/nodedev/pmunodedev.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block pmu
- (filecon "/dev/pmu" char nodedev_context)
- (filecon "/dev/smu" char nodedev_context)
+ (filecon "/dev/pmu" char nodedev_context)
+ (filecon "/dev/smu" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/pppnodedev.cil b/src/dev/nodedev/pppnodedev.cil
index 740151a..f911e88 100644
--- a/src/dev/nodedev/pppnodedev.cil
+++ b/src/dev/nodedev/pppnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block ppp
- (filecon "/dev/ppp" char nodedev_context)
+ (filecon "/dev/ppp" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/printernodedev.cil b/src/dev/nodedev/printernodedev.cil
index 4c189a6..db1d9cd 100644
--- a/src/dev/nodedev/printernodedev.cil
+++ b/src/dev/nodedev/printernodedev.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block printer
- (filecon "/dev/lp([0-9]+)?" char nodedev_context)
- (filecon "/dev/parport([0-9]+)?" char nodedev_context)
+ (filecon "/dev/lp([0-9]+)?" char nodedev_context)
+ (filecon "/dev/parport([0-9]+)?" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ptmxnodedev.cil b/src/dev/nodedev/ptmxnodedev.cil
index a9a9266..1c5ec3d 100644
--- a/src/dev/nodedev/ptmxnodedev.cil
+++ b/src/dev/nodedev/ptmxnodedev.cil
@@ -1,10 +1,10 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block ptmx
- (filecon "/dev/ptmx" char nodedev_context)
+ (filecon "/dev/ptmx" char nodedev_context)
- (blockinherit .nodedev.template)
+ (blockinherit .nodedev.template)
- (call .rbacsep.exempt.obj.type (nodedev)))
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/qosnodedev.cil b/src/dev/nodedev/qosnodedev.cil
index 7aa14ed..383be27 100644
--- a/src/dev/nodedev/qosnodedev.cil
+++ b/src/dev/nodedev/qosnodedev.cil
@@ -1,11 +1,11 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block qos
- (filecon "/dev/cpu_dma_latency" char nodedev_context)
- (filecon "/dev/memory_bandwidth" char nodedev_context)
- (filecon "/dev/network_latency" char nodedev_context)
- (filecon "/dev/network_throughput" char nodedev_context)
+ (filecon "/dev/cpu_dma_latency" char nodedev_context)
+ (filecon "/dev/memory_bandwidth" char nodedev_context)
+ (filecon "/dev/network_latency" char nodedev_context)
+ (filecon "/dev/network_throughput" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/randomnodedev.cil b/src/dev/nodedev/randomnodedev.cil
index 7e5c931..3025b7e 100644
--- a/src/dev/nodedev/randomnodedev.cil
+++ b/src/dev/nodedev/randomnodedev.cil
@@ -1,11 +1,11 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block random
- (filecon "/dev/random" char nodedev_context)
- (filecon "/dev/urandom" char nodedev_context)
+ (filecon "/dev/random" char nodedev_context)
+ (filecon "/dev/urandom" char nodedev_context)
- (blockinherit .nodedev.template)
+ (blockinherit .nodedev.template)
- (call .rbacsep.exempt.obj.type (nodedev)))
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/rfkillnodedev.cil b/src/dev/nodedev/rfkillnodedev.cil
index dfc6076..50236fa 100644
--- a/src/dev/nodedev/rfkillnodedev.cil
+++ b/src/dev/nodedev/rfkillnodedev.cil
@@ -1,10 +1,10 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block rfkill
- (filecon "/dev/rfkill" char nodedev_context)
+ (filecon "/dev/rfkill" char nodedev_context)
- (blockinherit .nodedev.template)
+ (blockinherit .nodedev.template)
- (call .rbacsep.exempt.obj.type (nodedev)))
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/sndnodedev.cil b/src/dev/nodedev/sndnodedev.cil
index a9d21c4..056ad32 100644
--- a/src/dev/nodedev/sndnodedev.cil
+++ b/src/dev/nodedev/sndnodedev.cil
@@ -1,10 +1,10 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block snd
- (filecon "/dev/snd/.+" char nodedev_context)
+ (filecon "/dev/snd/.+" char nodedev_context)
- (blockinherit .nodedev.template)
+ (blockinherit .nodedev.template)
- (call .rbacsep.exempt.obj.type (nodedev)))
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/tpmnodedev.cil b/src/dev/nodedev/tpmnodedev.cil
index 9507b9f..1d7e1f5 100644
--- a/src/dev/nodedev/tpmnodedev.cil
+++ b/src/dev/nodedev/tpmnodedev.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block tpm
- (filecon "/dev/tpm([0-9]+)?" char nodedev_context)
- (filecon "/dev/tpmrm([0-9]+)?" char nodedev_context)
+ (filecon "/dev/tpm([0-9]+)?" char nodedev_context)
+ (filecon "/dev/tpmrm([0-9]+)?" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ttynodedev.cil b/src/dev/nodedev/ttynodedev.cil
index f93ea9c..b027817 100644
--- a/src/dev/nodedev/ttynodedev.cil
+++ b/src/dev/nodedev/ttynodedev.cil
@@ -1,19 +1,19 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block tty
- (filecon "/dev/tty" char nodedev_context)
+ (filecon "/dev/tty" char nodedev_context)
- (macro tioclinux_nodedev_chr_files ((type ARG1))
- (allowx ARG1 nodedev TIOCLINUX))
+ (macro tioclinux_nodedev_chr_files ((type ARG1))
+ (allowx ARG1 nodedev TIOCLINUX))
- (macro tiocsti_nodedev_chr_files ((type ARG1))
- (allowx ARG1 nodedev TIOCSTI))
+ (macro tiocsti_nodedev_chr_files ((type ARG1))
+ (allowx ARG1 nodedev TIOCSTI))
- (blockinherit .nodedev.template)
+ (blockinherit .nodedev.template)
- (call .rbacsep.exempt.obj.type (nodedev)))
+ (call .rbacsep.exempt.obj.type (nodedev)))
 ;; TIOCLINUX, subcode=TIOCL_GETMOUSEREPORTING
 (in after tty.append_nodedev_chr_files
diff --git a/src/dev/nodedev/tuntapnodedev.cil b/src/dev/nodedev/tuntapnodedev.cil
index a0dbdd2..ff79007 100644
--- a/src/dev/nodedev/tuntapnodedev.cil
+++ b/src/dev/nodedev/tuntapnodedev.cil
@@ -1,11 +1,11 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block tuntap
- (filecon "/dev/net/tun" char nodedev_context)
- (filecon "/dev/tap([0-9]+)?" char nodedev_context)
+ (filecon "/dev/net/tun" char nodedev_context)
+ (filecon "/dev/tap([0-9]+)?" char nodedev_context)
- (blockinherit .nodedev.template)
+ (blockinherit .nodedev.template)
- (call .rbacsep.exempt.obj.type (nodedev)))
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/udmabufnodedev.cil b/src/dev/nodedev/udmabufnodedev.cil
index 097d3c1..4117bab 100644
--- a/src/dev/nodedev/udmabufnodedev.cil
+++ b/src/dev/nodedev/udmabufnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block udmabuf
- (filecon "/dev/udmabuf" char nodedev_context)
+ (filecon "/dev/udmabuf" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/uffdnodedev.cil b/src/dev/nodedev/uffdnodedev.cil
index a172e7e..88b8a84 100644
--- a/src/dev/nodedev/uffdnodedev.cil
+++ b/src/dev/nodedev/uffdnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in uffd
- (filecon "/dev/userfaultfd" char nodedev_context)
+ (filecon "/dev/userfaultfd" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/uhidnodedev.cil b/src/dev/nodedev/uhidnodedev.cil
index d5e9de9..846ef4a 100644
--- a/src/dev/nodedev/uhidnodedev.cil
+++ b/src/dev/nodedev/uhidnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block uhid
- (filecon "/dev/uhid" char nodedev_context)
+ (filecon "/dev/uhid" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/uinputnodedev.cil b/src/dev/nodedev/uinputnodedev.cil
index 2961ef4..5247516 100644
--- a/src/dev/nodedev/uinputnodedev.cil
+++ b/src/dev/nodedev/uinputnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block uinput
- (filecon "/dev/uinput" char nodedev_context)
+ (filecon "/dev/uinput" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/uionodedev.cil b/src/dev/nodedev/uionodedev.cil
index e4db6f8..0a9e527 100644
--- a/src/dev/nodedev/uionodedev.cil
+++ b/src/dev/nodedev/uionodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block uio
- (filecon "/dev/uio[0-9]+" char nodedev_context)
+ (filecon "/dev/uio[0-9]+" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/usbmonnodedev.cil b/src/dev/nodedev/usbmonnodedev.cil
index 4bb0fa5..e93f9d1 100644
--- a/src/dev/nodedev/usbmonnodedev.cil
+++ b/src/dev/nodedev/usbmonnodedev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block usbmon
- (filecon "/dev/usbmon[0-9]+" char nodedev_context)
+ (filecon "/dev/usbmon[0-9]+" char nodedev_context)
- (blockinherit .nodedev.template))
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/usbnodedev.cil b/src/dev/nodedev/usbnodedev.cil
index b341a12..765fbcb 100644
--- a/src/dev/nodedev/usbnodedev.cil
+++ b/src/dev/nodedev/usbnodedev.cil
@@ -1,11 +1,11 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block usb - (filecon "/dev/bus/usb/.+" char nodedev_context) - (filecon "/dev/usb.+" char nodedev_context) + (filecon "/dev/bus/usb/.+" char nodedev_context) + (filecon "/dev/usb.+" char nodedev_context) - (blockinherit .nodedev.template) + (blockinherit .nodedev.template) - (call .rbacsep.exempt.obj.type (nodedev))) + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/nodedev/v4lnodedev.cil b/src/dev/nodedev/v4lnodedev.cil index 3ae3eaf..a40af0d 100644 --- a/src/dev/nodedev/v4lnodedev.cil +++ b/src/dev/nodedev/v4lnodedev.cil @@ -1,11 +1,11 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block v4l - (filecon "/dev/media([0-9]+)?" char nodedev_context) - (filecon "/dev/video([0-9]+)?" char nodedev_context) + (filecon "/dev/media([0-9]+)?" char nodedev_context) + (filecon "/dev/video([0-9]+)?" char nodedev_context) - (blockinherit .nodedev.template) + (blockinherit .nodedev.template) - (call .rbacsep.exempt.obj.type (nodedev))) + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/nodedev/vfionodedev.cil b/src/dev/nodedev/vfionodedev.cil index f554d63..111f25b 100644 --- a/src/dev/nodedev/vfionodedev.cil +++ b/src/dev/nodedev/vfionodedev.cil 
@@ -1,10 +1,10 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block vfio - (filecon "/dev/vfio/.+" char nodedev_context) + (filecon "/dev/vfio/.+" char nodedev_context) - (blockinherit .nodedev.template) + (blockinherit .nodedev.template) - (call .rbacsep.exempt.obj.type (nodedev))) + (call .rbacsep.exempt.obj.type (nodedev))) diff --git a/src/dev/nodedev/vgaarbiternodedev.cil b/src/dev/nodedev/vgaarbiternodedev.cil index 3649a85..487ab3d 100644 --- a/src/dev/nodedev/vgaarbiternodedev.cil +++ b/src/dev/nodedev/vgaarbiternodedev.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block vgaarbiter - (filecon "/dev/vga_arbiter" char nodedev_context) + (filecon "/dev/vga_arbiter" char nodedev_context) - (blockinherit .nodedev.template)) + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/vhostnodedev.cil b/src/dev/nodedev/vhostnodedev.cil index 002d32d..bb340cd 100644 --- a/src/dev/nodedev/vhostnodedev.cil +++ b/src/dev/nodedev/vhostnodedev.cil @@ -1,11 +1,11 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block vhost - (filecon "/dev/vhci" char nodedev_context) - (filecon "/dev/vhost-net" char nodedev_context) - (filecon "/dev/vhost-scsi" char nodedev_context) - (filecon "/dev/vhost-vsock" char nodedev_context) + (filecon "/dev/vhci" char nodedev_context) + (filecon "/dev/vhost-net" char nodedev_context) + (filecon "/dev/vhost-scsi" char nodedev_context) + (filecon "/dev/vhost-vsock" char nodedev_context) - (blockinherit .nodedev.template)) + (blockinherit .nodedev.template)) 
diff --git a/src/dev/nodedev/vmcinodedev.cil b/src/dev/nodedev/vmcinodedev.cil index ddbd28f..6d51386 100644 --- a/src/dev/nodedev/vmcinodedev.cil +++ b/src/dev/nodedev/vmcinodedev.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block vmci - (filecon "/dev/vmci" char nodedev_context) - (filecon "/dev/vsock" char nodedev_context) + (filecon "/dev/vmci" char nodedev_context) + (filecon "/dev/vsock" char nodedev_context) - (blockinherit .nodedev.template)) + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/watchdognodedev.cil b/src/dev/nodedev/watchdognodedev.cil index 0644673..9492cc1 100644 --- a/src/dev/nodedev/watchdognodedev.cil +++ b/src/dev/nodedev/watchdognodedev.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block watchdog - (filecon "/dev/watchdog([0-9]+)?" char nodedev_context) + (filecon "/dev/watchdog([0-9]+)?" char nodedev_context) - (blockinherit .nodedev.template)) + (blockinherit .nodedev.template)) diff --git a/src/dev/nodedev/zeronodedev.cil b/src/dev/nodedev/zeronodedev.cil index 2ba9fbd..14e958e 100644 --- a/src/dev/nodedev/zeronodedev.cil +++ b/src/dev/nodedev/zeronodedev.cil @@ -1,10 +1,10 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block zero - (filecon "/dev/zero" char nodedev_context) + (filecon "/dev/zero" char nodedev_context) - (blockinherit .nodedev.template) + (blockinherit .nodedev.template) - (call .rbacsep.exempt.obj.type (nodedev))) + (call .rbacsep.exempt.obj.type (nodedev))) 
diff --git a/src/dev/stordev.cil b/src/dev/stordev.cil index c395450..27eccd0 100644 --- a/src/dev/stordev.cil +++ b/src/dev/stordev.cil 
@@ -1,187 +1,187 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block stordev - (macro mounton_all_chr_files ((type ARG1)) - (allow ARG1 typeattr mounton_chr_file)) + (macro mounton_all_chr_files ((type ARG1)) + (allow ARG1 typeattr mounton_chr_file)) - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_blk_files) - (blockinherit .file.all_macro_template_chr_files) + (blockinherit .file.all_macro_template_blk_files) + (blockinherit .file.all_macro_template_chr_files) - (call .dev.exception.type (typeattr)) + (call .dev.exception.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context stordev_context (.sys.id .sys.role stordev .sys.lowlow)) + (context stordev_context (.sys.id .sys.role stordev .sys.lowlow)) - (type stordev) - (call .stordev.type (stordev))) + (type stordev) + (call .stordev.type (stordev))) - (block macro_template_blk_files + (block macro_template_blk_files - (blockabstract macro_template_blk_files) + (blockabstract macro_template_blk_files) - (macro append_stordev_blk_files ((type ARG1)) - (allow ARG1 stordev append_blk_file)) + (macro append_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev append_blk_file)) - (macro appendinherited_stordev_blk_files ((type ARG1)) - (allow ARG1 stordev appendinherited_blk_file)) + (macro appendinherited_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev appendinherited_blk_file)) - (macro create_stordev_blk_files ((type ARG1)) - (allow ARG1 stordev create_blk_file)) + (macro create_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev create_blk_file)) - (macro delete_stordev_blk_files ((type ARG1)) - 
(allow ARG1 stordev delete_blk_file)) + (macro delete_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev delete_blk_file)) - (macro manage_stordev_blk_files ((type ARG1)) - (allow ARG1 stordev manage_blk_file)) + (macro manage_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev manage_blk_file)) - (macro read_stordev_blk_files ((type ARG1)) - (allow ARG1 stordev read_blk_file)) + (macro read_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev read_blk_file)) - (macro readinherited_stordev_blk_files ((type ARG1)) - (allow ARG1 stordev readinherited_blk_file)) + (macro readinherited_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev readinherited_blk_file)) - (macro readwrite_stordev_blk_files ((type ARG1)) - (allow ARG1 stordev readwrite_blk_file)) + (macro readwrite_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev readwrite_blk_file)) - (macro readwriteinherited_stordev_blk_files ((type ARG1)) - (allow ARG1 stordev readwriteinherited_blk_file)) + (macro readwriteinherited_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev readwriteinherited_blk_file)) - (macro relabel_stordev_blk_files ((type ARG1)) - (allow ARG1 stordev relabel_blk_file)) + (macro relabel_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev relabel_blk_file)) - (macro relabelfrom_stordev_blk_files ((type ARG1)) - (allow ARG1 stordev relabelfrom_blk_file)) + (macro relabelfrom_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev relabelfrom_blk_file)) - (macro relabelto_stordev_blk_files ((type ARG1)) - (allow ARG1 stordev relabelto_blk_file)) + (macro relabelto_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev relabelto_blk_file)) - (macro rename_stordev_blk_files ((type ARG1)) - (allow ARG1 stordev rename_blk_file)) + (macro rename_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev rename_blk_file)) - (macro write_stordev_blk_files ((type ARG1)) - (allow ARG1 stordev write_blk_file)) + (macro write_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev write_blk_file)) - 
(macro writeinherited_stordev_blk_files ((type ARG1)) - (allow ARG1 stordev writeinherited_blk_file))) + (macro writeinherited_stordev_blk_files ((type ARG1)) + (allow ARG1 stordev writeinherited_blk_file))) - (block macro_template_chr_files + (block macro_template_chr_files - (blockabstract macro_template_chr_files) + (blockabstract macro_template_chr_files) - (macro append_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev append_chr_file)) + (macro append_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev append_chr_file)) - (macro appendinherited_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev appendinherited_chr_file)) + (macro appendinherited_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev appendinherited_chr_file)) - (macro create_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev create_chr_file)) + (macro create_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev create_chr_file)) - (macro delete_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev delete_chr_file)) + (macro delete_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev delete_chr_file)) - (macro manage_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev manage_chr_file)) + (macro manage_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev manage_chr_file)) - (macro mapexecute_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev mapexecute_chr_file)) + (macro mapexecute_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev mapexecute_chr_file)) - (macro read_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev read_chr_file)) + (macro read_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev read_chr_file)) - (macro readinherited_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev readinherited_chr_file)) + (macro readinherited_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev readinherited_chr_file)) - (macro readwrite_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev readwrite_chr_file)) + (macro readwrite_stordev_chr_files ((type ARG1)) + (allow 
ARG1 stordev readwrite_chr_file)) - (macro readwriteinherited_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev readwriteinherited_chr_file)) + (macro readwriteinherited_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev readwriteinherited_chr_file)) - (macro relabel_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev relabel_chr_file)) + (macro relabel_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev relabel_chr_file)) - (macro relabelfrom_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev relabelfrom_chr_file)) + (macro relabelfrom_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev relabelfrom_chr_file)) - (macro relabelto_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev relabelto_chr_file)) + (macro relabelto_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev relabelto_chr_file)) - (macro rename_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev rename_chr_file)) + (macro rename_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev rename_chr_file)) - (macro write_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev write_chr_file)) + (macro write_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev write_chr_file)) - (macro writeinherited_stordev_chr_files ((type ARG1)) - (allow ARG1 stordev writeinherited_chr_file))) + (macro writeinherited_stordev_chr_files ((type ARG1)) + (allow ARG1 stordev writeinherited_chr_file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .stordev.base_template) - (blockinherit .stordev.macro_template_blk_files) - (blockinherit .stordev.macro_template_chr_files)) + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files) + (blockinherit .stordev.macro_template_chr_files)) - (block read + (block read - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute 
not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr stordev.typeattr (blk_file (read))) - (neverallow not_typeattr stordev.typeattr (chr_file (read)))) + (neverallow not_typeattr stordev.typeattr (blk_file (read))) + (neverallow not_typeattr stordev.typeattr (chr_file (read)))) - (block readwrite + (block readwrite - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (call read.type (typeattr)) - (call write.type (typeattr))) + (call read.type (typeattr)) + (call write.type (typeattr))) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr stordev.typeattr - (blk_file (not (audit_access execmod map)))) - (allow typeattr stordev.typeattr (chr_file (not (audit_access execmod)))) + (allow typeattr stordev.typeattr + (blk_file (not (audit_access execmod map)))) + (allow typeattr stordev.typeattr (chr_file (not (audit_access execmod)))) - (call readwrite.type (typeattr))) + (call readwrite.type (typeattr))) - (block write + (block write - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr stordev.typeattr (blk_file (append write))) - (neverallow not_typeattr stordev.typeattr (chr_file (append write))))) + (neverallow not_typeattr stordev.typeattr (blk_file (append write))) + (neverallow not_typeattr stordev.typeattr (chr_file (append 
write))))) (in dev.unconfined diff --git a/src/dev/stordev/dmstordev.cil b/src/dev/stordev/dmstordev.cil index 96c8e7b..1b86a0b 100644 --- a/src/dev/stordev/dmstordev.cil +++ b/src/dev/stordev/dmstordev.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block dm - (filecon "/dev/dm-[0-9]+" block stordev_context) + (filecon "/dev/dm-[0-9]+" block stordev_context) - (blockinherit .stordev.base_template) - (blockinherit .stordev.macro_template_blk_files)) + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/stordev/fusestordev.cil b/src/dev/stordev/fusestordev.cil index d912075..2430c62 100644 --- a/src/dev/stordev/fusestordev.cil +++ b/src/dev/stordev/fusestordev.cil @@ -1,11 +1,11 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block fuse - (filecon "/dev/fuse" char stordev_context) + (filecon "/dev/fuse" char stordev_context) - (blockinherit .stordev.base_template) - (blockinherit .stordev.macro_template_chr_files) + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_chr_files) - (call .rbacsep.exempt.obj.type (stordev))) + (call .rbacsep.exempt.obj.type (stordev))) diff --git a/src/dev/stordev/hdstordev.cil b/src/dev/stordev/hdstordev.cil index 5e52008..6ba3a16 100644 --- a/src/dev/stordev/hdstordev.cil +++ b/src/dev/stordev/hdstordev.cil 
@@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block hd - (filecon "/dev/hd[^/]+" block stordev_context) + (filecon "/dev/hd[^/]+" block stordev_context) - (blockinherit .stordev.base_template) - (blockinherit .stordev.macro_template_blk_files)) + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/stordev/loopstordev.cil b/src/dev/stordev/loopstordev.cil index 4b09f56..227fdc0 100644 --- a/src/dev/stordev/loopstordev.cil +++ b/src/dev/stordev/loopstordev.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block loop - (filecon "/dev/loop.+" block stordev_context) + (filecon "/dev/loop.+" block stordev_context) - (blockinherit .stordev.base_template) - (blockinherit .stordev.macro_template_blk_files)) + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/stordev/mdstordev.cil b/src/dev/stordev/mdstordev.cil index ece93a3..d1fc966 100644 --- a/src/dev/stordev/mdstordev.cil +++ b/src/dev/stordev/mdstordev.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block md - (filecon "/dev/md[^/]+" block stordev_context) + (filecon "/dev/md[^/]+" block stordev_context) - (blockinherit .stordev.base_template) - (blockinherit .stordev.macro_template_blk_files)) + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/stordev/mtdstordev.cil b/src/dev/stordev/mtdstordev.cil index d96c312..6decb83 100644 
--- a/src/dev/stordev/mtdstordev.cil +++ b/src/dev/stordev/mtdstordev.cil @@ -1,14 +1,14 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block mtd - (filecon "/dev/mtd[0-9]+" char stordev_context) - (filecon "/dev/mtd[0-9]+ro" char stordev_context) - (filecon "/dev/mtdblock[0-9]+" block stordev_context) + (filecon "/dev/mtd[0-9]+" char stordev_context) + (filecon "/dev/mtd[0-9]+ro" char stordev_context) + (filecon "/dev/mtdblock[0-9]+" block stordev_context) - (filecon "/dev/ubi[0-9]+_[0-9]+" char stordev_context) - (filecon "/dev/ubi_ctrl" char stordev_context) - (filecon "/dev/ubiblock[0-9]+_[0-9]+" block stordev_context) + (filecon "/dev/ubi[0-9]+_[0-9]+" char stordev_context) + (filecon "/dev/ubi_ctrl" char stordev_context) + (filecon "/dev/ubiblock[0-9]+_[0-9]+" block stordev_context) - (blockinherit .stordev.template)) + (blockinherit .stordev.template)) diff --git a/src/dev/stordev/nvmestordev.cil b/src/dev/stordev/nvmestordev.cil index edc5002..ff87afb 100644 --- a/src/dev/stordev/nvmestordev.cil +++ b/src/dev/stordev/nvmestordev.cil @@ -1,10 +1,10 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block nvme - (filecon "/dev/ng[0-9]n[^/]+" char stordev_context) - (filecon "/dev/nvme[0-9]+" char stordev_context) - (filecon "/dev/nvme[0-9]n[^/]+" block stordev_context) + (filecon "/dev/ng[0-9]n[^/]+" char stordev_context) + (filecon "/dev/nvme[0-9]+" char stordev_context) + (filecon "/dev/nvme[0-9]n[^/]+" block stordev_context) - (blockinherit .stordev.template)) + (blockinherit .stordev.template)) diff --git a/src/dev/stordev/rawstordev.cil b/src/dev/stordev/rawstordev.cil index 136b189..2b6c53a 100644 --- a/src/dev/stordev/rawstordev.cil 
+++ b/src/dev/stordev/rawstordev.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block raw - (filecon "/dev/raw/.+" char stordev_context) + (filecon "/dev/raw/.+" char stordev_context) - (blockinherit .stordev.base_template) - (blockinherit .stordev.macro_template_chr_files)) + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_chr_files)) diff --git a/src/dev/stordev/removablestordev.cil b/src/dev/stordev/removablestordev.cil index 5e0dd6f..1f42c44 100644 --- a/src/dev/stordev/removablestordev.cil +++ b/src/dev/stordev/removablestordev.cil 
@@ -1,17 +1,17 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block removable - (filecon "/dev/fd[^/]+" block stordev_context) - (filecon "/dev/mmcblk[0-9]+" block stordev_context) - (filecon "/dev/mmcblk[0-9]boot[^/]+" block stordev_context) - (filecon "/dev/mmcblk[0-9]p[^/]+" block stordev_context) - (filecon "/dev/mmcblk[0-9]rpmb" char stordev_context) - (filecon "/dev/mspblk[0-9]+" block stordev_context) - (filecon "/dev/mspblk[0-9]boot[^/]+" block stordev_context) - (filecon "/dev/mspblk[0-9]p[^/]+" block stordev_context) - (filecon "/dev/mspblk[0-9]rpmb" char stordev_context) - (filecon "/dev/sr[0-9]+" block stordev_context) + (filecon "/dev/fd[^/]+" block stordev_context) + (filecon "/dev/mmcblk[0-9]+" block stordev_context) + (filecon "/dev/mmcblk[0-9]boot[^/]+" block stordev_context) + (filecon "/dev/mmcblk[0-9]p[^/]+" block stordev_context) + (filecon "/dev/mmcblk[0-9]rpmb" char stordev_context) + (filecon "/dev/mspblk[0-9]+" block stordev_context) + (filecon "/dev/mspblk[0-9]boot[^/]+" block stordev_context) + (filecon "/dev/mspblk[0-9]p[^/]+" block stordev_context) + (filecon "/dev/mspblk[0-9]rpmb" char stordev_context) + (filecon "/dev/sr[0-9]+" block stordev_context) - (blockinherit .stordev.template)) + (blockinherit .stordev.template)) diff --git a/src/dev/stordev/sdstordev.cil b/src/dev/stordev/sdstordev.cil index 6a933e8..9bc1004 100644 --- a/src/dev/stordev/sdstordev.cil +++ b/src/dev/stordev/sdstordev.cil 
@@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block sd - (filecon "/dev/sd[^/]+" block stordev_context) + (filecon "/dev/sd[^/]+" block stordev_context) - (blockinherit .stordev.base_template) - (blockinherit .stordev.macro_template_blk_files)) + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/stordev/sgstordev.cil b/src/dev/stordev/sgstordev.cil index 96a3784..25e436c 100644 --- a/src/dev/stordev/sgstordev.cil +++ b/src/dev/stordev/sgstordev.cil @@ -1,10 +1,10 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block sg - (filecon "/dev/bsg/.+" char stordev_context) - (filecon "/dev/sg[0-9]+" char stordev_context) + (filecon "/dev/bsg/.+" char stordev_context) + (filecon "/dev/sg[0-9]+" char stordev_context) - (blockinherit .stordev.base_template) - (blockinherit .stordev.macro_template_chr_files)) + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_chr_files)) diff --git a/src/dev/stordev/vdstordev.cil b/src/dev/stordev/vdstordev.cil index a7a4628..03e4fe6 100644 --- a/src/dev/stordev/vdstordev.cil +++ b/src/dev/stordev/vdstordev.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block vd - (filecon "/dev/vd[^/]+" block stordev_context) + (filecon "/dev/vd[^/]+" block stordev_context) - (blockinherit .stordev.base_template) - (blockinherit .stordev.macro_template_blk_files)) + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) 
diff --git a/src/dev/stordev/xdstordev.cil b/src/dev/stordev/xdstordev.cil index 8865dba..70283c3 100644 --- a/src/dev/stordev/xdstordev.cil +++ b/src/dev/stordev/xdstordev.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block xd - (filecon "/dev/xd[^/]+" block stordev_context) + (filecon "/dev/xd[^/]+" block stordev_context) - (blockinherit .stordev.base_template) - (blockinherit .stordev.macro_template_blk_files)) + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/stordev/zramstordev.cil b/src/dev/stordev/zramstordev.cil index 1d790ac..751878b 100644 --- a/src/dev/stordev/zramstordev.cil +++ b/src/dev/stordev/zramstordev.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block zram - (filecon "/dev/zram[0-9]+" block stordev_context) + (filecon "/dev/zram[0-9]+" block stordev_context) - (blockinherit .stordev.base_template) - (blockinherit .stordev.macro_template_blk_files)) + (blockinherit .stordev.base_template) + (blockinherit .stordev.macro_template_blk_files)) diff --git a/src/dev/termdev.cil b/src/dev/termdev.cil index 877f4dd..79e9124 100644 --- a/src/dev/termdev.cil +++ b/src/dev/termdev.cil 
@@ -1,23 +1,23 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block termdev - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_chr_files) + (blockinherit .file.all_macro_template_chr_files) - (call .dev.type (typeattr)) + (call .dev.type (typeattr)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr))) + (typeattribute typeattr))) (in dev.unconfined diff --git a/src/dev/termdev/ptytermdev.cil b/src/dev/termdev/ptytermdev.cil index 353eca2..dd0ed89 100644 --- a/src/dev/termdev/ptytermdev.cil +++ b/src/dev/termdev/ptytermdev.cil 
@@ -1,104 +1,104 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block ptytermdev - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_chr_files) + (blockinherit .file.all_macro_template_chr_files) - (call .devpts.associate_fs (typeattr)) + (call .devpts.associate_fs (typeattr)) - (call .termdev.type (typeattr)) + (call .termdev.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context ptytermdev_context (.sys.id .sys.role ptytermdev .sys.lowlow)) + (context ptytermdev_context (.sys.id .sys.role ptytermdev .sys.lowlow)) - (type ptytermdev) - (call .ptytermdev.type (ptytermdev))) + (type ptytermdev) + (call .ptytermdev.type (ptytermdev))) - (block macro_template_chr_files + (block macro_template_chr_files - (blockabstract macro_template_chr_files) + (blockabstract macro_template_chr_files) - (macro append_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev append_chr_file)) + (macro append_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev append_chr_file)) - (macro appendinherited_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev appendinherited_chr_file) - (allowx ARG1 ptytermdev IOCTLCONSOLE_NOT_TIOCLINUX) - (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI) - (allowx ARG1 ptytermdev IOCTLVT)) + (macro appendinherited_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev appendinherited_chr_file) + (allowx ARG1 ptytermdev IOCTLCONSOLE_NOT_TIOCLINUX) + (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 ptytermdev IOCTLVT)) - (macro create_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev create_chr_file)) + (macro 
create_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev create_chr_file)) - (macro delete_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev delete_chr_file)) + (macro delete_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev delete_chr_file)) - (macro manage_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev manage_chr_file)) + (macro manage_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev manage_chr_file)) - (macro mapexecute_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev mapexecute_chr_file)) + (macro mapexecute_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev mapexecute_chr_file)) - (macro read_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev read_chr_file)) + (macro read_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev read_chr_file)) - (macro readinherited_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev readinherited_chr_file)) + (macro readinherited_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev readinherited_chr_file)) - (macro readwrite_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev readwrite_chr_file)) + (macro readwrite_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev readwrite_chr_file)) - (macro readwriteinherited_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev readwriteinherited_chr_file) - (allowx ARG1 ptytermdev IOCTLCONSOLE_NOT_TIOCLINUX) - (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI) - (allowx ARG1 ptytermdev IOCTLVT)) + (macro readwriteinherited_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev readwriteinherited_chr_file) + (allowx ARG1 ptytermdev IOCTLCONSOLE_NOT_TIOCLINUX) + (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 ptytermdev IOCTLVT)) - (macro relabel_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev relabel_chr_file)) + (macro relabel_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev relabel_chr_file)) - (macro 
relabelfrom_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev relabelfrom_chr_file)) + (macro relabelfrom_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev relabelfrom_chr_file)) - (macro relabelto_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev relabelto_chr_file)) + (macro relabelto_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev relabelto_chr_file)) - (macro rename_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev rename_chr_file)) + (macro rename_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev rename_chr_file)) - (macro write_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev write_chr_file)) + (macro write_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev write_chr_file)) - (macro writeinherited_ptytermdev_chr_files ((type ARG1)) - (allow ARG1 ptytermdev writeinherited_chr_file) - (allowx ARG1 ptytermdev IOCTLCONSOLE_NOT_TIOCLINUX) - (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI) - (allowx ARG1 ptytermdev IOCTLVT))) + (macro writeinherited_ptytermdev_chr_files ((type ARG1)) + (allow ARG1 ptytermdev writeinherited_chr_file) + (allowx ARG1 ptytermdev IOCTLCONSOLE_NOT_TIOCLINUX) + (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 ptytermdev IOCTLVT))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .ptytermdev.base_template) - (blockinherit .ptytermdev.macro_template_chr_files)) + (blockinherit .ptytermdev.base_template) + (blockinherit .ptytermdev.macro_template_chr_files)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr ptytermdev.typeattr (chr_file (not (audit_access execmod)))))) + (allow typeattr ptytermdev.typeattr (chr_file (not (audit_access execmod)))))) (in termdev.unconfined 
diff --git a/src/dev/termdev/ptytermdev/loginptytermdev.cil b/src/dev/termdev/ptytermdev/loginptytermdev.cil index bfaa62c..994ebcf 100644 --- a/src/dev/termdev/ptytermdev/loginptytermdev.cil +++ b/src/dev/termdev/ptytermdev/loginptytermdev.cil @@ -1,37 +1,37 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block loginptytermdev - (macro all_type_change ((type ARG1)(type ARG2)) - (typechange ARG1 typeattr chr_file ARG2)) + (macro all_type_change ((type ARG1)(type ARG2)) + (typechange ARG1 typeattr chr_file ARG2)) - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_chr_files) + (blockinherit .file.all_macro_template_chr_files) - (call .ptytermdev.type (typeattr)) + (call .ptytermdev.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .ptytermdev.base_template) + (blockinherit .ptytermdev.base_template) - (call .loginptytermdev.type (ptytermdev))) + (call .loginptytermdev.type (ptytermdev))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (macro ptytermdev_type_change ((type ARG1)(type ARG2)) - (typechange ARG1 ptytermdev chr_file ARG2)) + (macro ptytermdev_type_change ((type ARG1)(type ARG2)) + (typechange ARG1 ptytermdev chr_file ARG2)) - (blockinherit .loginptytermdev.base_template) - (blockinherit .ptytermdev.macro_template_chr_files))) + (blockinherit .loginptytermdev.base_template) + (blockinherit .ptytermdev.macro_template_chr_files))) (in after loginptytermdev.appendinherited_all_chr_files (allowx ARG1 typeattr IOCTLCONSOLE_NOT_TIOCLINUX) 
diff --git a/src/dev/termdev/ptytermdev/loginptytermdev/sysloginptytermdev.cil b/src/dev/termdev/ptytermdev/loginptytermdev/sysloginptytermdev.cil index 86a1fee..c8cf2ff 100644 --- a/src/dev/termdev/ptytermdev/loginptytermdev/sysloginptytermdev.cil +++ b/src/dev/termdev/ptytermdev/loginptytermdev/sysloginptytermdev.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in ptytermdev.unconfined @@ -8,12 +8,12 @@ (in sys (macro devpts_fs_type_transition_ptytermdev ((type ARG1)) - (call .devpts.fs_type_transition - (ARG1 ptytermdev chr_file "*"))) + (call .devpts.fs_type_transition + (ARG1 ptytermdev chr_file "*"))) (macro loginptytermdev_all_type_change_ptytermdev ((type ARG1)) - (call .loginptytermdev.all_type_change - (ARG1 ptytermdev))) + (call .loginptytermdev.all_type_change + (ARG1 ptytermdev))) ;; support for unknown login services (blockinherit .loginptytermdev.template) diff --git a/src/dev/termdev/serialtermdev.cil b/src/dev/termdev/serialtermdev.cil index 3c461c8..8f1c610 100644 --- a/src/dev/termdev/serialtermdev.cil +++ b/src/dev/termdev/serialtermdev.cil 
@@ -1,103 +1,103 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block serialtermdev - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_chr_files) + (blockinherit .file.all_macro_template_chr_files) - (call .termdev.type (typeattr)) + (call .termdev.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context serialtermdev_context - (.sys.id .sys.role serialtermdev .sys.lowlow)) + (context serialtermdev_context + (.sys.id .sys.role serialtermdev .sys.lowlow)) - (type serialtermdev) - (call .serialtermdev.type (serialtermdev))) + (type serialtermdev) + (call .serialtermdev.type (serialtermdev))) - (block macro_template_chr_files + (block macro_template_chr_files - (blockabstract macro_template_chr_files) + (blockabstract macro_template_chr_files) - (macro append_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev append_chr_file)) + (macro append_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev append_chr_file)) - (macro appendinherited_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev appendinherited_chr_file) - (allowx ARG1 serialtermdev IOCTLCONSOLE_NOT_TIOCLINUX) - (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI) - (allowx ARG1 serialtermdev IOCTLVT)) + (macro appendinherited_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev appendinherited_chr_file) + (allowx ARG1 serialtermdev IOCTLCONSOLE_NOT_TIOCLINUX) + (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 serialtermdev IOCTLVT)) - (macro create_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev create_chr_file)) + (macro 
create_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev create_chr_file)) - (macro delete_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev delete_chr_file)) + (macro delete_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev delete_chr_file)) - (macro manage_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev manage_chr_file)) + (macro manage_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev manage_chr_file)) - (macro mapexecute_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev mapexecute_chr_file)) + (macro mapexecute_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev mapexecute_chr_file)) - (macro read_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev read_chr_file)) + (macro read_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev read_chr_file)) - (macro readinherited_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev readinherited_chr_file)) + (macro readinherited_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev readinherited_chr_file)) - (macro readwrite_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev readwrite_chr_file)) + (macro readwrite_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev readwrite_chr_file)) - (macro readwriteinherited_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev readwriteinherited_chr_file) - (allowx ARG1 serialtermdev IOCTLCONSOLE_NOT_TIOCLINUX) - (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI) - (allowx ARG1 serialtermdev IOCTLVT)) + (macro readwriteinherited_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev readwriteinherited_chr_file) + (allowx ARG1 serialtermdev IOCTLCONSOLE_NOT_TIOCLINUX) + (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 serialtermdev IOCTLVT)) - (macro relabel_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev relabel_chr_file)) + (macro 
relabel_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev relabel_chr_file)) - (macro relabelfrom_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev relabelfrom_chr_file)) + (macro relabelfrom_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev relabelfrom_chr_file)) - (macro relabelto_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev relabelto_chr_file)) + (macro relabelto_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev relabelto_chr_file)) - (macro rename_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev rename_chr_file)) + (macro rename_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev rename_chr_file)) - (macro write_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev write_chr_file)) + (macro write_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev write_chr_file)) - (macro writeinherited_serialtermdev_chr_files ((type ARG1)) - (allow ARG1 serialtermdev writeinherited_chr_file) - (allowx ARG1 serialtermdev IOCTLCONSOLE_NOT_TIOCLINUX) - (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI) - (allowx ARG1 serialtermdev IOCTLVT))) + (macro writeinherited_serialtermdev_chr_files ((type ARG1)) + (allow ARG1 serialtermdev writeinherited_chr_file) + (allowx ARG1 serialtermdev IOCTLCONSOLE_NOT_TIOCLINUX) + (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 serialtermdev IOCTLVT))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .serialtermdev.base_template) - (blockinherit .serialtermdev.macro_template_chr_files)) + (blockinherit .serialtermdev.base_template) + (blockinherit .serialtermdev.macro_template_chr_files)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr 
serialtermdev.typeattr (chr_file (not (audit_access execmod))))))
+ (allow typeattr serialtermdev.typeattr (chr_file (not (audit_access execmod))))))
 (in termdev.unconfined
diff --git a/src/dev/termdev/serialtermdev/acmserialtermdev.cil b/src/dev/termdev/serialtermdev/acmserialtermdev.cil
index d1f23d1..ab9e54d 100644
--- a/src/dev/termdev/serialtermdev/acmserialtermdev.cil
+++ b/src/dev/termdev/serialtermdev/acmserialtermdev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block acm
- (filecon "/dev/ttyACM[0-9]+" char serialtermdev_context)
+ (filecon "/dev/ttyACM[0-9]+" char serialtermdev_context)
- (blockinherit .serialtermdev.template))
+ (blockinherit .serialtermdev.template))
diff --git a/src/dev/termdev/serialtermdev/consoleserialtermdev.cil b/src/dev/termdev/serialtermdev/consoleserialtermdev.cil
index b7a52b8..f69a33d 100644
--- a/src/dev/termdev/serialtermdev/consoleserialtermdev.cil
+++ b/src/dev/termdev/serialtermdev/consoleserialtermdev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block console
- (filecon "/dev/console" char serialtermdev_context)
+ (filecon "/dev/console" char serialtermdev_context)
- (blockinherit .serialtermdev.template))
+ (blockinherit .serialtermdev.template))
diff --git a/src/dev/termdev/serialtermdev/loginserialtermdev.cil b/src/dev/termdev/serialtermdev/loginserialtermdev.cil
index 05ee9b5..2b2780b 100644
--- a/src/dev/termdev/serialtermdev/loginserialtermdev.cil
+++ b/src/dev/termdev/serialtermdev/loginserialtermdev.cil
@@ -1,37 +1,37 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block loginserialtermdev - (macro all_type_change ((type ARG1)(type ARG2)) - (typechange ARG1 typeattr chr_file ARG2)) + (macro all_type_change ((type ARG1)(type ARG2)) + (typechange ARG1 typeattr chr_file ARG2)) - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_chr_files) + (blockinherit .file.all_macro_template_chr_files) - (call .serialtermdev.type (typeattr)) + (call .serialtermdev.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .serialtermdev.base_template) + (blockinherit .serialtermdev.base_template) - (call .loginserialtermdev.type (serialtermdev))) + (call .loginserialtermdev.type (serialtermdev))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (macro serialtermdev_type_change ((type ARG1)(type ARG2)) - (typechange ARG1 serialtermdev chr_file ARG2)) + (macro serialtermdev_type_change ((type ARG1)(type ARG2)) + (typechange ARG1 serialtermdev chr_file ARG2)) - (blockinherit .loginserialtermdev.base_template) - (blockinherit .serialtermdev.macro_template_chr_files))) + (blockinherit .loginserialtermdev.base_template) + (blockinherit .serialtermdev.macro_template_chr_files))) (in after loginserialtermdev.appendinherited_all_chr_files (allowx ARG1 typeattr IOCTLCONSOLE_NOT_TIOCLINUX) diff --git a/src/dev/termdev/serialtermdev/loginserialtermdev/ttyloginserialtermdev.cil b/src/dev/termdev/serialtermdev/loginserialtermdev/ttyloginserialtermdev.cil index 1df710d..209909f 100644 
--- a/src/dev/termdev/serialtermdev/loginserialtermdev/ttyloginserialtermdev.cil +++ b/src/dev/termdev/serialtermdev/loginserialtermdev/ttyloginserialtermdev.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in tty diff --git a/src/dev/termdev/serialtermdev/msmserialtermdev.cil b/src/dev/termdev/serialtermdev/msmserialtermdev.cil index 25b0fc7..aa5dc3c 100644 --- a/src/dev/termdev/serialtermdev/msmserialtermdev.cil +++ b/src/dev/termdev/serialtermdev/msmserialtermdev.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block msm - (filecon "/dev/ttyMSM[0-9]+" char serialtermdev_context) + (filecon "/dev/ttyMSM[0-9]+" char serialtermdev_context) - (blockinherit .serialtermdev.template)) + (blockinherit .serialtermdev.template)) diff --git a/src/dev/termdev/serialtermdev/sysserialtermdev.cil b/src/dev/termdev/serialtermdev/sysserialtermdev.cil index f430a30..ab6f0ae 100644 --- a/src/dev/termdev/serialtermdev/sysserialtermdev.cil +++ b/src/dev/termdev/serialtermdev/sysserialtermdev.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in serialtermdev.unconfined @@ -8,7 +8,7 @@ (in sys (macro loginserialtermdev_all_type_change_serialtermdev ((type ARG1)) - (call .loginserialtermdev.all_type_change - (ARG1 serialtermdev))) + (call .loginserialtermdev.all_type_change + (ARG1 serialtermdev))) (blockinherit .serialtermdev.template)) 
diff --git a/src/dev/termdev/serialtermdev/usbserialtermdev.cil b/src/dev/termdev/serialtermdev/usbserialtermdev.cil
index 59c4c7c..3932f06 100644
--- a/src/dev/termdev/serialtermdev/usbserialtermdev.cil
+++ b/src/dev/termdev/serialtermdev/usbserialtermdev.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in usb
diff --git a/src/dev/termdev/serialtermdev/vcsserialtermdev.cil b/src/dev/termdev/serialtermdev/vcsserialtermdev.cil
index 6dfefe0..6639e79 100644
--- a/src/dev/termdev/serialtermdev/vcsserialtermdev.cil
+++ b/src/dev/termdev/serialtermdev/vcsserialtermdev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block vcs
- (filecon "/dev/vcs[^/]*" char serialtermdev_context)
+ (filecon "/dev/vcs[^/]*" char serialtermdev_context)
- (blockinherit .serialtermdev.template))
+ (blockinherit .serialtermdev.template))
diff --git a/src/dev/termdev/serialtermdev/vportserialtermdev.cil b/src/dev/termdev/serialtermdev/vportserialtermdev.cil
index aede94a..9af0c45 100644
--- a/src/dev/termdev/serialtermdev/vportserialtermdev.cil
+++ b/src/dev/termdev/serialtermdev/vportserialtermdev.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block vport
- (filecon "/dev/vport[0-9]p[0-9]+" char serialtermdev_context)
+ (filecon "/dev/vport[0-9]p[0-9]+" char serialtermdev_context)
- (blockinherit .serialtermdev.template))
+ (blockinherit .serialtermdev.template))
diff --git a/src/file.cil b/src/file.cil
index 469f72f..83a4b47 100644
--- a/src/file.cil
+++ b/src/file.cil
@@ -1,850 +1,850 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block file - (macro anon_file_type_transition - ((type ARG1)(type ARG2)(class ARG3)(name ARG4)(type ARG5)) - (typetransition ARG1 ARG2 ARG3 ARG4 ARG5) - (allow ARG1 ARG2 addname_dir)) + (macro anon_file_type_transition + ((type ARG1)(type ARG2)(class ARG3)(name ARG4)(type ARG5)) + (typetransition ARG1 ARG2 ARG3 ARG4 ARG5) + (allow ARG1 ARG2 addname_dir)) - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template_all_files) - (blockinherit all_macro_template_blk_files) - (blockinherit all_macro_template_chr_files) - (blockinherit all_macro_template_dirs) - (blockinherit all_macro_template_fifo_files) - (blockinherit all_macro_template_files) - (blockinherit all_macro_template_lnk_files) - (blockinherit all_macro_template_sock_files) + (blockinherit all_macro_template_all_files) + (blockinherit all_macro_template_blk_files) + (blockinherit all_macro_template_chr_files) + (blockinherit all_macro_template_dirs) + (blockinherit all_macro_template_fifo_files) + (blockinherit all_macro_template_files) + (blockinherit all_macro_template_lnk_files) + (blockinherit all_macro_template_sock_files) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template_all_files + (block all_macro_template_all_files - (blockabstract all_macro_template_all_files) + (blockabstract all_macro_template_all_files) - (macro create_all_file ((type ARG1)) - (allow ARG1 typeattr (files (create)))) + (macro create_all_file ((type ARG1)) + (allow ARG1 typeattr (files (create)))) - (macro delete_all_file ((type ARG1)) - (allow ARG1 typeattr (files (delete)))) + (macro delete_all_file ((type ARG1)) + 
(allow ARG1 typeattr (files (delete)))) - (macro manage_all_file ((type ARG1)) - (allow ARG1 typeattr (files (manage)))) + (macro manage_all_file ((type ARG1)) + (allow ARG1 typeattr (files (manage)))) - (macro read_all_file ((type ARG1)) - (allow ARG1 typeattr (files (read)))) + (macro read_all_file ((type ARG1)) + (allow ARG1 typeattr (files (read)))) - (macro readwrite_all_file ((type ARG1)) - (allow ARG1 typeattr (files (readwrite)))) + (macro readwrite_all_file ((type ARG1)) + (allow ARG1 typeattr (files (readwrite)))) - (macro relabel_all_file ((type ARG1)) - (allow ARG1 typeattr (files (relabel)))) + (macro relabel_all_file ((type ARG1)) + (allow ARG1 typeattr (files (relabel)))) - (macro relabelfrom_all_file ((type ARG1)) - (allow ARG1 typeattr (files (relabelfrom)))) + (macro relabelfrom_all_file ((type ARG1)) + (allow ARG1 typeattr (files (relabelfrom)))) - (macro relabelto_all_file ((type ARG1)) - (allow ARG1 typeattr (files (relabelto)))) + (macro relabelto_all_file ((type ARG1)) + (allow ARG1 typeattr (files (relabelto)))) - (macro rename_all_file ((type ARG1)) - (allow ARG1 typeattr (files (rename)))) + (macro rename_all_file ((type ARG1)) + (allow ARG1 typeattr (files (rename)))) - (macro write_all_file ((type ARG1)) - (allow ARG1 typeattr (files (write))))) + (macro write_all_file ((type ARG1)) + (allow ARG1 typeattr (files (write))))) - (block all_macro_template_blk_files + (block all_macro_template_blk_files - (blockabstract all_macro_template_blk_files) + (blockabstract all_macro_template_blk_files) - (macro append_all_blk_files ((type ARG1)) - (allow ARG1 typeattr append_blk_file)) + (macro append_all_blk_files ((type ARG1)) + (allow ARG1 typeattr append_blk_file)) - (macro appendinherited_all_blk_files ((type ARG1)) - (allow ARG1 typeattr appendinherited_blk_file)) + (macro appendinherited_all_blk_files ((type ARG1)) + (allow ARG1 typeattr appendinherited_blk_file)) - (macro create_all_blk_files ((type ARG1)) - (allow ARG1 typeattr 
create_blk_file)) + (macro create_all_blk_files ((type ARG1)) + (allow ARG1 typeattr create_blk_file)) - (macro delete_all_blk_files ((type ARG1)) - (allow ARG1 typeattr delete_blk_file)) + (macro delete_all_blk_files ((type ARG1)) + (allow ARG1 typeattr delete_blk_file)) - (macro manage_all_blk_files ((type ARG1)) - (allow ARG1 typeattr manage_blk_file)) + (macro manage_all_blk_files ((type ARG1)) + (allow ARG1 typeattr manage_blk_file)) - (macro read_all_blk_files ((type ARG1)) - (allow ARG1 typeattr read_blk_file)) + (macro read_all_blk_files ((type ARG1)) + (allow ARG1 typeattr read_blk_file)) - (macro readinherited_all_blk_files ((type ARG1)) - (allow ARG1 typeattr readinherited_blk_file)) + (macro readinherited_all_blk_files ((type ARG1)) + (allow ARG1 typeattr readinherited_blk_file)) - (macro readwrite_all_blk_files ((type ARG1)) - (allow ARG1 typeattr readwrite_blk_file)) + (macro readwrite_all_blk_files ((type ARG1)) + (allow ARG1 typeattr readwrite_blk_file)) - (macro readwriteinherited_all_blk_files ((type ARG1)) - (allow ARG1 typeattr readwriteinherited_blk_file)) + (macro readwriteinherited_all_blk_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_blk_file)) - (macro relabel_all_blk_files ((type ARG1)) - (allow ARG1 typeattr relabel_blk_file)) + (macro relabel_all_blk_files ((type ARG1)) + (allow ARG1 typeattr relabel_blk_file)) - (macro relabelfrom_all_blk_files ((type ARG1)) - (allow ARG1 typeattr relabelfrom_blk_file)) + (macro relabelfrom_all_blk_files ((type ARG1)) + (allow ARG1 typeattr relabelfrom_blk_file)) - (macro relabelto_all_blk_files ((type ARG1)) - (allow ARG1 typeattr relabelto_blk_file)) + (macro relabelto_all_blk_files ((type ARG1)) + (allow ARG1 typeattr relabelto_blk_file)) - (macro rename_all_blk_files ((type ARG1)) - (allow ARG1 typeattr rename_blk_file)) + (macro rename_all_blk_files ((type ARG1)) + (allow ARG1 typeattr rename_blk_file)) - (macro write_all_blk_files ((type ARG1)) - (allow ARG1 typeattr 
write_blk_file)) + (macro write_all_blk_files ((type ARG1)) + (allow ARG1 typeattr write_blk_file)) - (macro writeinherited_all_blk_files ((type ARG1)) - (allow ARG1 typeattr writeinherited_blk_file))) + (macro writeinherited_all_blk_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_blk_file))) - (block all_macro_template_chr_files + (block all_macro_template_chr_files - (blockabstract all_macro_template_chr_files) + (blockabstract all_macro_template_chr_files) - (macro append_all_chr_files ((type ARG1)) - (allow ARG1 typeattr append_chr_file)) + (macro append_all_chr_files ((type ARG1)) + (allow ARG1 typeattr append_chr_file)) - (macro appendinherited_all_chr_files ((type ARG1)) - (allow ARG1 typeattr appendinherited_chr_file)) + (macro appendinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr appendinherited_chr_file)) - (macro create_all_chr_files ((type ARG1)) - (allow ARG1 typeattr create_chr_file)) + (macro create_all_chr_files ((type ARG1)) + (allow ARG1 typeattr create_chr_file)) - (macro delete_all_chr_files ((type ARG1)) - (allow ARG1 typeattr delete_chr_file)) + (macro delete_all_chr_files ((type ARG1)) + (allow ARG1 typeattr delete_chr_file)) - (macro manage_all_chr_files ((type ARG1)) - (allow ARG1 typeattr manage_chr_file)) + (macro manage_all_chr_files ((type ARG1)) + (allow ARG1 typeattr manage_chr_file)) - (macro mapexecute_all_chr_files ((type ARG1)) - (allow ARG1 typeattr mapexecute_chr_file)) + (macro mapexecute_all_chr_files ((type ARG1)) + (allow ARG1 typeattr mapexecute_chr_file)) - (macro read_all_chr_files ((type ARG1)) - (allow ARG1 typeattr read_chr_file)) + (macro read_all_chr_files ((type ARG1)) + (allow ARG1 typeattr read_chr_file)) - (macro readinherited_all_chr_files ((type ARG1)) - (allow ARG1 typeattr readinherited_chr_file)) + (macro readinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr readinherited_chr_file)) - (macro readwrite_all_chr_files ((type ARG1)) - (allow ARG1 typeattr readwrite_chr_file)) + 
(macro readwrite_all_chr_files ((type ARG1)) + (allow ARG1 typeattr readwrite_chr_file)) - (macro readwriteinherited_all_chr_files ((type ARG1)) - (allow ARG1 typeattr readwriteinherited_chr_file)) + (macro readwriteinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_chr_file)) - (macro relabel_all_chr_files ((type ARG1)) - (allow ARG1 typeattr relabel_chr_file)) + (macro relabel_all_chr_files ((type ARG1)) + (allow ARG1 typeattr relabel_chr_file)) - (macro relabelfrom_all_chr_files ((type ARG1)) - (allow ARG1 typeattr relabelfrom_chr_file)) + (macro relabelfrom_all_chr_files ((type ARG1)) + (allow ARG1 typeattr relabelfrom_chr_file)) - (macro relabelto_all_chr_files ((type ARG1)) - (allow ARG1 typeattr relabelto_chr_file)) + (macro relabelto_all_chr_files ((type ARG1)) + (allow ARG1 typeattr relabelto_chr_file)) - (macro rename_all_chr_files ((type ARG1)) - (allow ARG1 typeattr rename_chr_file)) + (macro rename_all_chr_files ((type ARG1)) + (allow ARG1 typeattr rename_chr_file)) - (macro write_all_chr_files ((type ARG1)) - (allow ARG1 typeattr write_chr_file)) + (macro write_all_chr_files ((type ARG1)) + (allow ARG1 typeattr write_chr_file)) - (macro writeinherited_all_chr_files ((type ARG1)) - (allow ARG1 typeattr writeinherited_chr_file))) + (macro writeinherited_all_chr_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_chr_file))) - (block all_macro_template_dirs + (block all_macro_template_dirs - (blockabstract all_macro_template_dirs) + (blockabstract all_macro_template_dirs) - (macro addname_all_dirs ((type ARG1)) - (allow ARG1 typeattr addname_dir)) + (macro addname_all_dirs ((type ARG1)) + (allow ARG1 typeattr addname_dir)) - (macro create_all_dirs ((type ARG1)) - (allow ARG1 typeattr create_dir)) + (macro create_all_dirs ((type ARG1)) + (allow ARG1 typeattr create_dir)) - (macro delete_all_dirs ((type ARG1)) - (allow ARG1 typeattr delete_dir)) + (macro delete_all_dirs ((type ARG1)) + (allow ARG1 typeattr delete_dir)) - 
(macro deletename_all_dirs ((type ARG1)) - (allow ARG1 typeattr deletename_dir)) + (macro deletename_all_dirs ((type ARG1)) + (allow ARG1 typeattr deletename_dir)) - (macro list_all_dirs ((type ARG1)) - (allow ARG1 typeattr list_dir)) + (macro list_all_dirs ((type ARG1)) + (allow ARG1 typeattr list_dir)) - (macro listinherited_all_dirs ((type ARG1)) - (allow ARG1 typeattr listinherited_dir)) + (macro listinherited_all_dirs ((type ARG1)) + (allow ARG1 typeattr listinherited_dir)) - (macro manage_all_dirs ((type ARG1)) - (allow ARG1 typeattr manage_dir)) + (macro manage_all_dirs ((type ARG1)) + (allow ARG1 typeattr manage_dir)) - (macro mounton_all_dirs ((type ARG1)) - (allow ARG1 typeattr mounton_dir)) + (macro mounton_all_dirs ((type ARG1)) + (allow ARG1 typeattr mounton_dir)) - (macro all_type_transition ((type ARG1)(type ARG2)(class ARG3)(name ARG4)) - (typetransition ARG1 typeattr ARG3 ARG4 ARG2) - (call addname_all_dirs (ARG1))) + (macro all_type_transition ((type ARG1)(type ARG2)(class ARG3)(name ARG4)) + (typetransition ARG1 typeattr ARG3 ARG4 ARG2) + (call addname_all_dirs (ARG1))) - (macro readwrite_all_dirs ((type ARG1)) - (allow ARG1 typeattr readwrite_dir)) + (macro readwrite_all_dirs ((type ARG1)) + (allow ARG1 typeattr readwrite_dir)) - (macro readwriteinherited_all_dirs ((type ARG1)) - (allow ARG1 typeattr readwriteinherited_dir)) + (macro readwriteinherited_all_dirs ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_dir)) - (macro relabel_all_dirs ((type ARG1)) - (allow ARG1 typeattr relabel_dir)) + (macro relabel_all_dirs ((type ARG1)) + (allow ARG1 typeattr relabel_dir)) - (macro relabelfrom_all_dirs ((type ARG1)) - (allow ARG1 typeattr relabelfrom_dir)) + (macro relabelfrom_all_dirs ((type ARG1)) + (allow ARG1 typeattr relabelfrom_dir)) - (macro relabelto_all_dirs ((type ARG1)) - (allow ARG1 typeattr relabelto_dir)) + (macro relabelto_all_dirs ((type ARG1)) + (allow ARG1 typeattr relabelto_dir)) - (macro rename_all_dirs ((type ARG1)) - (allow 
ARG1 typeattr rename_dir)) + (macro rename_all_dirs ((type ARG1)) + (allow ARG1 typeattr rename_dir)) - (macro search_all_dirs ((type ARG1)) - (allow ARG1 typeattr search_dir)) + (macro search_all_dirs ((type ARG1)) + (allow ARG1 typeattr search_dir)) - (macro write_all_dirs ((type ARG1)) - (allow ARG1 typeattr write_dir)) + (macro write_all_dirs ((type ARG1)) + (allow ARG1 typeattr write_dir)) - (macro writeinherited_all_dirs ((type ARG1)) - (allow ARG1 typeattr writeinherited_dir))) + (macro writeinherited_all_dirs ((type ARG1)) + (allow ARG1 typeattr writeinherited_dir))) - (block all_macro_template_fifo_files + (block all_macro_template_fifo_files - (blockabstract all_macro_template_fifo_files) + (blockabstract all_macro_template_fifo_files) - (macro append_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr append_fifo_file)) + (macro append_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr append_fifo_file)) - (macro appendinherited_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr appendinherited_fifo_file)) + (macro appendinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr appendinherited_fifo_file)) - (macro create_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr create_fifo_file)) + (macro create_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr create_fifo_file)) - (macro delete_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr delete_fifo_file)) + (macro delete_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr delete_fifo_file)) - (macro manage_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr manage_fifo_file)) + (macro manage_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr manage_fifo_file)) - (macro read_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr read_fifo_file)) + (macro read_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr read_fifo_file)) - (macro readinherited_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr readinherited_fifo_file)) + (macro readinherited_all_fifo_files ((type ARG1)) + (allow ARG1 
typeattr readinherited_fifo_file)) - (macro readwrite_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr readwrite_fifo_file)) + (macro readwrite_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr readwrite_fifo_file)) - (macro readwriteinherited_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr readwriteinherited_fifo_file)) + (macro readwriteinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_fifo_file)) - (macro relabel_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr relabel_fifo_file)) + (macro relabel_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr relabel_fifo_file)) - (macro relabelfrom_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr relabelfrom_fifo_file)) + (macro relabelfrom_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr relabelfrom_fifo_file)) - (macro relabelto_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr relabelto_fifo_file)) + (macro relabelto_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr relabelto_fifo_file)) - (macro rename_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr rename_fifo_file)) + (macro rename_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr rename_fifo_file)) - (macro write_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr write_fifo_file)) + (macro write_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr write_fifo_file)) - (macro writeinherited_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr writeinherited_fifo_file))) + (macro writeinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_fifo_file))) - (block all_macro_template_files + (block all_macro_template_files - (blockabstract all_macro_template_files) + (blockabstract all_macro_template_files) - (macro append_all_files ((type ARG1)) - (allow ARG1 typeattr append_file)) + (macro append_all_files ((type ARG1)) + (allow ARG1 typeattr append_file)) - (macro appendinherited_all_files ((type ARG1)) - (allow ARG1 typeattr appendinherited_file)) + (macro appendinherited_all_files ((type 
ARG1)) + (allow ARG1 typeattr appendinherited_file)) - (macro create_all_files ((type ARG1)) - (allow ARG1 typeattr create_file)) + (macro create_all_files ((type ARG1)) + (allow ARG1 typeattr create_file)) - (macro delete_all_files ((type ARG1)) - (allow ARG1 typeattr delete_file)) + (macro delete_all_files ((type ARG1)) + (allow ARG1 typeattr delete_file)) - (macro execute_all_files ((type ARG1)) - (allow ARG1 typeattr execute_file)) + (macro execute_all_files ((type ARG1)) + (allow ARG1 typeattr execute_file)) - (macro manage_all_files ((type ARG1)) - (allow ARG1 typeattr manage_file)) + (macro manage_all_files ((type ARG1)) + (allow ARG1 typeattr manage_file)) - (macro mapexecute_all_files ((type ARG1)) - (allow ARG1 typeattr mapexecute_file)) + (macro mapexecute_all_files ((type ARG1)) + (allow ARG1 typeattr mapexecute_file)) - (macro mounton_all_files ((type ARG1)) - (allow ARG1 typeattr mounton_file)) + (macro mounton_all_files ((type ARG1)) + (allow ARG1 typeattr mounton_file)) - (macro read_all_files ((type ARG1)) - (allow ARG1 typeattr read_file)) + (macro read_all_files ((type ARG1)) + (allow ARG1 typeattr read_file)) - (macro readinherited_all_files ((type ARG1)) - (allow ARG1 typeattr readinherited_file)) + (macro readinherited_all_files ((type ARG1)) + (allow ARG1 typeattr readinherited_file)) - (macro readwrite_all_files ((type ARG1)) - (allow ARG1 typeattr readwrite_file)) + (macro readwrite_all_files ((type ARG1)) + (allow ARG1 typeattr readwrite_file)) - (macro readwriteinherited_all_files ((type ARG1)) - (allow ARG1 typeattr readwriteinherited_file)) + (macro readwriteinherited_all_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_file)) - (macro relabel_all_files ((type ARG1)) - (allow ARG1 typeattr relabel_file)) + (macro relabel_all_files ((type ARG1)) + (allow ARG1 typeattr relabel_file)) - (macro relabelfrom_all_files ((type ARG1)) - (allow ARG1 typeattr relabelfrom_file)) + (macro relabelfrom_all_files ((type ARG1)) + (allow 
ARG1 typeattr relabelfrom_file)) - (macro relabelto_all_files ((type ARG1)) - (allow ARG1 typeattr relabelto_file)) + (macro relabelto_all_files ((type ARG1)) + (allow ARG1 typeattr relabelto_file)) - (macro rename_all_files ((type ARG1)) - (allow ARG1 typeattr rename_file)) + (macro rename_all_files ((type ARG1)) + (allow ARG1 typeattr rename_file)) - (macro write_all_files ((type ARG1)) - (allow ARG1 typeattr write_file)) + (macro write_all_files ((type ARG1)) + (allow ARG1 typeattr write_file)) - (macro writeinherited_all_files ((type ARG1)) - (allow ARG1 typeattr writeinherited_file))) + (macro writeinherited_all_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_file))) - (block all_macro_template_lnk_files + (block all_macro_template_lnk_files - (blockabstract all_macro_template_lnk_files) + (blockabstract all_macro_template_lnk_files) - (macro create_all_lnk_files ((type ARG1)) - (allow ARG1 typeattr create_lnk_file)) + (macro create_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr create_lnk_file)) - (macro delete_all_lnk_files ((type ARG1)) - (allow ARG1 typeattr delete_lnk_file)) + (macro delete_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr delete_lnk_file)) - (macro manage_all_lnk_files ((type ARG1)) - (allow ARG1 typeattr manage_lnk_file)) + (macro manage_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr manage_lnk_file)) - (macro read_all_lnk_files ((type ARG1)) - (allow ARG1 typeattr read_lnk_file)) + (macro read_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr read_lnk_file)) - (macro readwrite_all_lnk_files ((type ARG1)) - (allow ARG1 typeattr readwrite_lnk_file)) + (macro readwrite_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr readwrite_lnk_file)) - (macro relabel_all_lnk_files ((type ARG1)) - (allow ARG1 typeattr relabel_lnk_file)) + (macro relabel_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr relabel_lnk_file)) - (macro relabelfrom_all_lnk_files ((type ARG1)) - (allow ARG1 typeattr relabelfrom_lnk_file)) + (macro 
relabelfrom_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr relabelfrom_lnk_file)) - (macro relabelto_all_lnk_files ((type ARG1)) - (allow ARG1 typeattr relabelto_lnk_file)) + (macro relabelto_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr relabelto_lnk_file)) - (macro rename_all_lnk_files ((type ARG1)) - (allow ARG1 typeattr rename_lnk_file)) + (macro rename_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr rename_lnk_file)) - (macro write_all_lnk_files ((type ARG1)) - (allow ARG1 typeattr write_lnk_file))) + (macro write_all_lnk_files ((type ARG1)) + (allow ARG1 typeattr write_lnk_file))) - (block all_macro_template_sock_files + (block all_macro_template_sock_files - (blockabstract all_macro_template_sock_files) + (blockabstract all_macro_template_sock_files) - (macro create_all_sock_files ((type ARG1)) - (allow ARG1 typeattr create_sock_file)) + (macro create_all_sock_files ((type ARG1)) + (allow ARG1 typeattr create_sock_file)) - (macro delete_all_sock_files ((type ARG1)) - (allow ARG1 typeattr delete_sock_file)) + (macro delete_all_sock_files ((type ARG1)) + (allow ARG1 typeattr delete_sock_file)) - (macro manage_all_sock_files ((type ARG1)) - (allow ARG1 typeattr manage_sock_file)) + (macro manage_all_sock_files ((type ARG1)) + (allow ARG1 typeattr manage_sock_file)) - (macro read_all_sock_files ((type ARG1)) - (allow ARG1 typeattr read_sock_file)) + (macro read_all_sock_files ((type ARG1)) + (allow ARG1 typeattr read_sock_file)) - (macro readinherited_all_sock_files ((type ARG1)) - (allow ARG1 typeattr readinherited_sock_file)) + (macro readinherited_all_sock_files ((type ARG1)) + (allow ARG1 typeattr readinherited_sock_file)) - (macro readwrite_all_sock_files ((type ARG1)) - (allow ARG1 typeattr readwrite_sock_file)) + (macro readwrite_all_sock_files ((type ARG1)) + (allow ARG1 typeattr readwrite_sock_file)) - (macro readwriteinherited_all_sock_files ((type ARG1)) - (allow ARG1 typeattr readwriteinherited_sock_file)) + (macro 
readwriteinherited_all_sock_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_sock_file)) - (macro relabel_all_sock_files ((type ARG1)) - (allow ARG1 typeattr relabel_sock_file)) + (macro relabel_all_sock_files ((type ARG1)) + (allow ARG1 typeattr relabel_sock_file)) - (macro relabelfrom_all_sock_files ((type ARG1)) - (allow ARG1 typeattr relabelfrom_sock_file)) + (macro relabelfrom_all_sock_files ((type ARG1)) + (allow ARG1 typeattr relabelfrom_sock_file)) - (macro relabelto_all_sock_files ((type ARG1)) - (allow ARG1 typeattr relabelto_sock_file)) + (macro relabelto_all_sock_files ((type ARG1)) + (allow ARG1 typeattr relabelto_sock_file)) - (macro rename_all_sock_files ((type ARG1)) - (allow ARG1 typeattr rename_sock_file)) + (macro rename_all_sock_files ((type ARG1)) + (allow ARG1 typeattr rename_sock_file)) - (macro write_all_sock_files ((type ARG1)) - (allow ARG1 typeattr write_sock_file)) + (macro write_all_sock_files ((type ARG1)) + (allow ARG1 typeattr write_sock_file)) - (macro writeinherited_all_sock_files ((type ARG1)) - (allow ARG1 typeattr writeinherited_sock_file))) + (macro writeinherited_all_sock_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_sock_file))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context file_context (.sys.id .sys.role file .sys.lowlow)) + (context file_context (.sys.id .sys.role file .sys.lowlow)) - (type file) - (call .file.type (file))) + (type file) + (call .file.type (file))) - (block except + (block except - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_all_files) - (blockinherit file.all_macro_template_blk_files) - (blockinherit file.all_macro_template_chr_files) - (blockinherit file.all_macro_template_dirs) - (blockinherit file.all_macro_template_fifo_files) - (blockinherit file.all_macro_template_files) - 
(blockinherit file.all_macro_template_lnk_files) - (blockinherit file.all_macro_template_sock_files) + (blockinherit file.all_macro_template_all_files) + (blockinherit file.all_macro_template_blk_files) + (blockinherit file.all_macro_template_chr_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) - (typeattribute typeattr) + (typeattribute typeattr) - (typeattributeset typeattr (and file.typeattr (not (exception.typeattr))))) + (typeattributeset typeattr (and file.typeattr (not (exception.typeattr))))) - (block exception + (block exception - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (call file.type (typeattr))) + (call file.type (typeattr))) - (block macro_template_all_files + (block macro_template_all_files - (blockabstract macro_template_all_files) + (blockabstract macro_template_all_files) - (macro create_file ((type ARG1)) - (allow ARG1 file (files (create)))) + (macro create_file ((type ARG1)) + (allow ARG1 file (files (create)))) - (macro delete_file ((type ARG1)) - (allow ARG1 file (files (delete)))) + (macro delete_file ((type ARG1)) + (allow ARG1 file (files (delete)))) - (macro manage_file ((type ARG1)) - (allow ARG1 file (files (manage)))) + (macro manage_file ((type ARG1)) + (allow ARG1 file (files (manage)))) - (macro read_file ((type ARG1)) - (allow ARG1 file (files (read)))) + (macro read_file ((type ARG1)) + (allow ARG1 file (files (read)))) - (macro readwrite_file ((type ARG1)) - (allow ARG1 file (files (readwrite)))) + (macro readwrite_file ((type ARG1)) + (allow ARG1 file (files (readwrite)))) - (macro relabel_file ((type ARG1)) - (allow ARG1 file (files (relabel)))) + (macro relabel_file ((type ARG1)) + 
(allow ARG1 file (files (relabel)))) - (macro relabelfrom_file ((type ARG1)) - (allow ARG1 file (files (relabelfrom)))) + (macro relabelfrom_file ((type ARG1)) + (allow ARG1 file (files (relabelfrom)))) - (macro relabelto_file ((type ARG1)) - (allow ARG1 file (files (relabelto)))) + (macro relabelto_file ((type ARG1)) + (allow ARG1 file (files (relabelto)))) - (macro rename_file ((type ARG1)) - (allow ARG1 file (files (rename)))) + (macro rename_file ((type ARG1)) + (allow ARG1 file (files (rename)))) - (macro write_file ((type ARG1)) - (allow ARG1 file (files (write))))) + (macro write_file ((type ARG1)) + (allow ARG1 file (files (write))))) - (block macro_template_blk_files + (block macro_template_blk_files - (blockabstract macro_template_blk_files) + (blockabstract macro_template_blk_files) - (macro append_file_blk_files ((type ARG1)) - (allow ARG1 file append_blk_file)) + (macro append_file_blk_files ((type ARG1)) + (allow ARG1 file append_blk_file)) - (macro appendinherited_file_blk_files ((type ARG1)) - (allow ARG1 file appendinherited_blk_file)) + (macro appendinherited_file_blk_files ((type ARG1)) + (allow ARG1 file appendinherited_blk_file)) - (macro create_file_blk_files ((type ARG1)) - (allow ARG1 file create_blk_file)) + (macro create_file_blk_files ((type ARG1)) + (allow ARG1 file create_blk_file)) - (macro delete_file_blk_files ((type ARG1)) - (allow ARG1 file delete_blk_file)) + (macro delete_file_blk_files ((type ARG1)) + (allow ARG1 file delete_blk_file)) - (macro manage_file_blk_files ((type ARG1)) - (allow ARG1 file manage_blk_file)) + (macro manage_file_blk_files ((type ARG1)) + (allow ARG1 file manage_blk_file)) - (macro read_file_blk_files ((type ARG1)) - (allow ARG1 file read_blk_file)) + (macro read_file_blk_files ((type ARG1)) + (allow ARG1 file read_blk_file)) - (macro readinherited_file_blk_files ((type ARG1)) - (allow ARG1 file readinherited_blk_file)) + (macro readinherited_file_blk_files ((type ARG1)) + (allow ARG1 file 
readinherited_blk_file)) - (macro readwrite_file_blk_files ((type ARG1)) - (allow ARG1 file readwrite_blk_file)) + (macro readwrite_file_blk_files ((type ARG1)) + (allow ARG1 file readwrite_blk_file)) - (macro readwriteinherited_file_blk_files ((type ARG1)) - (allow ARG1 file readwriteinherited_blk_file)) + (macro readwriteinherited_file_blk_files ((type ARG1)) + (allow ARG1 file readwriteinherited_blk_file)) - (macro relabel_file_blk_files ((type ARG1)) - (allow ARG1 file relabel_blk_file)) + (macro relabel_file_blk_files ((type ARG1)) + (allow ARG1 file relabel_blk_file)) - (macro relabelfrom_file_blk_files ((type ARG1)) - (allow ARG1 file relabelfrom_blk_file)) + (macro relabelfrom_file_blk_files ((type ARG1)) + (allow ARG1 file relabelfrom_blk_file)) - (macro relabelto_file_blk_files ((type ARG1)) - (allow ARG1 file relabelto_blk_file)) + (macro relabelto_file_blk_files ((type ARG1)) + (allow ARG1 file relabelto_blk_file)) - (macro rename_file_blk_files ((type ARG1)) - (allow ARG1 file rename_blk_file)) + (macro rename_file_blk_files ((type ARG1)) + (allow ARG1 file rename_blk_file)) - (macro write_file_blk_files ((type ARG1)) - (allow ARG1 file write_blk_file)) + (macro write_file_blk_files ((type ARG1)) + (allow ARG1 file write_blk_file)) - (macro writeinherited_file_blk_files ((type ARG1)) - (allow ARG1 file writeinherited_blk_file))) + (macro writeinherited_file_blk_files ((type ARG1)) + (allow ARG1 file writeinherited_blk_file))) - (block macro_template_chr_files + (block macro_template_chr_files - (blockabstract macro_template_chr_files) + (blockabstract macro_template_chr_files) - (macro append_file_chr_files ((type ARG1)) - (allow ARG1 file append_chr_file)) + (macro append_file_chr_files ((type ARG1)) + (allow ARG1 file append_chr_file)) - (macro appendinherited_file_chr_files ((type ARG1)) - (allow ARG1 file appendinherited_chr_file)) + (macro appendinherited_file_chr_files ((type ARG1)) + (allow ARG1 file appendinherited_chr_file)) - (macro 
create_file_chr_files ((type ARG1)) - (allow ARG1 file create_chr_file)) + (macro create_file_chr_files ((type ARG1)) + (allow ARG1 file create_chr_file)) - (macro delete_file_chr_files ((type ARG1)) - (allow ARG1 file delete_chr_file)) + (macro delete_file_chr_files ((type ARG1)) + (allow ARG1 file delete_chr_file)) - (macro manage_file_chr_files ((type ARG1)) - (allow ARG1 file manage_chr_file)) + (macro manage_file_chr_files ((type ARG1)) + (allow ARG1 file manage_chr_file)) - (macro mapexecute_file_chr_files ((type ARG1)) - (allow ARG1 file mapexecute_chr_file)) + (macro mapexecute_file_chr_files ((type ARG1)) + (allow ARG1 file mapexecute_chr_file)) - (macro read_file_chr_files ((type ARG1)) - (allow ARG1 file read_chr_file)) + (macro read_file_chr_files ((type ARG1)) + (allow ARG1 file read_chr_file)) - (macro readinherited_file_chr_files ((type ARG1)) - (allow ARG1 file readinherited_chr_file)) + (macro readinherited_file_chr_files ((type ARG1)) + (allow ARG1 file readinherited_chr_file)) - (macro readwrite_file_chr_files ((type ARG1)) - (allow ARG1 file readwrite_chr_file)) + (macro readwrite_file_chr_files ((type ARG1)) + (allow ARG1 file readwrite_chr_file)) - (macro readwriteinherited_file_chr_files ((type ARG1)) - (allow ARG1 file readwriteinherited_chr_file)) + (macro readwriteinherited_file_chr_files ((type ARG1)) + (allow ARG1 file readwriteinherited_chr_file)) - (macro relabel_file_chr_files ((type ARG1)) - (allow ARG1 file relabel_chr_file)) + (macro relabel_file_chr_files ((type ARG1)) + (allow ARG1 file relabel_chr_file)) - (macro relabelfrom_file_chr_files ((type ARG1)) - (allow ARG1 file relabelfrom_chr_file)) + (macro relabelfrom_file_chr_files ((type ARG1)) + (allow ARG1 file relabelfrom_chr_file)) - (macro relabelto_file_chr_files ((type ARG1)) - (allow ARG1 file relabelto_chr_file)) + (macro relabelto_file_chr_files ((type ARG1)) + (allow ARG1 file relabelto_chr_file)) - (macro rename_file_chr_files ((type ARG1)) - (allow ARG1 file 
rename_chr_file)) + (macro rename_file_chr_files ((type ARG1)) + (allow ARG1 file rename_chr_file)) - (macro write_file_chr_files ((type ARG1)) - (allow ARG1 file write_chr_file)) + (macro write_file_chr_files ((type ARG1)) + (allow ARG1 file write_chr_file)) - (macro writeinherited_file_chr_files ((type ARG1)) - (allow ARG1 file writeinherited_chr_file))) + (macro writeinherited_file_chr_files ((type ARG1)) + (allow ARG1 file writeinherited_chr_file))) - (block macro_template_dirs + (block macro_template_dirs - (blockabstract macro_template_dirs) + (blockabstract macro_template_dirs) - (macro addname_file_dirs ((type ARG1)) - (allow ARG1 file addname_dir)) + (macro addname_file_dirs ((type ARG1)) + (allow ARG1 file addname_dir)) - (macro create_file_dirs ((type ARG1)) - (allow ARG1 file create_dir)) + (macro create_file_dirs ((type ARG1)) + (allow ARG1 file create_dir)) - (macro delete_file_dirs ((type ARG1)) - (allow ARG1 file delete_dir)) + (macro delete_file_dirs ((type ARG1)) + (allow ARG1 file delete_dir)) - (macro deletename_file_dirs ((type ARG1)) - (allow ARG1 file deletename_dir)) + (macro deletename_file_dirs ((type ARG1)) + (allow ARG1 file deletename_dir)) - (macro list_file_dirs ((type ARG1)) - (allow ARG1 file list_dir)) + (macro list_file_dirs ((type ARG1)) + (allow ARG1 file list_dir)) - (macro listinherited_file_dirs ((type ARG1)) - (allow ARG1 file listinherited_dir)) + (macro listinherited_file_dirs ((type ARG1)) + (allow ARG1 file listinherited_dir)) - (macro manage_file_dirs ((type ARG1)) - (allow ARG1 file manage_dir)) + (macro manage_file_dirs ((type ARG1)) + (allow ARG1 file manage_dir)) - (macro mounton_file_dirs ((type ARG1)) - (allow ARG1 file mounton_dir)) + (macro mounton_file_dirs ((type ARG1)) + (allow ARG1 file mounton_dir)) - (macro file_type_transition ((type ARG1)(type ARG2)(class ARG3)(name ARG4)) - (typetransition ARG1 file ARG3 ARG4 ARG2) - (call addname_file_dirs (ARG1))) + (macro file_type_transition ((type ARG1)(type 
ARG2)(class ARG3)(name ARG4)) + (typetransition ARG1 file ARG3 ARG4 ARG2) + (call addname_file_dirs (ARG1))) - (macro readwrite_file_dirs ((type ARG1)) - (allow ARG1 file readwrite_dir)) + (macro readwrite_file_dirs ((type ARG1)) + (allow ARG1 file readwrite_dir)) - (macro readwriteinherited_file_dirs ((type ARG1)) - (allow ARG1 file readwriteinherited_dir)) + (macro readwriteinherited_file_dirs ((type ARG1)) + (allow ARG1 file readwriteinherited_dir)) - (macro relabel_file_dirs ((type ARG1)) - (allow ARG1 file relabel_dir)) + (macro relabel_file_dirs ((type ARG1)) + (allow ARG1 file relabel_dir)) - (macro relabelfrom_file_dirs ((type ARG1)) - (allow ARG1 file relabelfrom_dir)) + (macro relabelfrom_file_dirs ((type ARG1)) + (allow ARG1 file relabelfrom_dir)) - (macro relabelto_file_dirs ((type ARG1)) - (allow ARG1 file relabelto_dir)) + (macro relabelto_file_dirs ((type ARG1)) + (allow ARG1 file relabelto_dir)) - (macro rename_file_dirs ((type ARG1)) - (allow ARG1 file rename_dir)) + (macro rename_file_dirs ((type ARG1)) + (allow ARG1 file rename_dir)) - (macro search_file_dirs ((type ARG1)) - (allow ARG1 file search_dir)) + (macro search_file_dirs ((type ARG1)) + (allow ARG1 file search_dir)) - (macro write_file_dirs ((type ARG1)) - (allow ARG1 file write_dir)) + (macro write_file_dirs ((type ARG1)) + (allow ARG1 file write_dir)) - (macro writeinherited_file_dirs ((type ARG1)) - (allow ARG1 file writeinherited_dir))) + (macro writeinherited_file_dirs ((type ARG1)) + (allow ARG1 file writeinherited_dir))) - (block macro_template_fifo_files + (block macro_template_fifo_files - (blockabstract macro_template_fifo_files) + (blockabstract macro_template_fifo_files) - (macro append_file_fifo_files ((type ARG1)) - (allow ARG1 file append_fifo_file)) + (macro append_file_fifo_files ((type ARG1)) + (allow ARG1 file append_fifo_file)) - (macro appendinherited_file_fifo_files ((type ARG1)) - (allow ARG1 file appendinherited_fifo_file)) + (macro appendinherited_file_fifo_files 
((type ARG1)) + (allow ARG1 file appendinherited_fifo_file)) - (macro create_file_fifo_files ((type ARG1)) - (allow ARG1 file create_fifo_file)) + (macro create_file_fifo_files ((type ARG1)) + (allow ARG1 file create_fifo_file)) - (macro delete_file_fifo_files ((type ARG1)) - (allow ARG1 file delete_fifo_file)) + (macro delete_file_fifo_files ((type ARG1)) + (allow ARG1 file delete_fifo_file)) - (macro manage_file_fifo_files ((type ARG1)) - (allow ARG1 file manage_fifo_file)) + (macro manage_file_fifo_files ((type ARG1)) + (allow ARG1 file manage_fifo_file)) - (macro read_file_fifo_files ((type ARG1)) - (allow ARG1 file read_fifo_file)) + (macro read_file_fifo_files ((type ARG1)) + (allow ARG1 file read_fifo_file)) - (macro readinherited_file_fifo_files ((type ARG1)) - (allow ARG1 file readinherited_fifo_file)) + (macro readinherited_file_fifo_files ((type ARG1)) + (allow ARG1 file readinherited_fifo_file)) - (macro readwrite_file_fifo_files ((type ARG1)) - (allow ARG1 file readwrite_fifo_file)) + (macro readwrite_file_fifo_files ((type ARG1)) + (allow ARG1 file readwrite_fifo_file)) - (macro readwriteinherited_file_fifo_files ((type ARG1)) - (allow ARG1 file readwriteinherited_fifo_file)) + (macro readwriteinherited_file_fifo_files ((type ARG1)) + (allow ARG1 file readwriteinherited_fifo_file)) - (macro relabel_file_fifo_files ((type ARG1)) - (allow ARG1 file relabel_fifo_file)) + (macro relabel_file_fifo_files ((type ARG1)) + (allow ARG1 file relabel_fifo_file)) - (macro relabelfrom_file_fifo_files ((type ARG1)) - (allow ARG1 file relabelfrom_fifo_file)) + (macro relabelfrom_file_fifo_files ((type ARG1)) + (allow ARG1 file relabelfrom_fifo_file)) - (macro relabelto_file_fifo_files ((type ARG1)) - (allow ARG1 file relabelto_fifo_file)) + (macro relabelto_file_fifo_files ((type ARG1)) + (allow ARG1 file relabelto_fifo_file)) - (macro rename_file_fifo_files ((type ARG1)) - (allow ARG1 file rename_fifo_file)) + (macro rename_file_fifo_files ((type ARG1)) + (allow 
ARG1 file rename_fifo_file)) - (macro write_file_fifo_files ((type ARG1)) - (allow ARG1 file write_fifo_file)) + (macro write_file_fifo_files ((type ARG1)) + (allow ARG1 file write_fifo_file)) - (macro writeinherited_file_fifo_files ((type ARG1)) - (allow ARG1 file writeinherited_fifo_file))) + (macro writeinherited_file_fifo_files ((type ARG1)) + (allow ARG1 file writeinherited_fifo_file))) - (block macro_template_files + (block macro_template_files - (blockabstract macro_template_files) + (blockabstract macro_template_files) - (macro append_file_files ((type ARG1)) - (allow ARG1 file append_file)) + (macro append_file_files ((type ARG1)) + (allow ARG1 file append_file)) - (macro appendinherited_file_files ((type ARG1)) - (allow ARG1 file appendinherited_file)) + (macro appendinherited_file_files ((type ARG1)) + (allow ARG1 file appendinherited_file)) - (macro create_file_files ((type ARG1)) - (allow ARG1 file create_file)) + (macro create_file_files ((type ARG1)) + (allow ARG1 file create_file)) - (macro delete_file_files ((type ARG1)) - (allow ARG1 file delete_file)) + (macro delete_file_files ((type ARG1)) + (allow ARG1 file delete_file)) - (macro execute_file_files ((type ARG1)) - (allow ARG1 file execute_file)) + (macro execute_file_files ((type ARG1)) + (allow ARG1 file execute_file)) - (macro manage_file_files ((type ARG1)) - (allow ARG1 file manage_file)) + (macro manage_file_files ((type ARG1)) + (allow ARG1 file manage_file)) - (macro mapexecute_file_files ((type ARG1)) - (allow ARG1 file mapexecute_file)) + (macro mapexecute_file_files ((type ARG1)) + (allow ARG1 file mapexecute_file)) - (macro mounton_file_files ((type ARG1)) - (allow ARG1 file mounton_file)) + (macro mounton_file_files ((type ARG1)) + (allow ARG1 file mounton_file)) - (macro read_file_files ((type ARG1)) - (allow ARG1 file read_file)) + (macro read_file_files ((type ARG1)) + (allow ARG1 file read_file)) - (macro readinherited_file_files ((type ARG1)) - (allow ARG1 file 
readinherited_file)) + (macro readinherited_file_files ((type ARG1)) + (allow ARG1 file readinherited_file)) - (macro readwrite_file_files ((type ARG1)) - (allow ARG1 file readwrite_file)) + (macro readwrite_file_files ((type ARG1)) + (allow ARG1 file readwrite_file)) - (macro readwriteinherited_file_files ((type ARG1)) - (allow ARG1 file readwriteinherited_file)) + (macro readwriteinherited_file_files ((type ARG1)) + (allow ARG1 file readwriteinherited_file)) - (macro relabel_file_files ((type ARG1)) - (allow ARG1 file relabel_file)) + (macro relabel_file_files ((type ARG1)) + (allow ARG1 file relabel_file)) - (macro relabelfrom_file_files ((type ARG1)) - (allow ARG1 file relabelfrom_file)) + (macro relabelfrom_file_files ((type ARG1)) + (allow ARG1 file relabelfrom_file)) - (macro relabelto_file_files ((type ARG1)) - (allow ARG1 file relabelto_file)) + (macro relabelto_file_files ((type ARG1)) + (allow ARG1 file relabelto_file)) - (macro rename_file_files ((type ARG1)) - (allow ARG1 file rename_file)) + (macro rename_file_files ((type ARG1)) + (allow ARG1 file rename_file)) - (macro write_file_files ((type ARG1)) - (allow ARG1 file write_file)) + (macro write_file_files ((type ARG1)) + (allow ARG1 file write_file)) - (macro writeinherited_file_files ((type ARG1)) - (allow ARG1 file writeinherited_file))) + (macro writeinherited_file_files ((type ARG1)) + (allow ARG1 file writeinherited_file))) - (block macro_template_lnk_files + (block macro_template_lnk_files - (blockabstract macro_template_lnk_files) + (blockabstract macro_template_lnk_files) - (macro create_file_lnk_files ((type ARG1)) - (allow ARG1 file create_lnk_file)) + (macro create_file_lnk_files ((type ARG1)) + (allow ARG1 file create_lnk_file)) - (macro delete_file_lnk_files ((type ARG1)) - (allow ARG1 file delete_lnk_file)) + (macro delete_file_lnk_files ((type ARG1)) + (allow ARG1 file delete_lnk_file)) - (macro manage_file_lnk_files ((type ARG1)) - (allow ARG1 file manage_lnk_file)) + (macro 
manage_file_lnk_files ((type ARG1)) + (allow ARG1 file manage_lnk_file)) - (macro read_file_lnk_files ((type ARG1)) - (allow ARG1 file read_lnk_file)) + (macro read_file_lnk_files ((type ARG1)) + (allow ARG1 file read_lnk_file)) - (macro readwrite_file_lnk_files ((type ARG1)) - (allow ARG1 file readwrite_lnk_file)) + (macro readwrite_file_lnk_files ((type ARG1)) + (allow ARG1 file readwrite_lnk_file)) - (macro relabel_file_lnk_files ((type ARG1)) - (allow ARG1 file relabel_lnk_file)) + (macro relabel_file_lnk_files ((type ARG1)) + (allow ARG1 file relabel_lnk_file)) - (macro relabelfrom_file_lnk_files ((type ARG1)) - (allow ARG1 file relabelfrom_lnk_file)) + (macro relabelfrom_file_lnk_files ((type ARG1)) + (allow ARG1 file relabelfrom_lnk_file)) - (macro relabelto_file_lnk_files ((type ARG1)) - (allow ARG1 file relabelto_lnk_file)) + (macro relabelto_file_lnk_files ((type ARG1)) + (allow ARG1 file relabelto_lnk_file)) - (macro rename_file_lnk_files ((type ARG1)) - (allow ARG1 file rename_lnk_file)) + (macro rename_file_lnk_files ((type ARG1)) + (allow ARG1 file rename_lnk_file)) - (macro write_file_lnk_files ((type ARG1)) - (allow ARG1 file write_lnk_file))) + (macro write_file_lnk_files ((type ARG1)) + (allow ARG1 file write_lnk_file))) - (block macro_template_sock_files + (block macro_template_sock_files - (blockabstract macro_template_sock_files) + (blockabstract macro_template_sock_files) - (macro create_file_sock_files ((type ARG1)) - (allow ARG1 file create_sock_file)) + (macro create_file_sock_files ((type ARG1)) + (allow ARG1 file create_sock_file)) - (macro delete_file_sock_files ((type ARG1)) - (allow ARG1 file delete_sock_file)) + (macro delete_file_sock_files ((type ARG1)) + (allow ARG1 file delete_sock_file)) - (macro manage_file_sock_files ((type ARG1)) - (allow ARG1 file manage_sock_file)) + (macro manage_file_sock_files ((type ARG1)) + (allow ARG1 file manage_sock_file)) - (macro read_file_sock_files ((type ARG1)) - (allow ARG1 file 
read_sock_file)) + (macro read_file_sock_files ((type ARG1)) + (allow ARG1 file read_sock_file)) - (macro readinherited_file_sock_files ((type ARG1)) - (allow ARG1 file readinherited_sock_file)) + (macro readinherited_file_sock_files ((type ARG1)) + (allow ARG1 file readinherited_sock_file)) - (macro readwrite_file_sock_files ((type ARG1)) - (allow ARG1 file readwrite_sock_file)) + (macro readwrite_file_sock_files ((type ARG1)) + (allow ARG1 file readwrite_sock_file)) - (macro readwriteinherited_file_sock_files ((type ARG1)) - (allow ARG1 file readwriteinherited_sock_file)) + (macro readwriteinherited_file_sock_files ((type ARG1)) + (allow ARG1 file readwriteinherited_sock_file)) - (macro relabel_file_sock_files ((type ARG1)) - (allow ARG1 file relabel_sock_file)) + (macro relabel_file_sock_files ((type ARG1)) + (allow ARG1 file relabel_sock_file)) - (macro relabelfrom_file_sock_files ((type ARG1)) - (allow ARG1 file relabelfrom_sock_file)) + (macro relabelfrom_file_sock_files ((type ARG1)) + (allow ARG1 file relabelfrom_sock_file)) - (macro relabelto_file_sock_files ((type ARG1)) - (allow ARG1 file relabelto_sock_file)) + (macro relabelto_file_sock_files ((type ARG1)) + (allow ARG1 file relabelto_sock_file)) - (macro rename_file_sock_files ((type ARG1)) - (allow ARG1 file rename_sock_file)) + (macro rename_file_sock_files ((type ARG1)) + (allow ARG1 file rename_sock_file)) - (macro write_file_sock_files ((type ARG1)) - (allow ARG1 file write_sock_file)) + (macro write_file_sock_files ((type ARG1)) + (allow ARG1 file write_sock_file)) - (macro writeinherited_file_sock_files ((type ARG1)) - (allow ARG1 file writeinherited_sock_file))) + (macro writeinherited_file_sock_files ((type ARG1)) + (allow ARG1 file writeinherited_sock_file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .file.base_template) - (blockinherit .file.macro_template_dirs) - (blockinherit .file.macro_template_files) - (blockinherit 
.file.macro_template_lnk_files)) + (blockinherit .file.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr file.typeattr - (blk_file (not (audit_access execmod map mounton)))) - (allow typeattr file.typeattr - (chr_file (not (audit_access execmod mounton)))) - (allow typeattr file.typeattr (dir (not (audit_access execmod)))) - (allow typeattr file.typeattr - (fifo_file (not (audit_access execmod map mounton)))) - (allow typeattr file.typeattr - (file (not (audit_access entrypoint execmod)))) - (allow typeattr file.typeattr - (lnk_file (not (audit_access execmod map mounton)))) - (allow typeattr file.typeattr - (sock_file (not (audit_access execmod map mounton)))))) + (allow typeattr file.typeattr + (blk_file (not (audit_access execmod map mounton)))) + (allow typeattr file.typeattr + (chr_file (not (audit_access execmod mounton)))) + (allow typeattr file.typeattr (dir (not (audit_access execmod)))) + (allow typeattr file.typeattr + (fifo_file (not (audit_access execmod map mounton)))) + (allow typeattr file.typeattr + (file (not (audit_access entrypoint execmod)))) + (allow typeattr file.typeattr + (lnk_file (not (audit_access execmod map mounton)))) + (allow typeattr file.typeattr + (sock_file (not (audit_access execmod map mounton)))))) (in unconfined diff --git a/src/file/authfile.cil b/src/file/authfile.cil index 4aa8ec5..78dd05c 100644 --- a/src/file/authfile.cil +++ b/src/file/authfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in file 
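Review bot: The new side of the `;; SPDX-FileCopyrightText:` line in the `@@ -1,4 +1,4 @@` hunk of src/file/authfile.cil replaces the © character with the literal text `M-BM-)`, which is how `cat -v` renders the UTF-8 bytes C2 A9, so the rewritten file now carries a corrupted copyright notice and its REUSE/SPDX header no longer matches the original. The same substitution appears in the header hunk of every other file in this chunk (bootfile, bootflagfile, certfile, conffile, datafile, execfile, libfile, modfile, srcfile, devfile, homefile, syshomefile, hugetlbfsfile, syshugetlbfsfile, lostfoundfile, mediafile, rootfile, unknownfile), so it is presumably an artifact of the tool used for the re-indentation rather than an intended edit. The remaining hunks look like pure whitespace re-indentation with the CIL statements unchanged, but that should be confirmed by a byte-for-byte comparison ignoring whitespace, since the same tool evidently rewrote non-ASCII bytes. Restore the line to `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>` in each file and scan the tree for any other escaped sequences before merging.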
@@ -8,60 +8,60 @@ (block auth - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_dirs) - (blockinherit file.all_macro_template_fifo_files) - (blockinherit file.all_macro_template_files) - (blockinherit file.all_macro_template_lnk_files) - (blockinherit file.all_macro_template_sock_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) - (typeattribute typeattr) + (typeattribute typeattr) - (call file.exception.type (typeattr)) + (call file.exception.type (typeattr)) - (call .xattr.associate_fs (typeattr)) + (call .xattr.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .file.base_template) + (blockinherit .file.base_template) - (call .file.auth.type (file))) + (call .file.auth.type (file))) - (block relabelto + (block relabelto - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr auth.typeattr (file (relabelto)))) + (neverallow not_typeattr auth.typeattr (file (relabelto)))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .file.auth.base_template) - (blockinherit .file.macro_template_dirs) - (blockinherit .file.macro_template_fifo_files) - (blockinherit .file.macro_template_files) - (blockinherit .file.macro_template_lnk_files) - (blockinherit .file.macro_template_sock_files)) + 
(blockinherit .file.auth.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_fifo_files) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.macro_template_sock_files)) - (block write + (block write - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr auth.typeattr (file (append write)))))) + (neverallow not_typeattr auth.typeattr (file (append write)))))) diff --git a/src/file/bootfile.cil b/src/file/bootfile.cil index 319866f..9548c39 100644 --- a/src/file/bootfile.cil +++ b/src/file/bootfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block boot 
@@ -9,37 +9,37 @@ (filecon "/boot/.*" any file_context) (macro root_file_type_transition_file ((type ARG1)) - (call .root.file_type_transition - (ARG1 file dir "boot")))) + (call .root.file_type_transition + (ARG1 file dir "boot")))) (in file (block boot - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_dirs) - (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) - (typeattribute typeattr) + (typeattribute typeattr) - (call file.type (typeattr)) + (call file.type (typeattr)) - (call .xattr.associate_fs (typeattr)) + (call .xattr.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .file.base_template) + (blockinherit .file.base_template) - (call .file.boot.type (file))) + (call .file.boot.type (file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .file.boot.base_template) - (blockinherit .file.macro_template_dirs) - (blockinherit .file.macro_template_files)))) + (blockinherit .file.boot.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files)))) diff --git a/src/file/bootflagfile.cil b/src/file/bootflagfile.cil index 0304093..7f5c2f3 100644 --- a/src/file/bootflagfile.cil +++ b/src/file/bootflagfile.cil 
@@ -1,32 +1,32 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in file (block bootflag - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_files) - (typeattribute typeattr) + (typeattribute typeattr) - (call file.type (typeattr)) + (call file.type (typeattr)) - (call .xattr.associate_fs (typeattr)) + (call .xattr.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .file.base_template) + (blockinherit .file.base_template) - (call .file.bootflag.type (file))) + (call .file.bootflag.type (file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .file.bootflag.base_template) - (blockinherit .file.macro_template_files)))) + (blockinherit .file.bootflag.base_template) + (blockinherit .file.macro_template_files)))) diff --git a/src/file/certfile.cil b/src/file/certfile.cil index 6eda0f8..be381cd 100644 --- a/src/file/certfile.cil +++ b/src/file/certfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block cert 
@@ -35,32 +35,32 @@ (block cert - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_dirs) - (blockinherit file.all_macro_template_files) - (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) - (typeattribute typeattr) + (typeattribute typeattr) - (call file.type (typeattr)) + (call file.type (typeattr)) - (call .xattr.associate_fs (typeattr)) + (call .xattr.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .file.base_template) + (blockinherit .file.base_template) - (call .file.cert.type (file))) + (call .file.cert.type (file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .file.cert.base_template) - (blockinherit .file.macro_template_dirs) - (blockinherit .file.macro_template_files) - (blockinherit .file.macro_template_lnk_files)))) + (blockinherit .file.cert.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files)))) diff --git a/src/file/conffile.cil b/src/file/conffile.cil index 9f46cc5..308d4d6 100644 --- a/src/file/conffile.cil +++ b/src/file/conffile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block conf 
@@ -20,32 +20,32 @@ (block conf - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_dirs) - (blockinherit file.all_macro_template_files) - (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) - (typeattribute typeattr) + (typeattribute typeattr) - (call file.type (typeattr)) + (call file.type (typeattr)) - (call .xattr.associate_fs (typeattr)) + (call .xattr.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .file.base_template) + (blockinherit .file.base_template) - (call .file.conf.type (file))) + (call .file.conf.type (file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .file.conf.base_template) - (blockinherit .file.macro_template_dirs) - (blockinherit .file.macro_template_files) - (blockinherit .file.macro_template_lnk_files)))) + (blockinherit .file.conf.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files)))) diff --git a/src/file/datafile.cil b/src/file/datafile.cil index 973e6ea..871a732 100644 --- a/src/file/datafile.cil +++ b/src/file/datafile.cil 
@@ -1,40 +1,40 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block data - (blockinherit .file.data.template)) + (blockinherit .file.data.template)) (in file (block data - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_dirs) - (blockinherit file.all_macro_template_files) - (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) - (typeattribute typeattr) + (typeattribute typeattr) - (call file.type (typeattr)) + (call file.type (typeattr)) - (call .xattr.associate_fs (typeattr)) + (call .xattr.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .file.base_template) + (blockinherit .file.base_template) - (call .file.data.type (file))) + (call .file.data.type (file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .file.data.base_template) - (blockinherit .file.macro_template_dirs) - (blockinherit .file.macro_template_files) - (blockinherit .file.macro_template_lnk_files)))) + (blockinherit .file.data.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files)))) diff --git a/src/file/datafile/execfile.cil b/src/file/datafile/execfile.cil index 178ac12..ef13723 100644 --- a/src/file/datafile/execfile.cil +++ b/src/file/datafile/execfile.cil 
@@ -1,74 +1,74 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block exec - (blockinherit .file.exec.template) - (blockinherit .file.macro_template_dirs) - (blockinherit .file.macro_template_lnk_files)) + (blockinherit .file.exec.template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_lnk_files)) (in file (block exec - (macro entrypoint_all_files ((type ARG1)) - (allow ARG1 typeattr (file (entrypoint)))) + (macro entrypoint_all_files ((type ARG1)) + (allow ARG1 typeattr (file (entrypoint)))) - (macro getattr_all_files ((type ARG1)) - (allow ARG1 typeattr (file (getattr)))) + (macro getattr_all_files ((type ARG1)) + (allow ARG1 typeattr (file (getattr)))) - (macro map_all_files ((type ARG1)) - (allow ARG1 typeattr (file (map)))) + (macro map_all_files ((type ARG1)) + (allow ARG1 typeattr (file (map)))) - (macro subj_range_transition ((type ARG1)(levelrange ARG2)) - (rangetransition ARG1 typeattr process ARG2)) + (macro subj_range_transition ((type ARG1)(levelrange ARG2)) + (rangetransition ARG1 typeattr process ARG2)) - (macro subj_role_transition ((role ARG1)(role ARG2)) - (roletransition ARG1 typeattr process ARG2)) + (macro subj_role_transition ((role ARG1)(role ARG2)) + (roletransition ARG1 typeattr process ARG2)) - (macro subj_type_transition ((type ARG1)(type ARG2)) - (typetransition ARG1 typeattr process ARG2)) + (macro subj_type_transition ((type ARG1)(type ARG2)) + (typetransition ARG1 typeattr process ARG2)) - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_files) - (typeattribute typeattr) + (typeattribute typeattr) - (call data.type (typeattr)) + (call data.type (typeattr)) - (call .subj.entry.type 
(typeattr)) + (call .subj.entry.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .file.base_template) + (blockinherit .file.base_template) - (call .file.exec.type (file))) + (call .file.exec.type (file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (macro entrypoint_file_files ((type ARG1)) - (allow ARG1 file (file (entrypoint)))) + (macro entrypoint_file_files ((type ARG1)) + (allow ARG1 file (file (entrypoint)))) - (macro getattr_file_files ((type ARG1)) - (allow ARG1 file (file (getattr)))) + (macro getattr_file_files ((type ARG1)) + (allow ARG1 file (file (getattr)))) - (macro map_file_files ((type ARG1)) - (allow ARG1 file (file (map)))) + (macro map_file_files ((type ARG1)) + (allow ARG1 file (file (map)))) - (macro subj_range_transition ((type ARG1)(levelrange ARG2)) - (rangetransition ARG1 file process ARG2)) + (macro subj_range_transition ((type ARG1)(levelrange ARG2)) + (rangetransition ARG1 file process ARG2)) - (macro subj_role_transition ((role ARG1)(role ARG2)) - (roletransition ARG1 file process ARG2)) + (macro subj_role_transition ((role ARG1)(role ARG2)) + (roletransition ARG1 file process ARG2)) - (macro subj_type_transition ((type ARG1)(type ARG2)) - (typetransition ARG1 file process ARG2)) + (macro subj_type_transition ((type ARG1)(type ARG2)) + (typetransition ARG1 file process ARG2)) - (blockinherit .file.exec.base_template) - (blockinherit .file.macro_template_files)))) + (blockinherit .file.exec.base_template) + (blockinherit .file.macro_template_files)))) diff --git a/src/file/datafile/libfile.cil b/src/file/datafile/libfile.cil index 6076741..3a1e715 100644 --- a/src/file/datafile/libfile.cil +++ b/src/file/datafile/libfile.cil 
@@ -1,51 +1,51 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block lib - (blockinherit .file.lib.template) - (blockinherit .file.macro_template_dirs) - (blockinherit .file.macro_template_lnk_files)) + (blockinherit .file.lib.template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_lnk_files)) (block textrel - (block lib + (block lib - (macro execmod_file_files ((type ARG1)) - (allow ARG1 file (file (execmod)))) + (macro execmod_file_files ((type ARG1)) + (allow ARG1 file (file (execmod)))) - (blockinherit .file.lib.template))) + (blockinherit .file.lib.template))) (in file (block lib - (macro map_all_files ((type ARG1)) - (allow ARG1 typeattr (file (map)))) + (macro map_all_files ((type ARG1)) + (allow ARG1 typeattr (file (map)))) - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_files) - (typeattribute typeattr) + (typeattribute typeattr) - (call data.type (typeattr)) + (call data.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .file.base_template) + (blockinherit .file.base_template) - (call .file.lib.type (file))) + (call .file.lib.type (file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (macro map_file_files ((type ARG1)) - (allow ARG1 file (file (map)))) + (macro map_file_files ((type ARG1)) + (allow ARG1 file (file (map)))) - (blockinherit .file.lib.base_template) - (blockinherit .file.macro_template_files)))) + (blockinherit .file.lib.base_template) + (blockinherit .file.macro_template_files)))) 
diff --git a/src/file/datafile/modfile.cil b/src/file/datafile/modfile.cil
index 356859f..e2388a5 100644
--- a/src/file/datafile/modfile.cil
+++ b/src/file/datafile/modfile.cil
@@ -1,51 +1,51 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block mod - (blockinherit .file.macro_template_dirs) - (blockinherit .file.macro_template_lnk_files) - (blockinherit .file.mod.template)) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.mod.template)) (in file (block mod - (macro load_all_files ((type ARG1)) - (allow ARG1 typeattr (system (module_load)))) + (macro load_all_files ((type ARG1)) + (allow ARG1 typeattr (system (module_load)))) - (macro map_all_files ((type ARG1)) - (allow ARG1 typeattr (file (map)))) + (macro map_all_files ((type ARG1)) + (allow ARG1 typeattr (file (map)))) - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_files) - (typeattribute typeattr) + (typeattribute typeattr) - (call data.type (typeattr)) + (call data.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .file.base_template) + (blockinherit .file.base_template) - (call .file.mod.type (file))) + (call .file.mod.type (file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (macro load_file_files ((type ARG1)) - (allow ARG1 file (system (module_load)))) + (macro load_file_files ((type ARG1)) + (allow ARG1 file (system (module_load)))) - (macro map_file_files ((type ARG1)) - (allow ARG1 file (file (map)))) + (macro map_file_files ((type ARG1)) + (allow ARG1 file (file (map)))) - (blockinherit .file.macro_template_files) - (blockinherit .file.mod.base_template)))) + (blockinherit .file.macro_template_files) + (blockinherit .file.mod.base_template)))) (in sys 
diff --git a/src/file/datafile/srcfile.cil b/src/file/datafile/srcfile.cil index 121d522..6223875 100644 --- a/src/file/datafile/srcfile.cil +++ b/src/file/datafile/srcfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block src - (blockinherit .file.data.template) + (blockinherit .file.data.template) - (call .xattr.associate_fs (file))) + (call .xattr.associate_fs (file))) diff --git a/src/file/devfile.cil b/src/file/devfile.cil index 7d326f4..43053d8 100644 --- a/src/file/devfile.cil +++ b/src/file/devfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in dev 
@@ -12,39 +12,39 @@ (block dev - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_all_files) - (blockinherit file.all_macro_template_blk_files) - (blockinherit file.all_macro_template_chr_files) - (blockinherit file.all_macro_template_dirs) - (blockinherit file.all_macro_template_fifo_files) - (blockinherit file.all_macro_template_files) - (blockinherit file.all_macro_template_lnk_files) - (blockinherit file.all_macro_template_sock_files) + (blockinherit file.all_macro_template_all_files) + (blockinherit file.all_macro_template_blk_files) + (blockinherit file.all_macro_template_chr_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) - (typeattribute typeattr) + (typeattribute typeattr) - (call file.type (typeattr)) + (call file.type (typeattr)) - (call .devtmp.associate_fs (typeattr)) + (call .devtmp.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .file.base_template) + (blockinherit .file.base_template) - (call .file.dev.type (file))) + (call .file.dev.type (file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .file.dev.base_template) - (blockinherit .file.macro_template_dirs) - (blockinherit .file.macro_template_fifo_files) - (blockinherit .file.macro_template_files) - (blockinherit .file.macro_template_lnk_files) - (blockinherit .file.macro_template_sock_files)))) + (blockinherit .file.dev.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_fifo_files) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + 
 (blockinherit .file.macro_template_sock_files))))
diff --git a/src/file/homefile.cil b/src/file/homefile.cil
index 3323153..e112a4d 100644
--- a/src/file/homefile.cil
+++ b/src/file/homefile.cil
@@ -1,47 +1,47 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block home - (blockinherit .file.home.template) - (blockinherit .file.macro_template_all_files) - (blockinherit .file.macro_template_blk_files) - (blockinherit .file.macro_template_chr_files)) + (blockinherit .file.home.template) + (blockinherit .file.macro_template_all_files) + (blockinherit .file.macro_template_blk_files) + (blockinherit .file.macro_template_chr_files)) (in file (block home - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_dirs) - (blockinherit file.all_macro_template_fifo_files) - (blockinherit file.all_macro_template_files) - (blockinherit file.all_macro_template_lnk_files) - (blockinherit file.all_macro_template_sock_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_fifo_files) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_sock_files) - (typeattribute typeattr) + (typeattribute typeattr) - (call file.type (typeattr)) + (call file.type (typeattr)) - (call .xattr.associate_fs (typeattr)) + (call .xattr.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .file.base_template) + (blockinherit .file.base_template) - (call .file.home.type (file))) + (call .file.home.type (file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .file.home.base_template) - (blockinherit .file.macro_template_dirs) - (blockinherit .file.macro_template_fifo_files) - (blockinherit .file.macro_template_files) - (blockinherit .file.macro_template_lnk_files) 
- (blockinherit .file.macro_template_sock_files)))) + (blockinherit .file.home.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_fifo_files) + (blockinherit .file.macro_template_files) + (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.macro_template_sock_files)))) diff --git a/src/file/homefile/syshomefile.cil b/src/file/homefile/syshomefile.cil index e5eb176..f570342 100644 --- a/src/file/homefile/syshomefile.cil +++ b/src/file/homefile/syshomefile.cil @@ -1,11 +1,11 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in sys (block home - (blockinherit .file.home.template) - (blockinherit .file.macro_template_all_files) - (blockinherit .file.macro_template_blk_files) - (blockinherit .file.macro_template_chr_files))) + (blockinherit .file.home.template) + (blockinherit .file.macro_template_all_files) + (blockinherit .file.macro_template_blk_files) + (blockinherit .file.macro_template_chr_files))) diff --git a/src/file/hugetlbfsfile.cil b/src/file/hugetlbfsfile.cil index f1fc057..fa8e8a8 100644 --- a/src/file/hugetlbfsfile.cil +++ b/src/file/hugetlbfsfile.cil 
@@ -1,34 +1,34 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in file (block hugetlbfs - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_dirs) - (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) - (typeattribute typeattr) + (typeattribute typeattr) - (call file.type (typeattr)) + (call file.type (typeattr)) - (call .hugetlb.associate_fs (typeattr)) + (call .hugetlb.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .file.base_template) + (blockinherit .file.base_template) - (call .file.hugetlbfs.type (file))) + (call .file.hugetlbfs.type (file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .file.hugetlbfs.base_template) - (blockinherit .file.macro_template_dirs) - (blockinherit .file.macro_template_files)))) + (blockinherit .file.hugetlbfs.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files)))) diff --git a/src/file/hugetlbfsfile/syshugetlbfsfile.cil b/src/file/hugetlbfsfile/syshugetlbfsfile.cil index c4fd7ca..de6c2fc 100644 --- a/src/file/hugetlbfsfile/syshugetlbfsfile.cil +++ b/src/file/hugetlbfsfile/syshugetlbfsfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in sys (block hugetlbfs - (blockinherit .file.hugetlbfs.template))) + (blockinherit .file.hugetlbfs.template))) 
diff --git a/src/file/misc/lostfoundfile.cil b/src/file/misc/lostfoundfile.cil index 5f3fe83..a39f3a7 100644 --- a/src/file/misc/lostfoundfile.cil +++ b/src/file/misc/lostfoundfile.cil @@ -1,10 +1,10 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block lostfound - (blockinherit .file.base_template) - (blockinherit .file.macro_template_dirs) - (blockinherit .file.macro_template_files) + (blockinherit .file.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_files) - (call .xattr.associate_fs (file))) + (call .xattr.associate_fs (file))) diff --git a/src/file/misc/mediafile.cil b/src/file/misc/mediafile.cil index 1f3b4b3..33ce5ec 100644 --- a/src/file/misc/mediafile.cil +++ b/src/file/misc/mediafile.cil @@ -1,10 +1,10 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block media - (blockinherit .file.base_template) - (blockinherit .file.macro_template_dirs) - (blockinherit .file.macro_template_lnk_files) + (blockinherit .file.base_template) + (blockinherit .file.macro_template_dirs) + (blockinherit .file.macro_template_lnk_files) - (call .xattr.associate_fs (file))) + (call .xattr.associate_fs (file))) diff --git a/src/file/misc/rootfile.cil b/src/file/misc/rootfile.cil index 5ef143f..8992518 100644 --- a/src/file/misc/rootfile.cil +++ b/src/file/misc/rootfile.cil 
@@ -1,13 +1,13 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block root
- (filecon "/" dir file_context)
- (filecon "/[^/]+" symlink file_context)
+ (filecon "/" dir file_context)
+ (filecon "/[^/]+" symlink file_context)
- (blockinherit .file.base_template)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_lnk_files)
+ (blockinherit .file.base_template)
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_lnk_files)
- (call .xattr.associate_fs (file)))
+ (call .xattr.associate_fs (file)))
diff --git a/src/file/misc/unknownfile.cil b/src/file/misc/unknownfile.cil
index a4d42bb..d33fe42 100644
--- a/src/file/misc/unknownfile.cil
+++ b/src/file/misc/unknownfile.cil
@@ -1,24 +1,24 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block unknown
- (filecon "/.*" any file_context)
+ (filecon "/.*" any file_context)
- (macro root_file_type_transition_file ((type ARG1)(class ARG2)(name ARG3))
- (call .root.file_type_transition
- (ARG1 file ARG2 ARG3)))
+ (macro root_file_type_transition_file ((type ARG1)(class ARG2)(name ARG3))
+ (call .root.file_type_transition
+ (ARG1 file ARG2 ARG3)))
- (blockinherit .file.base_template)
- (blockinherit .file.macro_template_blk_files)
- (blockinherit .file.macro_template_chr_files)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_fifo_files)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.macro_template_lnk_files)
- (blockinherit .file.macro_template_sock_files)
+ (blockinherit .file.base_template)
+ (blockinherit .file.macro_template_blk_files)
+ (blockinherit .file.macro_template_chr_files)
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_fifo_files)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files)
+ (blockinherit .file.macro_template_sock_files)
- (call .xattr.associate_fs (file)))
+ (call .xattr.associate_fs (file)))
 (in file.unconfined
diff --git a/src/file/mqueuefsfile.cil b/src/file/mqueuefsfile.cil
index 4db50cb..b98ba70 100644
--- a/src/file/mqueuefsfile.cil
+++ b/src/file/mqueuefsfile.cil
@@ -1,33 +1,33 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in file (block mqueuefs
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit file.all_macro_template_dirs)
- (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call file.type (typeattr))
+ (call file.type (typeattr))
- (call .mqueue.associate_fs (typeattr))
+ (call .mqueue.associate_fs (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .file.base_template)
+ (blockinherit .file.base_template)
- (call .file.mqueuefs.type (file)))
+ (call .file.mqueuefs.type (file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.mqueuefs.base_template))))
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.mqueuefs.base_template))))
diff --git a/src/file/mqueuefsfile/sysmqueuefsfile.cil b/src/file/mqueuefsfile/sysmqueuefsfile.cil
index 9088b33..65e2235 100644
--- a/src/file/mqueuefsfile/sysmqueuefsfile.cil
+++ b/src/file/mqueuefsfile/sysmqueuefsfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in sys (block mqueuefs
- (blockinherit .file.mqueuefs.template)))
+ (blockinherit .file.mqueuefs.template)))
diff --git a/src/file/runfile.cil b/src/file/runfile.cil
index 8ec3783..6de1cf6 100644
--- a/src/file/runfile.cil
+++ b/src/file/runfile.cil
@@ -1,47 +1,47 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block run
- (blockinherit .file.run.template))
+ (blockinherit .file.run.template))
 (in file (block run
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit file.all_macro_template_all_files)
- (blockinherit file.all_macro_template_blk_files)
- (blockinherit file.all_macro_template_chr_files)
- (blockinherit file.all_macro_template_dirs)
- (blockinherit file.all_macro_template_fifo_files)
- (blockinherit file.all_macro_template_files)
- (blockinherit file.all_macro_template_lnk_files)
- (blockinherit file.all_macro_template_sock_files)
+ (blockinherit file.all_macro_template_all_files)
+ (blockinherit file.all_macro_template_blk_files)
+ (blockinherit file.all_macro_template_chr_files)
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_fifo_files)
+ (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_lnk_files)
+ (blockinherit file.all_macro_template_sock_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call file.type (typeattr))
+ (call file.type (typeattr))
- (call .tmp.associate_fs (typeattr))
+ (call .tmp.associate_fs (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .file.base_template)
+ (blockinherit .file.base_template)
- (call .file.run.type (file)))
+ (call .file.run.type (file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_fifo_files)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.macro_template_lnk_files)
- (blockinherit .file.macro_template_sock_files)
- (blockinherit .file.run.base_template))))
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_fifo_files)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files)
+ (blockinherit .file.macro_template_sock_files)
+ (blockinherit .file.run.base_template))))
diff --git a/src/file/runfile/runlockfile.cil b/src/file/runfile/runlockfile.cil
index 41f292c..bb4d4d4 100644
--- a/src/file/runfile/runlockfile.cil
+++ b/src/file/runfile/runlockfile.cil
@@ -1,40 +1,40 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block runlock
- (blockinherit .file.runlock.template)
+ (blockinherit .file.runlock.template)
- (call .rbacsep.exempt.obj.type (file)))
+ (call .rbacsep.exempt.obj.type (file)))
 (in file (block runlock
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit file.all_macro_template_dirs)
- (blockinherit file.all_macro_template_files)
- (blockinherit file.all_macro_template_lnk_files)
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_lnk_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call run.type (typeattr))
+ (call run.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .file.run.base_template)
+ (blockinherit .file.run.base_template)
- (call .file.runlock.type (file)))
+ (call .file.runlock.type (file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.macro_template_lnk_files)
- (blockinherit .file.runlock.base_template))))
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files)
+ (blockinherit .file.runlock.base_template))))
diff --git a/src/file/runfile/runuserfile.cil b/src/file/runfile/runuserfile.cil
index 6384a83..e54547c 100644
--- a/src/file/runfile/runuserfile.cil
+++ b/src/file/runfile/runuserfile.cil
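Review bot: The line `(call .rbacsep.exempt.obj.type (file))` in the `runlock` block carves the runlock file type out of the rbacsep object separation (the `(eq t2 exempt.obj.typeattr)` branch of the rbacsep `getattr` constraint visible later in this diff), and nothing in the file says why this type in particular is exempt while the sibling `run` and `runuser` blocks are not. A one-line rationale above the call, such as `;; lock files under /run/lock are consulted by subjects in every role, so they are exempt from rbacsep object separation -- confirm`, would stop the next reformat or cleanup from treating the call as stray; the reason is presumed here and should be confirmed against the policy's design notes.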
@@ -1,47 +1,47 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block runuser
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_lnk_files)
- (blockinherit .file.runuser.base_template))
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_lnk_files)
+ (blockinherit .file.runuser.base_template))
 (in file (block runuser
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit file.all_macro_template_all_files)
- (blockinherit file.all_macro_template_blk_files)
- (blockinherit file.all_macro_template_chr_files)
- (blockinherit file.all_macro_template_dirs)
- (blockinherit file.all_macro_template_fifo_files)
- (blockinherit file.all_macro_template_files)
- (blockinherit file.all_macro_template_lnk_files)
- (blockinherit file.all_macro_template_sock_files)
+ (blockinherit file.all_macro_template_all_files)
+ (blockinherit file.all_macro_template_blk_files)
+ (blockinherit file.all_macro_template_chr_files)
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_fifo_files)
+ (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_lnk_files)
+ (blockinherit file.all_macro_template_sock_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call run.type (typeattr))
+ (call run.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .file.run.base_template)
+ (blockinherit .file.run.base_template)
- (call .file.runuser.type (file)))
+ (call .file.runuser.type (file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_fifo_files)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.macro_template_lnk_files)
- (blockinherit .file.macro_template_sock_files)
- (blockinherit .file.runuser.base_template))))
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_fifo_files)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files)
+ (blockinherit .file.macro_template_sock_files)
+ (blockinherit .file.runuser.base_template))))
diff --git a/src/file/secfile.cil b/src/file/secfile.cil
index 3b34a86..687317f 100644
--- a/src/file/secfile.cil
+++ b/src/file/secfile.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in file
@@ -8,60 +8,60 @@
 (block sec
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit file.all_macro_template_dirs)
- (blockinherit file.all_macro_template_fifo_files)
- (blockinherit file.all_macro_template_files)
- (blockinherit file.all_macro_template_lnk_files)
- (blockinherit file.all_macro_template_sock_files)
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_fifo_files)
+ (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_lnk_files)
+ (blockinherit file.all_macro_template_sock_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call file.exception.type (typeattr))
+ (call file.exception.type (typeattr))
- (call .xattr.associate_fs (typeattr))
+ (call .xattr.associate_fs (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .file.base_template)
+ (blockinherit .file.base_template)
- (call .file.sec.type (file)))
+ (call .file.sec.type (file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_fifo_files)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.macro_template_lnk_files)
- (blockinherit .file.macro_template_sock_files)
- (blockinherit .file.sec.base_template))
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_fifo_files)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files)
+ (blockinherit .file.macro_template_sock_files)
+ (blockinherit .file.sec.base_template))
- (block relabelto
+ (block relabelto
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute not_typeattr)
- (typeattribute typeattr)
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
- (typeattributeset not_typeattr (not typeattr))
+ (typeattributeset not_typeattr (not typeattr))
- (neverallow not_typeattr sec.typeattr (file (relabelto))))
+ (neverallow not_typeattr sec.typeattr (file (relabelto))))
- (block write
+ (block write
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute not_typeattr)
- (typeattribute typeattr)
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
- (typeattributeset not_typeattr (not typeattr))
+ (typeattributeset not_typeattr (not typeattr))
- (neverallow not_typeattr sec.typeattr (file (append write))))))
+ (neverallow not_typeattr sec.typeattr (file (append write))))))
diff --git a/src/file/tmpfile.cil b/src/file/tmpfile.cil
index 7236bec..13d437e 100644
--- a/src/file/tmpfile.cil
+++ b/src/file/tmpfile.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in tmp
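Review bot: The two assertions in this hunk, `(neverallow not_typeattr sec.typeattr (file (relabelto)))` and `(neverallow not_typeattr sec.typeattr (file (append write)))`, only cover class `file`, while the `sec` block inherits the dir, fifo_file, lnk_file and sock_file templates, so `sec.typeattr` types can presumably also label directories and other object classes. As written the write assertion also says nothing about `create`, `unlink`, `rename` or `setattr` on a sec file, or `add_name`/`remove_name` on a sec dir, so a rule elsewhere that granted those to a domain outside `sec.write.typeattr` would compile cleanly even though it lets that domain replace a protected file rather than write to it; unless that is asserted outside this hunk, widening the set to `(file (append create rename setattr unlink write))` and adding a `(dir (add_name remove_name rename reparent rmdir))` clause would make the neverallow match its intent. Neither block documents that intent; a comment such as `;; compile-time assertion: only types opted in via sec.write.type may modify sec files` above `(block write` (and the analogue above `(block relabelto`) would help. The `(block sec` opening here belongs to the `(in file` form whose start is in the previous hunk.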
@@ -11,39 +11,39 @@
 (block tmp
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit file.all_macro_template_all_files)
- (blockinherit file.all_macro_template_blk_files)
- (blockinherit file.all_macro_template_chr_files)
- (blockinherit file.all_macro_template_dirs)
- (blockinherit file.all_macro_template_fifo_files)
- (blockinherit file.all_macro_template_files)
- (blockinherit file.all_macro_template_lnk_files)
- (blockinherit file.all_macro_template_sock_files)
+ (blockinherit file.all_macro_template_all_files)
+ (blockinherit file.all_macro_template_blk_files)
+ (blockinherit file.all_macro_template_chr_files)
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_fifo_files)
+ (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_lnk_files)
+ (blockinherit file.all_macro_template_sock_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call file.type (typeattr))
+ (call file.type (typeattr))
- (call .tmp.associate_fs (typeattr))
+ (call .tmp.associate_fs (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .file.base_template)
+ (blockinherit .file.base_template)
- (call .file.tmp.type (file)))
+ (call .file.tmp.type (file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_fifo_files)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.macro_template_lnk_files)
- (blockinherit .file.macro_template_sock_files)
- (blockinherit .file.tmp.base_template))))
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_fifo_files)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files)
+ (blockinherit .file.macro_template_sock_files)
+ (blockinherit .file.tmp.base_template))))
diff --git a/src/file/tmpfile/systmpfile.cil b/src/file/tmpfile/systmpfile.cil
index 5cad25e..7db8180 100644
--- a/src/file/tmpfile/systmpfile.cil
+++ b/src/file/tmpfile/systmpfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in sys (block tmp
- (blockinherit .file.tmp.template)))
+ (blockinherit .file.tmp.template)))
diff --git a/src/file/tmpfsfile.cil b/src/file/tmpfsfile.cil
index af2d2c6..d3cbc13 100644
--- a/src/file/tmpfsfile.cil
+++ b/src/file/tmpfsfile.cil
@@ -1,40 +1,40 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in file (block tmpfs
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit file.all_macro_template_dirs)
- (blockinherit file.all_macro_template_fifo_files)
- (blockinherit file.all_macro_template_files)
- (blockinherit file.all_macro_template_lnk_files)
- (blockinherit file.all_macro_template_sock_files)
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_fifo_files)
+ (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_lnk_files)
+ (blockinherit file.all_macro_template_sock_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call file.type (typeattr))
+ (call file.type (typeattr))
- (call .tmp.associate_fs (typeattr))
+ (call .tmp.associate_fs (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .file.base_template)
+ (blockinherit .file.base_template)
- (call .file.tmpfs.type (file)))
+ (call .file.tmpfs.type (file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_fifo_files)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.macro_template_lnk_files)
- (blockinherit .file.macro_template_sock_files)
- (blockinherit .file.tmpfs.base_template))))
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_fifo_files)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files)
+ (blockinherit .file.macro_template_sock_files)
+ (blockinherit .file.tmpfs.base_template))))
diff --git a/src/file/tmpfsfile/systmpfsfile.cil b/src/file/tmpfsfile/systmpfsfile.cil
index cdd5845..06c7a1c 100644
--- a/src/file/tmpfsfile/systmpfsfile.cil
+++ b/src/file/tmpfsfile/systmpfsfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in sys (block tmpfs
- (blockinherit .file.tmpfs.template)))
+ (blockinherit .file.tmpfs.template)))
diff --git a/src/file/varfile.cil b/src/file/varfile.cil
index 70146f1..58325f3 100644
--- a/src/file/varfile.cil
+++ b/src/file/varfile.cil
@@ -1,44 +1,44 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block var
- (blockinherit .file.var.template))
+ (blockinherit .file.var.template))
 (in file (block var
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit file.all_macro_template_dirs)
- (blockinherit file.all_macro_template_fifo_files)
- (blockinherit file.all_macro_template_files)
- (blockinherit file.all_macro_template_lnk_files)
- (blockinherit file.all_macro_template_sock_files)
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_fifo_files)
+ (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_lnk_files)
+ (blockinherit file.all_macro_template_sock_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call file.type (typeattr))
+ (call file.type (typeattr))
- (call .xattr.associate_fs (typeattr))
+ (call .xattr.associate_fs (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .file.base_template)
+ (blockinherit .file.base_template)
- (call .file.var.type (file)))
+ (call .file.var.type (file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_fifo_files)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.macro_template_lnk_files)
- (blockinherit .file.macro_template_sock_files)
- (blockinherit .file.var.base_template))))
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_fifo_files)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files)
+ (blockinherit .file.macro_template_sock_files)
+ (blockinherit .file.var.base_template))))
diff --git a/src/file/varfile/cachefile.cil b/src/file/varfile/cachefile.cil
index fb7bfce..46c9a3e 100644
--- a/src/file/varfile/cachefile.cil
+++ b/src/file/varfile/cachefile.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block cache
@@ -9,8 +9,8 @@
 (filecon "/var/cache/.*" any file_context)
 (macro var_file_type_transition_file ((type ARG1))
- (call .var.file_type_transition
- (ARG1 file dir "cache")))
+ (call .var.file_type_transition
+ (ARG1 file dir "cache")))
 (call .root.associate_fs (file)))
@@ -18,30 +18,30 @@
 (block cache
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit file.all_macro_template_dirs)
- (blockinherit file.all_macro_template_files)
- (blockinherit file.all_macro_template_lnk_files)
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_lnk_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call var.type (typeattr))
+ (call var.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .file.var.base_template)
+ (blockinherit .file.var.base_template)
- (call .file.cache.type (file)))
+ (call .file.cache.type (file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .file.cache.base_template)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.macro_template_lnk_files))))
+ (blockinherit .file.cache.base_template)
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files))))
diff --git a/src/file/varfile/dbfile.cil b/src/file/varfile/dbfile.cil
index bc04a58..56b9a93 100644
--- a/src/file/varfile/dbfile.cil
+++ b/src/file/varfile/dbfile.cil
@@ -1,38 +1,38 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block db
- (blockinherit .file.db.template))
+ (blockinherit .file.db.template))
 (in file (block db
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit file.all_macro_template_dirs)
- (blockinherit file.all_macro_template_files)
- (blockinherit file.all_macro_template_lnk_files)
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_lnk_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call var.type (typeattr))
+ (call var.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .file.var.base_template)
+ (blockinherit .file.var.base_template)
- (call .file.db.type (file)))
+ (call .file.db.type (file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .file.db.base_template)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.macro_template_lnk_files))))
+ (blockinherit .file.db.base_template)
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files))))
diff --git a/src/file/varfile/logfile.cil b/src/file/varfile/logfile.cil
index d466301..9a5079c 100644
--- a/src/file/varfile/logfile.cil
+++ b/src/file/varfile/logfile.cil
@@ -1,38 +1,38 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block log
- (blockinherit .file.log.template))
+ (blockinherit .file.log.template))
 (in file (block log
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit file.all_macro_template_dirs)
- (blockinherit file.all_macro_template_files)
- (blockinherit file.all_macro_template_lnk_files)
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_lnk_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call var.type (typeattr))
+ (call var.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .file.var.base_template)
+ (blockinherit .file.var.base_template)
- (call .file.log.type (file)))
+ (call .file.log.type (file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .file.log.base_template)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.macro_template_lnk_files))))
+ (blockinherit .file.log.base_template)
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files))))
diff --git a/src/file/varfile/spoolfile.cil b/src/file/varfile/spoolfile.cil
index 8b8f861..ee381f5 100644
--- a/src/file/varfile/spoolfile.cil
+++ b/src/file/varfile/spoolfile.cil
@@ -1,38 +1,38 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block spool
- (blockinherit .file.spool.template))
+ (blockinherit .file.spool.template))
 (in file (block spool
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit file.all_macro_template_dirs)
- (blockinherit file.all_macro_template_files)
- (blockinherit file.all_macro_template_lnk_files)
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_lnk_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call var.type (typeattr))
+ (call var.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .file.var.base_template)
+ (blockinherit .file.var.base_template)
- (call .file.spool.type (file)))
+ (call .file.spool.type (file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.macro_template_lnk_files)
- (blockinherit .file.spool.base_template))))
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files)
+ (blockinherit .file.spool.base_template))))
diff --git a/src/file/varfile/spoolfile/mailspoolfile.cil b/src/file/varfile/spoolfile/mailspoolfile.cil
index 9153df9..db9a61c 100644
--- a/src/file/varfile/spoolfile/mailspoolfile.cil
+++ b/src/file/varfile/spoolfile/mailspoolfile.cil
@@ -1,40 +1,40 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block mail
- (block spool
+ (block spool
- (blockinherit .file.spool.mail.template)))
+ (blockinherit .file.spool.mail.template)))
 (in file.spool (block mail
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit file.all_macro_template_dirs)
- (blockinherit file.all_macro_template_files)
- (blockinherit file.all_macro_template_lnk_files)
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_lnk_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call .file.spool.type (typeattr))
+ (call .file.spool.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .file.spool.base_template)
+ (blockinherit .file.spool.base_template)
- (call .file.spool.mail.type (file)))
+ (call .file.spool.mail.type (file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.macro_template_lnk_files)
- (blockinherit .file.spool.mail.base_template))))
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files)
+ (blockinherit .file.spool.mail.base_template))))
diff --git a/src/file/varfile/statefile.cil b/src/file/varfile/statefile.cil
index 98417f6..5bf2aea 100644
--- a/src/file/varfile/statefile.cil
+++ b/src/file/varfile/statefile.cil
@@ -1,42 +1,42 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block state
- (blockinherit .file.state.template))
+ (blockinherit .file.state.template))
 (in file (block state
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (blockinherit file.all_macro_template_dirs)
- (blockinherit file.all_macro_template_fifo_files)
- (blockinherit file.all_macro_template_files)
- (blockinherit file.all_macro_template_lnk_files)
- (blockinherit file.all_macro_template_sock_files)
+ (blockinherit file.all_macro_template_dirs)
+ (blockinherit file.all_macro_template_fifo_files)
+ (blockinherit file.all_macro_template_files)
+ (blockinherit file.all_macro_template_lnk_files)
+ (blockinherit file.all_macro_template_sock_files)
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (call var.type (typeattr))
+ (call var.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .file.var.base_template)
+ (blockinherit .file.var.base_template)
- (call .file.state.type (file)))
+ (call .file.state.type (file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .file.macro_template_dirs)
- (blockinherit .file.macro_template_fifo_files)
- (blockinherit .file.macro_template_files)
- (blockinherit .file.macro_template_lnk_files)
- (blockinherit .file.macro_template_sock_files)
- (blockinherit .file.state.base_template))))
+ (blockinherit .file.macro_template_dirs)
+ (blockinherit .file.macro_template_fifo_files)
+ (blockinherit .file.macro_template_files)
+ (blockinherit .file.macro_template_lnk_files)
+ (blockinherit .file.macro_template_sock_files)
+ (blockinherit .file.state.base_template))))
@@ -1,592 +1,592 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class filesystem - (associate getattr mount quotaget quotamod relabelfrom relabelto remount - unmount watch)) + (associate getattr mount quotaget quotamod relabelfrom relabelto remount + unmount watch)) (classorder (unordered filesystem)) (in ibac (constrain (filesystem (relabelto)) - (or (or (or (eq u1 u2) - (and (eq t1 objchangesys.typeattr) (eq u2 .sys.id))) - (eq t1 objchange.typeattr)) - (eq t1 exempt.typeattr)))) + (or (or (or (eq u1 u2) + (and (eq t1 objchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr)))) (in mcs (mlsconstrain (filesystem (relabelto)) - (or (neq t1 constrained.typeattr) - (and (dom h1 h2) (eq l2 h2)))) + (or (neq t1 constrained.typeattr) + (and (dom h1 h2) (eq l2 h2)))) (mlsconstrain (filesystem (associate getattr mount remount)) - (or (dom h1 h2) - (neq t1 constrained.typeattr)))) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) (in rbac (constrain (filesystem (relabelto)) - (or (or (or (eq r1 r2) - (and (eq t1 objchangesys.typeattr) - (eq r2 .sys.role))) - (eq t1 objchange.typeattr)) - (eq t1 exempt.typeattr)))) + (or (or (or (eq r1 r2) + (and (eq t1 objchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr)))) (in rbacsep (constrain (filesystem (getattr)) - (or (or (or (or (or (eq r1 r2) - (and (eq r1 exempt.roleattr) - (neq t1 constrained.typeattr))) - (eq t1 exempt.subj.typeattr)) - (eq t2 exempt.obj.typeattr)) - (and (eq r2 exempt.roleattr) (eq t2 typeattr))) - (and (eq t1 readstatesource.typeattr) - (eq t2 readstatetarget.typeattr))))) + (or (or (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (eq t2 exempt.obj.typeattr)) + (and (eq r2 exempt.roleattr) (eq 
t2 typeattr))) + (and (eq t1 readstatesource.typeattr) + (eq t2 readstatetarget.typeattr))))) (macro associate_invalid_fs ((type ARG1)) - (allow ARG1 invalid (filesystem (associate)))) + (allow ARG1 invalid (filesystem (associate)))) (macro getattr_invalid_fs ((type ARG1)) - (allow ARG1 invalid (filesystem (getattr)))) + (allow ARG1 invalid (filesystem (getattr)))) (macro mount_invalid_fs ((type ARG1)) - (allow ARG1 invalid (filesystem (mount)))) + (allow ARG1 invalid (filesystem (mount)))) (macro quotaget_invalid_fs ((type ARG1)) - (allow ARG1 invalid (filesystem (quotaget)))) + (allow ARG1 invalid (filesystem (quotaget)))) (macro quotamod_invalid_fs ((type ARG1)) - (allow ARG1 invalid (filesystem (quotamod)))) + (allow ARG1 invalid (filesystem (quotamod)))) (macro relabel_invalid_fs ((type ARG1)) - (allow ARG1 invalid (filesystem (relabelfrom relabelto)))) + (allow ARG1 invalid (filesystem (relabelfrom relabelto)))) (macro relabelfrom_invalid_fs ((type ARG1)) - (allow ARG1 invalid (filesystem (relabelfrom)))) + (allow ARG1 invalid (filesystem (relabelfrom)))) (macro relabelto_invalid_fs ((type ARG1)) - (allow ARG1 invalid (filesystem (relabelto)))) + (allow ARG1 invalid (filesystem (relabelto)))) (macro remount_invalid_fs ((type ARG1)) - (allow ARG1 invalid (filesystem (remount)))) + (allow ARG1 invalid (filesystem (remount)))) (macro unmount_invalid_fs ((type ARG1)) - (allow ARG1 invalid (filesystem (unmount)))) + (allow ARG1 invalid (filesystem (unmount)))) (macro watch_invalid_fs ((type ARG1)) - (allow ARG1 invalid (filesystem (watch)))) + (allow ARG1 invalid (filesystem (watch)))) (allow invalid self (filesystem (associate))) (block fs - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template_fs) + (blockinherit all_macro_template_fs) - (blockinherit .file.all_macro_template_all_files) - (blockinherit 
.file.all_macro_template_blk_files) - (blockinherit .file.all_macro_template_chr_files) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_fifo_files) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) - (blockinherit .file.all_macro_template_sock_files) + (blockinherit .file.all_macro_template_all_files) + (blockinherit .file.all_macro_template_blk_files) + (blockinherit .file.all_macro_template_chr_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_fifo_files) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_sock_files) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template_fs + (block all_macro_template_fs - (blockabstract all_macro_template_fs) + (blockabstract all_macro_template_fs) - (macro associate_all_fs ((type ARG1)) - (allow ARG1 typeattr (filesystem (associate)))) + (macro associate_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (associate)))) - (macro getattr_all_fs ((type ARG1)) - (allow ARG1 typeattr (filesystem (getattr)))) + (macro getattr_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (getattr)))) - (macro mount_all_fs ((type ARG1)) - (allow ARG1 typeattr (filesystem (mount)))) + (macro mount_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (mount)))) - (macro quotaget_all_fs ((type ARG1)) - (allow ARG1 typeattr (filesystem (quotaget)))) + (macro quotaget_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (quotaget)))) - (macro quotamod_all_fs ((type ARG1)) - (allow ARG1 typeattr (filesystem (quotamod)))) + (macro quotamod_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (quotamod)))) - (macro relabel_all_fs ((type ARG1)) - (allow ARG1 typeattr (filesystem (relabelfrom relabelto)))) + (macro relabel_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem 
(relabelfrom relabelto)))) - (macro relabelfrom_all_fs ((type ARG1)) - (allow ARG1 typeattr (filesystem (relabelfrom)))) + (macro relabelfrom_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (relabelfrom)))) - (macro relabelto_all_fs ((type ARG1)) - (allow ARG1 typeattr (filesystem (relabelto)))) + (macro relabelto_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (relabelto)))) - (macro remount_all_fs ((type ARG1)) - (allow ARG1 typeattr (filesystem (remount)))) + (macro remount_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (remount)))) - (macro unmount_all_fs ((type ARG1)) - (allow ARG1 typeattr (filesystem (unmount)))) + (macro unmount_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (unmount)))) - (macro watch_all_fs ((type ARG1)) - (allow ARG1 typeattr (filesystem (watch))))) + (macro watch_all_fs ((type ARG1)) + (allow ARG1 typeattr (filesystem (watch))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context fs_context (.sys.id .sys.role fs .sys.lowlow)) + (context fs_context (.sys.id .sys.role fs .sys.lowlow)) - (type fs) - (call .fs.type (fs))) + (type fs) + (call .fs.type (fs))) - (block macro_template_all_files + (block macro_template_all_files - (blockabstract macro_template_all_files) + (blockabstract macro_template_all_files) - (macro create_fs_file ((type ARG1)) - (allow ARG1 fs (files (create)))) + (macro create_fs_file ((type ARG1)) + (allow ARG1 fs (files (create)))) - (macro delete_fs_file ((type ARG1)) - (allow ARG1 fs (files (delete)))) + (macro delete_fs_file ((type ARG1)) + (allow ARG1 fs (files (delete)))) - (macro manage_fs_file ((type ARG1)) - (allow ARG1 fs (files (manage)))) + (macro manage_fs_file ((type ARG1)) + (allow ARG1 fs (files (manage)))) - (macro read_fs_file ((type ARG1)) - (allow ARG1 fs (files (read)))) + (macro read_fs_file ((type ARG1)) + (allow ARG1 fs (files (read)))) - (macro readwrite_fs_file ((type ARG1)) - (allow ARG1 fs 
(files (readwrite)))) + (macro readwrite_fs_file ((type ARG1)) + (allow ARG1 fs (files (readwrite)))) - (macro relabel_fs_file ((type ARG1)) - (allow ARG1 fs (files (relabel)))) + (macro relabel_fs_file ((type ARG1)) + (allow ARG1 fs (files (relabel)))) - (macro relabelfrom_fs_file ((type ARG1)) - (allow ARG1 fs (files (relabelfrom)))) + (macro relabelfrom_fs_file ((type ARG1)) + (allow ARG1 fs (files (relabelfrom)))) - (macro relabelto_fs_file ((type ARG1)) - (allow ARG1 fs (files (relabelto)))) + (macro relabelto_fs_file ((type ARG1)) + (allow ARG1 fs (files (relabelto)))) - (macro rename_fs_file ((type ARG1)) - (allow ARG1 fs (files (rename)))) + (macro rename_fs_file ((type ARG1)) + (allow ARG1 fs (files (rename)))) - (macro write_fs_file ((type ARG1)) - (allow ARG1 fs (files (write))))) + (macro write_fs_file ((type ARG1)) + (allow ARG1 fs (files (write))))) - (block macro_template_blk_files + (block macro_template_blk_files - (blockabstract macro_template_blk_files) + (blockabstract macro_template_blk_files) - (macro append_blk_fs_files ((type ARG1)) - (allow ARG1 fs append_blk_file)) + (macro append_blk_fs_files ((type ARG1)) + (allow ARG1 fs append_blk_file)) - (macro appendinherited_fs_blk_files ((type ARG1)) - (allow ARG1 fs appendinherited_blk_file)) + (macro appendinherited_fs_blk_files ((type ARG1)) + (allow ARG1 fs appendinherited_blk_file)) - (macro create_fs_blk_files ((type ARG1)) - (allow ARG1 fs create_blk_file)) + (macro create_fs_blk_files ((type ARG1)) + (allow ARG1 fs create_blk_file)) - (macro delete_fs_blk_files ((type ARG1)) - (allow ARG1 fs delete_blk_file)) + (macro delete_fs_blk_files ((type ARG1)) + (allow ARG1 fs delete_blk_file)) - (macro manage_fs_blk_files ((type ARG1)) - (allow ARG1 fs manage_blk_file)) + (macro manage_fs_blk_files ((type ARG1)) + (allow ARG1 fs manage_blk_file)) - (macro read_fs_blk_files ((type ARG1)) - (allow ARG1 fs read_blk_file)) + (macro read_fs_blk_files ((type ARG1)) + (allow ARG1 fs read_blk_file)) - 
(macro readinherited_fs_blk_files ((type ARG1)) - (allow ARG1 fs readinherited_blk_file)) + (macro readinherited_fs_blk_files ((type ARG1)) + (allow ARG1 fs readinherited_blk_file)) - (macro readwrite_fs_blk_files ((type ARG1)) - (allow ARG1 fs readwrite_blk_file)) + (macro readwrite_fs_blk_files ((type ARG1)) + (allow ARG1 fs readwrite_blk_file)) - (macro readwriteinherited_fs_blk_files ((type ARG1)) - (allow ARG1 fs readwriteinherited_blk_file)) + (macro readwriteinherited_fs_blk_files ((type ARG1)) + (allow ARG1 fs readwriteinherited_blk_file)) - (macro relabel_fs_blk_files ((type ARG1)) - (allow ARG1 fs relabel_blk_file)) + (macro relabel_fs_blk_files ((type ARG1)) + (allow ARG1 fs relabel_blk_file)) - (macro relabelfrom_fs_blk_files ((type ARG1)) - (allow ARG1 fs relabelfrom_blk_file)) + (macro relabelfrom_fs_blk_files ((type ARG1)) + (allow ARG1 fs relabelfrom_blk_file)) - (macro relabelto_fs_blk_files ((type ARG1)) - (allow ARG1 fs relabelto_blk_file)) + (macro relabelto_fs_blk_files ((type ARG1)) + (allow ARG1 fs relabelto_blk_file)) - (macro rename_fs_blk_files ((type ARG1)) - (allow ARG1 fs rename_blk_file)) + (macro rename_fs_blk_files ((type ARG1)) + (allow ARG1 fs rename_blk_file)) - (macro write_fs_blk_files ((type ARG1)) - (allow ARG1 fs write_blk_file)) + (macro write_fs_blk_files ((type ARG1)) + (allow ARG1 fs write_blk_file)) - (macro writeinherited_fs-blk_files ((type ARG1)) - (allow ARG1 fs writeinherited_blk_file))) + (macro writeinherited_fs-blk_files ((type ARG1)) + (allow ARG1 fs writeinherited_blk_file))) - (block macro_template_chr_files + (block macro_template_chr_files - (blockabstract macro_template_chr_files) + (blockabstract macro_template_chr_files) - (macro append_fs_chr_files ((type ARG1)) - (allow ARG1 fs append_chr_file)) + (macro append_fs_chr_files ((type ARG1)) + (allow ARG1 fs append_chr_file)) - (macro appendinherited_fs_chr_files ((type ARG1)) - (allow ARG1 fs appendinherited_chr_file)) + (macro appendinherited_fs_chr_files 
((type ARG1)) + (allow ARG1 fs appendinherited_chr_file)) - (macro create_fs_chr_files ((type ARG1)) - (allow ARG1 fs create_chr_file)) + (macro create_fs_chr_files ((type ARG1)) + (allow ARG1 fs create_chr_file)) - (macro delete_fs_chr_files ((type ARG1)) - (allow ARG1 fs delete_chr_file)) + (macro delete_fs_chr_files ((type ARG1)) + (allow ARG1 fs delete_chr_file)) - (macro manage_fs_chr_files ((type ARG1)) - (allow ARG1 fs manage_chr_file)) + (macro manage_fs_chr_files ((type ARG1)) + (allow ARG1 fs manage_chr_file)) - (macro mapexecute_fs_chr_files ((type ARG1)) - (allow ARG1 fs mapexecute_chr_file)) + (macro mapexecute_fs_chr_files ((type ARG1)) + (allow ARG1 fs mapexecute_chr_file)) - (macro read_fs_chr_files ((type ARG1)) - (allow ARG1 fs read_chr_file)) + (macro read_fs_chr_files ((type ARG1)) + (allow ARG1 fs read_chr_file)) - (macro readinherited_fs_chr_files ((type ARG1)) - (allow ARG1 fs readinherited_chr_file)) + (macro readinherited_fs_chr_files ((type ARG1)) + (allow ARG1 fs readinherited_chr_file)) - (macro readwrite_fs_chr_files ((type ARG1)) - (allow ARG1 fs readwrite_chr_file)) + (macro readwrite_fs_chr_files ((type ARG1)) + (allow ARG1 fs readwrite_chr_file)) - (macro readwriteinherited_fs_chr_files ((type ARG1)) - (allow ARG1 fs readwriteinherited_chr_file)) + (macro readwriteinherited_fs_chr_files ((type ARG1)) + (allow ARG1 fs readwriteinherited_chr_file)) - (macro relabel_fs_chr_files ((type ARG1)) - (allow ARG1 fs relabel_chr_file)) + (macro relabel_fs_chr_files ((type ARG1)) + (allow ARG1 fs relabel_chr_file)) - (macro relabelfrom_fs_chr_files ((type ARG1)) - (allow ARG1 fs relabelfrom_chr_file)) + (macro relabelfrom_fs_chr_files ((type ARG1)) + (allow ARG1 fs relabelfrom_chr_file)) - (macro relabelto_fs_chr_files ((type ARG1)) - (allow ARG1 fs relabelto_chr_file)) + (macro relabelto_fs_chr_files ((type ARG1)) + (allow ARG1 fs relabelto_chr_file)) - (macro rename_fs_chr_files ((type ARG1)) - (allow ARG1 fs rename_chr_file)) + (macro 
rename_fs_chr_files ((type ARG1)) + (allow ARG1 fs rename_chr_file)) - (macro write_fs_chr_files ((type ARG1)) - (allow ARG1 fs write_chr_file)) + (macro write_fs_chr_files ((type ARG1)) + (allow ARG1 fs write_chr_file)) - (macro writeinherited_fs_chr_files ((type ARG1)) - (allow ARG1 fs writeinherited_chr_file))) + (macro writeinherited_fs_chr_files ((type ARG1)) + (allow ARG1 fs writeinherited_chr_file))) - (block macro_template_dirs + (block macro_template_dirs - (blockabstract macro_template_dirs) + (blockabstract macro_template_dirs) - (macro addname_fs_dirs ((type ARG1)) - (allow ARG1 fs addname_dir)) + (macro addname_fs_dirs ((type ARG1)) + (allow ARG1 fs addname_dir)) - (macro create_fs_dirs ((type ARG1)) - (allow ARG1 fs create_dir)) + (macro create_fs_dirs ((type ARG1)) + (allow ARG1 fs create_dir)) - (macro delete_fs_dirs ((type ARG1)) - (allow ARG1 fs delete_dir)) + (macro delete_fs_dirs ((type ARG1)) + (allow ARG1 fs delete_dir)) - (macro deletename_fs_dirs ((type ARG1)) - (allow ARG1 fs deletename_dir)) + (macro deletename_fs_dirs ((type ARG1)) + (allow ARG1 fs deletename_dir)) - (macro fs_type_transition ((type ARG1)(type ARG2)(class ARG3)(name ARG4)) - (typetransition ARG1 fs ARG3 ARG4 ARG2) - (call addname_fs_dirs (ARG1))) + (macro fs_type_transition ((type ARG1)(type ARG2)(class ARG3)(name ARG4)) + (typetransition ARG1 fs ARG3 ARG4 ARG2) + (call addname_fs_dirs (ARG1))) - (macro list_fs_dirs ((type ARG1)) - (allow ARG1 fs list_dir)) + (macro list_fs_dirs ((type ARG1)) + (allow ARG1 fs list_dir)) - (macro listinherited_fs_dirs ((type ARG1)) - (allow ARG1 fs listinherited_dir)) + (macro listinherited_fs_dirs ((type ARG1)) + (allow ARG1 fs listinherited_dir)) - (macro manage_fs_dirs ((type ARG1)) - (allow ARG1 fs manage_dir)) + (macro manage_fs_dirs ((type ARG1)) + (allow ARG1 fs manage_dir)) - (macro mounton_fs_dirs ((type ARG1)) - (allow ARG1 fs mounton_dir)) + (macro mounton_fs_dirs ((type ARG1)) + (allow ARG1 fs mounton_dir)) - (macro 
readwrite_fs_dirs ((type ARG1)) - (allow ARG1 fs readwrite_dir)) + (macro readwrite_fs_dirs ((type ARG1)) + (allow ARG1 fs readwrite_dir)) - (macro readwriteinherited_fs_dirs ((type ARG1)) - (allow ARG1 fs readwriteinherited_dir)) + (macro readwriteinherited_fs_dirs ((type ARG1)) + (allow ARG1 fs readwriteinherited_dir)) - (macro relabel_fs_dirs ((type ARG1)) - (allow ARG1 fs relabel_dir)) + (macro relabel_fs_dirs ((type ARG1)) + (allow ARG1 fs relabel_dir)) - (macro relabelfrom_fs_dirs ((type ARG1)) - (allow ARG1 fs relabelfrom_dir)) + (macro relabelfrom_fs_dirs ((type ARG1)) + (allow ARG1 fs relabelfrom_dir)) - (macro relabelto_fs_dirs ((type ARG1)) - (allow ARG1 fs relabelto_dir)) + (macro relabelto_fs_dirs ((type ARG1)) + (allow ARG1 fs relabelto_dir)) - (macro rename_fs_dirs ((type ARG1)) - (allow ARG1 fs rename_dir)) + (macro rename_fs_dirs ((type ARG1)) + (allow ARG1 fs rename_dir)) - (macro search_fs_dirs ((type ARG1)) - (allow ARG1 fs search_dir)) + (macro search_fs_dirs ((type ARG1)) + (allow ARG1 fs search_dir)) - (macro write_fs_dirs ((type ARG1)) - (allow ARG1 fs write_dir)) + (macro write_fs_dirs ((type ARG1)) + (allow ARG1 fs write_dir)) - (macro writeinherited_fs_dirs ((type ARG1)) - (allow ARG1 fs writeinherited_dir))) + (macro writeinherited_fs_dirs ((type ARG1)) + (allow ARG1 fs writeinherited_dir))) - (block macro_template_fifo_files + (block macro_template_fifo_files - (blockabstract macro_template_fifo_files) + (blockabstract macro_template_fifo_files) - (macro append_fs_fifo_files ((type ARG1)) - (allow ARG1 fs append_fifo_file)) + (macro append_fs_fifo_files ((type ARG1)) + (allow ARG1 fs append_fifo_file)) - (macro appendinherited_fs_fifo_files ((type ARG1)) - (allow ARG1 fs appendinherited_fifo_file)) + (macro appendinherited_fs_fifo_files ((type ARG1)) + (allow ARG1 fs appendinherited_fifo_file)) - (macro create_fs_fifo_files ((type ARG1)) - (allow ARG1 fs create_fifo_file)) + (macro create_fs_fifo_files ((type ARG1)) + (allow ARG1 fs 
create_fifo_file)) - (macro delete_fs_fifo_files ((type ARG1)) - (allow ARG1 fs delete_fifo_file)) + (macro delete_fs_fifo_files ((type ARG1)) + (allow ARG1 fs delete_fifo_file)) - (macro manage_fs_fifo_files ((type ARG1)) - (allow ARG1 fs manage_fifo_file)) + (macro manage_fs_fifo_files ((type ARG1)) + (allow ARG1 fs manage_fifo_file)) - (macro read_fs_fifo_files ((type ARG1)) - (allow ARG1 fs read_fifo_file)) + (macro read_fs_fifo_files ((type ARG1)) + (allow ARG1 fs read_fifo_file)) - (macro readinherited_fs_fifo_files ((type ARG1)) - (allow ARG1 fs readinherited_fifo_file)) + (macro readinherited_fs_fifo_files ((type ARG1)) + (allow ARG1 fs readinherited_fifo_file)) - (macro readwrite_fs_fifo_files ((type ARG1)) - (allow ARG1 fs readwrite_fifo_file)) + (macro readwrite_fs_fifo_files ((type ARG1)) + (allow ARG1 fs readwrite_fifo_file)) - (macro readwriteinherited_fs_fifo_files ((type ARG1)) - (allow ARG1 fs readwriteinherited_fifo_file)) + (macro readwriteinherited_fs_fifo_files ((type ARG1)) + (allow ARG1 fs readwriteinherited_fifo_file)) - (macro relabel_fs_fifo_files ((type ARG1)) - (allow ARG1 fs relabel_fifo_file)) + (macro relabel_fs_fifo_files ((type ARG1)) + (allow ARG1 fs relabel_fifo_file)) - (macro relabelfrom_fs_fifo_files ((type ARG1)) - (allow ARG1 fs relabelfrom_fifo_file)) + (macro relabelfrom_fs_fifo_files ((type ARG1)) + (allow ARG1 fs relabelfrom_fifo_file)) - (macro relabelto_fs_fifo_files ((type ARG1)) - (allow ARG1 fs relabelto_fifo_file)) + (macro relabelto_fs_fifo_files ((type ARG1)) + (allow ARG1 fs relabelto_fifo_file)) - (macro rename_fs_fifo_files ((type ARG1)) - (allow ARG1 fs rename_fifo_file)) + (macro rename_fs_fifo_files ((type ARG1)) + (allow ARG1 fs rename_fifo_file)) - (macro write_fs_fifo_files ((type ARG1)) - (allow ARG1 fs write_fifo_file)) + (macro write_fs_fifo_files ((type ARG1)) + (allow ARG1 fs write_fifo_file)) - (macro writeinherited_fs_fifo_files ((type ARG1)) - (allow ARG1 fs writeinherited_fifo_file))) + (macro 
writeinherited_fs_fifo_files ((type ARG1)) + (allow ARG1 fs writeinherited_fifo_file))) - (block macro_template_files + (block macro_template_files - (blockabstract macro_template_files) + (blockabstract macro_template_files) - (macro append_fs_files ((type ARG1)) - (allow ARG1 fs append_file)) + (macro append_fs_files ((type ARG1)) + (allow ARG1 fs append_file)) - (macro appendinherited_fs_files ((type ARG1)) - (allow ARG1 fs appendinherited_file)) + (macro appendinherited_fs_files ((type ARG1)) + (allow ARG1 fs appendinherited_file)) - (macro create_fs_files ((type ARG1)) - (allow ARG1 fs create_file)) + (macro create_fs_files ((type ARG1)) + (allow ARG1 fs create_file)) - (macro delete_fs_files ((type ARG1)) - (allow ARG1 fs delete_file)) + (macro delete_fs_files ((type ARG1)) + (allow ARG1 fs delete_file)) - (macro execute_fs_files ((type ARG1)) - (allow ARG1 fs execute_file)) + (macro execute_fs_files ((type ARG1)) + (allow ARG1 fs execute_file)) - (macro manage_fs_files ((type ARG1)) - (allow ARG1 fs manage_file)) + (macro manage_fs_files ((type ARG1)) + (allow ARG1 fs manage_file)) - (macro mapexecute_fs_files ((type ARG1)) - (allow ARG1 fs mapexecute_file)) + (macro mapexecute_fs_files ((type ARG1)) + (allow ARG1 fs mapexecute_file)) - (macro mounton_fs_files ((type ARG1)) - (allow ARG1 fs mounton_file)) + (macro mounton_fs_files ((type ARG1)) + (allow ARG1 fs mounton_file)) - (macro read_fs_files ((type ARG1)) - (allow ARG1 fs read_file)) + (macro read_fs_files ((type ARG1)) + (allow ARG1 fs read_file)) - (macro readinherited_fs_files ((type ARG1)) - (allow ARG1 fs readinherited_file)) + (macro readinherited_fs_files ((type ARG1)) + (allow ARG1 fs readinherited_file)) - (macro readwrite_fs_files ((type ARG1)) - (allow ARG1 fs readwrite_file)) + (macro readwrite_fs_files ((type ARG1)) + (allow ARG1 fs readwrite_file)) - (macro readwriteinherited_fs_files ((type ARG1)) - (allow ARG1 fs readwriteinherited_file)) + (macro readwriteinherited_fs_files ((type 
ARG1)) + (allow ARG1 fs readwriteinherited_file)) - (macro relabel_fs_files ((type ARG1)) - (allow ARG1 fs relabel_file)) + (macro relabel_fs_files ((type ARG1)) + (allow ARG1 fs relabel_file)) - (macro relabelfrom_fs_files ((type ARG1)) - (allow ARG1 fs relabelfrom_file)) + (macro relabelfrom_fs_files ((type ARG1)) + (allow ARG1 fs relabelfrom_file)) - (macro relabelto_fs_files ((type ARG1)) - (allow ARG1 fs relabelto_file)) + (macro relabelto_fs_files ((type ARG1)) + (allow ARG1 fs relabelto_file)) - (macro rename_fs_files ((type ARG1)) - (allow ARG1 fs rename_file)) + (macro rename_fs_files ((type ARG1)) + (allow ARG1 fs rename_file)) - (macro write_fs_files ((type ARG1)) - (allow ARG1 fs write_file)) + (macro write_fs_files ((type ARG1)) + (allow ARG1 fs write_file)) - (macro writeinherited_fs_files ((type ARG1)) - (allow ARG1 fs writeinherited_file))) + (macro writeinherited_fs_files ((type ARG1)) + (allow ARG1 fs writeinherited_file))) - (block macro_template_lnk_files + (block macro_template_lnk_files - (blockabstract macro_template_lnk_files) + (blockabstract macro_template_lnk_files) - (macro create_fs_lnk_files ((type ARG1)) - (allow ARG1 fs create_lnk_file)) + (macro create_fs_lnk_files ((type ARG1)) + (allow ARG1 fs create_lnk_file)) - (macro delete_fs_lnk_files ((type ARG1)) - (allow ARG1 fs delete_lnk_file)) + (macro delete_fs_lnk_files ((type ARG1)) + (allow ARG1 fs delete_lnk_file)) - (macro manage_fs_lnk_files ((type ARG1)) - (allow ARG1 fs manage_lnk_file)) + (macro manage_fs_lnk_files ((type ARG1)) + (allow ARG1 fs manage_lnk_file)) - (macro read_fs_lnk_files ((type ARG1)) - (allow ARG1 fs read_lnk_file)) + (macro read_fs_lnk_files ((type ARG1)) + (allow ARG1 fs read_lnk_file)) - (macro readwrite_fs_lnk_files ((type ARG1)) - (allow ARG1 fs readwrite_lnk_file)) + (macro readwrite_fs_lnk_files ((type ARG1)) + (allow ARG1 fs readwrite_lnk_file)) - (macro relabel_fs_lnk_files ((type ARG1)) - (allow ARG1 fs relabel_lnk_file)) + (macro 
relabel_fs_lnk_files ((type ARG1)) + (allow ARG1 fs relabel_lnk_file)) - (macro relabelfrom_fs_lnk_files ((type ARG1)) - (allow ARG1 fs relabelfrom_lnk_file)) + (macro relabelfrom_fs_lnk_files ((type ARG1)) + (allow ARG1 fs relabelfrom_lnk_file)) - (macro relabelto_fs_lnk_files ((type ARG1)) - (allow ARG1 fs relabelto_lnk_file)) + (macro relabelto_fs_lnk_files ((type ARG1)) + (allow ARG1 fs relabelto_lnk_file)) - (macro rename_fs_lnk_files ((type ARG1)) - (allow ARG1 fs rename_lnk_file)) + (macro rename_fs_lnk_files ((type ARG1)) + (allow ARG1 fs rename_lnk_file)) - (macro write_fs_lnk_files ((type ARG1)) - (allow ARG1 fs write_lnk_file))) + (macro write_fs_lnk_files ((type ARG1)) + (allow ARG1 fs write_lnk_file))) - (block macro_template_sock_files + (block macro_template_sock_files - (blockabstract macro_template_sock_files) + (blockabstract macro_template_sock_files) - (macro create_fs_sock_files ((type ARG1)) - (allow ARG1 fs create_sock_file)) + (macro create_fs_sock_files ((type ARG1)) + (allow ARG1 fs create_sock_file)) - (macro delete_fs_sock_files ((type ARG1)) - (allow ARG1 fs delete_sock_file)) + (macro delete_fs_sock_files ((type ARG1)) + (allow ARG1 fs delete_sock_file)) - (macro manage_fs_sock_files ((type ARG1)) - (allow ARG1 fs manage_sock_file)) + (macro manage_fs_sock_files ((type ARG1)) + (allow ARG1 fs manage_sock_file)) - (macro read_fs_sock_files ((type ARG1)) - (allow ARG1 fs read_sock_file)) + (macro read_fs_sock_files ((type ARG1)) + (allow ARG1 fs read_sock_file)) - (macro readinherited_fs_sock_files ((type ARG1)) - (allow ARG1 fs readinherited_sock_file)) + (macro readinherited_fs_sock_files ((type ARG1)) + (allow ARG1 fs readinherited_sock_file)) - (macro readwrite_fs_sock_files ((type ARG1)) - (allow ARG1 fs readwrite_sock_file)) + (macro readwrite_fs_sock_files ((type ARG1)) + (allow ARG1 fs readwrite_sock_file)) - (macro readwriteinherited_fs_sock_files ((type ARG1)) - (allow ARG1 fs readwriteinherited_sock_file)) + (macro 
readwriteinherited_fs_sock_files ((type ARG1)) + (allow ARG1 fs readwriteinherited_sock_file)) - (macro relabel_fs_sock_files ((type ARG1)) - (allow ARG1 fs relabel_sock_file)) + (macro relabel_fs_sock_files ((type ARG1)) + (allow ARG1 fs relabel_sock_file)) - (macro relabelfrom_fs_sock_files ((type ARG1)) - (allow ARG1 fs relabelfrom_sock_file)) + (macro relabelfrom_fs_sock_files ((type ARG1)) + (allow ARG1 fs relabelfrom_sock_file)) - (macro relabelto_fs_sock_files ((type ARG1)) - (allow ARG1 fs relabelto_sock_file)) + (macro relabelto_fs_sock_files ((type ARG1)) + (allow ARG1 fs relabelto_sock_file)) - (macro rename_fs_sock_files ((type ARG1)) - (allow ARG1 fs rename_sock_file)) + (macro rename_fs_sock_files ((type ARG1)) + (allow ARG1 fs rename_sock_file)) - (macro write_fs_sock_files ((type ARG1)) - (allow ARG1 fs write_sock_file)) + (macro write_fs_sock_files ((type ARG1)) + (allow ARG1 fs write_sock_file)) - (macro writeinherited_fs_sock_files ((type ARG1)) - (allow ARG1 fs writeinherited_sock_file))) + (macro writeinherited_fs_sock_files ((type ARG1)) + (allow ARG1 fs writeinherited_sock_file))) - (block macro_template_fs + (block macro_template_fs - (blockabstract macro_template_fs) + (blockabstract macro_template_fs) - (macro associate_fs ((type ARG1)) - (allow ARG1 fs (filesystem (associate)))) + (macro associate_fs ((type ARG1)) + (allow ARG1 fs (filesystem (associate)))) - (macro getattr_fs ((type ARG1)) - (allow ARG1 fs (filesystem (getattr)))) + (macro getattr_fs ((type ARG1)) + (allow ARG1 fs (filesystem (getattr)))) - (macro mount_fs ((type ARG1)) - (allow ARG1 fs (filesystem (mount)))) + (macro mount_fs ((type ARG1)) + (allow ARG1 fs (filesystem (mount)))) - (macro quotaget_fs ((type ARG1)) - (allow ARG1 fs (filesystem (quotaget)))) + (macro quotaget_fs ((type ARG1)) + (allow ARG1 fs (filesystem (quotaget)))) - (macro quotamod_fs ((type ARG1)) - (allow ARG1 fs (filesystem (quotamod)))) + (macro quotamod_fs ((type ARG1)) + (allow ARG1 fs 
(filesystem (quotamod)))) - (macro relabel_fs ((type ARG1)) - (allow ARG1 fs (filesystem (relabelfrom relabelto)))) + (macro relabel_fs ((type ARG1)) + (allow ARG1 fs (filesystem (relabelfrom relabelto)))) - (macro relabelfrom_fs ((type ARG1)) - (allow ARG1 fs (filesystem (relabelfrom)))) + (macro relabelfrom_fs ((type ARG1)) + (allow ARG1 fs (filesystem (relabelfrom)))) - (macro relabelto_fs ((type ARG1)) - (allow ARG1 fs (filesystem (relabelto)))) + (macro relabelto_fs ((type ARG1)) + (allow ARG1 fs (filesystem (relabelto)))) - (macro remount_fs ((type ARG1)) - (allow ARG1 fs (filesystem (remount)))) + (macro remount_fs ((type ARG1)) + (allow ARG1 fs (filesystem (remount)))) - (macro unmount_fs ((type ARG1)) - (allow ARG1 fs (filesystem (unmount)))) + (macro unmount_fs ((type ARG1)) + (allow ARG1 fs (filesystem (unmount)))) - (macro watch_fs ((type ARG1)) - (allow ARG1 fs (filesystem (watch))))) + (macro watch_fs ((type ARG1)) + (allow ARG1 fs (filesystem (watch))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .fs.base_template) - (blockinherit .fs.macro_template_fs)) + (blockinherit .fs.base_template) + (blockinherit .fs.macro_template_fs)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr fs.typeattr - (blk_file (not (audit_access execmod map mounton)))) - (allow typeattr fs.typeattr (chr_file (not (audit_access execmod mounton)))) - (allow typeattr fs.typeattr (dir (not (audit_access execmod)))) - (allow typeattr fs.typeattr - (fifo_file (not (audit_access execmod map mounton)))) - (allow typeattr fs.typeattr (file (not (audit_access entrypoint execmod)))) - (allow typeattr fs.typeattr (filesystem (not associate))) - (allow typeattr fs.typeattr - (lnk_file (not (audit_access execmod map mounton)))) - (allow 
typeattr fs.typeattr - (sock_file (not (audit_access execmod map mounton)))))) + (allow typeattr fs.typeattr + (blk_file (not (audit_access execmod map mounton)))) + (allow typeattr fs.typeattr (chr_file (not (audit_access execmod mounton)))) + (allow typeattr fs.typeattr (dir (not (audit_access execmod)))) + (allow typeattr fs.typeattr + (fifo_file (not (audit_access execmod map mounton)))) + (allow typeattr fs.typeattr (file (not (audit_access entrypoint execmod)))) + (allow typeattr fs.typeattr (filesystem (not associate))) + (allow typeattr fs.typeattr + (lnk_file (not (audit_access execmod map mounton)))) + (allow typeattr fs.typeattr + (sock_file (not (audit_access execmod map mounton)))))) (in invalid.unconfined diff --git a/src/fs/noseclabelfs.cil b/src/fs/noseclabelfs.cil index 66a75c1..80cf86d 100644 --- a/src/fs/noseclabelfs.cil +++ b/src/fs/noseclabelfs.cil 
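Review bot: The macro `writeinherited_fs-blk_files` inside `macro_template_blk_files` is named with a hyphen where every sibling in the block uses the `*_fs_blk_files` pattern, and the reindent carries the typo onto the new side. A caller using the expected `writeinherited_fs_blk_files` fails to resolve at policy build time rather than silently granting anything, so the mismatch fails closed, but it is still a trap for anyone reading the other macro names as the convention; rename it to `(macro writeinherited_fs_blk_files ((type ARG1))` in a follow-up if callers exist. The hunk ends on the trailing context line `(in invalid.unconfined`, so that block continues outside this hunk.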
@@ -1,37 +1,37 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block noseclabelfs
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .file.all_macro_template_dirs)
- (blockinherit .file.all_macro_template_fifo_files)
- (blockinherit .file.all_macro_template_files)
- (blockinherit .file.all_macro_template_lnk_files)
- (blockinherit .file.all_macro_template_sock_files)
- (blockinherit .fs.all_macro_template_fs)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_fifo_files)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+ (blockinherit .file.all_macro_template_sock_files)
+ (blockinherit .fs.all_macro_template_fs)
- (allow typeattr self (filesystem (associate)))
+ (allow typeattr self (filesystem (associate)))
- (call .fs.type (typeattr))
+ (call .fs.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .fs.base_template)
+ (blockinherit .fs.base_template)
- (call .noseclabelfs.type (fs)))
+ (call .noseclabelfs.type (fs)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .fs.macro_template_dirs)
- (blockinherit .fs.macro_template_files)
- (blockinherit .fs.macro_template_fs)
- (blockinherit .noseclabelfs.base_template)))
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template)))
diff --git a/src/fs/noseclabelfs/aionoseclabelfs.cil b/src/fs/noseclabelfs/aionoseclabelfs.cil
index 48d59b7..e1b3f92 100644
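Review bot: The new side of the `SPDX-FileCopyrightText` line replaces `©` with the literal text `M-BM-)`, which is the `cat -v`-style escape rendering of the two UTF-8 bytes of the copyright sign, so the header is corrupted rather than reformatted; the same substitution appears in every hunk of this chunk (aionoseclabelfs.cil through traceseclabelfs.cil) and, given the diffstat, presumably across all 369 files. The rest of each hunk is the indentation-only rewrite the commit intends, but the new header line should still read `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`, i.e. the reformatting pipeline must pass non-ASCII bytes through unescaped (or drop the symbol deliberately, with the diff showing that). SPDX/REUSE headers are machine-read by license and SBOM tooling, so this is not merely cosmetic. Re-running the reformat without the escaping step and checking that `git diff -w` is empty for these files would confirm only whitespace changed.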
--- a/src/fs/noseclabelfs/aionoseclabelfs.cil
+++ b/src/fs/noseclabelfs/aionoseclabelfs.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block aio
- (genfscon "aio" "/" fs_context)
+ (genfscon "aio" "/" fs_context)
- (blockinherit .fs.macro_template_fs)
- (blockinherit .noseclabelfs.base_template))
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/anoninodenoseclabelfs.cil b/src/fs/noseclabelfs/anoninodenoseclabelfs.cil
index d7156a2..a1e8dee 100644
--- a/src/fs/noseclabelfs/anoninodenoseclabelfs.cil
+++ b/src/fs/noseclabelfs/anoninodenoseclabelfs.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block anoninode
- (genfscon "anon_inodefs" "/" fs_context)
+ (genfscon "anon_inodefs" "/" fs_context)
- (blockinherit .noseclabelfs.base_template))
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/autonoseclabelfs.cil b/src/fs/noseclabelfs/autonoseclabelfs.cil
index 6180533..d22b133 100644
--- a/src/fs/noseclabelfs/autonoseclabelfs.cil
+++ b/src/fs/noseclabelfs/autonoseclabelfs.cil
@@ -1,14 +1,14 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block auto
- (genfscon "autofs" "/" fs_context)
- (genfscon "automount" "/" fs_context)
+ (genfscon "autofs" "/" fs_context)
+ (genfscon "automount" "/" fs_context)
- (macro getattr_fs_dirs ((type ARG1))
- (allow ARG1 fs (dir (getattr))))
+ (macro getattr_fs_dirs ((type ARG1))
+ (allow ARG1 fs (dir (getattr))))
- (blockinherit .fs.macro_template_dirs)
- (blockinherit .fs.macro_template_fs)
- (blockinherit .noseclabelfs.base_template))
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/bdevnoseclabelfs.cil b/src/fs/noseclabelfs/bdevnoseclabelfs.cil
index b0a7369..2109eda 100644
--- a/src/fs/noseclabelfs/bdevnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/bdevnoseclabelfs.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block bdev
- (genfscon "bdev" "/" fs_context)
+ (genfscon "bdev" "/" fs_context)
- (blockinherit .fs.macro_template_fs)
- (blockinherit .noseclabelfs.base_template))
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/binfmtmiscnoseclabelfs.cil b/src/fs/noseclabelfs/binfmtmiscnoseclabelfs.cil
index 0b36870..beaa0e3 100644
--- a/src/fs/noseclabelfs/binfmtmiscnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/binfmtmiscnoseclabelfs.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block binfmtmisc
- (genfscon "binfmt_misc" "/" fs_context)
+ (genfscon "binfmt_misc" "/" fs_context)
- (blockinherit .noseclabelfs.template))
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/bpfnoseclabelfs.cil b/src/fs/noseclabelfs/bpfnoseclabelfs.cil
index 6e855ff..99d59dc 100644
--- a/src/fs/noseclabelfs/bpfnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/bpfnoseclabelfs.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block bpf
@@ -7,5 +7,5 @@
 (filecon "/sys/fs/bpf/.*" any ())
 (genfscon "bpf" "/" fs_context)
-
+
 (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/cinoseclabelfs.cil b/src/fs/noseclabelfs/cinoseclabelfs.cil
index a23198b..dbad070 100644
--- a/src/fs/noseclabelfs/cinoseclabelfs.cil
+++ b/src/fs/noseclabelfs/cinoseclabelfs.cil
@@ -1,14 +1,14 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block ci
- (genfscon "cifs" "/" fs_context)
- (genfscon "smbfs" "/" fs_context)
+ (genfscon "cifs" "/" fs_context)
+ (genfscon "smbfs" "/" fs_context)
- (macro map_fs_files ((type ARG1))
- (allow ARG1 fs (file (map))))
+ (macro map_fs_files ((type ARG1))
+ (allow ARG1 fs (file (map))))
- (blockinherit .noseclabelfs.template)
+ (blockinherit .noseclabelfs.template)
- (call .rbacsep.exempt.obj.type (fs)))
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/fs/noseclabelfs/confignoseclabelfs.cil b/src/fs/noseclabelfs/confignoseclabelfs.cil
index 78bf7ea..a0dde62 100644
--- a/src/fs/noseclabelfs/confignoseclabelfs.cil
+++ b/src/fs/noseclabelfs/confignoseclabelfs.cil
@@ -1,10 +1,10 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block config
- (genfscon "configfs" "/" fs_context)
+ (genfscon "configfs" "/" fs_context)
- (blockinherit .fs.macro_template_dirs)
- (blockinherit .fs.macro_template_fs)
- (blockinherit .noseclabelfs.base_template))
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/cpusetnoseclabelfs.cil b/src/fs/noseclabelfs/cpusetnoseclabelfs.cil
index c241ba8..9e1c1d7 100644
--- a/src/fs/noseclabelfs/cpusetnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/cpusetnoseclabelfs.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block cpuset
- (genfscon "cpuset" "/" fs_context)
+ (genfscon "cpuset" "/" fs_context)
- (blockinherit .fs.macro_template_fs)
- (blockinherit .noseclabelfs.base_template))
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/dosnoseclabelfs.cil b/src/fs/noseclabelfs/dosnoseclabelfs.cil
index b3e0996..dc1412a 100644
--- a/src/fs/noseclabelfs/dosnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/dosnoseclabelfs.cil
@@ -1,21 +1,21 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block dos
- (genfscon "fat" "/" fs_context)
- (genfscon "hfs" "/" fs_context)
- (genfscon "hfsplus" "/" fs_context)
- (genfscon "msdos" "/" fs_context)
- (genfscon "ntfs" "/" fs_context)
- (genfscon "ntfs-3g" "/" fs_context)
- (genfscon "ntfs3" "/" fs_context)
- (genfscon "vfat" "/" fs_context)
- (genfscon "exfat" "/" fs_context)
+ (genfscon "fat" "/" fs_context)
+ (genfscon "hfs" "/" fs_context)
+ (genfscon "hfsplus" "/" fs_context)
+ (genfscon "msdos" "/" fs_context)
+ (genfscon "ntfs" "/" fs_context)
+ (genfscon "ntfs-3g" "/" fs_context)
+ (genfscon "ntfs3" "/" fs_context)
+ (genfscon "vfat" "/" fs_context)
+ (genfscon "exfat" "/" fs_context)
- (macro map_fs_files ((type ARG1))
- (allow ARG1 fs (file (map))))
+ (macro map_fs_files ((type ARG1))
+ (allow ARG1 fs (file (map))))
- (blockinherit .noseclabelfs.template)
+ (blockinherit .noseclabelfs.template)
- (call .rbacsep.exempt.obj.type (fs)))
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/fs/noseclabelfs/drmnoseclabelfs.cil b/src/fs/noseclabelfs/drmnoseclabelfs.cil
index 8b20c7c..ac6c075 100644
--- a/src/fs/noseclabelfs/drmnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/drmnoseclabelfs.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block drm
- (genfscon "drm" "/" fs_context)
+ (genfscon "drm" "/" fs_context)
- (blockinherit .fs.macro_template_fs)
- (blockinherit .noseclabelfs.base_template))
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/efivarnoseclabelfs.cil b/src/fs/noseclabelfs/efivarnoseclabelfs.cil
index 2c7d931..7ff8fd2 100644
--- a/src/fs/noseclabelfs/efivarnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/efivarnoseclabelfs.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block efivar
- (genfscon "efivarfs" "/" fs_context)
+ (genfscon "efivarfs" "/" fs_context)
- (blockinherit .noseclabelfs.template))
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/fusenoseclabelfs.cil b/src/fs/noseclabelfs/fusenoseclabelfs.cil
index 9ebbbfd..f714975 100644
--- a/src/fs/noseclabelfs/fusenoseclabelfs.cil
+++ b/src/fs/noseclabelfs/fusenoseclabelfs.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in fuse
@@ -8,7 +8,7 @@
 (genfscon "fusectl" "/" fs_context)
 (macro map_fs_files ((type ARG1))
- (allow ARG1 fs (file (map))))
+ (allow ARG1 fs (file (map))))
 (blockinherit .fs.macro_template_lnk_files)
 (blockinherit .noseclabelfs.template)
diff --git a/src/fs/noseclabelfs/iso9660noseclabelfs.cil b/src/fs/noseclabelfs/iso9660noseclabelfs.cil
index c54d335..4a0916b 100644
--- a/src/fs/noseclabelfs/iso9660noseclabelfs.cil
+++ b/src/fs/noseclabelfs/iso9660noseclabelfs.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block iso9660
- (genfscon "iso9660" "/" fs_context)
+ (genfscon "iso9660" "/" fs_context)
- (blockinherit .noseclabelfs.template))
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/nfsdnoseclabelfs.cil b/src/fs/noseclabelfs/nfsdnoseclabelfs.cil
index 0ecd907..93d82ad 100644
--- a/src/fs/noseclabelfs/nfsdnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/nfsdnoseclabelfs.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block nfsd
- (genfscon "nfsd" "/" fs_context)
+ (genfscon "nfsd" "/" fs_context)
- (blockinherit .noseclabelfs.template))
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/nfsnoseclabelfs.cil b/src/fs/noseclabelfs/nfsnoseclabelfs.cil
index 92898d9..0ce9073 100644
--- a/src/fs/noseclabelfs/nfsnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/nfsnoseclabelfs.cil
@@ -1,17 +1,17 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block nfs
- (genfscon "afs" "/" fs_context)
- (genfscon "nfs" "/" fs_context)
+ (genfscon "afs" "/" fs_context)
+ (genfscon "nfs" "/" fs_context)
- (macro map_fs_files ((type ARG1))
- (allow ARG1 fs (file (map))))
+ (macro map_fs_files ((type ARG1))
+ (allow ARG1 fs (file (map))))
- (blockinherit .fs.macro_template_fifo_files)
- (blockinherit .fs.macro_template_lnk_files)
- (blockinherit .fs.macro_template_sock_files)
- (blockinherit .noseclabelfs.template)
+ (blockinherit .fs.macro_template_fifo_files)
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .fs.macro_template_sock_files)
+ (blockinherit .noseclabelfs.template)
- (call .rbacsep.exempt.obj.type (fs)))
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/fs/noseclabelfs/nsnoseclabelfs.cil b/src/fs/noseclabelfs/nsnoseclabelfs.cil
index 1927e67..06bc2ed 100644
--- a/src/fs/noseclabelfs/nsnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/nsnoseclabelfs.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block ns
- (genfscon "nsfs" "/" fs_context)
+ (genfscon "nsfs" "/" fs_context)
- (blockinherit .noseclabelfs.template))
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/pidnoseclabelfs.cil b/src/fs/noseclabelfs/pidnoseclabelfs.cil
index 90cb19a..1d575b9 100644
--- a/src/fs/noseclabelfs/pidnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/pidnoseclabelfs.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block pid
- (genfscon "pidfs" "/" fs_context)
+ (genfscon "pidfs" "/" fs_context)
- (blockinherit .noseclabelfs.template))
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/procnoseclabelfs.cil b/src/fs/noseclabelfs/procnoseclabelfs.cil
index c4401e8..8ab7f96 100644
--- a/src/fs/noseclabelfs/procnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/procnoseclabelfs.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block proc
- (genfscon "proc" "/" fs_context)
+ (genfscon "proc" "/" fs_context)
- (blockinherit .fs.macro_template_lnk_files)
- (blockinherit .noseclabelfs.template))
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/removablenoseclabelfs.cil b/src/fs/noseclabelfs/removablenoseclabelfs.cil
index eb69a6a..cb0c7f7 100644
--- a/src/fs/noseclabelfs/removablenoseclabelfs.cil
+++ b/src/fs/noseclabelfs/removablenoseclabelfs.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in removable
diff --git a/src/fs/noseclabelfs/resctrlnoseclabelfs.cil b/src/fs/noseclabelfs/resctrlnoseclabelfs.cil
index 20d84b7..4e16e68 100644
--- a/src/fs/noseclabelfs/resctrlnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/resctrlnoseclabelfs.cil
@@ -1,11 +1,11 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block resctrl
- (filecon "/sys/fs/resctrl" dir ())
- (filecon "/sys/fs/resctrl/.*" any ())
+ (filecon "/sys/fs/resctrl" dir ())
+ (filecon "/sys/fs/resctrl/.*" any ())
- (genfscon "resctrl" "/" fs_context)
+ (genfscon "resctrl" "/" fs_context)
- (blockinherit .noseclabelfs.template))
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/rpcpipenoseclabelfs.cil b/src/fs/noseclabelfs/rpcpipenoseclabelfs.cil
index f7608fc..e2be422 100644
--- a/src/fs/noseclabelfs/rpcpipenoseclabelfs.cil
+++ b/src/fs/noseclabelfs/rpcpipenoseclabelfs.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block rpcpipe
- (genfscon "rpc_pipefs" "/" fs_context)
+ (genfscon "rpc_pipefs" "/" fs_context)
- (blockinherit .fs.macro_template_fs)
- (blockinherit .noseclabelfs.base_template))
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/securitynoseclabelfs.cil b/src/fs/noseclabelfs/securitynoseclabelfs.cil
index 59c5e3b..a0b7a8d 100644
--- a/src/fs/noseclabelfs/securitynoseclabelfs.cil
+++ b/src/fs/noseclabelfs/securitynoseclabelfs.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block security
- (genfscon "securityfs" "/" fs_context)
+ (genfscon "securityfs" "/" fs_context)
- (blockinherit .fs.macro_template_lnk_files)
- (blockinherit .noseclabelfs.template))
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/selinuxnoseclabelfs.cil b/src/fs/noseclabelfs/selinuxnoseclabelfs.cil
index 1245921..8d27ba7 100644
--- a/src/fs/noseclabelfs/selinuxnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/selinuxnoseclabelfs.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in selinux
diff --git a/src/fs/noseclabelfs/udfnoseclabelfs.cil b/src/fs/noseclabelfs/udfnoseclabelfs.cil
index 4f2ec42..d096086 100644
--- a/src/fs/noseclabelfs/udfnoseclabelfs.cil
+++ b/src/fs/noseclabelfs/udfnoseclabelfs.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block udf
- (genfscon "udf" "/" fs_context)
+ (genfscon "udf" "/" fs_context)
- (blockinherit .noseclabelfs.template))
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/seclabelfs.cil b/src/fs/seclabelfs.cil
index 7b6a6ef..d21caaa 100644
--- a/src/fs/seclabelfs.cil
+++ b/src/fs/seclabelfs.cil
@@ -1,37 +1,37 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block seclabelfs
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .fs.all_macro_template_fs)
+ (blockinherit .fs.all_macro_template_fs)
- (blockinherit .file.all_macro_template_all_files)
- (blockinherit .file.all_macro_template_blk_files)
- (blockinherit .file.all_macro_template_chr_files)
- (blockinherit .file.all_macro_template_dirs)
- (blockinherit .file.all_macro_template_fifo_files)
- (blockinherit .file.all_macro_template_files)
- (blockinherit .file.all_macro_template_lnk_files)
- (blockinherit .file.all_macro_template_sock_files)
+ (blockinherit .file.all_macro_template_all_files)
+ (blockinherit .file.all_macro_template_blk_files)
+ (blockinherit .file.all_macro_template_chr_files)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_fifo_files)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+ (blockinherit .file.all_macro_template_sock_files)
- (call .fs.type (typeattr))
+ (call .fs.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .fs.base_template)
+ (blockinherit .fs.base_template)
- (call .seclabelfs.type (fs)))
+ (call .seclabelfs.type (fs)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .fs.macro_template_fs)
- (blockinherit .seclabelfs.base_template)))
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .seclabelfs.base_template)))
diff --git a/src/fs/seclabelfs/cgroupseclabelfs.cil b/src/fs/seclabelfs/cgroupseclabelfs.cil
index 18266a1..0a0f9ef 100644
--- a/src/fs/seclabelfs/cgroupseclabelfs.cil
+++ b/src/fs/seclabelfs/cgroupseclabelfs.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block cgroup
diff --git a/src/fs/seclabelfs/debugseclabelfs.cil b/src/fs/seclabelfs/debugseclabelfs.cil
index bb2a336..1a99048 100644
--- a/src/fs/seclabelfs/debugseclabelfs.cil
+++ b/src/fs/seclabelfs/debugseclabelfs.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in debug
diff --git a/src/fs/seclabelfs/devptsseclabelfs.cil b/src/fs/seclabelfs/devptsseclabelfs.cil
index 59d4789..4545f1f 100644
--- a/src/fs/seclabelfs/devptsseclabelfs.cil
+++ b/src/fs/seclabelfs/devptsseclabelfs.cil
@@ -1,11 +1,11 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block devpts
- (fsuse trans "devpts" fs_context)
+ (fsuse trans "devpts" fs_context)
- (blockinherit .fs.macro_template_dirs)
- (blockinherit .fs.macro_template_chr_files)
- (blockinherit .fs.macro_template_fs)
- (blockinherit .seclabelfs.base_template))
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_chr_files)
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .seclabelfs.base_template))
diff --git a/src/fs/seclabelfs/devtmpseclabelfs.cil b/src/fs/seclabelfs/devtmpseclabelfs.cil
index a5a35e2..fdfc120 100644
--- a/src/fs/seclabelfs/devtmpseclabelfs.cil
+++ b/src/fs/seclabelfs/devtmpseclabelfs.cil
@@ -1,16 +1,16 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block devtmp
- (fsuse trans "devtmpfs" fs_context)
+ (fsuse trans "devtmpfs" fs_context)
- (blockinherit .fs.macro_template_all_files)
- (blockinherit .fs.macro_template_blk_files)
- (blockinherit .fs.macro_template_chr_files)
- (blockinherit .fs.macro_template_dirs)
- (blockinherit .fs.macro_template_fifo_files)
- (blockinherit .fs.macro_template_files)
- (blockinherit .fs.macro_template_lnk_files)
- (blockinherit .fs.macro_template_sock_files)
- (blockinherit .seclabelfs.template))
+ (blockinherit .fs.macro_template_all_files)
+ (blockinherit .fs.macro_template_blk_files)
+ (blockinherit .fs.macro_template_chr_files)
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_fifo_files)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .fs.macro_template_sock_files)
+ (blockinherit .seclabelfs.template))
diff --git a/src/fs/seclabelfs/eventpollseclabelfs.cil b/src/fs/seclabelfs/eventpollseclabelfs.cil
index 1ec86f8..dcabbc2 100644
--- a/src/fs/seclabelfs/eventpollseclabelfs.cil
+++ b/src/fs/seclabelfs/eventpollseclabelfs.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block eventpoll
- (fsuse task "eventpollfs" fs_context)
+ (fsuse task "eventpollfs" fs_context)
- (blockinherit .seclabelfs.base_template))
+ (blockinherit .seclabelfs.base_template))
diff --git a/src/fs/seclabelfs/hugetlbseclabelfs.cil b/src/fs/seclabelfs/hugetlbseclabelfs.cil
index a2474d4..81f7a86 100644
--- a/src/fs/seclabelfs/hugetlbseclabelfs.cil
+++ b/src/fs/seclabelfs/hugetlbseclabelfs.cil
@@ -1,10 +1,10 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block hugetlb
- (fsuse trans "hugetlbfs" fs_context)
+ (fsuse trans "hugetlbfs" fs_context)
- (blockinherit .fs.macro_template_dirs)
- (blockinherit .fs.macro_template_files)
- (blockinherit .seclabelfs.template))
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .seclabelfs.template))
diff --git a/src/fs/seclabelfs/mqueueseclabelfs.cil b/src/fs/seclabelfs/mqueueseclabelfs.cil
index 7307449..431afb5 100644
--- a/src/fs/seclabelfs/mqueueseclabelfs.cil
+++ b/src/fs/seclabelfs/mqueueseclabelfs.cil
@@ -1,12 +1,12 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block mqueue
- (fsuse trans "mqueue" fs_context)
+ (fsuse trans "mqueue" fs_context)
- (blockinherit .fs.macro_template_dirs)
- (blockinherit .fs.macro_template_files)
- (blockinherit .seclabelfs.template)
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .seclabelfs.template)
- (call .rbacsep.exempt.obj.type (fs)))
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/fs/seclabelfs/nfs4seclabelfs.cil b/src/fs/seclabelfs/nfs4seclabelfs.cil
index 752aa01..25c1fed 100644
--- a/src/fs/seclabelfs/nfs4seclabelfs.cil
+++ b/src/fs/seclabelfs/nfs4seclabelfs.cil
@@ -1,10 +1,10 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block nfs4
- (genfscon "nfs4" "/" fs_context)
+ (genfscon "nfs4" "/" fs_context)
- (blockinherit .seclabelfs.template)
+ (blockinherit .seclabelfs.template)
- (allow fs self (filesystem (associate))))
+ (allow fs self (filesystem (associate))))
diff --git a/src/fs/seclabelfs/pipeseclabelfs.cil b/src/fs/seclabelfs/pipeseclabelfs.cil
index 3496562..0de2d3f 100644
--- a/src/fs/seclabelfs/pipeseclabelfs.cil
+++ b/src/fs/seclabelfs/pipeseclabelfs.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block pipe
- (fsuse task "pipefs" fs_context)
+ (fsuse task "pipefs" fs_context)
- (blockinherit .seclabelfs.base_template))
+ (blockinherit .seclabelfs.base_template))
diff --git a/src/fs/seclabelfs/pstoreseclabelfs.cil b/src/fs/seclabelfs/pstoreseclabelfs.cil
index 10ef8f3..92c272a 100644
--- a/src/fs/seclabelfs/pstoreseclabelfs.cil
+++ b/src/fs/seclabelfs/pstoreseclabelfs.cil
@@ -1,12 +1,12 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block pstore
- (genfscon "pstore" "/" fs_context)
+ (genfscon "pstore" "/" fs_context)
- (blockinherit .fs.macro_template_dirs)
- (blockinherit .fs.macro_template_files)
- (blockinherit .seclabelfs.template)
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .seclabelfs.template)
- (allow fs self (filesystem (associate))))
+ (allow fs self (filesystem (associate))))
diff --git a/src/fs/seclabelfs/rootseclabelfs.cil b/src/fs/seclabelfs/rootseclabelfs.cil
index 7c86c65..2170132 100644
--- a/src/fs/seclabelfs/rootseclabelfs.cil
+++ b/src/fs/seclabelfs/rootseclabelfs.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in root
diff --git a/src/fs/seclabelfs/sockseclabelfs.cil b/src/fs/seclabelfs/sockseclabelfs.cil
index 84ba42c..4f8f6e4 100644
--- a/src/fs/seclabelfs/sockseclabelfs.cil
+++ b/src/fs/seclabelfs/sockseclabelfs.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block sock
- (fsuse task "sockfs" fs_context)
+ (fsuse task "sockfs" fs_context)
- (blockinherit .seclabelfs.base_template))
+ (blockinherit .seclabelfs.base_template))
diff --git a/src/fs/seclabelfs/sysseclabelfs.cil b/src/fs/seclabelfs/sysseclabelfs.cil
index a0c3fc6..622d34d 100644
--- a/src/fs/seclabelfs/sysseclabelfs.cil
+++ b/src/fs/seclabelfs/sysseclabelfs.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in sys
diff --git a/src/fs/seclabelfs/tmpseclabelfs.cil b/src/fs/seclabelfs/tmpseclabelfs.cil
index a37e0fc..8bcd891 100644
--- a/src/fs/seclabelfs/tmpseclabelfs.cil
+++ b/src/fs/seclabelfs/tmpseclabelfs.cil
@@ -1,18 +1,18 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block tmp - (fsuse trans "ramfs" fs_context) - (fsuse trans "shm" fs_context) - (fsuse trans "tmpfs" fs_context) + (fsuse trans "ramfs" fs_context) + (fsuse trans "shm" fs_context) + (fsuse trans "tmpfs" fs_context) - (blockinherit .fs.macro_template_all_files) - (blockinherit .fs.macro_template_blk_files) - (blockinherit .fs.macro_template_chr_files) - (blockinherit .fs.macro_template_dirs) - (blockinherit .fs.macro_template_fifo_files) - (blockinherit .fs.macro_template_files) - (blockinherit .fs.macro_template_lnk_files) - (blockinherit .fs.macro_template_sock_files) - (blockinherit .seclabelfs.template)) + (blockinherit .fs.macro_template_all_files) + (blockinherit .fs.macro_template_blk_files) + (blockinherit .fs.macro_template_chr_files) + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_fifo_files) + (blockinherit .fs.macro_template_files) + (blockinherit .fs.macro_template_lnk_files) + (blockinherit .fs.macro_template_sock_files) + (blockinherit .seclabelfs.template)) diff --git a/src/fs/seclabelfs/traceseclabelfs.cil b/src/fs/seclabelfs/traceseclabelfs.cil index f52d51e..1589181 100644 --- a/src/fs/seclabelfs/traceseclabelfs.cil +++ b/src/fs/seclabelfs/traceseclabelfs.cil @@ -1,10 +1,10 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block trace - (genfscon "tracefs" "/" fs_context) + (genfscon "tracefs" "/" fs_context) - (blockinherit .fs.macro_template_dirs) - (blockinherit .fs.macro_template_files) - (blockinherit .seclabelfs.template)) + (blockinherit .fs.macro_template_dirs) + (blockinherit .fs.macro_template_files) + (blockinherit .seclabelfs.template)) 
diff --git a/src/fs/seclabelfs/xattrseclabelfs.cil b/src/fs/seclabelfs/xattrseclabelfs.cil
index bdc02a2..fbe64ff 100644
--- a/src/fs/seclabelfs/xattrseclabelfs.cil
+++ b/src/fs/seclabelfs/xattrseclabelfs.cil
@@ -1,36 +1,36 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block xattr - (fsuse xattr "bcachefs" fs_context) - (fsuse xattr "btrfs" fs_context) - (fsuse xattr "ceph" fs_context) - (fsuse xattr "encfs" fs_context) - (fsuse xattr "erofs" fs_context) - (fsuse xattr "ext2" fs_context) - (fsuse xattr "ext3" fs_context) - (fsuse xattr "ext4" fs_context) - (fsuse xattr "ext4dev" fs_context) - (fsuse xattr "f2fs" fs_context) - (fsuse xattr "gfs" fs_context) - (fsuse xattr "gfs2" fs_context) - (fsuse xattr "gpfs" fs_context) - (fsuse xattr "incremental-fs" fs_context) - (fsuse xattr "jffs2" fs_context) - (fsuse xattr "jfs" fs_context) - (fsuse xattr "lustre" fs_context) - (fsuse xattr "ocfs2" fs_context) - (fsuse xattr "odms" fs_context) - (fsuse xattr "overlay" fs_context) - (fsuse xattr "shiftfs" fs_context) - (fsuse xattr "squashfs" fs_context) - (fsuse xattr "ubifs" fs_context) - (fsuse xattr "virtiofs" fs_context) - (fsuse xattr "vxclonefs" fs_context) - (fsuse xattr "vxfs" fs_context) - (fsuse xattr "xfs" fs_context) - (fsuse xattr "yaffs2" fs_context) - (fsuse xattr "zfs" fs_context) + (fsuse xattr "bcachefs" fs_context) + (fsuse xattr "btrfs" fs_context) + (fsuse xattr "ceph" fs_context) + (fsuse xattr "encfs" fs_context) + (fsuse xattr "erofs" fs_context) + (fsuse xattr "ext2" fs_context) + (fsuse xattr "ext3" fs_context) + (fsuse xattr "ext4" fs_context) + (fsuse xattr "ext4dev" fs_context) + (fsuse xattr "f2fs" fs_context) + (fsuse xattr "gfs" fs_context) + (fsuse xattr "gfs2" fs_context) + (fsuse xattr "gpfs" fs_context) + (fsuse xattr "incremental-fs" fs_context) + (fsuse xattr "jffs2" fs_context) + (fsuse xattr "jfs" fs_context) + (fsuse xattr "lustre" fs_context) + (fsuse xattr "ocfs2" fs_context) + (fsuse xattr "odms" fs_context) + (fsuse xattr "overlay" fs_context) + (fsuse xattr "shiftfs" 
fs_context) + (fsuse xattr "squashfs" fs_context) + (fsuse xattr "ubifs" fs_context) + (fsuse xattr "virtiofs" fs_context) + (fsuse xattr "vxclonefs" fs_context) + (fsuse xattr "vxfs" fs_context) + (fsuse xattr "xfs" fs_context) + (fsuse xattr "yaffs2" fs_context) + (fsuse xattr "zfs" fs_context) - (blockinherit .seclabelfs.template)) + (blockinherit .seclabelfs.template)) diff --git a/src/invalid.cil b/src/invalid.cil index 2efb466..2737a99 100644 --- a/src/invalid.cil +++ b/src/invalid.cil 
@@ -1,407 +1,407 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (sidcontext unlabeled (sys.id sys.role invalid sys.lowlow)) (macro addname_invalid_dirs ((type ARG1)) - (allow ARG1 invalid addname_dir)) + (allow ARG1 invalid addname_dir)) (macro append_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid append_blk_file)) + (allow ARG1 invalid append_blk_file)) (macro append_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid append_chr_file)) + (allow ARG1 invalid append_chr_file)) (macro append_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid append_fifo_file)) + (allow ARG1 invalid append_fifo_file)) (macro append_invalid_files ((type ARG1)) - (allow ARG1 invalid append_file)) + (allow ARG1 invalid append_file)) (macro appendinherited_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid appendinherited_blk_file)) + (allow ARG1 invalid appendinherited_blk_file)) (macro appendinherited_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid appendinherited_chr_file)) + (allow ARG1 invalid appendinherited_chr_file)) (macro appendinherited_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid appendinherited_fifo_file)) + (allow ARG1 invalid appendinherited_fifo_file)) (macro appendinherited_invalid_files ((type ARG1)) - (allow ARG1 invalid appendinherited_file)) + (allow ARG1 invalid appendinherited_file)) (macro create_invalid ((type ARG1)) - (allow ARG1 invalid (files (create)))) + (allow ARG1 invalid (files (create)))) (macro create_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid create_blk_file)) + (allow ARG1 invalid create_blk_file)) (macro create_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid create_chr_file)) + (allow ARG1 invalid create_chr_file)) (macro create_invalid_dirs ((type ARG1)) - (allow ARG1 invalid create_dir)) + (allow ARG1 invalid create_dir)) (macro 
create_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid create_fifo_file)) + (allow ARG1 invalid create_fifo_file)) (macro create_invalid_files ((type ARG1)) - (allow ARG1 invalid create_file)) + (allow ARG1 invalid create_file)) (macro create_invalid_lnk_files ((type ARG1)) - (allow ARG1 invalid create_lnk_file)) + (allow ARG1 invalid create_lnk_file)) (macro create_invalid_sock_files ((type ARG1)) - (allow ARG1 invalid create_sock_file)) + (allow ARG1 invalid create_sock_file)) (macro delete_invalid ((type ARG1)) - (allow ARG1 invalid (files (delete)))) + (allow ARG1 invalid (files (delete)))) (macro delete_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid delete_blk_file)) + (allow ARG1 invalid delete_blk_file)) (macro delete_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid delete_chr_file)) + (allow ARG1 invalid delete_chr_file)) (macro delete_invalid_dirs ((type ARG1)) - (allow ARG1 invalid delete_dir)) + (allow ARG1 invalid delete_dir)) (macro delete_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid delete_fifo_file)) + (allow ARG1 invalid delete_fifo_file)) (macro delete_invalid_files ((type ARG1)) - (allow ARG1 invalid delete_file)) + (allow ARG1 invalid delete_file)) (macro delete_invalid_lnk_files ((type ARG1)) - (allow ARG1 invalid delete_lnk_file)) + (allow ARG1 invalid delete_lnk_file)) (macro delete_invalid_sock_files ((type ARG1)) - (allow ARG1 invalid delete_sock_file)) + (allow ARG1 invalid delete_sock_file)) (macro deletename_invalid_dirs ((type ARG1)) - (allow ARG1 invalid deletename_dir)) + (allow ARG1 invalid deletename_dir)) (macro execute_invalid_files ((type ARG1)) - (allow ARG1 invalid execute_file)) + (allow ARG1 invalid execute_file)) (macro getattr_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process (getattr)))) + (allow ARG1 invalid (process (getattr)))) (macro getrlimit_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process (getrlimit)))) + (allow ARG1 invalid (process (getrlimit)))) (macro 
getsched_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process (getsched)))) + (allow ARG1 invalid (process (getsched)))) (macro invalid_type_transition ((type ARG1)(type ARG2)(class ARG3)(name ARG4)) - (typetransition ARG1 invalid ARG3 ARG4 ARG2) - (call addname_invalid_dirs (ARG1))) + (typetransition ARG1 invalid ARG3 ARG4 ARG2) + (call addname_invalid_dirs (ARG1))) (macro list_invalid_dirs ((type ARG1)) - (allow ARG1 invalid list_dir)) + (allow ARG1 invalid list_dir)) (macro listinherited_invalid_dirs ((type ARG1)) - (allow ARG1 invalid listinherited_dir)) + (allow ARG1 invalid listinherited_dir)) (macro manage_invalid ((type ARG1)) - (allow ARG1 invalid (files (manage)))) + (allow ARG1 invalid (files (manage)))) (macro manage_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid manage_blk_file)) + (allow ARG1 invalid manage_blk_file)) (macro manage_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid manage_chr_file)) + (allow ARG1 invalid manage_chr_file)) (macro manage_invalid_dirs ((type ARG1)) - (allow ARG1 invalid manage_dir)) + (allow ARG1 invalid manage_dir)) (macro manage_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid manage_fifo_file)) + (allow ARG1 invalid manage_fifo_file)) (macro manage_invalid_files ((type ARG1)) - (allow ARG1 invalid manage_file)) + (allow ARG1 invalid manage_file)) (macro manage_invalid_lnk_files ((type ARG1)) - (allow ARG1 invalid manage_lnk_file)) + (allow ARG1 invalid manage_lnk_file)) (macro manage_invalid_sock_files ((type ARG1)) - (allow ARG1 invalid manage_sock_file)) + (allow ARG1 invalid manage_sock_file)) (macro mapexecute_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid mapexecute_chr_file)) + (allow ARG1 invalid mapexecute_chr_file)) (macro mapexecute_invalid_files ((type ARG1)) - (allow ARG1 invalid mapexecute_file)) + (allow ARG1 invalid mapexecute_file)) (macro mounton_invalid_dirs ((type ARG1)) - (allow ARG1 invalid mounton_dir)) + (allow ARG1 invalid mounton_dir)) (macro 
mounton_invalid_files ((type ARG1)) - (allow ARG1 invalid mounton_file)) + (allow ARG1 invalid mounton_file)) (macro nnptransition_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process2 (nnp_transition)))) + (allow ARG1 invalid (process2 (nnp_transition)))) (macro noatsecure_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process (noatsecure)))) + (allow ARG1 invalid (process (noatsecure)))) (macro nosuidtransition_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process2 (nosuid_transition)))) + (allow ARG1 invalid (process2 (nosuid_transition)))) (macro ps_invalid_states ((type ARG1)) - (allow ARG1 invalid (state (ps)))) + (allow ARG1 invalid (state (ps)))) (macro ptrace_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process (ptrace)))) + (allow ARG1 invalid (process (ptrace)))) (macro read_invalid ((type ARG1)) - (allow ARG1 invalid (files (read)))) + (allow ARG1 invalid (files (read)))) (macro read_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid read_blk_file)) + (allow ARG1 invalid read_blk_file)) (macro read_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid read_chr_file)) + (allow ARG1 invalid read_chr_file)) (macro read_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid read_fifo_file)) + (allow ARG1 invalid read_fifo_file)) (macro read_invalid_files ((type ARG1)) - (allow ARG1 invalid read_file)) + (allow ARG1 invalid read_file)) (macro read_invalid_lnk_files ((type ARG1)) - (allow ARG1 invalid read_lnk_file)) + (allow ARG1 invalid read_lnk_file)) (macro read_invalid_sock_files ((type ARG1)) - (allow ARG1 invalid read_sock_file)) + (allow ARG1 invalid read_sock_file)) (macro read_invalid_states ((type ARG1)) - (allow ARG1 invalid (state (read)))) + (allow ARG1 invalid (state (read)))) (macro readinherited_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid readinherited_blk_file)) + (allow ARG1 invalid readinherited_blk_file)) (macro readinherited_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid 
readinherited_chr_file)) + (allow ARG1 invalid readinherited_chr_file)) (macro readinherited_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid readinherited_fifo_file)) + (allow ARG1 invalid readinherited_fifo_file)) (macro readinherited_invalid_files ((type ARG1)) - (allow ARG1 invalid readinherited_file)) + (allow ARG1 invalid readinherited_file)) (macro readinherited_invalid_sock_files ((type ARG1)) - (allow ARG1 invalid readinherited_sock_file)) + (allow ARG1 invalid readinherited_sock_file)) (macro readwrite_invalid ((type ARG1)) - (allow ARG1 invalid (files (readwrite)))) + (allow ARG1 invalid (files (readwrite)))) (macro readwrite_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid readwrite_blk_file)) + (allow ARG1 invalid readwrite_blk_file)) (macro readwrite_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid readwrite_chr_file)) + (allow ARG1 invalid readwrite_chr_file)) (macro readwrite_invalid_dirs ((type ARG1)) - (allow ARG1 invalid readwrite_dir)) + (allow ARG1 invalid readwrite_dir)) (macro readwrite_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid readwrite_fifo_file)) + (allow ARG1 invalid readwrite_fifo_file)) (macro readwrite_invalid_files ((type ARG1)) - (allow ARG1 invalid readwrite_file)) + (allow ARG1 invalid readwrite_file)) (macro readwrite_invalid_lnk_files ((type ARG1)) - (allow ARG1 invalid readwrite_lnk_file)) + (allow ARG1 invalid readwrite_lnk_file)) (macro readwrite_invalid_sock_files ((type ARG1)) - (allow ARG1 invalid readwrite_sock_file)) + (allow ARG1 invalid readwrite_sock_file)) (macro readwriteinherited_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid readwriteinherited_blk_file)) + (allow ARG1 invalid readwriteinherited_blk_file)) (macro readwriteinherited_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid readwriteinherited_chr_file)) + (allow ARG1 invalid readwriteinherited_chr_file)) (macro readwriteinherited_invalid_dirs ((type ARG1)) - (allow ARG1 invalid readwriteinherited_dir)) + (allow ARG1 
invalid readwriteinherited_dir)) (macro readwriteinherited_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid readwriteinherited_fifo_file)) + (allow ARG1 invalid readwriteinherited_fifo_file)) (macro readwriteinherited_invalid_files ((type ARG1)) - (allow ARG1 invalid readwriteinherited_file)) + (allow ARG1 invalid readwriteinherited_file)) (macro readwriteinherited_invalid_sock_files ((type ARG1)) - (allow ARG1 invalid readwriteinherited_sock_file)) + (allow ARG1 invalid readwriteinherited_sock_file)) (macro relabel_invalid ((type ARG1)) - (allow ARG1 invalid (files (relabel)))) + (allow ARG1 invalid (files (relabel)))) (macro relabel_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid relabel_blk_file)) + (allow ARG1 invalid relabel_blk_file)) (macro relabel_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid relabel_chr_file)) + (allow ARG1 invalid relabel_chr_file)) (macro relabel_invalid_dirs ((type ARG1)) - (allow ARG1 invalid relabel_dir)) + (allow ARG1 invalid relabel_dir)) (macro relabel_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid relabel_fifo_file)) + (allow ARG1 invalid relabel_fifo_file)) (macro relabel_invalid_files ((type ARG1)) - (allow ARG1 invalid relabel_file)) + (allow ARG1 invalid relabel_file)) (macro relabel_invalid_lnk_files ((type ARG1)) - (allow ARG1 invalid relabel_lnk_file)) + (allow ARG1 invalid relabel_lnk_file)) (macro relabel_invalid_sock_files ((type ARG1)) - (allow ARG1 invalid relabel_sock_file)) + (allow ARG1 invalid relabel_sock_file)) (macro relabelfrom_invalid ((type ARG1)) - (allow ARG1 invalid (files (relabelfrom)))) + (allow ARG1 invalid (files (relabelfrom)))) (macro relabelfrom_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid relabelfrom_blk_file)) + (allow ARG1 invalid relabelfrom_blk_file)) (macro relabelfrom_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid relabelfrom_chr_file)) + (allow ARG1 invalid relabelfrom_chr_file)) (macro relabelfrom_invalid_dirs ((type ARG1)) - (allow ARG1 invalid 
relabelfrom_dir)) + (allow ARG1 invalid relabelfrom_dir)) (macro relabelfrom_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid relabelfrom_fifo_file)) + (allow ARG1 invalid relabelfrom_fifo_file)) (macro relabelfrom_invalid_files ((type ARG1)) - (allow ARG1 invalid relabelfrom_file)) + (allow ARG1 invalid relabelfrom_file)) (macro relabelfrom_invalid_lnk_files ((type ARG1)) - (allow ARG1 invalid relabelfrom_lnk_file)) + (allow ARG1 invalid relabelfrom_lnk_file)) (macro relabelfrom_invalid_sock_files ((type ARG1)) - (allow ARG1 invalid relabelfrom_sock_file)) + (allow ARG1 invalid relabelfrom_sock_file)) (macro relabelto_invalid ((type ARG1)) - (allow ARG1 invalid (files (relabelto)))) + (allow ARG1 invalid (files (relabelto)))) (macro relabelto_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid relabelto_blk_file)) + (allow ARG1 invalid relabelto_blk_file)) (macro relabelto_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid relabelto_chr_file)) + (allow ARG1 invalid relabelto_chr_file)) (macro relabelto_invalid_dirs ((type ARG1)) - (allow ARG1 invalid relabelto_dir)) + (allow ARG1 invalid relabelto_dir)) (macro relabelto_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid relabelto_fifo_file)) + (allow ARG1 invalid relabelto_fifo_file)) (macro relabelto_invalid_files ((type ARG1)) - (allow ARG1 invalid relabelto_file)) + (allow ARG1 invalid relabelto_file)) (macro relabelto_invalid_lnk_files ((type ARG1)) - (allow ARG1 invalid relabelto_lnk_file)) + (allow ARG1 invalid relabelto_lnk_file)) (macro relabelto_invalid_sock_files ((type ARG1)) - (allow ARG1 invalid relabelto_sock_file)) + (allow ARG1 invalid relabelto_sock_file)) (macro rename_invalid ((type ARG1)) - (allow ARG1 invalid (files (rename)))) + (allow ARG1 invalid (files (rename)))) (macro rename_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid rename_blk_file)) + (allow ARG1 invalid rename_blk_file)) (macro rename_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid rename_chr_file)) + 
(allow ARG1 invalid rename_chr_file)) (macro rename_invalid_dirs ((type ARG1)) - (allow ARG1 invalid rename_dir)) + (allow ARG1 invalid rename_dir)) (macro rename_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid rename_fifo_file)) + (allow ARG1 invalid rename_fifo_file)) (macro rename_invalid_files ((type ARG1)) - (allow ARG1 invalid rename_file)) + (allow ARG1 invalid rename_file)) (macro rename_invalid_lnk_files ((type ARG1)) - (allow ARG1 invalid rename_lnk_file)) + (allow ARG1 invalid rename_lnk_file)) (macro rename_invalid_sock_files ((type ARG1)) - (allow ARG1 invalid rename_sock_file)) + (allow ARG1 invalid rename_sock_file)) (macro rlimitinh_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process (rlimitinh)))) + (allow ARG1 invalid (process (rlimitinh)))) (macro search_invalid_dirs ((type ARG1)) - (allow ARG1 invalid search_dir)) + (allow ARG1 invalid search_dir)) (macro setrlimit_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process (setrlimit)))) + (allow ARG1 invalid (process (setrlimit)))) (macro setsched_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process (setsched)))) + (allow ARG1 invalid (process (setsched)))) (macro sigchld_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process (sigchld)))) + (allow ARG1 invalid (process (sigchld)))) (macro sigkill_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process (sigkill)))) + (allow ARG1 invalid (process (sigkill)))) (macro signal_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process (signal)))) + (allow ARG1 invalid (process (signal)))) (macro signull_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process (signull)))) + (allow ARG1 invalid (process (signull)))) (macro sigstop_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process (sigstop)))) + (allow ARG1 invalid (process (sigstop)))) (macro transition_invalid_processes ((type ARG1)) - (allow ARG1 invalid (process (transition)))) + (allow ARG1 invalid (process (transition)))) 
(macro write_invalid ((type ARG1)) - (allow ARG1 invalid (files (write)))) + (allow ARG1 invalid (files (write)))) (macro write_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid write_blk_file)) + (allow ARG1 invalid write_blk_file)) (macro write_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid write_chr_file)) + (allow ARG1 invalid write_chr_file)) (macro write_invalid_dirs ((type ARG1)) - (allow ARG1 invalid write_dir)) + (allow ARG1 invalid write_dir)) (macro write_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid write_fifo_file)) + (allow ARG1 invalid write_fifo_file)) (macro write_invalid_files ((type ARG1)) - (allow ARG1 invalid write_file)) + (allow ARG1 invalid write_file)) (macro write_invalid_lnk_files ((type ARG1)) - (allow ARG1 invalid write_lnk_file)) + (allow ARG1 invalid write_lnk_file)) (macro write_invalid_sock_files ((type ARG1)) - (allow ARG1 invalid write_sock_file)) + (allow ARG1 invalid write_sock_file)) (macro writeinherited_invalid_blk_files ((type ARG1)) - (allow ARG1 invalid writeinherited_blk_file)) + (allow ARG1 invalid writeinherited_blk_file)) (macro writeinherited_invalid_chr_files ((type ARG1)) - (allow ARG1 invalid writeinherited_chr_file)) + (allow ARG1 invalid writeinherited_chr_file)) (macro writeinherited_invalid_dirs ((type ARG1)) - (allow ARG1 invalid writeinherited_dir)) + (allow ARG1 invalid writeinherited_dir)) (macro writeinherited_invalid_fifo_files ((type ARG1)) - (allow ARG1 invalid writeinherited_fifo_file)) + (allow ARG1 invalid writeinherited_fifo_file)) (macro writeinherited_invalid_files ((type ARG1)) - (allow ARG1 invalid writeinherited_file)) + (allow ARG1 invalid writeinherited_file)) (macro writeinherited_invalid_sock_files ((type ARG1)) - (allow ARG1 invalid writeinherited_sock_file)) + (allow ARG1 invalid writeinherited_sock_file)) (type invalid) (roletype sys.role invalid) 
@@ -410,31 +410,31 @@ (block invalid - (block unconfined - - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) - - (typeattribute typeattr) - - (allow typeattr .invalid - (process (not (dyntransition execheap execstack transition)))) - (allow typeattr .invalid - (process2 (not (nnp_transition nosuid_transition)))) - - (allow typeattr .invalid - (blk_file (not (audit_access execmod map mounton relabelto)))) - (allow typeattr .invalid - (chr_file (not (audit_access execmod mounton relabelto)))) - (allow typeattr .invalid (dir (not (audit_access execmod relabelto)))) - (allow typeattr .invalid - (fifo_file (not (audit_access execmod map mounton relabelto)))) - (allow typeattr .invalid - (file (not (audit_access entrypoint execmod relabelto)))) - (allow typeattr .invalid - (lnk_file (not (audit_access execmod map mounton relabelto)))) - (allow typeattr .invalid - (sock_file (not (audit_access execmod map mounton relabelto)))))) + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr .invalid + (process (not (dyntransition execheap execstack transition)))) + (allow typeattr .invalid + (process2 (not (nnp_transition nosuid_transition)))) + + (allow typeattr .invalid + (blk_file (not (audit_access execmod map mounton relabelto)))) + (allow typeattr .invalid + (chr_file (not (audit_access execmod mounton relabelto)))) + (allow typeattr .invalid (dir (not (audit_access execmod relabelto)))) + (allow typeattr .invalid + (fifo_file (not (audit_access execmod map mounton relabelto)))) + (allow typeattr .invalid + (file (not (audit_access entrypoint execmod relabelto)))) + (allow typeattr .invalid + (lnk_file (not (audit_access execmod map mounton relabelto)))) + (allow typeattr .invalid + (sock_file (not (audit_access execmod map mounton relabelto)))))) (in unconfined diff --git a/src/misc.cil b/src/misc.cil index 6330878..dbb8148 100644 --- a/src/misc.cil +++ b/src/misc.cil 
@@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (sidcontext init (sys.id sys.role sys.subj sys.lowlow)) ;; userspace_initial_context @@ -19,10 +19,10 @@ (filecon "/tmp" symlink file_context) (macro root_file_type_transition_file ((type ARG1)) - (call .root.file_type_transition - (ARG1 file dir "opt")) - (call .root.file_type_transition - (ARG1 file dir "usr")))) + (call .root.file_type_transition + (ARG1 file dir "opt")) + (call .root.file_type_transition + (ARG1 file dir "usr")))) (in db @@ -30,8 +30,8 @@ (filecon "/var/db/.*" any file_context) (macro var_file_type_transition_file ((type ARG1)) - (call .var.file_type_transition - (ARG1 file dir "db")))) + (call .var.file_type_transition + (ARG1 file dir "db")))) (in debug @@ -50,8 +50,8 @@ (filecon "/dev/.*" symlink file_context) (macro root_file_type_transition_file ((type ARG1)) - (call .root.file_type_transition - (ARG1 file dir "dev"))) + (call .root.file_type_transition + (ARG1 file dir "dev"))) (call .tmp.associate_fs (typeattr)) @@ -77,12 +77,12 @@ (filecon "/efi/.*" any ()) (macro boot_file_type_transition_fs ((type ARG1)) - (call .boot.file_type_transition - (ARG1 fs dir "efi"))) + (call .boot.file_type_transition + (ARG1 fs dir "efi"))) (macro root_file_type_transition_fs ((type ARG1)) - (call .root.file_type_transition - (ARG1 fs dir "efi"))) + (call .root.file_type_transition + (ARG1 fs dir "efi"))) (call .xattr.associate_fs (fs))) 
@@ -97,18 +97,18 @@ (filecon "/usr/bin/.*" any file_context) (macro data_file_type_transition_file ((type ARG1)) - (call .data.file_type_transition - (ARG1 file dir "bin")) - (call .data.file_type_transition - (ARG1 file dir "libexec")) - (call .data.file_type_transition - (ARG1 file dir "sbin"))) + (call .data.file_type_transition + (ARG1 file dir "bin")) + (call .data.file_type_transition + (ARG1 file dir "libexec")) + (call .data.file_type_transition + (ARG1 file dir "sbin"))) (macro root_file_type_transition_file ((type ARG1)) - (call .root.file_type_transition - (ARG1 file dir "bin")) - (call .root.file_type_transition - (ARG1 file dir "sbin")))) + (call .root.file_type_transition + (ARG1 file dir "bin")) + (call .root.file_type_transition + (ARG1 file dir "sbin")))) (in file.run @@ -185,8 +185,8 @@ (filecon "/home/.*" any file_context) (macro root_file_type_transition_file ((type ARG1)) - (call .root.file_type_transition - (ARG1 file dir "home")))) + (call .root.file_type_transition + (ARG1 file dir "home")))) (in hugetlb @@ -201,16 +201,16 @@ (filecon "/usr/lib/.*" any file_context) (macro data_file_type_transition_file ((type ARG1)) - (call .data.file_type_transition - (ARG1 file dir "lib")) - (call .data.file_type_transition - (ARG1 file dir "lib64"))) + (call .data.file_type_transition + (ARG1 file dir "lib")) + (call .data.file_type_transition + (ARG1 file dir "lib64"))) (macro root_file_type_transition_file ((type ARG1)) - (call .root.file_type_transition - (ARG1 file dir "lib")) - (call .root.file_type_transition - (ARG1 file dir "lib64")))) + (call .root.file_type_transition + (ARG1 file dir "lib")) + (call .root.file_type_transition + (ARG1 file dir "lib64")))) (in log @@ -218,8 +218,8 @@ (filecon "/var/log/.*" any file_context) (macro var_file_type_transition_file ((type ARG1)) - (call .var.file_type_transition - (ARG1 file dir "log"))) + (call .var.file_type_transition + (ARG1 file dir "log"))) (call .tmp.associate_fs (file))) 
@@ -280,56 +280,56 @@ (filecon "/var/tmp/lost\+found" dir file_context) (macro boot_file_type_transition_file ((type ARG1)) - (call .boot.file_type_transition - (ARG1 file dir "lost+found"))) + (call .boot.file_type_transition + (ARG1 file dir "lost+found"))) (macro cache_file_type_transition_file ((type ARG1)) - (call .cache.file_type_transition - (ARG1 file dir "lost+found"))) + (call .cache.file_type_transition + (ARG1 file dir "lost+found"))) (macro conf_file_type_transition_file ((type ARG1)) - (call .conf.file_type_transition - (ARG1 file dir "lost+found"))) + (call .conf.file_type_transition + (ARG1 file dir "lost+found"))) (macro data_file_type_transition_file ((type ARG1)) - (call .data.file_type_transition - (ARG1 file dir "lost+found"))) + (call .data.file_type_transition + (ARG1 file dir "lost+found"))) (macro db_file_type_transition_file ((type ARG1)) - (call .db.file_type_transition - (ARG1 file dir "lost+found"))) + (call .db.file_type_transition + (ARG1 file dir "lost+found"))) (macro home_file_type_transition_file ((type ARG1)) - (call .home.file_type_transition - (ARG1 file dir "lost+found"))) + (call .home.file_type_transition + (ARG1 file dir "lost+found"))) (macro log_file_type_transition_file ((type ARG1)) - (call .log.file_type_transition - (ARG1 file dir "lost+found"))) + (call .log.file_type_transition + (ARG1 file dir "lost+found"))) (macro root_file_type_transition_file ((type ARG1)) - (call .root.file_type_transition - (ARG1 file dir "lost+found"))) + (call .root.file_type_transition + (ARG1 file dir "lost+found"))) (macro run_file_type_transition_file ((type ARG1)) - (call .run.file_type_transition - (ARG1 file dir "lost+found"))) + (call .run.file_type_transition + (ARG1 file dir "lost+found"))) (macro spool_file_type_transition_file ((type ARG1)) - (call .spool.file_type_transition - (ARG1 file dir "lost+found"))) + (call .spool.file_type_transition + (ARG1 file dir "lost+found"))) (macro state_file_type_transition_file ((type ARG1)) 
- (call .state.file_type_transition - (ARG1 file dir "lost+found"))) + (call .state.file_type_transition + (ARG1 file dir "lost+found"))) (macro tmp_file_type_transition_file ((type ARG1)) - (call .tmp.file_type_transition - (ARG1 file dir "lost+found"))) + (call .tmp.file_type_transition + (ARG1 file dir "lost+found"))) (macro var_file_type_transition_file ((type ARG1)) - (call .var.file_type_transition - (ARG1 file dir "lost+found")))) + (call .var.file_type_transition + (ARG1 file dir "lost+found")))) (in mail.spool @@ -337,12 +337,12 @@ (filecon "/var/spool/mail/.*" any file_context) (macro spool_file_type_transition_file ((type ARG1)) - (call .spool.file_type_transition - (ARG1 file dir "mail"))) + (call .spool.file_type_transition + (ARG1 file dir "mail"))) (macro var_file_type_transition_file ((type ARG1)) - (call .var.file_type_transition - (ARG1 file dir "mail")))) + (call .var.file_type_transition + (ARG1 file dir "mail")))) (in media @@ -357,14 +357,14 @@ (filecon "/run/media/.*" any ()) (macro root_file_type_transition_file ((type ARG1)) - (call .root.file_type_transition - (ARG1 file dir "media")) - (call .root.file_type_transition - (ARG1 file dir "mnt"))) + (call .root.file_type_transition + (ARG1 file dir "media")) + (call .root.file_type_transition + (ARG1 file dir "mnt"))) (macro run_file_type_transition_file ((type ARG1)) - (call .run.file_type_transition - (ARG1 file dir "media"))) + (call .run.file_type_transition + (ARG1 file dir "media"))) (call .tmp.associate_fs (file))) @@ -374,8 +374,8 @@ (filecon "/usr/lib/modules/.*" any file_context) (macro lib_file_type_transition_file ((type ARG1)) - (call .lib.file_type_transition - (ARG1 file dir "modules")))) + (call .lib.file_type_transition + (ARG1 file dir "modules")))) (in mqueue 
@@ -390,8 +390,8 @@ (filecon "/proc/.*" any ()) (macro root_file_type_transition_fs ((type ARG1)) - (call .root.file_type_transition - (ARG1 fs dir "proc"))) + (call .root.file_type_transition + (ARG1 fs dir "proc"))) (call .xattr.associate_fs (fs))) @@ -418,12 +418,12 @@ (filecon "/run/.*" any file_context) (macro root_file_type_transition_file ((type ARG1)) - (call .root.file_type_transition - (ARG1 file dir "run"))) + (call .root.file_type_transition + (ARG1 file dir "run"))) (macro var_file_type_transition_file ((type ARG1)) - (call .var.file_type_transition - (ARG1 file dir "run"))) + (call .var.file_type_transition + (ARG1 file dir "run"))) (call .root.associate_fs (file))) @@ -435,12 +435,12 @@ (filecon "/run/lock/subsys" dir file_context) (macro run_file_type_transition_file ((type ARG1)) - (call .run.file_type_transition - (ARG1 file dir "lock"))) + (call .run.file_type_transition + (ARG1 file dir "lock"))) (macro var_file_type_transition_file ((type ARG1)) - (call .var.file_type_transition - (ARG1 file dir "lock")))) + (call .var.file_type_transition + (ARG1 file dir "lock")))) (in runuser @@ -448,8 +448,8 @@ (filecon "/run/user/.*" any file_context) (macro run_file_type_transition_file ((type ARG1)) - (call .run.file_type_transition - (ARG1 file dir "user")))) + (call .run.file_type_transition + (ARG1 file dir "user")))) (in security @@ -467,8 +467,8 @@ (filecon "/var/spool/.*" any file_context) (macro var_file_type_transition_file ((type ARG1)) - (call .var.file_type_transition - (ARG1 file dir "spool")))) + (call .var.file_type_transition + (ARG1 file dir "spool")))) (in src @@ -476,8 +476,8 @@ (filecon "/usr/src/.*" any file_context) (macro data_file_type_transition_file ((type ARG1)) - (call .data.file_type_transition - (ARG1 file dir "src")))) + (call .data.file_type_transition + (ARG1 file dir "src")))) (in state 
@@ -485,8 +485,8 @@ (filecon "/var/lib/.*" any file_context) (macro var_file_type_transition_file ((type ARG1)) - (call .var.file_type_transition - (ARG1 file dir "lib"))) + (call .var.file_type_transition + (ARG1 file dir "lib"))) (call .root.associate_fs (file))) @@ -496,8 +496,8 @@ (filecon "/sys/.*" any ()) (macro root_file_type_transition_fs ((type ARG1)) - (call .root.file_type_transition - (ARG1 fs dir "sys"))) + (call .root.file_type_transition + (ARG1 fs dir "sys"))) (allow fs self (filesystem (associate))) @@ -527,32 +527,32 @@ (filecon "/root/.*" any file_context) (macro root_file_type_transition_file ((type ARG1)) - (call .root.fs_type_transition - (ARG1 file dir "root")))) + (call .root.fs_type_transition + (ARG1 file dir "root")))) (in sys.hugetlbfs (macro hugetlb_fs_type_transition_file ((type ARG1)(name ARG2)) - (call .hugetlb.fs_type_transition - (ARG1 file file ARG2)))) + (call .hugetlb.fs_type_transition + (ARG1 file file ARG2)))) (in sys.mqueuefs (macro mqueue_fs_type_transition_file ((type ARG1)(name ARG2)) - (call .mqueue.fs_type_transition - (ARG1 file file ARG2)))) + (call .mqueue.fs_type_transition + (ARG1 file file ARG2)))) (in sys.tmp (macro tmp_file_type_transition_file ((type ARG1)(class ARG2)(name ARG3)) - (call .tmp.file_type_transition - (ARG1 file ARG2 ARG3)))) + (call .tmp.file_type_transition + (ARG1 file ARG2 ARG3)))) (in sys.tmpfs (macro tmp_fs_type_transition_file ((type ARG1)(class ARG2)(name ARG3)) - (call .tmp.fs_type_transition - (ARG1 file ARG2 ARG3)))) + (call .tmp.fs_type_transition + (ARG1 file ARG2 ARG3)))) (in sys.unconfined 
@@ -580,20 +580,20 @@ (filecon "/tmp/\.XIM-unix/.*" any ()) (macro data_file_type_transition_file ((type ARG1)) - (call .data.file_type_transition - (ARG1 file dir "tmp"))) + (call .data.file_type_transition + (ARG1 file dir "tmp"))) (macro root_file_type_transition_file ((type ARG1)) - (call .root.file_type_transition - (ARG1 file dir "tmp"))) + (call .root.file_type_transition + (ARG1 file dir "tmp"))) (macro sys_tmp_file_type_transition_file ((type ARG1)) - (call .sys.tmp.file_type_transition - (ARG1 file dir "tmp"))) + (call .sys.tmp.file_type_transition + (ARG1 file dir "tmp"))) (macro var_file_type_transition_file ((type ARG1)) - (call .var.file_type_transition - (ARG1 file dir "tmp"))) + (call .var.file_type_transition + (ARG1 file dir "tmp"))) (allow fs self (filesystem (associate))) @@ -618,10 +618,10 @@ (filecon "/var/spool/mail" symlink file_context) (macro root_file_type_transition_file ((type ARG1)) - (call .root.file_type_transition - (ARG1 file dir "srv")) - (call .root.file_type_transition - (ARG1 file dir "var")))) + (call .root.file_type_transition + (ARG1 file dir "srv")) + (call .root.file_type_transition + (ARG1 file dir "var")))) (typealias dpkg_script_t) (in sys (typealiasactual dpkg_script_t subj)) diff --git a/src/misc/av.cil b/src/misc/av.cil index afc8687..0847331 100644 --- a/src/misc/av.cil +++ b/src/misc/av.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class blk_file ()) 
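Review bot: The new side of the `@@ -1,4 +1,4 @@` hunk of src/misc/av.cil replaces the `©` in the SPDX-FileCopyrightText line with the literal ASCII text `M-BM-)`, which is how `cat -v` renders the UTF-8 byte pair C2 A9, so the commit corrupts the copyright header instead of merely re-indenting it; the line should stay `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`. The same corruption appears in the leading hunk of every other file in view (binderav.cil, bpfav.cil, capabilityav.cil, fdav.cil, iouringav.cil, ipcav.cil, kernelserviceav.cil, keyav.cil, memprotectav.cil, msgav.cil, perfeventav.cil, socketav.cil) and presumably in the rest of the commit, which suggests the re-indentation was piped through a tool with non-printing-character escaping enabled; it should be redone from the original files without that step, and `grep -rl 'M-BM-' src` should come back empty afterwards. The remaining hunks are whitespace-only re-indentation of CIL policy, so it is also worth confirming that `secilc` produces a byte-identical policy binary before and after the change, which demonstrates that no allow rule, constraint or classpermissionset was altered by the reformat.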
@@ -20,11 +20,11 @@ (classorder (unordered lnk_file)) (class process - (dyntransition execheap execmem execstack fork getattr getcap getpgid - getrlimit getsched getsession noatsecure ptrace rlimitinh - setexec setcap setcurrent setfscreate setkeycreate setpgid - setrlimit setsched setsockcreate share sigchld siginh - sigkill signal signull sigstop transition)) + (dyntransition execheap execmem execstack fork getattr getcap getpgid + getrlimit getsched getsession noatsecure ptrace rlimitinh + setexec setcap setcurrent setfscreate setkeycreate setpgid + setrlimit setsched setsockcreate share sigchld siginh + sigkill signal signull sigstop transition)) (classorder (unordered process)) (class process2 (nnp_transition nosuid_transition)) @@ -42,7 +42,7 @@ (classcommon sock_file common_file) (common common_file - (append audit_access create execmod execute getattr ioctl lock link map - mounton open quotaon read relabelfrom relabelto rename setattr - unlink watch watch_mount watch_reads watch_sb watch_with_perm - write)) + (append audit_access create execmod execute getattr ioctl lock link map + mounton open quotaon read relabelfrom relabelto rename setattr + unlink watch watch_mount watch_reads watch_sb watch_with_perm + write)) diff --git a/src/misc/av/binderav.cil b/src/misc/av/binderav.cil index 592d066..23827f1 100644 --- a/src/misc/av/binderav.cil +++ b/src/misc/av/binderav.cil @@ -1,14 +1,14 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class binder (call impersonate set_context_mgr transfer)) (classorder (unordered binder)) (macro call_invalid_binders ((type ARG1)) - (allow ARG1 .invalid (binder (call)))) + (allow ARG1 .invalid (binder (call)))) (macro transfer_invalid_binders ((type ARG1)) - (allow ARG1 .invalid (binder (transfer)))) + (allow ARG1 .invalid (binder (transfer)))) (in invalid.unconfined 
@@ -17,24 +17,24 @@ (in subj (macro call_all_binders ((type ARG1)) - (allow ARG1 typeattr (binder (call)))) + (allow ARG1 typeattr (binder (call)))) (macro impersonate_all_binders ((type ARG1)) - (allow ARG1 typeattr (binder (impersonate)))) + (allow ARG1 typeattr (binder (impersonate)))) (macro transfer_all_binders ((type ARG1)) - (allow ARG1 typeattr (binder (transfer))))) + (allow ARG1 typeattr (binder (transfer))))) (in subj.macro_template (macro call_subj_binders ((type ARG1)) - (allow ARG1 subj (binder (call)))) + (allow ARG1 subj (binder (call)))) (macro impersonate_subj_binders ((type ARG1)) - (allow ARG1 subj (binder (impersonate)))) + (allow ARG1 subj (binder (impersonate)))) (macro transfer_subj_binders ((type ARG1)) - (allow ARG1 subj (binder (transfer))))) + (allow ARG1 subj (binder (transfer))))) (in subj.unconfined diff --git a/src/misc/av/bpfav.cil b/src/misc/av/bpfav.cil index 286b656..0dcc5e8 100644 --- a/src/misc/av/bpfav.cil +++ b/src/misc/av/bpfav.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class bpf (map_create map_read map_write prog_load prog_run)) @@ -11,18 +11,18 @@ (in mcs (mlsconstrain (bpf (map_read map_write prog_run)) - (or (dom h1 h2) - (neq t1 constrained.typeattr)))) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) (in rbacsep (constrain (bpf (map_read map_write prog_run)) - (or (or (or (eq r1 r2) - (and (eq r1 exempt.roleattr) - (neq t1 constrained.typeattr))) - (eq t1 exempt.subj.typeattr)) - (and (eq t1 exemptsource.typeattr) - (eq t2 exempttarget.typeattr))))) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) (in subj.unconfined 
diff --git a/src/misc/av/capabilityav.cil b/src/misc/av/capabilityav.cil index fa0635a..6b079f5 100644 --- a/src/misc/av/capabilityav.cil +++ b/src/misc/av/capabilityav.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class cap_userns ()) @@ -19,16 +19,16 @@ (classcommon capability2 common_capability2) (common common_capability - (audit_control audit_write chown dac_read_search dac_override fowner - fsetid ipc_lock ipc_owner kill linux_immutable lease - mknod net_admin net_bind_service net_broadcast net_raw - setfcap setgid setpcap setuid sys_admin sys_boot - sys_chroot sys_module sys_nice sys_pacct sys_ptrace - sys_rawio sys_resource sys_time sys_tty_config)) + (audit_control audit_write chown dac_read_search dac_override fowner + fsetid ipc_lock ipc_owner kill linux_immutable lease + mknod net_admin net_bind_service net_broadcast net_raw + setfcap setgid setpcap setuid sys_admin sys_boot + sys_chroot sys_module sys_nice sys_pacct sys_ptrace + sys_rawio sys_resource sys_time sys_tty_config)) (common common_capability2 - (audit_read block_suspend bpf checkpoint_restore mac_admin mac_override - perfmon syslog wake_alarm)) + (audit_read block_suspend bpf checkpoint_restore mac_admin mac_override + perfmon syslog wake_alarm)) (in subj.unconfined diff --git a/src/misc/av/fdav.cil b/src/misc/av/fdav.cil index 9ded93b..b625ceb 100644 --- a/src/misc/av/fdav.cil +++ b/src/misc/av/fdav.cil @@ -1,11 +1,11 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class fd (use)) (classorder (unordered fd)) (macro use_invalid_fds ((type ARG1)) - (allow ARG1 invalid (fd (use)))) + (allow ARG1 invalid (fd (use)))) (in invalid.unconfined 
@@ -14,78 +14,78 @@ (in mcs (mlsconstrain (fd (use)) - (or (or (dom h1 h2) - (neq t1 constrained.typeattr)) - (and (eq t1 usefdsource.typeattr) - (eq t2 usefdtarget.typeattr)))) + (or (or (dom h1 h2) + (neq t1 constrained.typeattr)) + (and (eq t1 usefdsource.typeattr) + (eq t2 usefdtarget.typeattr)))) (block usefdsource - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr)) (block usefdtarget - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr))) + (typeattribute typeattr))) (in rbacsep (constrain (fd (use)) - (or (or (or (eq r1 r2) - (and (eq r1 exempt.roleattr) - (neq t1 constrained.typeattr))) - (eq t1 exempt.subj.typeattr)) - (and (eq t1 usefdsource.typeattr) - (eq t2 usefdtarget.typeattr)))) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 usefdsource.typeattr) + (eq t2 usefdtarget.typeattr)))) (block usefdsource - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr)) (block usefdtarget - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr))) + (typeattribute typeattr))) (in subj (block interactivefd - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (call .mcs.usefdtarget.type (typeattr))) + (call .mcs.usefdtarget.type (typeattr))) (block useinteractivefd - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - 
(typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr interactivefd.typeattr (fd (use))))) + (allow typeattr interactivefd.typeattr (fd (use))))) (in subj.all_macro_template (macro use_all_fds ((type ARG1)) - (allow ARG1 typeattr (fd (use))))) + (allow ARG1 typeattr (fd (use))))) (in subj.macro_template (macro use_subj_fds ((type ARG1)) - (allow ARG1 subj (fd (use))))) + (allow ARG1 subj (fd (use))))) (in subj.unconfined diff --git a/src/misc/av/iouringav.cil b/src/misc/av/iouringav.cil index 2e1c3aa..9476784 100644 --- a/src/misc/av/iouringav.cil +++ b/src/misc/av/iouringav.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class io_uring (cmd override_creds sqpoll)) @@ -35,8 +35,8 @@ (in mcs (mlsconstrain (io_uring (override_creds)) - (or (dom h1 h2) - (neq t1 constrained.typeattr)))) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) (in nodedev.unconfined @@ -57,12 +57,12 @@ (in rbacsep (constrain (io_uring (override_creds)) - (or (or (or (eq r1 r2) - (and (eq r1 exempt.roleattr) - (neq t1 constrained.typeattr))) - (eq t1 exempt.subj.typeattr)) - (and (eq t1 exemptsource.typeattr) - (eq t2 exempttarget.typeattr))))) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) (in securityfile.unconfined diff --git a/src/misc/av/ipcav.cil b/src/misc/av/ipcav.cil index 938daa9..a0041ac 100644 --- a/src/misc/av/ipcav.cil +++ b/src/misc/av/ipcav.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class ipc ()) 
@@ -19,8 +19,8 @@ (classcommon shm common_ipc) (common common_ipc - (associate create destroy getattr read setattr unix_read unix_write - write)) + (associate create destroy getattr read setattr unix_read unix_write + write)) (classpermission create_ipc) (classpermission create_msgq) @@ -38,17 +38,17 @@ (classpermission readwrite_shm) (classpermissionset create_ipc - (ipc (associate create destroy getattr read setattr - unix_read unix_write write))) + (ipc (associate create destroy getattr read setattr + unix_read unix_write write))) (classpermissionset create_msgq - (msgq (associate create destroy enqueue getattr read setattr - unix_read unix_write write))) + (msgq (associate create destroy enqueue getattr read setattr + unix_read unix_write write))) (classpermissionset create_sem - (sem (associate create destroy getattr read setattr - unix_read unix_write write))) + (sem (associate create destroy getattr read setattr + unix_read unix_write write))) (classpermissionset create_shm - (shm (associate create destroy getattr read setattr - unix_read unix_write write))) + (shm (associate create destroy getattr read setattr + unix_read unix_write write))) (classpermissionset read_ipc (ipc (associate getattr read unix_read))) (classpermissionset read_msgq (msgq (associate getattr read unix_read))) 
@@ -56,14 +56,14 @@ (classpermissionset read_shm (shm (associate getattr read unix_read))) (classpermissionset readwrite_ipc - (ipc (associate getattr read unix_read unix_write write))) + (ipc (associate getattr read unix_read unix_write write))) (classpermissionset readwrite_msgq - (msgq (associate enqueue getattr read unix_read unix_write - write))) + (msgq (associate enqueue getattr read unix_read unix_write + write))) (classpermissionset readwrite_sem - (sem (associate getattr read unix_read unix_write write))) + (sem (associate getattr read unix_read unix_write write))) (classpermissionset readwrite_shm - (shm (associate getattr read unix_read unix_write write))) + (shm (associate getattr read unix_read unix_write write))) (classmap constrainipcsubject (create getattr read setattr write)) @@ -95,10 +95,10 @@ (in ibac (constrain (constrainipcsubject (create)) - (or (or (or (eq u1 u2) - (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) - (eq t1 subjchange.typeattr)) - (eq t1 exempt.typeattr)))) + (or (or (or (eq u1 u2) + (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) (in invalid.unconfined 
@@ -110,27 +110,27 @@ (in mcs (mlsconstrain (constrainipcsubject (create getattr read setattr write)) - (or (dom h1 h2) - (neq t1 constrained.typeattr)))) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) (in rbac (constrain (constrainipcsubject (create)) - (or (or (or (eq r1 r2) - (and (eq t1 subjchangesys.typeattr) - (eq r2 .sys.role))) - (eq t1 subjchange.typeattr)) - (eq t1 exempt.typeattr)))) + (or (or (or (eq r1 r2) + (and (eq t1 subjchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) (in rbacsep (constrain (constrainipcsubject (getattr read setattr write)) - (or (or (or (eq r1 r2) - (and (eq r1 exempt.roleattr) - (neq t1 constrained.typeattr))) - (eq t1 exempt.subj.typeattr)) - (and (eq t1 exemptsource.typeattr) - (eq t2 exempttarget.typeattr))))) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) (in subj.unconfined diff --git a/src/misc/av/kernelserviceav.cil b/src/misc/av/kernelserviceav.cil index 7ab098a..e99cb67 100644 --- a/src/misc/av/kernelserviceav.cil +++ b/src/misc/av/kernelserviceav.cil 
@@ -1,17 +1,17 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class kernel_service (create_files_as use_as_override)) (classorder (unordered kernel_service)) (macro createfilesas_invalid_kernel_services ((type ARG1)) - (allow ARG1 invalid (kernel_service (create_files_as)))) + (allow ARG1 invalid (kernel_service (create_files_as)))) (macro createfilesas_unlabeled_kernel_services ((type ARG1)) - (allow ARG1 unlabeled (kernel_service (create_files_as)))) + (allow ARG1 unlabeled (kernel_service (create_files_as)))) (macro useasoverride_invalid_kernel_services ((type ARG1)) - (allow ARG1 invalid (kernel_service (use_as_override)))) + (allow ARG1 invalid (kernel_service (use_as_override)))) (in file @@ -19,17 +19,17 @@ (block all_macro_template_kernel_services - (blockabstract all_macro_template_kernel_services) + (blockabstract all_macro_template_kernel_services) - (macro createfileas_all_kernel_services ((type ARG1)) - (allow ARG1 typeattr (kernel_service (create_files_as))))) + (macro createfileas_all_kernel_services ((type ARG1)) + (allow ARG1 typeattr (kernel_service (create_files_as))))) (block macro_template_kernel_services - (blockabstract macro_template_kernel_services) + (blockabstract macro_template_kernel_services) - (macro createfileas_file_kernel_services ((type ARG1)) - (allow ARG1 file (kernel_service (create_files_as)))))) + (macro createfileas_file_kernel_services ((type ARG1)) + (allow ARG1 file (kernel_service (create_files_as)))))) (in file.unconfined diff --git a/src/misc/av/keyav.cil b/src/misc/av/keyav.cil index 508ea64..3a5ebaf 100644 --- a/src/misc/av/keyav.cil +++ b/src/misc/av/keyav.cil 
@@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class key (create link read search setattr view write)) @@ -7,10 +7,10 @@ (in ibac (constrain (key (create)) - (or (or (or (eq u1 u2) - (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) - (eq t1 subjchange.typeattr)) - (eq t1 exempt.typeattr)))) + (or (or (or (eq u1 u2) + (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) (in invalid.unconfined @@ -19,27 +19,27 @@ (in mcs (mlsconstrain (key (create read setattr view write)) - (or (dom h1 h2) - (neq t1 constrained.typeattr)))) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) (in rbac (constrain (key (create)) - (or (or (or (eq r1 r2) - (and (eq t1 subjchangesys.typeattr) - (eq r2 .sys.role))) - (eq t1 subjchange.typeattr)) - (eq t1 exempt.typeattr)))) + (or (or (or (eq r1 r2) + (and (eq t1 subjchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) (in rbacsep (constrain (key (read setattr view write)) - (or (or (or (eq r1 r2) - (and (eq r1 exempt.roleattr) - (neq t1 constrained.typeattr))) - (eq t1 exempt.subj.typeattr)) - (and (eq t1 exemptsource.typeattr) - (eq t2 exempttarget.typeattr))))) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) (in subj.unconfined diff --git a/src/misc/av/memprotectav.cil b/src/misc/av/memprotectav.cil index b43db24..1e89e53 100644 --- a/src/misc/av/memprotectav.cil +++ b/src/misc/av/memprotectav.cil 
@@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class memprotect (mmap_zero)) @@ -8,15 +8,15 @@ (block mmapzero - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr self (memprotect (mmap_zero))))) + (neverallow not_typeattr self (memprotect (mmap_zero))))) (in subj.unconfined diff --git a/src/misc/av/msgav.cil b/src/misc/av/msgav.cil index 44cd39f..7a16449 100644 --- a/src/misc/av/msgav.cil +++ b/src/misc/av/msgav.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class msg (receive send)) @@ -13,18 +13,18 @@ (in mcs (mlsconstrain (msg (send)) - (or (dom h1 h2) - (neq t1 constrained.typeattr)))) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) (in rbacsep (constrain (msg (send)) - (or (or (or (eq r1 r2) - (and (eq r1 exempt.roleattr) - (neq t1 constrained.typeattr))) - (eq t1 exempt.subj.typeattr)) - (and (eq t1 exemptsource.typeattr) - (eq t2 exempttarget.typeattr))))) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) (in subj.unconfined diff --git a/src/misc/av/perfeventav.cil b/src/misc/av/perfeventav.cil index 5b685bc..9547108 100644 --- a/src/misc/av/perfeventav.cil +++ b/src/misc/av/perfeventav.cil 
@@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class perf_event (cpu kernel open read tracepoint write)) @@ -11,18 +11,18 @@ (in mcs (mlsconstrain (perf_event (read write)) - (or (dom h1 h2) - (neq t1 constrained.typeattr)))) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) (in rbacsep (constrain (perf_event (read write)) - (or (or (or (eq r1 r2) - (and (eq r1 exempt.roleattr) - (neq t1 constrained.typeattr))) - (eq t1 exempt.subj.typeattr)) - (and (eq t1 exemptsource.typeattr) - (eq t2 exempttarget.typeattr))))) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) (in subj.unconfined diff --git a/src/misc/av/socketav.cil b/src/misc/av/socketav.cil index 42f70ff..88b2b2f 100644 --- a/src/misc/av/socketav.cil +++ b/src/misc/av/socketav.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class alg_socket ()) @@ -62,7 +62,7 @@ (classorder (unordered mctp_socket)) (class netlink_audit_socket - (nlmsg_read nlmsg_readpriv nlmsg_relay nlmsg_tty_audit nlmsg_write)) + (nlmsg_read nlmsg_readpriv nlmsg_relay nlmsg_tty_audit nlmsg_write)) (classorder (unordered netlink_audit_socket)) (class netlink_connector_socket ()) 
@@ -240,9 +240,9 @@ (classcommon xdp_socket common_socket) (common common_socket - (accept append bind connect create getattr getopt ioctl listen lock map - name_bind read recvfrom relabelfrom relabelto sendto setattr - setopt shutdown write)) + (accept append bind connect create getattr getopt ioctl listen lock map + name_bind read recvfrom relabelfrom relabelto sendto setattr + setopt shutdown write)) (classpermission create_alg_socket) (classpermission create_alg_stream_socket) 
@@ -333,325 +333,325 @@ (classpermission write_vsock_socket) (classpermissionset create_alg_socket - (alg_socket (append bind connect create getattr getopt ioctl - read setattr setopt shutdown write))) + (alg_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) (classpermissionset create_alg_stream_socket - (alg_socket (accept append bind connect create getattr - getopt ioctl listen read setattr setopt - shutdown write))) + (alg_socket (accept append bind connect create getattr + getopt ioctl listen read setattr setopt + shutdown write))) (classpermissionset create_appletalk_socket - (appletalk_socket (append bind connect create getattr getopt - ioctl read setattr setopt shutdown - write))) + (appletalk_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) (classpermissionset create_atmpvc_socket - (atmpvc_socket (append bind connect create getattr getopt - ioctl read setattr setopt shutdown - write))) + (atmpvc_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) (classpermissionset create_atmsvc_socket - (atmsvc_socket (append bind connect create getattr getopt - ioctl read setattr setopt shutdown - write))) + (atmsvc_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) (classpermissionset create_ax25_socket - (ax25_socket (append bind connect create getattr getopt - ioctl read setattr setopt shutdown - write))) + (ax25_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) (classpermissionset create_bluetooth_socket - (bluetooth_socket (append bind connect create getattr getopt - ioctl read setattr setopt shutdown - write))) + (bluetooth_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) (classpermissionset create_bluetooth_stream_socket - (bluetooth_socket (accept append bind connect create getattr 
- getopt ioctl listen read setattr - setopt shutdown write))) + (bluetooth_socket (accept append bind connect create getattr + getopt ioctl listen read setattr + setopt shutdown write))) (classpermissionset create_caif_socket - (caif_socket (append bind connect create getattr getopt - ioctl read setattr setopt shutdown - write))) + (caif_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) (classpermissionset create_can_socket - (can_socket (append bind connect create getattr getopt ioctl - read setattr setopt shutdown write))) + (can_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) (classpermissionset create_dccp_socket - (dccp_socket (append bind connect create getattr getopt - ioctl read setattr setopt shutdown - write))) + (dccp_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) (classpermissionset create_dccp_stream_socket - (dccp_socket (accept append bind connect create getattr - getopt ioctl listen read setattr setopt - shutdown write))) + (dccp_socket (accept append bind connect create getattr + getopt ioctl listen read setattr setopt + shutdown write))) (classpermissionset create_decnet_socket - (decnet_socket (append bind connect create getattr getopt - ioctl read setattr setopt shutdown - write))) + (decnet_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) (classpermissionset create_icmp_socket - (icmp_socket (append bind connect create getattr getopt - ioctl read setattr setopt shutdown - write))) + (icmp_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) (classpermissionset create_ieee802154_socket - (ieee802154_socket (append bind connect create getattr - getopt ioctl read setattr setopt - shutdown write))) + (ieee802154_socket (append bind connect create getattr + getopt ioctl read setattr setopt + shutdown write))) 
(classpermissionset create_ipx_socket - (ipx_socket (append bind connect create getattr getopt ioctl - read setattr setopt shutdown write))) + (ipx_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) (classpermissionset create_irda_socket - (irda_socket (append bind connect create getattr getopt - ioctl read setattr setopt shutdown - write))) + (irda_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) (classpermissionset create_isdn_socket - (isdn_socket (append bind connect create getattr getopt - ioctl read setattr setopt shutdown - write))) + (isdn_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) (classpermissionset create_iucv_socket - (iucv_socket (append bind connect create getattr getopt - ioctl read setattr setopt shutdown - write))) + (iucv_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) (classpermissionset create_kcm_socket - (kcm_socket (append bind connect create getattr getopt ioctl - read setattr setopt shutdown write))) + (kcm_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) (classpermissionset create_key_socket - (key_socket (append bind connect create getattr getopt ioctl - read setattr setopt shutdown write))) + (key_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) (classpermissionset create_llc_socket - (llc_socket (append bind connect create getattr getopt ioctl - read setattr setopt shutdown write))) + (llc_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) (classpermissionset create_mctp_socket - (mctp_socket (append bind connect create getattr getopt - ioctl read setattr setopt shutdown - write))) + (mctp_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) (classpermissionset 
create_netlink_audit_socket - (netlink_audit_socket (append bind connect create getattr - getopt ioctl read setattr - setopt shutdown write))) + (netlink_audit_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) (classpermissionset create_netlink_connector_socket - (netlink_connector_socket (append bind connect create - getattr getopt ioctl read - setattr setopt shutdown - write))) + (netlink_connector_socket (append bind connect create + getattr getopt ioctl read + setattr setopt shutdown + write))) (classpermissionset create_netlink_crypto_socket - (netlink_crypto_socket (append bind connect create getattr - getopt ioctl read setattr - setopt shutdown write))) + (netlink_crypto_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) (classpermissionset create_netlink_dnrt_socket - (netlink_dnrt_socket (append bind connect create getattr - getopt ioctl read setattr - setopt shutdown write))) + (netlink_dnrt_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) (classpermissionset create_netlink_fib_lookup_socket - (netlink_fib_lookup_socket (append bind connect create - getattr getopt ioctl - read setattr setopt - shutdown write))) + (netlink_fib_lookup_socket (append bind connect create + getattr getopt ioctl + read setattr setopt + shutdown write))) (classpermissionset create_netlink_generic_socket - (netlink_generic_socket (append bind connect create getattr - getopt ioctl read setattr - setopt shutdown write))) + (netlink_generic_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) (classpermissionset create_netlink_iscsi_socket - (netlink_iscsi_socket (append bind connect create getattr - getopt ioctl read setattr - setopt shutdown write))) + (netlink_iscsi_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) (classpermissionset 
create_netlink_kobject_uevent_socket
- (netlink_kobject_uevent_socket (append bind connect create
- getattr getopt ioctl
- read setattr setopt
- shutdown write)))
+ (netlink_kobject_uevent_socket (append bind connect create
+ getattr getopt ioctl
+ read setattr setopt
+ shutdown write)))
 (classpermissionset create_netlink_netfilter_socket
- (netlink_netfilter_socket (append bind connect create
- getattr getopt ioctl read
- setattr setopt shutdown
- write)))
+ (netlink_netfilter_socket (append bind connect create
+ getattr getopt ioctl read
+ setattr setopt shutdown
+ write)))
 (classpermissionset create_netlink_nflog_socket
- (netlink_nflog_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_nflog_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
 (classpermissionset create_netlink_rdma_socket
- (netlink_rdma_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_rdma_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
 (classpermissionset create_netlink_route_socket
- (netlink_route_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_route_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
 (classpermissionset create_netlink_scsitransport_socket
- (netlink_scsitransport_socket (append bind connect create
- getattr getopt ioctl
- read setattr setopt
- shutdown write)))
+ (netlink_scsitransport_socket (append bind connect create
+ getattr getopt ioctl
+ read setattr setopt
+ shutdown write)))
 (classpermissionset create_netlink_selinux_socket
- (netlink_selinux_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_selinux_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown
write)))
 (classpermissionset create_netlink_socket
- (netlink_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (netlink_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
 (classpermissionset create_netlink_tcpdiag_socket
- (netlink_tcpdiag_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_tcpdiag_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
 (classpermissionset create_netlink_xfrm_socket
- (netlink_xfrm_socket (append bind connect create getattr
- getopt ioctl read setattr
- setopt shutdown write)))
+ (netlink_xfrm_socket (append bind connect create getattr
+ getopt ioctl read setattr
+ setopt shutdown write)))
 (classpermissionset create_netrom_socket
- (netrom_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (netrom_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
 (classpermissionset create_nfc_socket
- (nfc_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (nfc_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
 (classpermissionset create_packet_socket
- (packet_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (packet_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
 (classpermissionset create_phonet_socket
- (phonet_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (phonet_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
 (classpermissionset create_pppox_socket
- (pppox_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+
(pppox_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
 (classpermissionset create_qipcrtr_socket
- (qipcrtr_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (qipcrtr_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
 (classpermissionset create_rawip_socket
- (rawip_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (rawip_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
 (classpermissionset create_rds_socket
- (rds_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (rds_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
 (classpermissionset create_rose_socket
- (rose_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (rose_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
 (classpermissionset create_rxrpc_socket
- (rxrpc_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (rxrpc_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
 (classpermissionset create_sctp_socket
- (sctp_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (sctp_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
 (classpermissionset create_sctp_stream_socket
- (sctp_socket (accept append bind connect create getattr
- getopt ioctl listen read setattr setopt
- shutdown write)))
+ (sctp_socket (accept append bind connect create getattr
+ getopt ioctl listen read setattr setopt
+ shutdown write)))
 (classpermissionset create_smc_socket
- (smc_socket (append bind connect create getattr getopt
ioctl
- read setattr setopt shutdown write)))
+ (smc_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
 (classpermissionset create_socket
- (socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
 (classpermissionset create_tcp_socket
- (tcp_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (tcp_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
 (classpermissionset create_tcp_stream_socket
- (tcp_socket (accept append bind connect create getattr
- getopt ioctl listen read setattr setopt
- shutdown write)))
+ (tcp_socket (accept append bind connect create getattr
+ getopt ioctl listen read setattr setopt
+ shutdown write)))
 (classpermissionset create_tipc_socket
- (tipc_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (tipc_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
 (classpermissionset create_tun_socket
- (tun_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (tun_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
 (classpermissionset create_udp_socket
- (udp_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (udp_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
 (classpermissionset create_unix_dgram_socket
- (unix_dgram_socket (append bind connect create getattr
- getopt ioctl read setattr setopt
- shutdown write)))
+ (unix_dgram_socket (append bind connect create getattr
+ getopt ioctl read setattr setopt
+ shutdown write)))
 (classpermissionset create_unix_stream_socket
- (unix_stream_socket (append bind
connect create getattr
- getopt ioctl read setattr setopt
- shutdown write)))
+ (unix_stream_socket (append bind connect create getattr
+ getopt ioctl read setattr setopt
+ shutdown write)))
 (classpermissionset create_unix_stream_stream_socket
- (unix_stream_socket (accept append bind connect create
- getattr getopt ioctl listen read
- setattr setopt shutdown write)))
+ (unix_stream_socket (accept append bind connect create
+ getattr getopt ioctl listen read
+ setattr setopt shutdown write)))
 (classpermissionset create_vsock_socket
- (vsock_socket (append bind connect create getattr getopt
- ioctl read setattr setopt shutdown
- write)))
+ (vsock_socket (append bind connect create getattr getopt
+ ioctl read setattr setopt shutdown
+ write)))
 (classpermissionset create_vsock_stream_socket
- (vsock_socket (accept append bind connect create getattr
- getopt ioctl listen read setattr
- setopt shutdown write)))
+ (vsock_socket (accept append bind connect create getattr
+ getopt ioctl listen read setattr
+ setopt shutdown write)))
 (classpermissionset create_x25_socket
- (x25_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (x25_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
 (classpermissionset create_xdp_socket
- (xdp_socket (append bind connect create getattr getopt ioctl
- read setattr setopt shutdown write)))
+ (xdp_socket (append bind connect create getattr getopt ioctl
+ read setattr setopt shutdown write)))
 (classpermissionset readwrite_alg_socket
- (alg_socket (append bind connect getattr getopt ioctl read
- setopt shutdown write)))
+ (alg_socket (append bind connect getattr getopt ioctl read
+ setopt shutdown write)))
 (classpermissionset readwrite_bluetooth_socket
- (bluetooth_socket (append bind connect getattr getopt ioctl
- read setopt shutdown write)))
+ (bluetooth_socket (append bind connect getattr getopt ioctl
+ read setopt shutdown write)))
 (classpermissionset readwrite_dccp_socket
- (dccp_socket (append bind connect getattr getopt ioctl read
- setopt shutdown write)))
+ (dccp_socket (append bind connect getattr getopt ioctl read
+ setopt shutdown write)))
 (classpermissionset readwrite_netlink_audit_socket
- (netlink_audit_socket (append bind connect getattr getopt
- ioctl read setopt shutdown
- write)))
+ (netlink_audit_socket (append bind connect getattr getopt
+ ioctl read setopt shutdown
+ write)))
 (classpermissionset readwrite_sctp_socket
- (sctp_socket (append bind connect getattr getopt ioctl read
- setopt shutdown write)))
+ (sctp_socket (append bind connect getattr getopt ioctl read
+ setopt shutdown write)))
 (classpermissionset readwrite_tcp_socket
- (tcp_socket (append bind connect getattr getopt ioctl read
- setopt shutdown write)))
+ (tcp_socket (append bind connect getattr getopt ioctl read
+ setopt shutdown write)))
 (classpermissionset readwrite_tun_socket
- (tun_socket (append bind connect getattr getopt ioctl read
- setopt shutdown write)))
+ (tun_socket (append bind connect getattr getopt ioctl read
+ setopt shutdown write)))
 (classpermissionset readwrite_unix_dgram_socket
- (unix_dgram_socket (append bind connect getattr getopt ioctl
- read setopt shutdown write)))
+ (unix_dgram_socket (append bind connect getattr getopt ioctl
+ read setopt shutdown write)))
 (classpermissionset readwrite_unix_stream_socket
- (unix_stream_socket (append bind connect getattr getopt
- ioctl read setopt shutdown
- write)))
+ (unix_stream_socket (append bind connect getattr getopt
+ ioctl read setopt shutdown
+ write)))
 (classpermissionset readwrite_vsock_socket
- (vsock_socket (append bind connect getattr getopt ioctl
- read setopt shutdown write)))
+ (vsock_socket (append bind connect getattr getopt ioctl
+ read setopt shutdown write)))
 (classpermissionset write_alg_socket
- (alg_socket (append bind connect getattr getopt ioctl setopt
- shutdown write)))
+ (alg_socket (append bind connect getattr
getopt ioctl setopt
+ shutdown write)))
 (classpermissionset write_bluetooth_socket
- (bluetooth_socket (append bind connect getattr getopt ioctl
- setopt shutdown write)))
+ (bluetooth_socket (append bind connect getattr getopt ioctl
+ setopt shutdown write)))
 (classpermissionset write_dccp_socket
- (dccp_socket (append bind connect getattr getopt ioctl
- setopt shutdown write)))
+ (dccp_socket (append bind connect getattr getopt ioctl
+ setopt shutdown write)))
 (classpermissionset write_sctp_socket
- (sctp_socket (append bind connect getattr getopt ioctl
- setopt shutdown write)))
+ (sctp_socket (append bind connect getattr getopt ioctl
+ setopt shutdown write)))
 (classpermissionset write_tcp_socket
- (tcp_socket (append bind connect getattr getopt ioctl setopt
- shutdown write)))
+ (tcp_socket (append bind connect getattr getopt ioctl setopt
+ shutdown write)))
 (classpermissionset write_tun_socket
- (tun_socket (append bind connect getattr getopt ioctl setopt
- shutdown write)))
+ (tun_socket (append bind connect getattr getopt ioctl setopt
+ shutdown write)))
 (classpermissionset write_unix_dgram_socket
- (unix_dgram_socket (append bind connect getattr getopt ioctl
- setopt shutdown write)))
+ (unix_dgram_socket (append bind connect getattr getopt ioctl
+ setopt shutdown write)))
 (classpermissionset write_unix_stream_socket
- (unix_stream_socket (append bind connect getattr getopt
- ioctl setopt shutdown write)))
+ (unix_stream_socket (append bind connect getattr getopt
+ ioctl setopt shutdown write)))
 (classpermissionset write_vsock_socket
- (vsock_socket (append bind connect getattr getopt ioctl
- setopt shutdown write)))
+ (vsock_socket (append bind connect getattr getopt ioctl
+ setopt shutdown write)))
 (classmap constrainsocketobject (nameconnect nodebind))
 (classmap constrainsocketsubject
- (append association attachqueue connectto create getattr read
- relabelto sendto setattr write))
+ (append association attachqueue connectto create getattr read
+
relabelto sendto setattr write))
 (classmap sockets (common getattr))
@@ -691,17 +691,17 @@
 (classmapping constrainsocketsubject append (netlink_crypto_socket (append)))
 (classmapping constrainsocketsubject append (netlink_dnrt_socket (append)))
 (classmapping constrainsocketsubject append
- (netlink_fib_lookup_socket (append)))
+ (netlink_fib_lookup_socket (append)))
 (classmapping constrainsocketsubject append (netlink_generic_socket (append)))
 (classmapping constrainsocketsubject append (netlink_iscsi_socket (append)))
 (classmapping constrainsocketsubject append
- (netlink_kobject_uevent_socket (append)))
+ (netlink_kobject_uevent_socket (append)))
 (classmapping constrainsocketsubject append (netlink_netfilter_socket (append)))
 (classmapping constrainsocketsubject append (netlink_nflog_socket (append)))
 (classmapping constrainsocketsubject append (netlink_rdma_socket (append)))
 (classmapping constrainsocketsubject append (netlink_route_socket (append)))
 (classmapping constrainsocketsubject append
- (netlink_scsitransport_socket (append)))
+ (netlink_scsitransport_socket (append)))
 (classmapping constrainsocketsubject append (netlink_selinux_socket (append)))
 (classmapping constrainsocketsubject append (netlink_socket (append)))
 (classmapping constrainsocketsubject append (netlink_tcpdiag_socket (append)))
@@ -730,13 +730,13 @@
 (classmapping constrainsocketsubject append (xdp_socket (append)))
 (classmapping constrainsocketsubject
- association (sctp_socket (association)))
+ association (sctp_socket (association)))
 (classmapping constrainsocketsubject
- attachqueue (tun_socket (attach_queue)))
+ attachqueue (tun_socket (attach_queue)))
 (classmapping constrainsocketsubject
- connectto (unix_stream_socket (connectto)))
+ connectto (unix_stream_socket (connectto)))
 (classmapping constrainsocketsubject create (alg_socket (create)))
 (classmapping constrainsocketsubject create (appletalk_socket (create)))
@@ -763,17 +763,17 @@
 (classmapping constrainsocketsubject create (netlink_crypto_socket (create)))
 (classmapping constrainsocketsubject create (netlink_dnrt_socket (create)))
 (classmapping constrainsocketsubject create
- (netlink_fib_lookup_socket (create)))
+ (netlink_fib_lookup_socket (create)))
 (classmapping constrainsocketsubject create (netlink_generic_socket (create)))
 (classmapping constrainsocketsubject create (netlink_iscsi_socket (create)))
 (classmapping constrainsocketsubject create
- (netlink_kobject_uevent_socket (create)))
+ (netlink_kobject_uevent_socket (create)))
 (classmapping constrainsocketsubject create (netlink_netfilter_socket (create)))
 (classmapping constrainsocketsubject create (netlink_nflog_socket (create)))
 (classmapping constrainsocketsubject create (netlink_rdma_socket (create)))
 (classmapping constrainsocketsubject create (netlink_route_socket (create)))
 (classmapping constrainsocketsubject create
- (netlink_scsitransport_socket (create)))
+ (netlink_scsitransport_socket (create)))
 (classmapping constrainsocketsubject create (netlink_selinux_socket (create)))
 (classmapping constrainsocketsubject create (netlink_socket (create)))
 (classmapping constrainsocketsubject create (netlink_tcpdiag_socket (create)))
@@ -823,22 +823,22 @@
 (classmapping constrainsocketsubject getattr (mctp_socket (getattr)))
 (classmapping constrainsocketsubject getattr (netlink_audit_socket (getattr)))
 (classmapping constrainsocketsubject getattr
- (netlink_connector_socket (getattr)))
+ (netlink_connector_socket (getattr)))
 (classmapping constrainsocketsubject getattr (netlink_crypto_socket (getattr)))
 (classmapping constrainsocketsubject getattr (netlink_dnrt_socket (getattr)))
 (classmapping constrainsocketsubject getattr
- (netlink_fib_lookup_socket (getattr)))
+ (netlink_fib_lookup_socket (getattr)))
 (classmapping constrainsocketsubject getattr (netlink_generic_socket (getattr)))
 (classmapping constrainsocketsubject getattr (netlink_iscsi_socket (getattr)))
 (classmapping constrainsocketsubject getattr
- (netlink_kobject_uevent_socket (getattr)))
+ (netlink_kobject_uevent_socket (getattr)))
 (classmapping constrainsocketsubject getattr
- (netlink_netfilter_socket (getattr)))
+ (netlink_netfilter_socket (getattr)))
 (classmapping constrainsocketsubject getattr (netlink_nflog_socket (getattr)))
 (classmapping constrainsocketsubject getattr (netlink_rdma_socket (getattr)))
 (classmapping constrainsocketsubject getattr (netlink_route_socket (getattr)))
 (classmapping constrainsocketsubject getattr
- (netlink_scsitransport_socket (getattr)))
+ (netlink_scsitransport_socket (getattr)))
 (classmapping constrainsocketsubject getattr (netlink_selinux_socket (getattr)))
 (classmapping constrainsocketsubject getattr (netlink_socket (getattr)))
 (classmapping constrainsocketsubject getattr (netlink_tcpdiag_socket (getattr)))
@@ -895,7 +895,7 @@
 (classmapping constrainsocketsubject read (netlink_generic_socket (read)))
 (classmapping constrainsocketsubject read (netlink_iscsi_socket (read)))
 (classmapping constrainsocketsubject read
- (netlink_kobject_uevent_socket (read)))
+ (netlink_kobject_uevent_socket (read)))
 (classmapping constrainsocketsubject read (netlink_netfilter_socket (read)))
 (classmapping constrainsocketsubject read (netlink_nflog_socket (read)))
 (classmapping constrainsocketsubject read (netlink_rdma_socket (read)))
@@ -949,38 +949,38 @@
 (classmapping constrainsocketsubject relabelto (llc_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto (mctp_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_audit_socket (relabelto)))
+ (netlink_audit_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_connector_socket (relabelto)))
+ (netlink_connector_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_crypto_socket (relabelto)))
+ (netlink_crypto_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_dnrt_socket (relabelto)))
+ (netlink_dnrt_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_fib_lookup_socket (relabelto)))
+ (netlink_fib_lookup_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_generic_socket (relabelto)))
+ (netlink_generic_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_iscsi_socket (relabelto)))
+ (netlink_iscsi_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_kobject_uevent_socket (relabelto)))
+ (netlink_kobject_uevent_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_netfilter_socket (relabelto)))
+ (netlink_netfilter_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_nflog_socket (relabelto)))
+ (netlink_nflog_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_rdma_socket (relabelto)))
+ (netlink_rdma_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_route_socket (relabelto)))
+ (netlink_route_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_scsitransport_socket (relabelto)))
+ (netlink_scsitransport_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_selinux_socket (relabelto)))
+ (netlink_selinux_socket (relabelto)))
 (classmapping constrainsocketsubject
relabelto (netlink_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_tcpdiag_socket (relabelto)))
+ (netlink_tcpdiag_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto
- (netlink_xfrm_socket (relabelto)))
+ (netlink_xfrm_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto (netrom_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto (nfc_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto (packet_socket (relabelto)))
@@ -1028,22 +1028,22 @@
 (classmapping constrainsocketsubject setattr (mctp_socket (setattr)))
 (classmapping constrainsocketsubject setattr (netlink_audit_socket (setattr)))
 (classmapping constrainsocketsubject setattr
- (netlink_connector_socket (setattr)))
+ (netlink_connector_socket (setattr)))
 (classmapping constrainsocketsubject setattr (netlink_crypto_socket (setattr)))
 (classmapping constrainsocketsubject setattr (netlink_dnrt_socket (setattr)))
 (classmapping constrainsocketsubject setattr
- (netlink_fib_lookup_socket (setattr)))
+ (netlink_fib_lookup_socket (setattr)))
 (classmapping constrainsocketsubject setattr (netlink_generic_socket (setattr)))
 (classmapping constrainsocketsubject setattr (netlink_iscsi_socket (setattr)))
 (classmapping constrainsocketsubject setattr
- (netlink_kobject_uevent_socket (setattr)))
+ (netlink_kobject_uevent_socket (setattr)))
 (classmapping constrainsocketsubject setattr
- (netlink_netfilter_socket (setattr)))
+ (netlink_netfilter_socket (setattr)))
 (classmapping constrainsocketsubject setattr (netlink_nflog_socket (setattr)))
 (classmapping constrainsocketsubject setattr (netlink_rdma_socket (setattr)))
 (classmapping constrainsocketsubject setattr (netlink_route_socket (setattr)))
 (classmapping constrainsocketsubject setattr
- (netlink_scsitransport_socket (setattr)))
+ (netlink_scsitransport_socket (setattr)))
 (classmapping constrainsocketsubject setattr (netlink_selinux_socket (setattr)))
 (classmapping constrainsocketsubject setattr (netlink_socket (setattr)))
 (classmapping constrainsocketsubject setattr (netlink_tcpdiag_socket (setattr)))
@@ -1099,13 +1099,13 @@
 (classmapping constrainsocketsubject write (netlink_generic_socket (write)))
 (classmapping constrainsocketsubject write (netlink_iscsi_socket (write)))
 (classmapping constrainsocketsubject write
- (netlink_kobject_uevent_socket (write)))
+ (netlink_kobject_uevent_socket (write)))
 (classmapping constrainsocketsubject write (netlink_netfilter_socket (write)))
 (classmapping constrainsocketsubject write (netlink_nflog_socket (write)))
 (classmapping constrainsocketsubject write (netlink_rdma_socket (write)))
 (classmapping constrainsocketsubject write (netlink_route_socket (write)))
 (classmapping constrainsocketsubject write
- (netlink_scsitransport_socket (write)))
+ (netlink_scsitransport_socket (write)))
 (classmapping constrainsocketsubject write (netlink_selinux_socket (write)))
 (classmapping constrainsocketsubject write (netlink_socket (write)))
 (classmapping constrainsocketsubject write (netlink_tcpdiag_socket (write)))
@@ -1134,207 +1134,207 @@
 (classmapping constrainsocketsubject write (xdp_socket (write)))
 (classmapping sockets common
- (alg_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (alg_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (appletalk_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (appletalk_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (atmpvc_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (atmpvc_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (atmsvc_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (atmsvc_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (ax25_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (ax25_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (bluetooth_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (bluetooth_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (caif_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (caif_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (can_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (can_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (dccp_socket (not (accept listen map name_connect name_bind
- node_bind relabelfrom relabelto recvfrom
- sendto))))
+ (dccp_socket
(not (accept listen map name_connect name_bind
+ node_bind relabelfrom relabelto recvfrom
+ sendto))))
 (classmapping sockets common
- (decnet_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (decnet_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (icmp_socket (not (accept listen map name_bind node_bind
- relabelfrom relabelto recvfrom
- sendto))))
+ (icmp_socket (not (accept listen map name_bind node_bind
+ relabelfrom relabelto recvfrom
+ sendto))))
 (classmapping sockets common
- (ieee802154_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (ieee802154_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (ipx_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (ipx_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (irda_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (irda_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (isdn_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (isdn_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (iucv_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (iucv_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (kcm_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (kcm_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (key_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (key_socket (not
(accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (llc_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (llc_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (mctp_socket (not (accept listen map name_bind relabelfrom
- relabelto recvfrom sendto))))
+ (mctp_socket (not (accept listen map name_bind relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (netlink_audit_socket (not (accept listen map name_bind nlmsg_read
- nlmsg_readpriv nlmsg_relay
- nlmsg_tty_audit nlmsg_write
- relabelfrom relabelto recvfrom
- sendto))))
+ (netlink_audit_socket (not (accept listen map name_bind nlmsg_read
+ nlmsg_readpriv nlmsg_relay
+ nlmsg_tty_audit nlmsg_write
+ relabelfrom relabelto recvfrom
+ sendto))))
 (classmapping sockets common
- (netlink_connector_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_connector_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
 (classmapping sockets common
- (netlink_crypto_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_crypto_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
 (classmapping sockets common
- (netlink_dnrt_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_dnrt_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
 (classmapping sockets common
- (netlink_fib_lookup_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_fib_lookup_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
 (classmapping sockets common
- (netlink_generic_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+
(netlink_generic_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
 (classmapping sockets common
- (netlink_iscsi_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_iscsi_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
 (classmapping sockets common
- (netlink_kobject_uevent_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_kobject_uevent_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
 (classmapping sockets common
- (netlink_netfilter_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_netfilter_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
 (classmapping sockets common
- (netlink_nflog_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_nflog_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
 (classmapping sockets common
- (netlink_rdma_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_rdma_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
 (classmapping sockets common
- (netlink_route_socket (not (accept listen map name_bind nlmsg_read
- nlmsg_write relabelfrom
- relabelto recvfrom sendto))))
+ (netlink_route_socket (not (accept listen map name_bind nlmsg_read
+ nlmsg_write relabelfrom
+ relabelto recvfrom sendto))))
 (classmapping sockets common
- (netlink_scsitransport_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+ (netlink_scsitransport_socket (not (accept listen map name_bind
+ relabelfrom relabelto
+ recvfrom sendto))))
 (classmapping sockets common
- (netlink_selinux_socket (not (accept listen map name_bind
- relabelfrom relabelto
- recvfrom sendto))))
+
(netlink_selinux_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) (classmapping sockets common - (netlink_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (netlink_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (netlink_tcpdiag_socket (not (accept listen map name_bind - nlmsg_read nlmsg_write - relabelfrom relabelto - recvfrom sendto)))) + (netlink_tcpdiag_socket (not (accept listen map name_bind + nlmsg_read nlmsg_write + relabelfrom relabelto + recvfrom sendto)))) (classmapping sockets common - (netlink_xfrm_socket (not (accept listen map name_bind nlmsg_read - nlmsg_write relabelfrom - relabelto recvfrom sendto)))) + (netlink_xfrm_socket (not (accept listen map name_bind nlmsg_read + nlmsg_write relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (netrom_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (netrom_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (nfc_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (nfc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (packet_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (packet_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (phonet_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (phonet_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (pppox_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (pppox_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping 
sockets common - (qipcrtr_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (qipcrtr_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (rawip_socket (not (accept listen map name_bind node_bind - relabelfrom relabelto recvfrom - sendto)))) + (rawip_socket (not (accept listen map name_bind node_bind + relabelfrom relabelto recvfrom + sendto)))) (classmapping sockets common - (rds_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (rds_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (rose_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (rose_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (rxrpc_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (rxrpc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (sctp_socket (not (accept association listen map name_connect - name_bind node_bind relabelfrom - relabelto recvfrom sendto)))) + (sctp_socket (not (accept association listen map name_connect + name_bind node_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (smc_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (smc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (tcp_socket (not (accept listen map name_connect name_bind - node_bind relabelfrom relabelto recvfrom - sendto)))) + (tcp_socket (not (accept listen map name_connect 
name_bind + node_bind relabelfrom relabelto recvfrom + sendto)))) (classmapping sockets common - (tipc_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (tipc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (tun_socket (not (accept attach_queue listen map name_bind - relabelfrom relabelto recvfrom sendto)))) + (tun_socket (not (accept attach_queue listen map name_bind + relabelfrom relabelto recvfrom sendto)))) (classmapping sockets common - (udp_socket (not (accept listen map name_bind node_bind - relabelfrom relabelto recvfrom sendto)))) + (udp_socket (not (accept listen map name_bind node_bind + relabelfrom relabelto recvfrom sendto)))) (classmapping sockets common - (unix_dgram_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (unix_dgram_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (unix_stream_socket (not (accept connectto listen map name_bind - relabelfrom relabelto recvfrom - sendto)))) + (unix_stream_socket (not (accept connectto listen map name_bind + relabelfrom relabelto recvfrom + sendto)))) (classmapping sockets common - (vsock_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (vsock_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (x25_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (x25_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets common - (xdp_socket (not (accept listen map name_bind relabelfrom - relabelto recvfrom sendto)))) + (xdp_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) (classmapping sockets getattr (ax25_socket (getattr))) (classmapping sockets getattr (alg_socket (getattr))) 
@@ -1397,81 +1397,81 @@ (classmapping sockets getattr (xdp_socket (getattr))) (macro association_invalid_sctp_sockets ((type ARG1)) - (allow ARG1 invalid (sctp_socket (association)))) + (allow ARG1 invalid (sctp_socket (association)))) (macro connectto_invalid_unix_stream_sockets ((type ARG1)) - (allow ARG1 invalid (unix_stream_socket (connectto)))) + (allow ARG1 invalid (unix_stream_socket (connectto)))) (macro getattr_invalid_sockets ((type ARG1)) - (allow ARG1 invalid (sockets (getattr)))) + (allow ARG1 invalid (sockets (getattr)))) (macro namebind_invalid_dccp_sockets ((type ARG1)) - (allow ARG1 invalid (dccp_socket (name_bind)))) + (allow ARG1 invalid (dccp_socket (name_bind)))) (macro namebind_invalid_icmp_sockets ((type ARG1)) - (allow ARG1 invalid (icmp_socket (name_bind)))) + (allow ARG1 invalid (icmp_socket (name_bind)))) (macro namebind_invalid_rawip_sockets ((type ARG1)) - (allow ARG1 invalid (rawip_socket (name_bind)))) + (allow ARG1 invalid (rawip_socket (name_bind)))) (macro namebind_invalid_sctp_sockets ((type ARG1)) - (allow ARG1 invalid (sctp_socket (name_bind)))) + (allow ARG1 invalid (sctp_socket (name_bind)))) (macro namebind_invalid_tcp_sockets ((type ARG1)) - (allow ARG1 invalid (tcp_socket (name_bind)))) + (allow ARG1 invalid (tcp_socket (name_bind)))) (macro namebind_invalid_udp_sockets ((type ARG1)) - (allow ARG1 invalid (udp_socket (name_bind)))) + (allow ARG1 invalid (udp_socket (name_bind)))) (macro nameconnect_invalid_dccp_sockets ((type ARG1)) - (allow ARG1 invalid (dccp_socket (name_connect)))) + (allow ARG1 invalid (dccp_socket (name_connect)))) (macro nameconnect_invalid_sctp_sockets ((type ARG1)) - (allow ARG1 invalid (sctp_socket (name_connect)))) + (allow ARG1 invalid (sctp_socket (name_connect)))) (macro nameconnect_invalid_tcp_sockets ((type ARG1)) - (allow ARG1 invalid (tcp_socket (name_connect)))) + (allow ARG1 invalid (tcp_socket (name_connect)))) (macro nodebind_invalid_dccp_sockets ((type ARG1)) - (allow ARG1 invalid 
(dccp_socket (node_bind)))) + (allow ARG1 invalid (dccp_socket (node_bind)))) (macro nodebind_invalid_icmp_sockets ((type ARG1)) - (allow ARG1 invalid (icmp_socket (node_bind)))) + (allow ARG1 invalid (icmp_socket (node_bind)))) (macro nodebind_invalid_rawip_sockets ((type ARG1)) - (allow ARG1 invalid (rawip_socket (node_bind)))) + (allow ARG1 invalid (rawip_socket (node_bind)))) (macro nodebind_invalid_sctp_sockets ((type ARG1)) - (allow ARG1 invalid (sctp_socket (node_bind)))) + (allow ARG1 invalid (sctp_socket (node_bind)))) (macro nodebind_invalid_tcp_sockets ((type ARG1)) - (allow ARG1 invalid (tcp_socket (node_bind)))) + (allow ARG1 invalid (tcp_socket (node_bind)))) (macro nodebind_invalid_udp_sockets ((type ARG1)) - (allow ARG1 invalid (udp_socket (node_bind)))) + (allow ARG1 invalid (udp_socket (node_bind)))) (macro readwrite_invalid_unix_dgram_sockets ((type ARG1)) - (allow ARG1 invalid readwrite_unix_dgram_socket)) + (allow ARG1 invalid readwrite_unix_dgram_socket)) (macro readwrite_invalid_unix_stream_sockets ((type ARG1)) - (allow ARG1 invalid readwrite_unix_stream_socket)) + (allow ARG1 invalid readwrite_unix_stream_socket)) (macro sendto_invalid_unix_dgram_sockets ((type ARG1)) - (allow ARG1 invalid (unix_dgram_socket (sendto)))) + (allow ARG1 invalid (unix_dgram_socket (sendto)))) (macro write_invalid_unix_dgram_sockets ((type ARG1)) - (allow ARG1 invalid write_unix_dgram_socket)) + (allow ARG1 invalid write_unix_dgram_socket)) (macro write_invalid_unix_stream_sockets ((type ARG1)) - (allow ARG1 invalid write_unix_stream_socket)) + (allow ARG1 invalid write_unix_stream_socket)) (in ibac (constrain (constrainsocketsubject (create relabelto)) - (or (or (or (eq u1 u2) - (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) - (eq t1 subjchange.typeattr)) - (eq t1 exempt.typeattr)))) + (or (or (or (eq u1 u2) + (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) (in invalid.unconfined 
@@ -1479,15 +1479,15 @@ (allow typeattr .invalid (alg_socket (accept listen))) (allow typeattr .invalid (bluetooth_socket (accept listen))) (allow typeattr .invalid - (dccp_socket (accept listen name_bind name_connect node_bind))) + (dccp_socket (accept listen name_bind name_connect node_bind))) (allow typeattr .invalid (icmp_socket (name_bind node_bind))) (allow typeattr .invalid (rawip_socket (name_bind node_bind))) (allow typeattr .invalid - (sctp_socket (association accept listen name_bind name_connect - node_bind))) + (sctp_socket (association accept listen name_bind name_connect + node_bind))) (allow typeattr .invalid (udp_socket (name_bind node_bind))) (allow typeattr .invalid - (tcp_socket (accept listen name_bind name_connect node_bind))) + (tcp_socket (accept listen name_bind name_connect node_bind))) (allow typeattr .invalid (tun_socket (attach_queue))) (allow typeattr .invalid (unix_dgram_socket (sendto))) (allow typeattr .invalid (unix_stream_socket (accept connectto listen))) 
@@ -1496,92 +1496,92 @@ (in mcs (mlsconstrain (constrainsocketobject (nameconnect nodebind)) - (or (dom h1 h2) - (neq t1 constrained.typeattr))) + (or (dom h1 h2) + (neq t1 constrained.typeattr))) (mlsconstrain - (constrainsocketsubject (append association attachqueue connectto create - getattr read relabelto sendto setattr - write)) - (or (dom h1 h2) - (neq t1 constrained.typeattr)))) + (constrainsocketsubject (append association attachqueue connectto create + getattr read relabelto sendto setattr + write)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) (in rbac (constrain (constrainsocketsubject (create relabelto)) - (or (or (or (eq r1 r2) - (and (eq t1 subjchangesys.typeattr) - (eq r2 .sys.role))) - (eq t1 subjchange.typeattr)) - (eq t1 exempt.typeattr)))) + (or (or (or (eq r1 r2) + (and (eq t1 subjchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) (in rbacsep (constrain (constrainsocketsubject (append getattr read setattr write)) - (or (or (or (eq r1 r2) - (and (eq r1 exempt.roleattr) - (neq t1 constrained.typeattr))) - (eq t1 exempt.subj.typeattr)) - (and (eq t1 exemptsource.typeattr) - (eq t2 exempttarget.typeattr))))) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) (in subj.all_macro_template (macro association_all_sctp_sockets ((type ARG1)) - (allow ARG1 typeattr (sctp_socket (association)))) + (allow ARG1 typeattr (sctp_socket (association)))) (macro connectto_all_unix_stream_sockets ((type ARG1)) - (allow ARG1 typeattr (unix_stream_socket (connectto)))) + (allow ARG1 typeattr (unix_stream_socket (connectto)))) (macro getattr_all_sockets ((type ARG1)) - (allow ARG1 typeattr (sockets (getattr)))) + (allow ARG1 typeattr (sockets (getattr)))) (macro readwrite_all_unix_dgram_sockets ((type ARG1)) - (allow ARG1 typeattr readwrite_unix_dgram_socket)) + (allow 
ARG1 typeattr readwrite_unix_dgram_socket)) (macro readwrite_all_unix_stream_sockets ((type ARG1)) - (allow ARG1 typeattr readwrite_unix_stream_socket)) + (allow ARG1 typeattr readwrite_unix_stream_socket)) (macro sendto_all_unix_dgram_sockets ((type ARG1)) - (allow ARG1 typeattr (unix_dgram_socket (sendto)))) + (allow ARG1 typeattr (unix_dgram_socket (sendto)))) (macro write_all_unix_dgram_sockets ((type ARG1)) - (allow ARG1 typeattr write_unix_dgram_socket)) + (allow ARG1 typeattr write_unix_dgram_socket)) (macro write_all_unix_stream_sockets ((type ARG1)) - (allow ARG1 typeattr write_unix_stream_socket))) + (allow ARG1 typeattr write_unix_stream_socket))) (in subj.macro_template (macro association_subj_sctp_sockets ((type ARG1)) - (allow ARG1 subj (sctp_socket (association)))) + (allow ARG1 subj (sctp_socket (association)))) (macro connectto_subj_unix_stream_sockets ((type ARG1)) - (allow ARG1 subj (unix_stream_socket (connectto)))) + (allow ARG1 subj (unix_stream_socket (connectto)))) (macro getattr_subj_sockets ((type ARG1)) - (allow ARG1 subj (sockets (getattr)))) + (allow ARG1 subj (sockets (getattr)))) (macro readwrite_subj_unix_dgram_sockets ((type ARG1)) - (allow ARG1 subj readwrite_unix_dgram_socket)) + (allow ARG1 subj readwrite_unix_dgram_socket)) (macro readwrite_subj_unix_stream_sockets ((type ARG1)) - (allow ARG1 subj readwrite_unix_stream_socket)) + (allow ARG1 subj readwrite_unix_stream_socket)) (macro sendto_subj_unix_dgram_sockets ((type ARG1)) - (allow ARG1 subj (unix_dgram_socket (sendto)))) + (allow ARG1 subj (unix_dgram_socket (sendto)))) (macro write_subj_unix_dgram_sockets ((type ARG1)) - (allow ARG1 subj write_unix_dgram_socket)) + (allow ARG1 subj write_unix_dgram_socket)) (macro write_subj_unix_stream_sockets ((type ARG1)) - (allow ARG1 subj write_unix_stream_socket))) + (allow ARG1 subj write_unix_stream_socket))) (in subj.unconfined (allow typeattr self - (netlink_audit_socket (nlmsg_read nlmsg_readpriv nlmsg_relay - nlmsg_tty_audit 
nlmsg_write))) + (netlink_audit_socket (nlmsg_read nlmsg_readpriv nlmsg_relay + nlmsg_tty_audit nlmsg_write))) (allow typeattr self (netlink_route_socket (nlmsg_read nlmsg_write))) (allow typeattr self (netlink_tcpdiag_socket (nlmsg_read nlmsg_write))) (allow typeattr self (netlink_xfrm_socket (nlmsg_read nlmsg_write))) @@ -1597,5 +1597,5 @@ (allow typeattr subj.typeattr (tun_socket (attach_queue relabelfrom))) (allow typeattr subj.typeattr (unix_dgram_socket (sendto))) (allow typeattr subj.typeattr - (unix_stream_socket (accept connectto listen))) + (unix_stream_socket (accept connectto listen))) (allow typeattr subj.typeattr (vsock_socket (accept listen)))) diff --git a/src/misc/av/systemav.cil b/src/misc/av/systemav.cil index be9cb11..61d8f8a 100644 --- a/src/misc/av/systemav.cil +++ b/src/misc/av/systemav.cil 
@@ -1,59 +1,59 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class system - (halt ipc_info module_load module_request reboot reload start status - stop syslog_console syslog_mod syslog_read)) + (halt ipc_info module_load module_request reboot reload start status + stop syslog_console syslog_mod syslog_read)) (classorder (unordered system)) (in sys (macro ipcinfo_system ((type ARG1)) - (allow ARG1 subj (system (ipc_info)))) + (allow ARG1 subj (system (ipc_info)))) (macro modulerequest_system ((type ARG1)) - (allow ARG1 subj (system (module_request)))) + (allow ARG1 subj (system (module_request)))) (macro syslogconsole_system ((type ARG1)) - (allow ARG1 subj (system (syslog_console)))) + (allow ARG1 subj (system (syslog_console)))) (macro syslogmod_system ((type ARG1)) - (allow ARG1 subj (system (syslog_mod)))) + (allow ARG1 subj (system (syslog_mod)))) (macro syslogread_system ((type ARG1)) - (allow ARG1 subj (system (syslog_read)))) + (allow ARG1 subj (system (syslog_read)))) (block moduleload - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr self (system (module_load)))) + (neverallow not_typeattr self (system (module_load)))) (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr self (system (module_load))) - (allow typeattr subj - (system (ipc_info module_request syslog_console syslog_mod - syslog_read))) + (allow typeattr self 
(system (module_load))) + (allow typeattr subj + (system (ipc_info module_request syslog_console syslog_mod + syslog_read))) - ;; potentially happens in autorelabel.target on policy model change - (allow typeattr .invalid (system (module_load))) + ;; potentially happens in autorelabel.target on policy model change + (allow typeattr .invalid (system (module_load))) - ;; potentially happens in autorelabel.target on fresh install - (allow typeattr .unlabeled (system (module_load))) + ;; potentially happens in autorelabel.target on fresh install + (allow typeattr .unlabeled (system (module_load))) - (call moduleload.type (typeattr)))) + (call moduleload.type (typeattr)))) (in unconfined diff --git a/src/misc/av/usernamespaceav.cil b/src/misc/av/usernamespaceav.cil index fe73e30..f5012f5 100644 --- a/src/misc/av/usernamespaceav.cil +++ b/src/misc/av/usernamespaceav.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class user_namespace (create)) diff --git a/src/misc/conf.cil b/src/misc/conf.cil index 1a376dd..63549c9 100644 --- a/src/misc/conf.cil +++ b/src/misc/conf.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (handleunknown allow) diff --git a/src/misc/constrain/ibac.cil b/src/misc/constrain/ibac.cil index 38302ee..1ed7ee4 100644 --- a/src/misc/constrain/ibac.cil +++ b/src/misc/constrain/ibac.cil 
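Review bot: The first changed line of this hunk replaces the UTF-8 copyright sign in the SPDX header with the literal ASCII text `M-BM-)`, which is exactly how `cat -v` renders the bytes C2 A9, so the re-indentation pass appears to have escaped non-ASCII bytes instead of preserving them. The header should remain `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`; license scanners and SBOM generators key on this line, so this is a metadata regression hidden inside an otherwise whitespace-only change. Since the same transformation touched 369 files, grepping the tree for `M-[A-Z)]` before merging would catch any other mangled non-ASCII content. The trailing `(in unconfined` block continues outside the hunk.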
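Review bot: The added SPDX line in usernamespaceav.cil carries `M-BM-)` where the removed line had `©`, i.e. the UTF-8 bytes C2 A9 were replaced by their `cat -v` escape rather than kept. Restore `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>` so the copyright notice stays machine-readable; nothing else in this four-line hunk changes.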
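Review bot: conf.cil picks up the same corruption as the other headers: `©` on the old side becomes the literal string `M-BM-)` on the new side. This hunk should be dropped from the commit or the line restored to `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`; a tool that escapes high-bit bytes this way will do the same to any other non-ASCII text in the repository, which is worth checking with a tree-wide grep.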
@@ -1,83 +1,83 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block ibac - (constrain (constrainobject (create relabelto)) - (or (or (or (eq u1 u2) - (and (eq t1 objchangesys.typeattr) - (eq u2 .sys.id))) - (eq t1 objchange.typeattr)) - (eq t1 exempt.typeattr))) + (constrain (constrainobject (create relabelto)) + (or (or (or (eq u1 u2) + (and (eq t1 objchangesys.typeattr) + (eq u2 .sys.id))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr))) - (constrain (process (dyntransition transition)) - (or (or (or (eq u1 u2) - (and (eq t1 subjchange.typeattr) - (eq t2 subjchangetarget.typeattr))) - (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) - (eq t1 exempt.typeattr))) + (constrain (process (dyntransition transition)) + (or (or (or (eq u1 u2) + (and (eq t1 subjchange.typeattr) + (eq t2 subjchangetarget.typeattr))) + (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 exempt.typeattr))) - (block change + (block change - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (call objchange.type (typeattr)) - (call subjchange.type (typeattr))) + (call objchange.type (typeattr)) + (call subjchange.type (typeattr))) - (block changesys + (block changesys - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (call objchangesys.type (typeattr)) - (call subjchangesys.type (typeattr))) + (call objchangesys.type (typeattr)) + (call subjchangesys.type (typeattr))) - (block exempt + (block exempt - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + 
(typeattribute typeattr)) - (block objchange + (block objchange - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr)) - (block objchangesys + (block objchangesys - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr)) - (block subjchange + (block subjchange - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr)) - (block subjchangesys + (block subjchangesys - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr)) - (block subjchangetarget + (block subjchangetarget - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr))) + (typeattribute typeattr))) (in subj.unconfined diff --git a/src/misc/constrain/mcs.cil b/src/misc/constrain/mcs.cil index 925933a..aaf7dc0 100644 --- a/src/misc/constrain/mcs.cil +++ b/src/misc/constrain/mcs.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (defaultrange blk_file source low) 
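Review bot: The only substantive change in this ibac.cil hunk is unintended: the SPDX header's `©` is rewritten as the ASCII text `M-BM-)` (the `cat -v` rendering of bytes C2 A9), while everything below it in the `ibac` block is pure re-indentation. The header should be reverted to `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>` so license metadata is not silently altered. The closing `(in subj.unconfined` form continues outside the hunk.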
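Review bot: The mcs.cil header hunk replaces `©` with the literal `M-BM-)`, which is an encoding escape leaking into the file rather than a formatting change. Keep `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>` byte-for-byte; the `(defaultrange blk_file source low)` context line below it is unaffected.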
@@ -11,28 +11,28 @@ (block mcs - (mlsconstrain (constrainobject (create relabelto)) - (or (neq t1 constrained.typeattr) - (and (dom h1 h2) (eq l2 h2)))) + (mlsconstrain (constrainobject (create relabelto)) + (or (neq t1 constrained.typeattr) + (and (dom h1 h2) (eq l2 h2)))) - (mlsconstrain (constrainobject (append getattr read setattr write)) - (or (dom h1 h2) - (neq t1 constrained.typeattr))) + (mlsconstrain (constrainobject (append getattr read setattr write)) + (or (dom h1 h2) + (neq t1 constrained.typeattr))) - (mlsconstrain - (process (dyntransition getrlimit getsched ptrace setrlimit setsched - sigchld sigkill signal signull sigstop - transition)) - (or (dom h1 h2) - (neq t1 constrained.typeattr))) + (mlsconstrain + (process (dyntransition getrlimit getsched ptrace setrlimit setsched + sigchld sigkill signal signull sigstop + transition)) + (or (dom h1 h2) + (neq t1 constrained.typeattr))) - (mlsconstrain (fifo_file (append getattr read write setattr)) - (or (dom h1 h2) - (neq t1 constrained.typeattr))) + (mlsconstrain (fifo_file (append getattr read write setattr)) + (or (dom h1 h2) + (neq t1 constrained.typeattr))) - (block constrained + (block constrained - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr))) + (typeattribute typeattr))) diff --git a/src/misc/constrain/rbac.cil b/src/misc/constrain/rbac.cil index 32b7350..3f836ab 100644 --- a/src/misc/constrain/rbac.cil +++ b/src/misc/constrain/rbac.cil 
@@ -1,83 +1,83 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block rbac - (constrain (constrainobject (create relabelto)) - (or (or (or (eq r1 r2) - (and (eq t1 objchangesys.typeattr) - (eq r2 .sys.role))) - (eq t1 objchange.typeattr)) - (eq t1 exempt.typeattr))) + (constrain (constrainobject (create relabelto)) + (or (or (or (eq r1 r2) + (and (eq t1 objchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr))) - (constrain (process (dyntransition transition)) - (or (or (or (eq r1 r2) - (and (eq t1 subjchange.typeattr) - (eq t2 subjchangetarget.typeattr))) - (and (eq t1 subjchangesys.typeattr) (eq r2 .sys.role))) - (eq t1 exempt.typeattr))) + (constrain (process (dyntransition transition)) + (or (or (or (eq r1 r2) + (and (eq t1 subjchange.typeattr) + (eq t2 subjchangetarget.typeattr))) + (and (eq t1 subjchangesys.typeattr) (eq r2 .sys.role))) + (eq t1 exempt.typeattr))) - (block change + (block change - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (call objchange.type (typeattr)) - (call subjchange.type (typeattr))) + (call objchange.type (typeattr)) + (call subjchange.type (typeattr))) - (block changesys + (block changesys - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (call objchangesys.type (typeattr)) - (call subjchangesys.type (typeattr))) + (call objchangesys.type (typeattr)) + (call subjchangesys.type (typeattr))) - (block exempt + (block exempt - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute 
typeattr)) + (typeattribute typeattr)) - (block objchange + (block objchange - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr)) - (block objchangesys + (block objchangesys - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr)) - (block subjchange + (block subjchange - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr)) - (block subjchangesys + (block subjchangesys - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr)) - (block subjchangetarget + (block subjchangetarget - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr))) + (typeattribute typeattr))) (in subj.unconfined diff --git a/src/misc/constrain/rbacsep.cil b/src/misc/constrain/rbacsep.cil index 2e15592..27c4f00 100644 --- a/src/misc/constrain/rbacsep.cil +++ b/src/misc/constrain/rbacsep.cil 
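Review bot: In this rbac.cil hunk the first added line turns the UTF-8 `©` of the SPDX header into the ASCII sequence `M-BM-)`, the `cat -v` spelling of bytes C2 A9; the rest of the hunk, the `rbac` constrain block and its sub-blocks, only changes leading whitespace. Revert that line to `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>` so the commit stays whitespace-only and the license header remains parseable by SPDX tooling. The trailing `(in subj.unconfined` form continues beyond the hunk.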
@@ -1,103 +1,103 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block rbacsep - (constrain (fifo_file (append getattr read setattr write)) - (or (or (or (or (eq r1 r2) - (and (eq r1 exempt.roleattr) - (neq t1 constrained.typeattr))) - (eq t1 exempt.subj.typeattr)) - (eq t2 exempt.obj.typeattr)) - (and (eq t1 exemptsource.typeattr) - (eq t2 exempttarget.typeattr)))) - - (constrain (constrainobject (append setattr write)) - (or (or (or (eq r1 r2) - (and (eq r1 exempt.roleattr) - (neq t1 constrained.typeattr))) - (eq t1 exempt.subj.typeattr)) - (eq t2 exempt.obj.typeattr))) - - (constrain (constrainobject (getattr read)) - (or (or (or (or (or (eq r1 r2) - (and (eq r1 exempt.roleattr) - (neq t1 constrained.typeattr))) - (eq t1 exempt.subj.typeattr)) - (eq t2 exempt.obj.typeattr)) - (and (eq r2 exempt.roleattr) (eq t2 typeattr))) - (and - (eq t1 readstatesource.typeattr) - (eq t2 readstatetarget.typeattr)))) - - (constrain - (process (getrlimit getsched ptrace setrlimit setsched sigchld sigkill - signal signull sigstop)) - (or (or (or (eq r1 r2) - (and (eq r1 exempt.roleattr) (neq t1 constrained.typeattr))) - (eq t1 exempt.subj.typeattr)) - (and (eq t1 exemptsource.typeattr) (eq t2 exempttarget.typeattr)))) - - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) - - (typeattribute typeattr) - - (block constrained + (constrain (fifo_file (append getattr read setattr write)) + (or (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (eq t2 exempt.obj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr)))) + + (constrain (constrainobject (append setattr write)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (eq t2 exempt.obj.typeattr))) + 
+ (constrain (constrainobject (getattr read)) + (or (or (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (eq t2 exempt.obj.typeattr)) + (and (eq r2 exempt.roleattr) (eq t2 typeattr))) + (and + (eq t1 readstatesource.typeattr) + (eq t2 readstatetarget.typeattr)))) + + (constrain + (process (getrlimit getsched ptrace setrlimit setsched sigchld sigkill + signal signull sigstop)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) (eq t2 exempttarget.typeattr)))) (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr) - (block exempt + (block constrained - (macro role ((role ARG1)) - (roleattributeset roleattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (roleattribute roleattr) + (typeattribute typeattr)) - (block obj + (block exempt - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro role ((role ARG1)) + (roleattributeset roleattr ARG1)) - (typeattribute typeattr)) + (roleattribute roleattr) - (block subj + (block obj - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr))) + (typeattribute typeattr)) - (block exemptsource + (block subj - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr))) - (block exempttarget + (block exemptsource - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr)) - (block readstatesource + (block exempttarget - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) 
+ (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr)) - (block readstatetarget + (block readstatesource - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block readstatetarget + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr))) + (typeattribute typeattr))) (in obj diff --git a/src/misc/default.cil b/src/misc/default.cil index 2d47e70..727787a 100644 --- a/src/misc/default.cil +++ b/src/misc/default.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (defaultrole blk_file source) diff --git a/src/misc/isid.cil b/src/misc/isid.cil index 7b71a95..34b30f2 100644 --- a/src/misc/isid.cil +++ b/src/misc/isid.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (sid devnull) @@ -31,7 +31,7 @@ (sid tcp_socket) (sidorder - (kernel security unlabeled fs file file_labels init any_socket port netif - netmsg node igmp_packet icmp_socket tcp_socket sysctl_modprobe sysctl - sysctl_fs sysctl_kernel sysctl_net sysctl_net_unix sysctl_vm sysctl_dev - kmod policy scmp_packet devnull)) + (kernel security unlabeled fs file file_labels init any_socket port netif + netmsg node igmp_packet icmp_socket tcp_socket sysctl_modprobe sysctl + sysctl_fs sysctl_kernel sysctl_net sysctl_net_unix sysctl_vm sysctl_dev + kmod policy scmp_packet devnull)) diff --git a/src/misc/map.cil b/src/misc/map.cil index 6a0bd4f..70c17ab 100644 --- a/src/misc/map.cil +++ b/src/misc/map.cil 
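Review bot: The rbacsep.cil hunk also rewrites the SPDX header's `©` as the literal `M-BM-)`, an escape of the bytes C2 A9 that should not have landed in the file; the remaining diff (the shifted `constrained`/`exempt`/`exemptsource`/`readstate*` blocks) is the diff algorithm aligning re-indented lines and carries no content change as far as the hunk shows. Restore `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`; the closing `(in obj` form lies outside the hunk.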
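Review bot: default.cil's header hunk replaces `©` with the ASCII text `M-BM-)`, corrupting the copyright notice instead of reformatting it. The line should read `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>` exactly as on the removed side.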
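Review bot: The first isid.cil hunk has the same `©` to `M-BM-)` corruption in the SPDX header, which is a byte-level encoding escape rather than whitespace. Revert it to `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`; the later `sidorder` hunk in this file is a genuine whitespace-only change and needs no attention.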
@@ -1,11 +1,11 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (classmap constrainobject (append create getattr read relabelto setattr write)) (classmap files - (create delete manage read readwrite relabel relabelfrom relabelto - rename watch write)) + (create delete manage read readwrite relabel relabelfrom relabelto + rename watch write)) (classmapping constrainobject append (blk_file (append))) (classmapping constrainobject append (chr_file (append))) diff --git a/src/misc/mls.cil b/src/misc/mls.cil index b54fe2a..66620e1 100644 --- a/src/misc/mls.cil +++ b/src/misc/mls.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (category c0) 
@@ -1027,74 +1027,74 @@ (category c1023) (categoryorder - (c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 c13 c14 c15 c16 c17 c18 c19 c20 c21 - c22 c23 c24 c25 c26 c27 c28 c29 c30 c31 c32 c33 c34 c35 c36 c37 c38 c39 c40 - c41 c42 c43 c44 c45 c46 c47 c48 c49 c50 c51 c52 c53 c54 c55 c56 c57 c58 c59 - c60 c61 c62 c63 c64 c65 c66 c67 c68 c69 c70 c71 c72 c73 c74 c75 c76 c77 c78 - c79 c80 c81 c82 c83 c84 c85 c86 c87 c88 c89 c90 c91 c92 c93 c94 c95 c96 c97 - c98 c99 c100 c101 c102 c103 c104 c105 c106 c107 c108 c109 c110 c111 c112 - c113 c114 c115 c116 c117 c118 c119 c120 c121 c122 c123 c124 c125 c126 c127 - c128 c129 c130 c131 c132 c133 c134 c135 c136 c137 c138 c139 c140 c141 c142 - c143 c144 c145 c146 c147 c148 c149 c150 c151 c152 c153 c154 c155 c156 c157 - c158 c159 c160 c161 c162 c163 c164 c165 c166 c167 c168 c169 c170 c171 c172 - c173 c174 c175 c176 c177 c178 c179 c180 c181 c182 c183 c184 c185 c186 c187 - c188 c189 c190 c191 c192 c193 c194 c195 c196 c197 c198 c199 c200 c201 c202 - c203 c204 c205 c206 c207 c208 c209 c210 c211 c212 c213 c214 c215 c216 c217 - c218 c219 c220 c221 c222 c223 c224 c225 c226 c227 c228 c229 c230 c231 c232 - c233 c234 c235 c236 c237 c238 c239 c240 c241 c242 c243 c244 c245 c246 c247 - c248 c249 c250 c251 c252 c253 c254 c255 c256 c257 c258 c259 c260 c261 c262 - c263 c264 c265 c266 c267 c268 c269 c270 c271 c272 c273 c274 c275 c276 c277 - c278 c279 c280 c281 c282 c283 c284 c285 c286 c287 c288 c289 c290 c291 c292 - c293 c294 c295 c296 c297 c298 c299 c300 c301 c302 c303 c304 c305 c306 c307 - c308 c309 c310 c311 c312 c313 c314 c315 c316 c317 c318 c319 c320 c321 c322 - c323 c324 c325 c326 c327 c328 c329 c330 c331 c332 c333 c334 c335 c336 c337 - c338 c339 c340 c341 c342 c343 c344 c345 c346 c347 c348 c349 c350 c351 c352 - c353 c354 c355 c356 c357 c358 c359 c360 c361 c362 c363 c364 c365 c366 c367 - c368 c369 c370 c371 c372 c373 c374 c375 c376 c377 c378 c379 c380 c381 c382 - c383 c384 c385 c386 c387 c388 c389 c390 c391 c392 c393 c394 c395 c396 c397 - c398 c399 
c400 c401 c402 c403 c404 c405 c406 c407 c408 c409 c410 c411 c412 - c413 c414 c415 c416 c417 c418 c419 c420 c421 c422 c423 c424 c425 c426 c427 - c428 c429 c430 c431 c432 c433 c434 c435 c436 c437 c438 c439 c440 c441 c442 - c443 c444 c445 c446 c447 c448 c449 c450 c451 c452 c453 c454 c455 c456 c457 - c458 c459 c460 c461 c462 c463 c464 c465 c466 c467 c468 c469 c470 c471 c472 - c473 c474 c475 c476 c477 c478 c479 c480 c481 c482 c483 c484 c485 c486 c487 - c488 c489 c490 c491 c492 c493 c494 c495 c496 c497 c498 c499 c500 c501 c502 - c503 c504 c505 c506 c507 c508 c509 c510 c511 c512 c513 c514 c515 c516 c517 - c518 c519 c520 c521 c522 c523 c524 c525 c526 c527 c528 c529 c530 c531 c532 - c533 c534 c535 c536 c537 c538 c539 c540 c541 c542 c543 c544 c545 c546 c547 - c548 c549 c550 c551 c552 c553 c554 c555 c556 c557 c558 c559 c560 c561 c562 - c563 c564 c565 c566 c567 c568 c569 c570 c571 c572 c573 c574 c575 c576 c577 - c578 c579 c580 c581 c582 c583 c584 c585 c586 c587 c588 c589 c590 c591 c592 - c593 c594 c595 c596 c597 c598 c599 c600 c601 c602 c603 c604 c605 c606 c607 - c608 c609 c610 c611 c612 c613 c614 c615 c616 c617 c618 c619 c620 c621 c622 - c623 c624 c625 c626 c627 c628 c629 c630 c631 c632 c633 c634 c635 c636 c637 - c638 c639 c640 c641 c642 c643 c644 c645 c646 c647 c648 c649 c650 c651 c652 - c653 c654 c655 c656 c657 c658 c659 c660 c661 c662 c663 c664 c665 c666 c667 - c668 c669 c670 c671 c672 c673 c674 c675 c676 c677 c678 c679 c680 c681 c682 - c683 c684 c685 c686 c687 c688 c689 c690 c691 c692 c693 c694 c695 c696 c697 - c698 c699 c700 c701 c702 c703 c704 c705 c706 c707 c708 c709 c710 c711 c712 - c713 c714 c715 c716 c717 c718 c719 c720 c721 c722 c723 c724 c725 c726 c727 - c728 c729 c730 c731 c732 c733 c734 c735 c736 c737 c738 c739 c740 c741 c742 - c743 c744 c745 c746 c747 c748 c749 c750 c751 c752 c753 c754 c755 c756 c757 - c758 c759 c760 c761 c762 c763 c764 c765 c766 c767 c768 c769 c770 c771 c772 - c773 c774 c775 c776 c777 c778 c779 c780 c781 c782 c783 c784 c785 c786 c787 - c788 
c789 c790 c791 c792 c793 c794 c795 c796 c797 c798 c799 c800 c801 c802 - c803 c804 c805 c806 c807 c808 c809 c810 c811 c812 c813 c814 c815 c816 c817 - c818 c819 c820 c821 c822 c823 c824 c825 c826 c827 c828 c829 c830 c831 c832 - c833 c834 c835 c836 c837 c838 c839 c840 c841 c842 c843 c844 c845 c846 c847 - c848 c849 c850 c851 c852 c853 c854 c855 c856 c857 c858 c859 c860 c861 c862 - c863 c864 c865 c866 c867 c868 c869 c870 c871 c872 c873 c874 c875 c876 c877 - c878 c879 c880 c881 c882 c883 c884 c885 c886 c887 c888 c889 c890 c891 c892 - c893 c894 c895 c896 c897 c898 c899 c900 c901 c902 c903 c904 c905 c906 c907 - c908 c909 c910 c911 c912 c913 c914 c915 c916 c917 c918 c919 c920 c921 c922 - c923 c924 c925 c926 c927 c928 c929 c930 c931 c932 c933 c934 c935 c936 c937 - c938 c939 c940 c941 c942 c943 c944 c945 c946 c947 c948 c949 c950 c951 c952 - c953 c954 c955 c956 c957 c958 c959 c960 c961 c962 c963 c964 c965 c966 c967 - c968 c969 c970 c971 c972 c973 c974 c975 c976 c977 c978 c979 c980 c981 c982 - c983 c984 c985 c986 c987 c988 c989 c990 c991 c992 c993 c994 c995 c996 c997 - c998 c999 c1000 c1001 c1002 c1003 c1004 c1005 c1006 c1007 c1008 c1009 c1010 - c1011 c1012 c1013 c1014 c1015 c1016 c1017 c1018 c1019 c1020 c1021 c1022 - c1023)) + (c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 c13 c14 c15 c16 c17 c18 c19 c20 c21 + c22 c23 c24 c25 c26 c27 c28 c29 c30 c31 c32 c33 c34 c35 c36 c37 c38 c39 c40 + c41 c42 c43 c44 c45 c46 c47 c48 c49 c50 c51 c52 c53 c54 c55 c56 c57 c58 c59 + c60 c61 c62 c63 c64 c65 c66 c67 c68 c69 c70 c71 c72 c73 c74 c75 c76 c77 c78 + c79 c80 c81 c82 c83 c84 c85 c86 c87 c88 c89 c90 c91 c92 c93 c94 c95 c96 c97 + c98 c99 c100 c101 c102 c103 c104 c105 c106 c107 c108 c109 c110 c111 c112 + c113 c114 c115 c116 c117 c118 c119 c120 c121 c122 c123 c124 c125 c126 c127 + c128 c129 c130 c131 c132 c133 c134 c135 c136 c137 c138 c139 c140 c141 c142 + c143 c144 c145 c146 c147 c148 c149 c150 c151 c152 c153 c154 c155 c156 c157 + c158 c159 c160 c161 c162 c163 c164 c165 c166 c167 c168 c169 c170 
c171 c172 + c173 c174 c175 c176 c177 c178 c179 c180 c181 c182 c183 c184 c185 c186 c187 + c188 c189 c190 c191 c192 c193 c194 c195 c196 c197 c198 c199 c200 c201 c202 + c203 c204 c205 c206 c207 c208 c209 c210 c211 c212 c213 c214 c215 c216 c217 + c218 c219 c220 c221 c222 c223 c224 c225 c226 c227 c228 c229 c230 c231 c232 + c233 c234 c235 c236 c237 c238 c239 c240 c241 c242 c243 c244 c245 c246 c247 + c248 c249 c250 c251 c252 c253 c254 c255 c256 c257 c258 c259 c260 c261 c262 + c263 c264 c265 c266 c267 c268 c269 c270 c271 c272 c273 c274 c275 c276 c277 + c278 c279 c280 c281 c282 c283 c284 c285 c286 c287 c288 c289 c290 c291 c292 + c293 c294 c295 c296 c297 c298 c299 c300 c301 c302 c303 c304 c305 c306 c307 + c308 c309 c310 c311 c312 c313 c314 c315 c316 c317 c318 c319 c320 c321 c322 + c323 c324 c325 c326 c327 c328 c329 c330 c331 c332 c333 c334 c335 c336 c337 + c338 c339 c340 c341 c342 c343 c344 c345 c346 c347 c348 c349 c350 c351 c352 + c353 c354 c355 c356 c357 c358 c359 c360 c361 c362 c363 c364 c365 c366 c367 + c368 c369 c370 c371 c372 c373 c374 c375 c376 c377 c378 c379 c380 c381 c382 + c383 c384 c385 c386 c387 c388 c389 c390 c391 c392 c393 c394 c395 c396 c397 + c398 c399 c400 c401 c402 c403 c404 c405 c406 c407 c408 c409 c410 c411 c412 + c413 c414 c415 c416 c417 c418 c419 c420 c421 c422 c423 c424 c425 c426 c427 + c428 c429 c430 c431 c432 c433 c434 c435 c436 c437 c438 c439 c440 c441 c442 + c443 c444 c445 c446 c447 c448 c449 c450 c451 c452 c453 c454 c455 c456 c457 + c458 c459 c460 c461 c462 c463 c464 c465 c466 c467 c468 c469 c470 c471 c472 + c473 c474 c475 c476 c477 c478 c479 c480 c481 c482 c483 c484 c485 c486 c487 + c488 c489 c490 c491 c492 c493 c494 c495 c496 c497 c498 c499 c500 c501 c502 + c503 c504 c505 c506 c507 c508 c509 c510 c511 c512 c513 c514 c515 c516 c517 + c518 c519 c520 c521 c522 c523 c524 c525 c526 c527 c528 c529 c530 c531 c532 + c533 c534 c535 c536 c537 c538 c539 c540 c541 c542 c543 c544 c545 c546 c547 + c548 c549 c550 c551 c552 c553 c554 c555 c556 c557 c558 c559 
c560 c561 c562 + c563 c564 c565 c566 c567 c568 c569 c570 c571 c572 c573 c574 c575 c576 c577 + c578 c579 c580 c581 c582 c583 c584 c585 c586 c587 c588 c589 c590 c591 c592 + c593 c594 c595 c596 c597 c598 c599 c600 c601 c602 c603 c604 c605 c606 c607 + c608 c609 c610 c611 c612 c613 c614 c615 c616 c617 c618 c619 c620 c621 c622 + c623 c624 c625 c626 c627 c628 c629 c630 c631 c632 c633 c634 c635 c636 c637 + c638 c639 c640 c641 c642 c643 c644 c645 c646 c647 c648 c649 c650 c651 c652 + c653 c654 c655 c656 c657 c658 c659 c660 c661 c662 c663 c664 c665 c666 c667 + c668 c669 c670 c671 c672 c673 c674 c675 c676 c677 c678 c679 c680 c681 c682 + c683 c684 c685 c686 c687 c688 c689 c690 c691 c692 c693 c694 c695 c696 c697 + c698 c699 c700 c701 c702 c703 c704 c705 c706 c707 c708 c709 c710 c711 c712 + c713 c714 c715 c716 c717 c718 c719 c720 c721 c722 c723 c724 c725 c726 c727 + c728 c729 c730 c731 c732 c733 c734 c735 c736 c737 c738 c739 c740 c741 c742 + c743 c744 c745 c746 c747 c748 c749 c750 c751 c752 c753 c754 c755 c756 c757 + c758 c759 c760 c761 c762 c763 c764 c765 c766 c767 c768 c769 c770 c771 c772 + c773 c774 c775 c776 c777 c778 c779 c780 c781 c782 c783 c784 c785 c786 c787 + c788 c789 c790 c791 c792 c793 c794 c795 c796 c797 c798 c799 c800 c801 c802 + c803 c804 c805 c806 c807 c808 c809 c810 c811 c812 c813 c814 c815 c816 c817 + c818 c819 c820 c821 c822 c823 c824 c825 c826 c827 c828 c829 c830 c831 c832 + c833 c834 c835 c836 c837 c838 c839 c840 c841 c842 c843 c844 c845 c846 c847 + c848 c849 c850 c851 c852 c853 c854 c855 c856 c857 c858 c859 c860 c861 c862 + c863 c864 c865 c866 c867 c868 c869 c870 c871 c872 c873 c874 c875 c876 c877 + c878 c879 c880 c881 c882 c883 c884 c885 c886 c887 c888 c889 c890 c891 c892 + c893 c894 c895 c896 c897 c898 c899 c900 c901 c902 c903 c904 c905 c906 c907 + c908 c909 c910 c911 c912 c913 c914 c915 c916 c917 c918 c919 c920 c921 c922 + c923 c924 c925 c926 c927 c928 c929 c930 c931 c932 c933 c934 c935 c936 c937 + c938 c939 c940 c941 c942 c943 c944 c945 c946 c947 c948 
c949 c950 c951 c952 + c953 c954 c955 c956 c957 c958 c959 c960 c961 c962 c963 c964 c965 c966 c967 + c968 c969 c970 c971 c972 c973 c974 c975 c976 c977 c978 c979 c980 c981 c982 + c983 c984 c985 c986 c987 c988 c989 c990 c991 c992 c993 c994 c995 c996 c997 + c998 c999 c1000 c1001 c1002 c1003 c1004 c1005 c1006 c1007 c1008 c1009 c1010 + c1011 c1012 c1013 c1014 c1015 c1016 c1017 c1018 c1019 c1020 c1021 c1022 + c1023)) (categoryset catset (range c0 c1023)) diff --git a/src/misc/modular.cil b/src/misc/modular.cil index 667a179..2a1b79a 100644 --- a/src/misc/modular.cil +++ b/src/misc/modular.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (selinuxuserdefault sys.id sys.lowlow) diff --git a/src/misc/obj.cil b/src/misc/obj.cil index 812b50e..30f9acc 100644 --- a/src/misc/obj.cil +++ b/src/misc/obj.cil @@ -1,16 +1,16 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block obj - (macro role ((role ARG1)) - (roleattributeset roleattr ARG1)) + (macro role ((role ARG1)) + (roleattributeset roleattr ARG1)) - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (roleattribute roleattr) + (roleattribute roleattr) - (typeattribute typeattr) + (typeattribute typeattr) - (roletype roleattr typeattr)) + (roletype roleattr typeattr)) diff --git a/src/misc/perm.cil b/src/misc/perm.cil index 11cfb91..a770c0e 100644 --- a/src/misc/perm.cil +++ b/src/misc/perm.cil 
@@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (classpermission addname_dir) @@ -129,20 +129,20 @@ (classpermission writeinherited_sock_file) (classpermissionset addname_dir - (dir (add_name getattr ioctl lock open read search write))) + (dir (add_name getattr ioctl lock open read search write))) (classpermissionset append_blk_file (blk_file (append getattr ioctl lock open))) (classpermissionset append_chr_file (chr_file (append getattr ioctl lock open))) (classpermissionset append_fifo_file - (fifo_file (append getattr ioctl lock open))) + (fifo_file (append getattr ioctl lock open))) (classpermissionset append_file (file (append getattr ioctl lock open))) (classpermissionset appendinherited_blk_file - (blk_file (append getattr ioctl lock))) + (blk_file (append getattr ioctl lock))) (classpermissionset appendinherited_chr_file - (chr_file (append getattr ioctl lock))) + (chr_file (append getattr ioctl lock))) (classpermissionset appendinherited_fifo_file - (fifo_file (append getattr ioctl lock))) + (fifo_file (append getattr ioctl lock))) (classpermissionset appendinherited_file (file (append getattr ioctl lock))) (classpermissionset create_blk_file (blk_file (create getattr))) 
@@ -162,39 +162,39 @@ (classpermissionset delete_sock_file (sock_file (getattr unlink))) (classpermissionset deletename_dir - (dir (getattr ioctl lock open read remove_name search - write))) + (dir (getattr ioctl lock open read remove_name search + write))) (classpermissionset execute_file - (file (execute execute_no_trans getattr ioctl map open - read))) + (file (execute execute_no_trans getattr ioctl map open + read))) (classpermissionset list_dir (dir (getattr ioctl lock open read search))) (classpermissionset listinherited_dir (dir (getattr ioctl lock read search))) (classpermissionset manage_blk_file - (blk_file (append create getattr ioctl link lock open read - rename setattr unlink write))) + (blk_file (append create getattr ioctl link lock open read + rename setattr unlink write))) (classpermissionset manage_chr_file - (chr_file (append create getattr ioctl link lock open read - rename setattr unlink write))) + (chr_file (append create getattr ioctl link lock open read + rename setattr unlink write))) (classpermissionset manage_dir - (dir (add_name create getattr ioctl link lock open read - setattr remove_name rename reparent rmdir - search write))) + (dir (add_name create getattr ioctl link lock open read + setattr remove_name rename reparent rmdir + search write))) (classpermissionset manage_fifo_file - (fifo_file (append create getattr ioctl link lock open read - rename setattr unlink write))) + (fifo_file (append create getattr ioctl link lock open read + rename setattr unlink write))) (classpermissionset manage_file - (file (append create getattr ioctl link lock open read - rename setattr unlink write))) + (file (append create getattr ioctl link lock open read + rename setattr unlink write))) (classpermissionset manage_lnk_file - (lnk_file (append create getattr link lock read rename - setattr unlink write))) + (lnk_file (append create getattr link lock read rename + setattr unlink write))) (classpermissionset manage_sock_file - (sock_file (append 
create getattr ioctl link lock open read - rename setattr unlink write))) + (sock_file (append create getattr ioctl link lock open read + rename setattr unlink write))) (classpermissionset mapexecute_chr_file (chr_file (execute map))) (classpermissionset mapexecute_file (file (execute map))) 
@@ -213,50 +213,50 @@ (classpermissionset readinherited_blk_file (blk_file (getattr ioctl lock read))) (classpermissionset readinherited_chr_file (chr_file (getattr ioctl lock read))) (classpermissionset readinherited_fifo_file - (fifo_file (getattr ioctl lock read))) + (fifo_file (getattr ioctl lock read))) (classpermissionset readinherited_file (file (getattr ioctl lock read))) (classpermissionset readinherited_sock_file - (sock_file (getattr ioctl lock read))) + (sock_file (getattr ioctl lock read))) (classpermissionset readwrite_blk_file - (blk_file (append getattr ioctl lock open read write))) + (blk_file (append getattr ioctl lock open read write))) (classpermissionset readwrite_chr_file - (chr_file (append getattr ioctl lock open read write))) + (chr_file (append getattr ioctl lock open read write))) (classpermissionset readwrite_dir - (dir (add_name getattr ioctl lock open read remove_name - search write))) + (dir (add_name getattr ioctl lock open read remove_name + search write))) (classpermissionset readwrite_fifo_file - (fifo_file (append getattr ioctl lock open read write))) + (fifo_file (append getattr ioctl lock open read write))) (classpermissionset readwrite_file - (file (append getattr ioctl lock open read write))) + (file (append getattr ioctl lock open read write))) (classpermissionset readwrite_lnk_file - (lnk_file (append getattr lock read write))) + (lnk_file (append getattr lock read write))) (classpermissionset readwrite_sock_file - (sock_file (append getattr ioctl lock open read write))) + (sock_file (append getattr ioctl lock open read write))) (classpermissionset readwriteinherited_blk_file - (blk_file (append getattr ioctl lock read write))) + (blk_file (append getattr ioctl lock read write))) (classpermissionset readwriteinherited_chr_file - (chr_file (append getattr ioctl lock read write))) + (chr_file (append getattr ioctl lock read write))) (classpermissionset readwriteinherited_dir - (dir (add_name getattr ioctl lock read 
remove_name search - write))) + (dir (add_name getattr ioctl lock read remove_name search + write))) (classpermissionset readwriteinherited_fifo_file - (fifo_file (append getattr ioctl lock read write))) + (fifo_file (append getattr ioctl lock read write))) (classpermissionset readwriteinherited_file - (file (append getattr ioctl lock read write))) + (file (append getattr ioctl lock read write))) (classpermissionset readwriteinherited_sock_file - (sock_file (append getattr ioctl lock read write))) + (sock_file (append getattr ioctl lock read write))) (classpermissionset relabel_blk_file (blk_file (getattr relabelfrom relabelto))) (classpermissionset relabel_chr_file (chr_file (getattr relabelfrom relabelto))) (classpermissionset relabel_dir (dir (getattr relabelfrom relabelto))) (classpermissionset relabel_fifo_file - (fifo_file (getattr relabelfrom relabelto))) + (fifo_file (getattr relabelfrom relabelto))) (classpermissionset relabel_file (file (getattr relabelfrom relabelto))) (classpermissionset relabel_lnk_file (lnk_file (getattr relabelfrom relabelto))) (classpermissionset relabel_sock_file - (sock_file (getattr relabelfrom relabelto))) + (sock_file (getattr relabelfrom relabelto))) (classpermissionset relabelfrom_blk_file (blk_file (getattr relabelfrom))) (classpermissionset relabelfrom_chr_file (chr_file (getattr relabelfrom))) 
@@ -285,30 +285,30 @@ (classpermissionset search_dir (dir (getattr search))) (classpermissionset write_blk_file - (blk_file (append getattr ioctl lock open write))) + (blk_file (append getattr ioctl lock open write))) (classpermissionset write_chr_file - (chr_file (append getattr ioctl lock open write))) + (chr_file (append getattr ioctl lock open write))) (classpermissionset write_dir - (dir (add_name getattr ioctl lock open remove_name search - write))) + (dir (add_name getattr ioctl lock open remove_name search + write))) (classpermissionset write_fifo_file - (fifo_file (append getattr ioctl lock open write))) + (fifo_file (append getattr ioctl lock open write))) (classpermissionset write_file - (file (append getattr ioctl lock open write))) + (file (append getattr ioctl lock open write))) (classpermissionset write_lnk_file (lnk_file (append getattr lock write))) (classpermissionset write_sock_file - (sock_file (append getattr ioctl lock open write))) + (sock_file (append getattr ioctl lock open write))) (classpermissionset writeinherited_blk_file - (blk_file (append getattr ioctl lock write))) + (blk_file (append getattr ioctl lock write))) (classpermissionset writeinherited_chr_file - (chr_file (append getattr ioctl lock write))) + (chr_file (append getattr ioctl lock write))) (classpermissionset writeinherited_dir - (dir (add_name getattr ioctl lock remove_name search - write))) + (dir (add_name getattr ioctl lock remove_name search + write))) (classpermissionset writeinherited_fifo_file - (fifo_file (append getattr ioctl lock write))) + (fifo_file (append getattr ioctl lock write))) (classpermissionset writeinherited_file - (file (append getattr ioctl lock write))) + (file (append getattr ioctl lock write))) (classpermissionset writeinherited_sock_file - (sock_file (append getattr ioctl lock write))) + (sock_file (append getattr ioctl lock write))) diff --git a/src/misc/unconfined.cil b/src/misc/unconfined.cil index 1a5b0cc..f8d9730 100644 
--- a/src/misc/unconfined.cil +++ b/src/misc/unconfined.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr)) + (typeattribute typeattr)) diff --git a/src/misc/xperm/consolexperm.cil b/src/misc/xperm/consolexperm.cil index 3b49284..7480653 100644 --- a/src/misc/xperm/consolexperm.cil +++ b/src/misc/xperm/consolexperm.cil @@ -1,14 +1,14 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (permissionx IOCTLCONSOLE_NOT_TIOCLINUX - (ioctl chr_file (0x4b72 0x4b31 0x4b32 0x4b64 0x4b65 0x4b33 0x4b34 - 0x4b35 0x4b36 0x4b37 0x4b3a 0x4b3b 0x4b30 - 0x4b2f 0x4b70 0x4b71 0x4b60 0x4b6b 0x4b61 - 0x4b6c 0x4b6d 0x4b40 0x4b69 0x4b41 0x4b6a - 0x4b66 0x4b67 0x4b68 0x4b44 0x4b45 0x4b62 - 0x4b63 0x4b46 0x4b47 0x4b48 0x4b49 0x4b4a - 0x4b4c 0x4b4d 0x4b4e 0x4bfa 0x4bfb))) + (ioctl chr_file (0x4b72 0x4b31 0x4b32 0x4b64 0x4b65 0x4b33 0x4b34 + 0x4b35 0x4b36 0x4b37 0x4b3a 0x4b3b 0x4b30 + 0x4b2f 0x4b70 0x4b71 0x4b60 0x4b6b 0x4b61 + 0x4b6c 0x4b6d 0x4b40 0x4b69 0x4b41 0x4b6a + 0x4b66 0x4b67 0x4b68 0x4b44 0x4b45 0x4b62 + 0x4b63 0x4b46 0x4b47 0x4b48 0x4b49 0x4b4a + 0x4b4c 0x4b4d 0x4b4e 0x4bfa 0x4bfb))) ;; Font handling (permissionx KDFONTOP (ioctl chr_file (0x4b72))) diff --git a/src/misc/xperm/ttyxperm.cil b/src/misc/xperm/ttyxperm.cil index 15a4241..17d3f6e 100644 --- a/src/misc/xperm/ttyxperm.cil +++ b/src/misc/xperm/ttyxperm.cil 
@@ -1,17 +1,17 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (permissionx IOCTLTTY_NOT_TIOCSTI
- (ioctl chr_file (0x5405 0x542a 0x540d 0x5401 0x5406 0x542b 0x5402
- 0x5403 0x542c 0x5407 0x5404 0x542d 0x5408
- 0x5456 0x5457 0x7468 0x5413 0x7467 0x5414
- 0x5409 0x5425 0x5427 0x5428 0x540a 0x467f
- 0x541b 0x7472 0x5411 0x540b 0x541d 0x5480
- 0x540e 0x5422 0x540f 0x5410 0x5429 0x540c
- 0x5440 0x540c 0x5424 0x5423 0x5420 0x5438
- 0x5431 0x5439 0x5415 0x5418 0x5417 0x5416
- 0x545c 0x545d 0x5419 0x541a 0x541e
- 0x5459)))
+ (ioctl chr_file (0x5405 0x542a 0x540d 0x5401 0x5406 0x542b 0x5402
+ 0x5403 0x542c 0x5407 0x5404 0x542d 0x5408
+ 0x5456 0x5457 0x7468 0x5413 0x7467 0x5414
+ 0x5409 0x5425 0x5427 0x5428 0x540a 0x467f
+ 0x541b 0x7472 0x5411 0x540b 0x541d 0x5480
+ 0x540e 0x5422 0x540f 0x5410 0x5429 0x540c
+ 0x5440 0x540c 0x5424 0x5423 0x5420 0x5438
+ 0x5431 0x5439 0x5415 0x5418 0x5417 0x5416
+ 0x545c 0x545d 0x5419 0x541a 0x541e
+ 0x5459)))
 ;; Get the current serial port settings
 (permissionx TCGETS (ioctl chr_file (0x5405 0x542a 0x540d 0x5401)))
diff --git a/src/misc/xperm/vtxperm.cil b/src/misc/xperm/vtxperm.cil
index b13cea9..794976b 100644
--- a/src/misc/xperm/vtxperm.cil
+++ b/src/misc/xperm/vtxperm.cil
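Review bot: `0x540c` appears twice in IOCTLTTY_NOT_TIOCSTI (`... 0x5410 0x5429 0x540c` and again in `0x5440 0x540c 0x5424 ...`); a repeated value is harmless in the compiled xperm bitmap, but it reads like a slip for a neighbouring TIOC* number that was meant to be listed, so either drop the second `0x540c` or replace it with the intended ioctl. The set does leave out `0x5412` (TIOCSTI) and `0x541c` (TIOCLINUX), which is what the name promises. A short comment naming the ioctls each line covers would make future audits of this allowlist far cheaper than re-deriving them from `<asm-generic/ioctls.h>`.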
@@ -1,11 +1,11 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (permissionx IOCTLVT
- (ioctl chr_file (0x0001 0x0002 0x0004 0x0008 0x5600 0x5601 0x5602
- 0x5603 0x5604 0x5605 0x5606 0x5607 0x5708
- 0x5609 0x560A 0x560B 0x560C 0x560D 0x560E
- 0x560F)))
+ (ioctl chr_file (0x0001 0x0002 0x0004 0x0008 0x5600 0x5601 0x5602
+ 0x5603 0x5604 0x5605 0x5606 0x5607 0x5708
+ 0x5609 0x560A 0x560B 0x560C 0x560D 0x560E
+ 0x560F)))
 ;; Console switch
 (permissionx VT_EVENT_SWITCH (ioctl chr_file (0x0001)))
diff --git a/src/net.cil b/src/net.cil
index 2592359..b36fb70 100644
--- a/src/net.cil
+++ b/src/net.cil
@@ -1,14 +1,14 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block net
- (block unconfined
+ (block unconfined
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)))
+ (typeattribute typeattr)))
 (in unconfined
diff --git a/src/net/ibnet.cil b/src/net/ibnet.cil
index cda4939..9bef422 100644
--- a/src/net/ibnet.cil
+++ b/src/net/ibnet.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in net
@@ -7,9 +7,9 @@
 (block ib
- (block unconfined
+ (block unconfined
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr))))
+ (typeattribute typeattr))))
diff --git a/src/net/ibnet/endportibnet.cil b/src/net/ibnet/endportibnet.cil
index d942909..031f9b9 100644
--- a/src/net/ibnet/endportibnet.cil
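Review bot: `0x5708` in IOCTLVT breaks the otherwise consecutive VT_* run `0x5600 … 0x5607, 0x5609 … 0x560F`; the missing member of that run, VT_DISALLOCATE, is `0x5608` in `<linux/vt.h>`, so this looks like a digit typo rather than a deliberate entry (it predates this commit, but a reindent-only change is a cheap moment to fix it). As written the allowlist denies VT_DISALLOCATE to every domain granted IOCTLVT and instead permits an unrelated command in the `0x57` ioctl group, which is the wrong direction for an xperm filter; change it to `0x5608` unless `0x5708` is intentional, in which case a comment naming that ioctl would stop the next reviewer asking. The leading `0x0001 0x0002 0x0004 0x0008` also look like VT_EVENT_* mask bits rather than ioctl command numbers (VT_EVENT_SWITCH below reuses `0x0001` the same way), so confirm against the header that these are meant to match ioctl requests at all.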
+++ b/src/net/ibnet/endportibnet.cil @@ -1,11 +1,11 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class infiniband_endport (manage_subnet)) (classorder (unordered infiniband_endport)) (macro managesubnet_invalid_endports ((type ARG1)) - (allow ARG1 invalid (infiniband_endport (manage_subnet)))) + (allow ARG1 invalid (infiniband_endport (manage_subnet)))) (in invalid.unconfined @@ -14,8 +14,8 @@ (in mcs (mlsconstrain (infiniband_endport (manage_subnet)) - (or (dom h1 h2) - (neq t1 constrained.typeattr)))) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) (in net.ib 
@@ -23,53 +23,53 @@ (block endport - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro managesubnet_all_endports ((type ARG1)) - (allow ARG1 typeattr (infiniband_endport (manage_subnet))))) + (macro managesubnet_all_endports ((type ARG1)) + (allow ARG1 typeattr (infiniband_endport (manage_subnet))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context endport_context (.sys.id .sys.role endport .sys.lowlow)) + (context endport_context (.sys.id .sys.role endport .sys.lowlow)) - (type endport) - (call .net.ib.endport.type (endport))) + (type endport) + (call .net.ib.endport.type (endport))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro managesubnet_endports ((type ARG1)) - (allow ARG1 endport (infiniband_endport (manage_subnet))))) + (macro managesubnet_endports ((type ARG1)) + (allow ARG1 endport (infiniband_endport (manage_subnet))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.ib.endport.base_template) - (blockinherit .net.ib.endport.macro_template)) + (blockinherit .net.ib.endport.base_template) + (blockinherit .net.ib.endport.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr endport.typeattr (infiniband_endport (all)))))) + (allow typeattr endport.typeattr 
(infiniband_endport (all)))))) (in net.ib.unconfined diff --git a/src/net/ibnet/pkeyibnet.cil b/src/net/ibnet/pkeyibnet.cil index 4908076..27d38c8 100644 --- a/src/net/ibnet/pkeyibnet.cil +++ b/src/net/ibnet/pkeyibnet.cil @@ -1,11 +1,11 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class infiniband_pkey (access)) (classorder (unordered infiniband_pkey)) (macro access_invalid_pkeys ((type ARG1)) - (allow ARG1 invalid (infiniband_pkey (access)))) + (allow ARG1 invalid (infiniband_pkey (access)))) (in invalid.unconfined @@ -14,8 +14,8 @@ (in mcs (mlsconstrain (infiniband_pkey (access)) - (or (dom h1 h2) - (neq t1 constrained.typeattr)))) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) (in net.ib 
@@ -23,53 +23,53 @@ (block pkey - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro access_all_pkeys ((type ARG1)) - (allow ARG1 typeattr (infiniband_pkey (access))))) + (macro access_all_pkeys ((type ARG1)) + (allow ARG1 typeattr (infiniband_pkey (access))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context pkey_context (.sys.id .sys.role pkey .sys.lowlow)) + (context pkey_context (.sys.id .sys.role pkey .sys.lowlow)) - (type pkey) - (call .net.ib.pkey.type (pkey))) + (type pkey) + (call .net.ib.pkey.type (pkey))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro access_pkeys ((type ARG1)) - (allow ARG1 pkey (infiniband_pkey (access))))) + (macro access_pkeys ((type ARG1)) + (allow ARG1 pkey (infiniband_pkey (access))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.ib.pkey.base_template) - (blockinherit .net.ib.pkey.macro_template)) + (blockinherit .net.ib.pkey.base_template) + (blockinherit .net.ib.pkey.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr pkey.typeattr (infiniband_pkey (all)))))) + (allow typeattr pkey.typeattr (infiniband_pkey (all)))))) (in net.ib.unconfined diff --git a/src/net/netifnet.cil b/src/net/netifnet.cil index af818e1..2a24282 100644 
--- a/src/net/netifnet.cil +++ b/src/net/netifnet.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (sidcontext netif (sys.id sys.role net.netif sys.lowlow)) @@ -7,18 +7,18 @@ (classorder (unordered netif)) (macro egress_invalid_netifs ((type ARG1)) - (allow ARG1 invalid (netif (egress)))) + (allow ARG1 invalid (netif (egress)))) (macro egressingress_invalid_netifs ((type ARG1)) - (allow ARG1 invalid (netif (egress ingress)))) + (allow ARG1 invalid (netif (egress ingress)))) (macro ingress_invalid_netifs ((type ARG1)) - (allow ARG1 invalid (netif (ingress)))) + (allow ARG1 invalid (netif (ingress)))) (tunableif (or invalid_associations invalid_peers) - (true + (true - (call net.netif.egressingress_all_netifs (invalid)))) + (call net.netif.egressingress_all_netifs (invalid)))) (in invalid.unconfined @@ -27,8 +27,8 @@ (in mcs (mlsconstrain (netif (egress ingress)) - (or (dom h1 h2) - (neq t1 constrained.typeattr)))) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) (in net 
@@ -36,65 +36,65 @@ (block netif - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro egress_all_netifs ((type ARG1)) - (allow ARG1 typeattr (netif (egress)))) + (macro egress_all_netifs ((type ARG1)) + (allow ARG1 typeattr (netif (egress)))) - (macro egressingress_all_netifs ((type ARG1)) - (allow ARG1 typeattr (netif (egress ingress)))) + (macro egressingress_all_netifs ((type ARG1)) + (allow ARG1 typeattr (netif (egress ingress)))) - (macro ingress_all_netifs ((type ARG1)) - (allow ARG1 typeattr (netif (ingress))))) + (macro ingress_all_netifs ((type ARG1)) + (allow ARG1 typeattr (netif (ingress))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context netif_context (.sys.id .sys.role netif .sys.lowlow)) + (context netif_context (.sys.id .sys.role netif .sys.lowlow)) - (type netif) - (call .net.netif.type (netif))) + (type netif) + (call .net.netif.type (netif))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro egress_netifs ((type ARG1)) - (allow ARG1 netif (netif (egress)))) + (macro egress_netifs ((type ARG1)) + (allow ARG1 netif (netif (egress)))) - (macro egressingress_netifs ((type ARG1)) - (allow ARG1 netif (netif (egress ingress)))) + (macro egressingress_netifs ((type ARG1)) + (allow ARG1 netif (netif (egress ingress)))) - (macro ingress_netifs ((type ARG1)) - (allow ARG1 netif (netif (ingress))))) + (macro ingress_netifs ((type ARG1)) + (allow ARG1 netif (netif (ingress))))) - (block template + (block template - 
(blockabstract template) + (blockabstract template) - (blockinherit .net.netif.base_template) - (blockinherit .net.netif.macro_template)) + (blockinherit .net.netif.base_template) + (blockinherit .net.netif.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr netif.typeattr (netif (all)))))) + (allow typeattr netif.typeattr (netif (all)))))) (in net.unconfined diff --git a/src/net/nodenet.cil b/src/net/nodenet.cil index 2f1fc55..dec1baa 100644 --- a/src/net/nodenet.cil +++ b/src/net/nodenet.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (sidcontext node (sys.id sys.role net.netnode sys.lowlow)) @@ -7,18 +7,18 @@ (classorder (unordered node)) (macro recvfrom_invalid_nodes ((type ARG1)) - (allow ARG1 invalid (node (recvfrom)))) + (allow ARG1 invalid (node (recvfrom)))) (macro recvfromsendto_invalid_nodes ((type ARG1)) - (allow ARG1 invalid (node (recvfrom sendto)))) + (allow ARG1 invalid (node (recvfrom sendto)))) (macro sendto_invalid_nodes ((type ARG1)) - (allow ARG1 invalid (node (sendto)))) + (allow ARG1 invalid (node (sendto)))) (tunableif (or invalid_associations invalid_peers) - (true + (true - (call net.netnode.recvfromsendto_all_nodes (invalid)))) + (call net.netnode.recvfromsendto_all_nodes (invalid)))) (in invalid.unconfined @@ -27,10 +27,10 @@ (in mcs (mlsconstrain (node (recvfrom sendto)) - (or (dom h1 h2) - (and - (neq t1 constrained.typeattr) - (neq t2 constrained.typeattr))))) + (or (dom h1 h2) + (and + (neq t1 constrained.typeattr) + (neq t2 constrained.typeattr))))) (in net 
@@ -38,107 +38,107 @@ (block netnode - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro nodebind_all_dccp_sockets ((type ARG1)) - (allow ARG1 typeattr (dccp_socket (node_bind)))) + (macro nodebind_all_dccp_sockets ((type ARG1)) + (allow ARG1 typeattr (dccp_socket (node_bind)))) - (macro nodebind_all_icmp_sockets ((type ARG1)) - (allow ARG1 typeattr (icmp_socket (node_bind)))) + (macro nodebind_all_icmp_sockets ((type ARG1)) + (allow ARG1 typeattr (icmp_socket (node_bind)))) - (macro nodebind_all_rawip_sockets ((type ARG1)) - (allow ARG1 typeattr (rawip_socket (node_bind)))) + (macro nodebind_all_rawip_sockets ((type ARG1)) + (allow ARG1 typeattr (rawip_socket (node_bind)))) - (macro nodebind_all_sctp_sockets ((type ARG1)) - (allow ARG1 typeattr (sctp_socket (node_bind)))) + (macro nodebind_all_sctp_sockets ((type ARG1)) + (allow ARG1 typeattr (sctp_socket (node_bind)))) - (macro nodebind_all_tcp_sockets ((type ARG1)) - (allow ARG1 typeattr (tcp_socket (node_bind)))) + (macro nodebind_all_tcp_sockets ((type ARG1)) + (allow ARG1 typeattr (tcp_socket (node_bind)))) - (macro nodebind_all_udp_sockets ((type ARG1)) - (allow ARG1 typeattr (udp_socket (node_bind)))) + (macro nodebind_all_udp_sockets ((type ARG1)) + (allow ARG1 typeattr (udp_socket (node_bind)))) - (macro recvfrom_all_nodes ((type ARG1)) - (allow ARG1 typeattr (node (recvfrom)))) + (macro recvfrom_all_nodes ((type ARG1)) + (allow ARG1 typeattr (node (recvfrom)))) - (macro recvfromsendto_all_nodes ((type ARG1)) - (allow ARG1 typeattr (node (recvfrom sendto)))) + (macro recvfromsendto_all_nodes ((type ARG1)) + 
(allow ARG1 typeattr (node (recvfrom sendto)))) - (macro sendto_all_nodes ((type ARG1)) - (allow ARG1 typeattr (node (sendto))))) + (macro sendto_all_nodes ((type ARG1)) + (allow ARG1 typeattr (node (sendto))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context netnode_context (.sys.id .sys.role netnode .sys.lowlow)) + (context netnode_context (.sys.id .sys.role netnode .sys.lowlow)) - (type netnode) - (call .net.netnode.type (netnode))) + (type netnode) + (call .net.netnode.type (netnode))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro nodebind_netnode_dccp_sockets ((type ARG1)) - (allow ARG1 netnode (dccp_socket (node_bind)))) + (macro nodebind_netnode_dccp_sockets ((type ARG1)) + (allow ARG1 netnode (dccp_socket (node_bind)))) - (macro nodebind_netnode_icmp_sockets ((type ARG1)) - (allow ARG1 netnode (icmp_socket (node_bind)))) + (macro nodebind_netnode_icmp_sockets ((type ARG1)) + (allow ARG1 netnode (icmp_socket (node_bind)))) - (macro nodebind_netnode_rawip_sockets ((type ARG1)) - (allow ARG1 netnode (rawip_socket (node_bind)))) + (macro nodebind_netnode_rawip_sockets ((type ARG1)) + (allow ARG1 netnode (rawip_socket (node_bind)))) - (macro nodebind_netnode_sctp_sockets ((type ARG1)) - (allow ARG1 netnode (sctp_socket (node_bind)))) + (macro nodebind_netnode_sctp_sockets ((type ARG1)) + (allow ARG1 netnode (sctp_socket (node_bind)))) - (macro nodebind_netnode_tcp_sockets ((type ARG1)) - (allow ARG1 netnode (tcp_socket (node_bind)))) + (macro nodebind_netnode_tcp_sockets ((type ARG1)) + (allow ARG1 netnode (tcp_socket (node_bind)))) - (macro nodebind_netnode_udp_sockets ((type ARG1)) - (allow ARG1 netnode (udp_socket (node_bind)))) + (macro nodebind_netnode_udp_sockets ((type ARG1)) + (allow ARG1 netnode (udp_socket (node_bind)))) - (macro recvfrom_nodes ((type ARG1)) - (allow ARG1 netnode (node (recvfrom)))) + 
(macro recvfrom_nodes ((type ARG1)) + (allow ARG1 netnode (node (recvfrom)))) - (macro recvfromsendto_nodes ((type ARG1)) - (allow ARG1 netnode (node (recvfrom sendto)))) + (macro recvfromsendto_nodes ((type ARG1)) + (allow ARG1 netnode (node (recvfrom sendto)))) - (macro sendto_nodes ((type ARG1)) - (allow ARG1 netnode (node (sendto))))) + (macro sendto_nodes ((type ARG1)) + (allow ARG1 netnode (node (sendto))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.netnode.base_template) - (blockinherit .net.netnode.macro_template)) + (blockinherit .net.netnode.base_template) + (blockinherit .net.netnode.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr netnode.typeattr (dccp_socket (node_bind))) - (allow typeattr netnode.typeattr (icmp_socket (node_bind))) - (allow typeattr netnode.typeattr (node (all))) - (allow typeattr netnode.typeattr (rawip_socket (node_bind))) - (allow typeattr netnode.typeattr (sctp_socket (node_bind))) - (allow typeattr netnode.typeattr (tcp_socket (node_bind))) - (allow typeattr netnode.typeattr (udp_socket (node_bind)))))) + (allow typeattr netnode.typeattr (dccp_socket (node_bind))) + (allow typeattr netnode.typeattr (icmp_socket (node_bind))) + (allow typeattr netnode.typeattr (node (all))) + (allow typeattr netnode.typeattr (rawip_socket (node_bind))) + (allow typeattr netnode.typeattr (sctp_socket (node_bind))) + (allow typeattr netnode.typeattr (tcp_socket (node_bind))) + (allow typeattr netnode.typeattr (udp_socket (node_bind)))))) (in net.unconfined diff --git a/src/net/packetnet.cil b/src/net/packetnet.cil index afb0225..89f2d37 100644 --- a/src/net/packetnet.cil +++ b/src/net/packetnet.cil 
@@ -1,50 +1,50 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class packet (forward_in forward_out recv relabelto send)) (classorder (unordered packet)) (macro forward_invalid_packets ((type ARG1)) - (allow ARG1 invalid (packet (forward_in forward_out)))) + (allow ARG1 invalid (packet (forward_in forward_out)))) (macro forwardin_invalid_packets ((type ARG1)) - (allow ARG1 invalid (packet (forward_in)))) + (allow ARG1 invalid (packet (forward_in)))) (macro forwardout_invalid_packets ((type ARG1)) - (allow ARG1 invalid (packet (forward_out)))) + (allow ARG1 invalid (packet (forward_out)))) (macro recv_invalid_packets ((type ARG1)) - (allow ARG1 invalid (packet (recv)))) + (allow ARG1 invalid (packet (recv)))) (macro recvsend_invalid_packets ((type ARG1)) - (allow ARG1 invalid (packet (recv send)))) + (allow ARG1 invalid (packet (recv send)))) (macro relabelto_invalid_packets ((type ARG1)) - (allow ARG1 invalid (packet (relabelto)))) + (allow ARG1 invalid (packet (relabelto)))) (macro send_invalid_packets ((type ARG1)) - (allow ARG1 invalid (packet (send)))) + (allow ARG1 invalid (packet (send)))) (tunableif invalid_packets - (true + (true - (call forward_invalid_packets (invalidpackets.except.typeattr)) - (call recvsend_invalid_packets (invalidpackets.except.typeattr)))) + (call forward_invalid_packets (invalidpackets.except.typeattr)) + (call recvsend_invalid_packets (invalidpackets.except.typeattr)))) (tunableif (or invalid_associations invalid_peers) - (true + (true - (call forward_invalid_packets (invalid)) + (call forward_invalid_packets (invalid)) - (call net.packet.forward_all_packets (invalid)))) + (call net.packet.forward_all_packets (invalid)))) (in ibac (constrain (packet (relabelto)) - (or (or (or (eq u1 u2) - (and (eq t1 objchangesys.typeattr) (eq u2 .sys.id))) - (eq t1 objchange.typeattr)) - (eq t1 
exempt.typeattr)))) + (or (or (or (eq u1 u2) + (and (eq t1 objchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr)))) (in invalid.unconfined @@ -53,23 +53,23 @@ (in mcs (mlsconstrain (packet (relabelto)) - (or (neq t1 constrained.typeattr) - (and (dom h1 h2) (eq l2 h2)))) + (or (neq t1 constrained.typeattr) + (and (dom h1 h2) (eq l2 h2)))) (mlsconstrain (packet (forward_in forward_out send recv)) - (or (dom h1 h2) - (and - (neq t1 constrained.typeattr) - (neq t2 constrained.typeattr))))) + (or (dom h1 h2) + (and + (neq t1 constrained.typeattr) + (neq t2 constrained.typeattr))))) (in rbac (constrain (packet (relabelto)) - (or (or (or (eq r1 r2) - (and (eq t1 objchangesys.typeattr) - (eq r2 .sys.role))) - (eq t1 objchange.typeattr)) - (eq t1 exempt.typeattr)))) + (or (or (or (eq r1 r2) + (and (eq t1 objchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr)))) (in net 
@@ -77,91 +77,91 @@ (block packet - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .mcs.constrained.type (typeattr)) + (call .mcs.constrained.type (typeattr)) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro forward_all_packets ((type ARG1)) - (allow ARG1 typeattr (packet (forward_in forward_out)))) + (macro forward_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (forward_in forward_out)))) - (macro forwardin_all_packets ((type ARG1)) - (allow ARG1 typeattr (packet (forward_in)))) + (macro forwardin_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (forward_in)))) - (macro forwardout_all_packets ((type ARG1)) - (allow ARG1 typeattr (packet (forward_out)))) + (macro forwardout_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (forward_out)))) - (macro recv_all_packets ((type ARG1)) - (allow ARG1 typeattr (packet (recv)))) + (macro recv_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (recv)))) - (macro recvsend_all_packets ((type ARG1)) - (allow ARG1 typeattr (packet (recv send)))) + (macro recvsend_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (recv send)))) - (macro relabelto_all_packets ((type ARG1)) - (allow ARG1 typeattr (packet (relabelto)))) + (macro relabelto_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (relabelto)))) - (macro send_all_packets ((type ARG1)) - (allow ARG1 typeattr (packet (send))))) + (macro send_all_packets ((type ARG1)) + (allow ARG1 typeattr (packet (send))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context packet_context (.sys.id .sys.role packet 
.sys.lowlow)) + (context packet_context (.sys.id .sys.role packet .sys.lowlow)) - (type packet) - (call .net.packet.type (packet))) + (type packet) + (call .net.packet.type (packet))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro forward_packets ((type ARG1)) - (allow ARG1 packet (packet (forward_in forward_out)))) + (macro forward_packets ((type ARG1)) + (allow ARG1 packet (packet (forward_in forward_out)))) - (macro forwardin_packets ((type ARG1)) - (allow ARG1 packet (packet (forward_in)))) + (macro forwardin_packets ((type ARG1)) + (allow ARG1 packet (packet (forward_in)))) - (macro forwardout_packets ((type ARG1)) - (allow ARG1 packet (packet (forward_out)))) + (macro forwardout_packets ((type ARG1)) + (allow ARG1 packet (packet (forward_out)))) - (macro recv_packets ((type ARG1)) - (allow ARG1 packet (packet (recv)))) + (macro recv_packets ((type ARG1)) + (allow ARG1 packet (packet (recv)))) - (macro recvsend_packets ((type ARG1)) - (allow ARG1 packet (packet (recv send)))) + (macro recvsend_packets ((type ARG1)) + (allow ARG1 packet (packet (recv send)))) - (macro relabelto_packets ((type ARG1)) - (allow ARG1 packet (packet (relabelto)))) + (macro relabelto_packets ((type ARG1)) + (allow ARG1 packet (packet (relabelto)))) - (macro send_packets ((type ARG1)) - (allow ARG1 packet (packet (send))))) + (macro send_packets ((type ARG1)) + (allow ARG1 packet (packet (send))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.packet.base_template) - (blockinherit .net.packet.macro_template)) + (blockinherit .net.packet.base_template) + (blockinherit .net.packet.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr packet.typeattr 
(packet (all)))))) + (allow typeattr packet.typeattr (packet (all)))))) (in net.unconfined diff --git a/src/net/peernet.cil b/src/net/peernet.cil index f3f3564..d0ad803 100644 --- a/src/net/peernet.cil +++ b/src/net/peernet.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (sidcontext netmsg (sys.id sys.role net.peer sys.lowlow)) @@ -7,14 +7,14 @@ (classorder (unordered peer)) (macro recv_invalid_peers ((type ARG1)) - (allow ARG1 invalid (peer (recv)))) + (allow ARG1 invalid (peer (recv)))) (tunableif invalid_peers - (true + (true - (call association_invalid_sctp_sockets - (invalidpeers.except.typeattr)) - (call recv_invalid_peers (invalidpeers.except.typeattr)))) + (call association_invalid_sctp_sockets + (invalidpeers.except.typeattr)) + (call recv_invalid_peers (invalidpeers.except.typeattr)))) (in invalid.unconfined @@ -23,10 +23,10 @@ (in mcs (mlsconstrain (peer (recv)) - (or (dom h1 h2) - (and - (neq t1 constrained.typeattr) - (neq t2 constrained.typeattr))))) + (or (dom h1 h2) + (and + (neq t1 constrained.typeattr) + (neq t2 constrained.typeattr))))) (in net 
@@ -34,62 +34,62 @@ (block peer - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .mcs.constrained.type (typeattr)) + (call .mcs.constrained.type (typeattr)) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro recv_all_peers ((type ARG1)) - (allow ARG1 typeattr (peer (recv)))) + (macro recv_all_peers ((type ARG1)) + (allow ARG1 typeattr (peer (recv)))) - (macro association_all_sctp_sockets ((type ARG1)) - (allow ARG1 typeattr (sctp_socket (association))))) + (macro association_all_sctp_sockets ((type ARG1)) + (allow ARG1 typeattr (sctp_socket (association))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context peer_context (.sys.id .sys.role peer .sys.lowlow)) + (context peer_context (.sys.id .sys.role peer .sys.lowlow)) - (type peer) - (call .net.peer.type (peer))) + (type peer) + (call .net.peer.type (peer))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro recv_peers ((type ARG1)) - (allow ARG1 peer (peer (recv)))) + (macro recv_peers ((type ARG1)) + (allow ARG1 peer (peer (recv)))) - (macro association_peer_sctp_sockets ((type ARG1)) - (allow ARG1 peer (sctp_socket (association))))) + (macro association_peer_sctp_sockets ((type ARG1)) + (allow ARG1 peer (sctp_socket (association))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.peer.base_template) - (blockinherit .net.peer.macro_template)) + (blockinherit .net.peer.base_template) + (blockinherit .net.peer.macro_template)) - (block unconfined + (block 
unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr peer.typeattr (peer (all))) - (allow typeattr peer.typeattr (sctp_socket (association)))))) + (allow typeattr peer.typeattr (peer (all))) + (allow typeattr peer.typeattr (sctp_socket (association)))))) (in net.unconfined @@ -98,12 +98,12 @@ (in subj (macro recv_all_peers ((type ARG1)) - (allow ARG1 typeattr (peer (recv))))) + (allow ARG1 typeattr (peer (recv))))) (in subj.macro_template (macro recv_subj_peers ((type ARG1)) - (allow ARG1 subj (peer (recv))))) + (allow ARG1 subj (peer (recv))))) (in subj.unconfined diff --git a/src/net/portnet.cil b/src/net/portnet.cil index 8547217..e1ea2b1 100644 --- a/src/net/portnet.cil +++ b/src/net/portnet.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (sidcontext port (sys.id sys.role net.port sys.lowlow)) 
@@ -9,106 +9,106 @@ (block port - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro namebind_all_dccp_sockets ((type ARG1)) - (allow ARG1 typeattr (dccp_socket (name_bind)))) + (macro namebind_all_dccp_sockets ((type ARG1)) + (allow ARG1 typeattr (dccp_socket (name_bind)))) - (macro namebind_all_icmp_sockets ((type ARG1)) - (allow ARG1 typeattr (icmp_socket (name_bind)))) + (macro namebind_all_icmp_sockets ((type ARG1)) + (allow ARG1 typeattr (icmp_socket (name_bind)))) - (macro namebind_all_rawip_sockets ((type ARG1)) - (allow ARG1 typeattr (rawip_socket (name_bind)))) + (macro namebind_all_rawip_sockets ((type ARG1)) + (allow ARG1 typeattr (rawip_socket (name_bind)))) - (macro namebind_all_sctp_sockets ((type ARG1)) - (allow ARG1 typeattr (sctp_socket (name_bind)))) + (macro namebind_all_sctp_sockets ((type ARG1)) + (allow ARG1 typeattr (sctp_socket (name_bind)))) - (macro namebind_all_tcp_sockets ((type ARG1)) - (allow ARG1 typeattr (tcp_socket (name_bind)))) + (macro namebind_all_tcp_sockets ((type ARG1)) + (allow ARG1 typeattr (tcp_socket (name_bind)))) - (macro namebind_all_udp_sockets ((type ARG1)) - (allow ARG1 typeattr (udp_socket (name_bind)))) + (macro namebind_all_udp_sockets ((type ARG1)) + (allow ARG1 typeattr (udp_socket (name_bind)))) - (macro nameconnect_all_dccp_sockets ((type ARG1)) - (allow ARG1 typeattr (dccp_socket (name_connect)))) + (macro nameconnect_all_dccp_sockets ((type ARG1)) + (allow ARG1 typeattr (dccp_socket (name_connect)))) - (macro nameconnect_all_sctp_sockets ((type ARG1)) - (allow ARG1 typeattr (sctp_socket (name_connect)))) + (macro 
nameconnect_all_sctp_sockets ((type ARG1)) + (allow ARG1 typeattr (sctp_socket (name_connect)))) - (macro nameconnect_all_tcp_sockets ((type ARG1)) - (allow ARG1 typeattr (tcp_socket (name_connect))))) + (macro nameconnect_all_tcp_sockets ((type ARG1)) + (allow ARG1 typeattr (tcp_socket (name_connect))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context port_context (.sys.id .sys.role port .sys.lowlow)) + (context port_context (.sys.id .sys.role port .sys.lowlow)) - (type port) - (call .net.port.type (port))) + (type port) + (call .net.port.type (port))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro namebind_port_dccp_sockets ((type ARG1)) - (allow ARG1 port (dccp_socket (name_bind)))) + (macro namebind_port_dccp_sockets ((type ARG1)) + (allow ARG1 port (dccp_socket (name_bind)))) - (macro namebind_port_icmp_sockets ((type ARG1)) - (allow ARG1 port (icmp_socket (name_bind)))) + (macro namebind_port_icmp_sockets ((type ARG1)) + (allow ARG1 port (icmp_socket (name_bind)))) - (macro namebind_port_rawip_sockets ((type ARG1)) - (allow ARG1 port (rawip_socket (name_bind)))) + (macro namebind_port_rawip_sockets ((type ARG1)) + (allow ARG1 port (rawip_socket (name_bind)))) - (macro namebind_port_sctp_sockets ((type ARG1)) - (allow ARG1 port (sctp_socket (name_bind)))) + (macro namebind_port_sctp_sockets ((type ARG1)) + (allow ARG1 port (sctp_socket (name_bind)))) - (macro namebind_port_tcp_sockets ((type ARG1)) - (allow ARG1 port (tcp_socket (name_bind)))) + (macro namebind_port_tcp_sockets ((type ARG1)) + (allow ARG1 port (tcp_socket (name_bind)))) - (macro namebind_port_udp_sockets ((type ARG1)) - (allow ARG1 port (udp_socket (name_bind)))) + (macro namebind_port_udp_sockets ((type ARG1)) + (allow ARG1 port (udp_socket (name_bind)))) - (macro nameconnect_port_dccp_sockets ((type ARG1)) - (allow ARG1 port (dccp_socket 
(name_connect)))) + (macro nameconnect_port_dccp_sockets ((type ARG1)) + (allow ARG1 port (dccp_socket (name_connect)))) - (macro nameconnect_port_sctp_sockets ((type ARG1)) - (allow ARG1 port (sctp_socket (name_connect)))) + (macro nameconnect_port_sctp_sockets ((type ARG1)) + (allow ARG1 port (sctp_socket (name_connect)))) - (macro nameconnect_port_tcp_sockets ((type ARG1)) - (allow ARG1 port (tcp_socket (name_connect))))) + (macro nameconnect_port_tcp_sockets ((type ARG1)) + (allow ARG1 port (tcp_socket (name_connect))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.port.base_template) - (blockinherit .net.port.macro_template)) + (blockinherit .net.port.base_template) + (blockinherit .net.port.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr port.typeattr (dccp_socket (name_bind name_connect))) - (allow typeattr port.typeattr (icmp_socket (name_bind))) - (allow typeattr port.typeattr (rawip_socket (name_bind))) - (allow typeattr port.typeattr (sctp_socket (name_bind name_connect))) - (allow typeattr port.typeattr (tcp_socket (name_bind name_connect))) - (allow typeattr port.typeattr (udp_socket (name_bind)))))) + (allow typeattr port.typeattr (dccp_socket (name_bind name_connect))) + (allow typeattr port.typeattr (icmp_socket (name_bind))) + (allow typeattr port.typeattr (rawip_socket (name_bind))) + (allow typeattr port.typeattr (sctp_socket (name_bind name_connect))) + (allow typeattr port.typeattr (tcp_socket (name_bind name_connect))) + (allow typeattr port.typeattr (udp_socket (name_bind)))))) (in net.unconfined diff --git a/src/net/portnet/ephemeralportnet.cil b/src/net/portnet/ephemeralportnet.cil index 6f8f42e..abdcbb0 100644 --- a/src/net/portnet/ephemeralportnet.cil 
+++ b/src/net/portnet/ephemeralportnet.cil @@ -1,39 +1,39 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block ephemeral - (portcon "dccp" (32768 60999) port_context) - (portcon "sctp" (32768 60999) port_context) - (portcon "tcp" (32768 60999) port_context) - (portcon "udp" (32768 60999) port_context) + (portcon "dccp" (32768 60999) port_context) + (portcon "sctp" (32768 60999) port_context) + (portcon "tcp" (32768 60999) port_context) + (portcon "udp" (32768 60999) port_context) - (blockinherit .net.port.ephemeral.template)) + (blockinherit .net.port.ephemeral.template)) (in net.port (block ephemeral - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit .net.port.all_macro_template) + (blockinherit .net.port.all_macro_template) - (typeattribute typeattr) + (typeattribute typeattr) - (call .net.port.type (typeattr)) + (call .net.port.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .net.port.base_template) + (blockinherit .net.port.base_template) - (call .net.port.ephemeral.type (port))) + (call .net.port.ephemeral.type (port))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.port.ephemeral.base_template) - (blockinherit .net.port.macro_template)))) + (blockinherit .net.port.ephemeral.base_template) + (blockinherit .net.port.macro_template)))) diff --git a/src/net/portnet/reservedportnet.cil b/src/net/portnet/reservedportnet.cil index b86c9fe..983c993 100644 --- a/src/net/portnet/reservedportnet.cil +++ b/src/net/portnet/reservedportnet.cil 
@@ -1,39 +1,39 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block reserved - (portcon "dccp" (1 1023) port_context) - (portcon "sctp" (1 1023) port_context) - (portcon "tcp" (1 1023) port_context) - (portcon "udp" (1 1023) port_context) + (portcon "dccp" (1 1023) port_context) + (portcon "sctp" (1 1023) port_context) + (portcon "tcp" (1 1023) port_context) + (portcon "udp" (1 1023) port_context) - (blockinherit .net.port.reserved.template)) + (blockinherit .net.port.reserved.template)) (in net.port (block reserved - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit .net.port.all_macro_template) + (blockinherit .net.port.all_macro_template) - (typeattribute typeattr) + (typeattribute typeattr) - (call .net.port.type (typeattr)) + (call .net.port.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .net.port.base_template) + (blockinherit .net.port.base_template) - (call .net.port.reserved.type (port))) + (call .net.port.reserved.type (port))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.port.macro_template) - (blockinherit .net.port.reserved.base_template)))) + (blockinherit .net.port.macro_template) + (blockinherit .net.port.reserved.base_template)))) diff --git a/src/net/portnet/unreservedportnet.cil b/src/net/portnet/unreservedportnet.cil index 6359d64..c372493 100644 --- a/src/net/portnet/unreservedportnet.cil +++ b/src/net/portnet/unreservedportnet.cil 
@@ -1,43 +1,43 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block unreserved - (portcon "dccp" (1024 32767) port_context) - (portcon "dccp" (61000 65535) port_context) - (portcon "sctp" (1024 32767) port_context) - (portcon "sctp" (61000 65535) port_context) - (portcon "tcp" (1024 32767) port_context) - (portcon "tcp" (61000 65535) port_context) - (portcon "udp" (1024 32767) port_context) - (portcon "udp" (61000 65535) port_context) + (portcon "dccp" (1024 32767) port_context) + (portcon "dccp" (61000 65535) port_context) + (portcon "sctp" (1024 32767) port_context) + (portcon "sctp" (61000 65535) port_context) + (portcon "tcp" (1024 32767) port_context) + (portcon "tcp" (61000 65535) port_context) + (portcon "udp" (1024 32767) port_context) + (portcon "udp" (61000 65535) port_context) - (blockinherit .net.port.unreserved.template)) + (blockinherit .net.port.unreserved.template)) (in net.port (block unreserved - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit .net.port.all_macro_template) + (blockinherit .net.port.all_macro_template) - (typeattribute typeattr) + (typeattribute typeattr) - (call .net.port.type (typeattr)) + (call .net.port.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .net.port.base_template) + (blockinherit .net.port.base_template) - (call .net.port.unreserved.type (port))) + (call .net.port.unreserved.type (port))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.port.macro_template) - (blockinherit .net.port.unreserved.base_template)))) + (blockinherit .net.port.macro_template) + (blockinherit .net.port.unreserved.base_template)))) 
diff --git a/src/net/spdnet.cil b/src/net/spdnet.cil index 668afb1..0d6c02e 100644 --- a/src/net/spdnet.cil +++ b/src/net/spdnet.cil @@ -1,34 +1,34 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (class association (polmatch recvfrom sendto setcontext)) (classorder (unordered association)) (macro polmatch_invalid_associations ((type ARG1)) - (allow ARG1 invalid (association (polmatch)))) + (allow ARG1 invalid (association (polmatch)))) (macro polmatchsetcontext_invalid_associations ((type ARG1)) - (allow ARG1 invalid (association (polmatch setcontext)))) + (allow ARG1 invalid (association (polmatch setcontext)))) (macro recvfrom_invalid_associations ((type ARG1)) - (allow ARG1 invalid (association (recvfrom)))) + (allow ARG1 invalid (association (recvfrom)))) (macro recvfromsendto_invalid_associations ((type ARG1)) - (allow ARG1 invalid (association (recvfrom sendto)))) + (allow ARG1 invalid (association (recvfrom sendto)))) (macro sendto_invalid_associations ((type ARG1)) - (allow ARG1 invalid (association (sendto)))) + (allow ARG1 invalid (association (sendto)))) (macro setcontext_invalid_associations ((type ARG1)) - (allow ARG1 invalid (association (setcontext)))) + (allow ARG1 invalid (association (setcontext)))) (tunableif invalid_associations - (true + (true - (call association_invalid_sctp_sockets - (invalidassociations.except.typeattr)) - (call recvfromsendto_invalid_associations - (invalidassociations.except.typeattr)))) + (call association_invalid_sctp_sockets + (invalidassociations.except.typeattr)) + (call recvfromsendto_invalid_associations + (invalidassociations.except.typeattr)))) (in invalid.unconfined 
@@ -37,10 +37,10 @@ (in mcs (mlsconstrain (association (sendto recvfrom)) - (or (dom h1 h2) - (and - (neq t1 constrained.typeattr) - (neq t2 constrained.typeattr))))) + (or (dom h1 h2) + (and + (neq t1 constrained.typeattr) + (neq t2 constrained.typeattr))))) (in net 
@@ -48,65 +48,65 @@ (block spd - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro polmatch_all_associations ((type ARG1)) - (allow ARG1 typeattr (association (polmatch)))) + (macro polmatch_all_associations ((type ARG1)) + (allow ARG1 typeattr (association (polmatch)))) - (macro polmatchsetcontext_all_associations ((type ARG1)) - (allow ARG1 typeattr (association (polmatch setcontext)))) + (macro polmatchsetcontext_all_associations ((type ARG1)) + (allow ARG1 typeattr (association (polmatch setcontext)))) - (macro setcontext_all_associations ((type ARG1)) - (allow ARG1 typeattr (association (setcontext))))) + (macro setcontext_all_associations ((type ARG1)) + (allow ARG1 typeattr (association (setcontext))))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context spd_context (.sys.id .sys.role spd .sys.lowlow)) + (context spd_context (.sys.id .sys.role spd .sys.lowlow)) - (type spd) - (call .net.spd.type (spd))) + (type spd) + (call .net.spd.type (spd))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro polmatch_spd_associations ((type ARG1)) - (allow ARG1 spd (association (polmatch)))) + (macro polmatch_spd_associations ((type ARG1)) + (allow ARG1 spd (association (polmatch)))) - (macro polmatchsetcontext_spd_associations ((type ARG1)) - (allow ARG1 spd (association (polmatch setcontext)))) + (macro polmatchsetcontext_spd_associations ((type ARG1)) + (allow ARG1 spd (association (polmatch setcontext)))) - (macro 
setcontext_spd_associations ((type ARG1)) - (allow ARG1 spd (association (setcontext))))) + (macro setcontext_spd_associations ((type ARG1)) + (allow ARG1 spd (association (setcontext))))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .net.spd.base_template) - (blockinherit .net.spd.macro_template)) + (blockinherit .net.spd.base_template) + (blockinherit .net.spd.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr spd.typeattr (association (polmatch setcontext)))))) + (allow typeattr spd.typeattr (association (polmatch setcontext)))))) (in net.unconfined @@ -115,24 +115,24 @@ (in subj (macro recvfrom_all_associations ((type ARG1)) - (allow ARG1 typeattr (association (recvfrom)))) + (allow ARG1 typeattr (association (recvfrom)))) (macro recvfromsendto_all_associations ((type ARG1)) - (allow ARG1 typeattr (association (recvfrom sendto)))) + (allow ARG1 typeattr (association (recvfrom sendto)))) (macro sendto_all_associations ((type ARG1)) - (allow ARG1 typeattr (association (sendto))))) + (allow ARG1 typeattr (association (sendto))))) (in subj.macro_template (macro recvfrom_subj_associations ((type ARG1)) - (allow ARG1 subj (association (recvfrom)))) + (allow ARG1 subj (association (recvfrom)))) (macro recvfromsendto_subj_associations ((type ARG1)) - (allow ARG1 subj (association (recvfrom sendto)))) + (allow ARG1 subj (association (recvfrom sendto)))) (macro sendto_subj_associations ((type ARG1)) - (allow ARG1 subj (association (sendto))))) + (allow ARG1 subj (association (sendto))))) (in subj.unconfined diff --git a/src/selinux.cil b/src/selinux.cil index a7544e7..38ef5c8 100644 --- a/src/selinux.cil +++ b/src/selinux.cil 
@@ -1,106 +1,106 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (sidcontext security (sys.id sys.role selinux sys.lowlow)) (class security - (check_context compute_av compute_create compute_member compute_relabel - compute_user load_policy read_policy setbool - setcheckreqprot setenforce setsecparam validate_trans)) + (check_context compute_av compute_create compute_member compute_relabel + compute_user load_policy read_policy setbool + setcheckreqprot setenforce setsecparam validate_trans)) (classorder (unordered security)) (macro checkcontext_selinux_security ((type ARG1)) - (allow ARG1 selinux (security (check_context)))) + (allow ARG1 selinux (security (check_context)))) (macro computeav_selinux_security ((type ARG1)) - (allow ARG1 selinux (security (compute_av)))) + (allow ARG1 selinux (security (compute_av)))) (macro computecreate_selinux_security ((type ARG1)) - (allow ARG1 selinux (security (compute_create)))) + (allow ARG1 selinux (security (compute_create)))) (macro computemember_selinux_security ((type ARG1)) - (allow ARG1 selinux (security (compute_member)))) + (allow ARG1 selinux (security (compute_member)))) (macro computerelabel_selinux_security ((type ARG1)) - (allow ARG1 selinux (security (compute_relabel)))) + (allow ARG1 selinux (security (compute_relabel)))) (macro computeuser_selinux_security ((type ARG1)) - (allow ARG1 selinux (security (compute_user)))) + (allow ARG1 selinux (security (compute_user)))) (macro loadpolicy_selinux_security ((type ARG1)) - (allow ARG1 selinux (security (load_policy)))) + (allow ARG1 selinux (security (load_policy)))) (macro readpolicy_selinux_security ((type ARG1)) - (allow ARG1 selinux (security (read_policy)))) + (allow ARG1 selinux (security (read_policy)))) (macro setbool_selinux_security ((type ARG1)) - (allow ARG1 selinux (security (setbool)))) + (allow 
ARG1 selinux (security (setbool)))) (macro setcheckreqprot_selinux_security ((type ARG1)) - (allow ARG1 selinux (security (setcheckreqprot)))) + (allow ARG1 selinux (security (setcheckreqprot)))) (macro setenforce_selinux_security ((type ARG1)) - (allow ARG1 selinux (security (setenforce)))) + (allow ARG1 selinux (security (setenforce)))) (macro setsecparam_selinux_security ((type ARG1)) - (allow ARG1 selinux (security (setsecparam)))) + (allow ARG1 selinux (security (setsecparam)))) (macro validatetrans_selinux_security ((type ARG1)) - (allow ARG1 selinux (security (validate_trans)))) + (allow ARG1 selinux (security (validate_trans)))) (type selinux) (roletype sys.role selinux) (block selinux - (block loadpolicy + (block loadpolicy - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr .selinux (security (load_policy)))) + (neverallow not_typeattr .selinux (security (load_policy)))) - (block setenforce + (block setenforce - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr .selinux (security (setenforce)))) + (neverallow not_typeattr .selinux (security (setenforce)))) - (block setsecparam + (block setsecparam - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute 
typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr .selinux (security (setsecparam)))) + (neverallow not_typeattr .selinux (security (setsecparam)))) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr .selinux (security (all))) + (allow typeattr .selinux (security (all))) - (call loadpolicy.type (typeattr)) - (call setenforce.type (typeattr)) - (call setsecparam.type (typeattr)))) + (call loadpolicy.type (typeattr)) + (call setenforce.type (typeattr)) + (call setsecparam.type (typeattr)))) (in unconfined diff --git a/src/selinux/booleanfile.cil b/src/selinux/booleanfile.cil index a8839c1..5edd1b4 100644 --- a/src/selinux/booleanfile.cil +++ b/src/selinux/booleanfile.cil 
@@ -1,92 +1,92 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block booleanfile - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_files) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context booleanfile_context (.sys.id .sys.role booleanfile .sys.lowlow)) + (context booleanfile_context (.sys.id .sys.role booleanfile .sys.lowlow)) - (type booleanfile) - (call .booleanfile.type (booleanfile))) + (type booleanfile) + (call .booleanfile.type (booleanfile))) - (block macro_template_files + (block macro_template_files - (blockabstract macro_template_files) + (blockabstract macro_template_files) - (macro append_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile append_file)) + (macro append_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile append_file)) - (macro appendinherited_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile appendinherited_file)) + (macro appendinherited_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile appendinherited_file)) - (macro create_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile create_file)) + (macro create_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile create_file)) - (macro delete_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile delete_file)) + (macro delete_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile delete_file)) - (macro execute_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile execute_file)) + (macro execute_booleanfile_files ((type ARG1)) + (allow ARG1 
booleanfile execute_file)) - (macro manage_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile manage_file)) + (macro manage_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile manage_file)) - (macro mapexecute_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile mapexecute_file)) + (macro mapexecute_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile mapexecute_file)) - (macro mounton_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile mounton_file)) + (macro mounton_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile mounton_file)) - (macro read_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile read_file)) + (macro read_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile read_file)) - (macro readinherited_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile readinherited_file)) + (macro readinherited_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile readinherited_file)) - (macro readwrite_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile readwrite_file)) + (macro readwrite_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile readwrite_file)) - (macro readwriteinherited_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile readwriteinherited_file)) + (macro readwriteinherited_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile readwriteinherited_file)) - (macro rename_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile rename_file)) + (macro rename_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile rename_file)) - (macro write_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile write_file)) + (macro write_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile write_file)) - (macro writeinherited_booleanfile_files ((type ARG1)) - (allow ARG1 booleanfile writeinherited_file))) + (macro writeinherited_booleanfile_files ((type ARG1)) + (allow ARG1 booleanfile writeinherited_file))) - (block template + (block template - (blockabstract template) + (blockabstract 
template) - (blockinherit .booleanfile.base_template) - (blockinherit .booleanfile.macro_template_files)) + (blockinherit .booleanfile.base_template) + (blockinherit .booleanfile.macro_template_files)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr booleanfile.typeattr - (file (not (audit_access entrypoint execmod relabelfrom - relabelto)))))) + (allow typeattr booleanfile.typeattr + (file (not (audit_access entrypoint execmod relabelfrom + relabelto)))))) (in selinux.unconfined diff --git a/src/selinux/booleanfile/invalidassociationsbooleanfile.cil b/src/selinux/booleanfile/invalidassociationsbooleanfile.cil index 6ca3a88..a044850 100644 --- a/src/selinux/booleanfile/invalidassociationsbooleanfile.cil +++ b/src/selinux/booleanfile/invalidassociationsbooleanfile.cil 
@@ -1,35 +1,35 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (tunable invalid_associations true) (block invalid_associations - (genfscon "selinuxfs" "/booleans/invalid_associations" booleanfile_context) + (genfscon "selinuxfs" "/booleans/invalid_associations" booleanfile_context) - (blockinherit .booleanfile.template)) + (blockinherit .booleanfile.template)) (block invalidassociations - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (block except + (block except - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (typeattributeset typeattr - (and invalidassociations.typeattr - (not (exception.typeattr))))) + (typeattributeset typeattr + (and invalidassociations.typeattr + (not (exception.typeattr))))) - (block exception + (block exception - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr))) + (typeattribute typeattr))) diff --git a/src/selinux/booleanfile/invalidpacketsbooleanfile.cil b/src/selinux/booleanfile/invalidpacketsbooleanfile.cil index 7d2909c..9a642c7 100644 --- a/src/selinux/booleanfile/invalidpacketsbooleanfile.cil +++ b/src/selinux/booleanfile/invalidpacketsbooleanfile.cil 
@@ -1,34 +1,34 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (tunable invalid_packets true) (block invalid_packets - (genfscon "selinuxfs" "/booleans/invalid_packets" booleanfile_context) + (genfscon "selinuxfs" "/booleans/invalid_packets" booleanfile_context) - (blockinherit .booleanfile.template)) + (blockinherit .booleanfile.template)) (block invalidpackets - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (block except + (block except - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (typeattributeset typeattr - (and invalidpackets.typeattr (not (exception.typeattr))))) + (typeattributeset typeattr + (and invalidpackets.typeattr (not (exception.typeattr))))) - (block exception + (block exception - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr))) + (typeattribute typeattr))) diff --git a/src/selinux/booleanfile/invalidpeersbooleanfile.cil b/src/selinux/booleanfile/invalidpeersbooleanfile.cil index 83b707e..295a6ee 100644 --- a/src/selinux/booleanfile/invalidpeersbooleanfile.cil +++ b/src/selinux/booleanfile/invalidpeersbooleanfile.cil 
@@ -1,34 +1,34 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (tunable invalid_peers true) (block invalid_peers - (genfscon "selinuxfs" "/booleans/invalid_peers" booleanfile_context) + (genfscon "selinuxfs" "/booleans/invalid_peers" booleanfile_context) - (blockinherit .booleanfile.template)) + (blockinherit .booleanfile.template)) (block invalidpeers - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (block except + (block except - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (typeattributeset typeattr - (and invalidpeers.typeattr (not (exception.typeattr))))) + (typeattributeset typeattr + (and invalidpeers.typeattr (not (exception.typeattr))))) - (block exception + (block exception - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr))) + (typeattribute typeattr))) diff --git a/src/subj.cil b/src/subj.cil index fe4f788..60ddc04 100644 --- a/src/subj.cil +++ b/src/subj.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (classmap state (ps read)) 
@@ -10,230 +10,230 @@ (block subj - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit all_macro_template) + (blockinherit all_macro_template) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow typeattr not_typeattr (process (dyntransition transition))) - (neverallow typeattr not_typeattr - (process2 (nnp_transition nosuid_transition))) + (neverallow typeattr not_typeattr (process (dyntransition transition))) + (neverallow typeattr not_typeattr + (process2 (nnp_transition nosuid_transition))) - (dontaudit typeattr typeattr (process (noatsecure rlimitinh siginh))) + (dontaudit typeattr typeattr (process (noatsecure rlimitinh siginh))) - (block all_macro_template + (block all_macro_template - (blockabstract all_macro_template) + (blockabstract all_macro_template) - (macro getrlimit_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (getrlimit)))) + (macro getrlimit_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (getrlimit)))) - (macro getsched_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (getsched)))) + (macro getsched_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (getsched)))) - (macro nnptransition_all_processes ((type ARG1)) - (allow ARG1 typeattr (process2 (nnp_transition)))) + (macro nnptransition_all_processes ((type ARG1)) + (allow ARG1 typeattr (process2 (nnp_transition)))) - (macro noatsecure_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (noatsecure)))) + (macro noatsecure_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (noatsecure)))) - (macro nosuidtransition_all_processes ((type ARG1)) - (allow ARG1 typeattr (process2 (nosuid_transition)))) + (macro nosuidtransition_all_processes ((type ARG1)) + (allow ARG1 typeattr 
(process2 (nosuid_transition)))) - (macro ps_all_states ((type ARG1)) - (allow ARG1 typeattr (state (ps)))) + (macro ps_all_states ((type ARG1)) + (allow ARG1 typeattr (state (ps)))) - (macro ptrace_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (ptrace)))) + (macro ptrace_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (ptrace)))) - (macro read_all_states ((type ARG1)) - (allow ARG1 typeattr (state (read)))) + (macro read_all_states ((type ARG1)) + (allow ARG1 typeattr (state (read)))) - (macro readinherited_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr readinherited_fifo_file)) + (macro readinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr readinherited_fifo_file)) - (macro readwriteinherited_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr readwriteinherited_fifo_file)) + (macro readwriteinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr readwriteinherited_fifo_file)) - (macro rlimitinh_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (rlimitinh)))) + (macro rlimitinh_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (rlimitinh)))) - (macro setrlimit_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (setrlimit)))) + (macro setrlimit_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (setrlimit)))) - (macro setsched_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (setsched)))) + (macro setsched_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (setsched)))) - (macro sigchld_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (sigchld)))) + (macro sigchld_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (sigchld)))) - (macro sigkill_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (sigkill)))) + (macro sigkill_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (sigkill)))) - (macro signal_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (signal)))) + (macro signal_all_processes ((type ARG1)) + 
(allow ARG1 typeattr (process (signal)))) - (macro signull_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (signull)))) + (macro signull_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (signull)))) - (macro sigstop_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (sigstop)))) + (macro sigstop_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (sigstop)))) - (macro transition_all_processes ((type ARG1)) - (allow ARG1 typeattr (process (transition)))) + (macro transition_all_processes ((type ARG1)) + (allow ARG1 typeattr (process (transition)))) - (macro writeinherited_all_fifo_files ((type ARG1)) - (allow ARG1 typeattr writeinherited_fifo_file))) + (macro writeinherited_all_fifo_files ((type ARG1)) + (allow ARG1 typeattr writeinherited_fifo_file))) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (type subj) - (call .subj.type (subj))) + (type subj) + (call .subj.type (subj))) - (block entry + (block entry - (macro entrypoint_all_files ((type ARG1)) - (allow ARG1 typeattr (file (entrypoint)))) + (macro entrypoint_all_files ((type ARG1)) + (allow ARG1 typeattr (file (entrypoint)))) - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_files) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow subj.typeattr not_typeattr (file (entrypoint)))) + (neverallow subj.typeattr not_typeattr (file (entrypoint)))) - (block execheap + (block execheap - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + 
(typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr self (process (execheap)))) + (neverallow not_typeattr self (process (execheap)))) - (block execstack + (block execstack - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr self (process (execstack)))) + (neverallow not_typeattr self (process (execstack)))) - (block macro_template + (block macro_template - (blockabstract macro_template) + (blockabstract macro_template) - (macro getrlimit_subj_processes ((type ARG1)) - (allow ARG1 subj (process (getrlimit)))) + (macro getrlimit_subj_processes ((type ARG1)) + (allow ARG1 subj (process (getrlimit)))) - (macro getsched_subj_processes ((type ARG1)) - (allow ARG1 subj (process (getsched)))) + (macro getsched_subj_processes ((type ARG1)) + (allow ARG1 subj (process (getsched)))) - (macro nnptransition_subj_processes ((type ARG1)) - (allow ARG1 subj (process2 (nnp_transition)))) + (macro nnptransition_subj_processes ((type ARG1)) + (allow ARG1 subj (process2 (nnp_transition)))) - (macro noatsecure_subj_processes ((type ARG1)) - (allow ARG1 subj (process (noatsecure)))) + (macro noatsecure_subj_processes ((type ARG1)) + (allow ARG1 subj (process (noatsecure)))) - (macro nosuidtransition_subj_processes ((type ARG1)) - (allow ARG1 subj (process2 (nosuid_transition)))) + (macro nosuidtransition_subj_processes ((type ARG1)) + (allow ARG1 subj (process2 (nosuid_transition)))) - (macro ps_subj_states ((type ARG1)) - (allow ARG1 subj (state (ps)))) + (macro ps_subj_states ((type ARG1)) + (allow ARG1 subj (state (ps)))) - (macro 
ptrace_subj_processes ((type ARG1)) - (allow ARG1 subj (process (ptrace)))) + (macro ptrace_subj_processes ((type ARG1)) + (allow ARG1 subj (process (ptrace)))) - (macro read_subj_states ((type ARG1)) - (allow ARG1 subj (state (read)))) + (macro read_subj_states ((type ARG1)) + (allow ARG1 subj (state (read)))) - (macro readinherited_subj_fifo_files ((type ARG1)) - (allow ARG1 subj readinherited_fifo_file)) + (macro readinherited_subj_fifo_files ((type ARG1)) + (allow ARG1 subj readinherited_fifo_file)) - (macro readwriteinherited_subj_fifo_files ((type ARG1)) - (allow ARG1 subj readwriteinherited_fifo_file)) + (macro readwriteinherited_subj_fifo_files ((type ARG1)) + (allow ARG1 subj readwriteinherited_fifo_file)) - (macro rlimitinh_subj_processes ((type ARG1)) - (allow ARG1 subj (process (rlimitinh)))) + (macro rlimitinh_subj_processes ((type ARG1)) + (allow ARG1 subj (process (rlimitinh)))) - (macro setrlimit_subj_processes ((type ARG1)) - (allow ARG1 subj (process (setrlimit)))) + (macro setrlimit_subj_processes ((type ARG1)) + (allow ARG1 subj (process (setrlimit)))) - (macro setsched_subj_processes ((type ARG1)) - (allow ARG1 subj (process (setsched)))) + (macro setsched_subj_processes ((type ARG1)) + (allow ARG1 subj (process (setsched)))) - (macro sigchld_subj_processes ((type ARG1)) - (allow ARG1 subj (process (sigchld)))) + (macro sigchld_subj_processes ((type ARG1)) + (allow ARG1 subj (process (sigchld)))) - (macro sigkill_subj_processes ((type ARG1)) - (allow ARG1 subj (process (sigkill)))) + (macro sigkill_subj_processes ((type ARG1)) + (allow ARG1 subj (process (sigkill)))) - (macro signal_subj_processes ((type ARG1)) - (allow ARG1 subj (process (signal)))) + (macro signal_subj_processes ((type ARG1)) + (allow ARG1 subj (process (signal)))) - (macro signull_subj_processes ((type ARG1)) - (allow ARG1 subj (process (signull)))) + (macro signull_subj_processes ((type ARG1)) + (allow ARG1 subj (process (signull)))) - (macro sigstop_subj_processes ((type 
ARG1)) - (allow ARG1 subj (process (sigstop)))) + (macro sigstop_subj_processes ((type ARG1)) + (allow ARG1 subj (process (sigstop)))) - (macro transition_subj_processes ((type ARG1)) - (allow ARG1 subj (process (transition)))) + (macro transition_subj_processes ((type ARG1)) + (allow ARG1 subj (process (transition)))) - (macro writeinherited_subj_fifo_files ((type ARG1)) - (allow ARG1 subj writeinherited_fifo_file))) + (macro writeinherited_subj_fifo_files ((type ARG1)) + (allow ARG1 subj writeinherited_fifo_file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .subj.base_template) - (blockinherit .subj.macro_template)) + (blockinherit .subj.base_template) + (blockinherit .subj.macro_template)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr subj.entry.typeattr (file (entrypoint))) + (allow typeattr subj.entry.typeattr (file (entrypoint))) - (allow typeattr subj.typeattr (process (all))) - ;; nosuid_transition should not be needed and indicates - ;; misconfiguration. when used properly it is worth blocking this - ;; access to prevent domain transitions on untrusted removeable - ;; storage. just be sure to always mount untrusted remote storage - ;; with nosuid, because otherwise this does not work. - (allow typeattr subj.typeattr (process2 (not nosuid_transition))) + (allow typeattr subj.typeattr (process (all))) + ;; nosuid_transition should not be needed and indicates + ;; misconfiguration. when used properly it is worth blocking this + ;; access to prevent domain transitions on untrusted removeable + ;; storage. just be sure to always mount untrusted remote storage + ;; with nosuid, because otherwise this does not work. 
+ (allow typeattr subj.typeattr (process2 (not nosuid_transition))) - (allow typeattr subj.typeattr (fifo_file (not (execmod map mounton)))) - (allow typeattr subj.typeattr list_dir) - (allow typeattr subj.typeattr mounton_file) - (allow typeattr subj.typeattr read_lnk_file) - (allow typeattr subj.typeattr readwrite_file) + (allow typeattr subj.typeattr (fifo_file (not (execmod map mounton)))) + (allow typeattr subj.typeattr list_dir) + (allow typeattr subj.typeattr mounton_file) + (allow typeattr subj.typeattr read_lnk_file) + (allow typeattr subj.typeattr readwrite_file) - (call execheap.type (typeattr)) - (call execstack.type (typeattr)))) + (call execheap.type (typeattr)) + (call execstack.type (typeattr)))) (in unconfined diff --git a/src/sys.cil b/src/sys.cil index 76b231e..983c7ef 100644 --- a/src/sys.cil +++ b/src/sys.cil @@ -1,27 +1,27 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (sidcontext kernel (sys.id sys.role sys.subj sys.lowlow)) (block sys - (level low (s0)) - (level high (s0 .catset)) + (level low (s0)) + (level high (s0 .catset)) - (levelrange lowlow (low low)) - (levelrange lowhigh (low high)) + (levelrange lowlow (low low)) + (levelrange lowhigh (low high)) - (role role) - (roletype role subj) + (role role) + (roletype role subj) - (user id) - (userrole id role) + (user id) + (userrole id role) - (userlevel id low) - (userrange id lowhigh) + (userlevel id low) + (userrange id lowhigh) - (blockinherit .subj.template) + (blockinherit .subj.template) - (call .obj.role (role)) + (call .obj.role (role)) - (call .unconfined.type (subj))) + (call .unconfined.type (subj))) diff --git a/src/sys/bpffile.cil b/src/sys/bpffile.cil index 82c88b4..31acd47 100644 --- a/src/sys/bpffile.cil +++ b/src/sys/bpffile.cil 
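Review bot: The SPDX-FileCopyrightText line on the new side replaces `©` with `M-BM-)`, which looks like the `cat -v` rendering of the UTF-8 bytes for the copyright sign, so this hunk corrupts the licence header rather than only reindenting the block; the same corruption appears in the first line of the src/sys/bpffile.cil, src/sys/cgroupfile.cil, src/sys/debugfile.cil and src/sys/procfile.cil hunks. The new line should read `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>` (or `(c)` if an ASCII-only header is the intent), and whatever tool produced the reformat should be rerun with the UTF-8 text preserved. Since every other changed line in these hunks appears to differ only in leading whitespace, reviewing them with whitespace ignored (`git diff -w`) would leave the header change as the only remaining difference and help confirm that no policy rule was altered in passing.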
@@ -1,143 +1,143 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block bpffile - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (call .bpf.associate_fs (typeattr)) + (call .bpf.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context bpffile_context (.sys.id .sys.role bpffile .sys.lowlow)) + (context bpffile_context (.sys.id .sys.role bpffile .sys.lowlow)) - (type bpffile) - (call .bpffile.type (bpffile))) + (type bpffile) + (call .bpffile.type (bpffile))) - (block macro_template_dirs + (block macro_template_dirs - (blockabstract macro_template_dirs) + (blockabstract macro_template_dirs) - (macro addname_bpffile_dirs ((type ARG1)) - (allow ARG1 bpffile addname_dir)) + (macro addname_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile addname_dir)) - (macro create_bpffile_dirs ((type ARG1)) - (allow ARG1 bpffile create_dir)) + (macro create_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile create_dir)) - (macro delete_bpffile_dirs ((type ARG1)) - (allow ARG1 bpffile delete_dir)) + (macro delete_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile delete_dir)) - (macro deletename_bpffile_dirs ((type ARG1)) - (allow ARG1 bpffile deletename_dir)) + (macro deletename_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile deletename_dir)) - (macro list_bpffile_dirs ((type ARG1)) - (allow ARG1 bpffile list_dir)) + (macro list_bpffile_dirs ((type ARG1)) + (allow ARG1 
bpffile list_dir)) - (macro listinherited_bpffile_dirs ((type ARG1)) - (allow ARG1 bpffile listinherited_dir)) + (macro listinherited_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile listinherited_dir)) - (macro manage_bpffile_dirs ((type ARG1)) - (allow ARG1 bpffile manage_dir)) + (macro manage_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile manage_dir)) - (macro mounton_bpffile_dirs ((type ARG1)) - (allow ARG1 bpffile mounton_dir)) + (macro mounton_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile mounton_dir)) - (macro readwrite_bpffile_dirs ((type ARG1)) - (allow ARG1 bpffile readwrite_dir)) + (macro readwrite_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile readwrite_dir)) - (macro readwriteinherited_bpffile_dirs ((type ARG1)) - (allow ARG1 bpffile readwriteinherited_dir)) + (macro readwriteinherited_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile readwriteinherited_dir)) - (macro rename_bpffile_dirs ((type ARG1)) - (allow ARG1 bpffile rename_dir)) + (macro rename_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile rename_dir)) - (macro search_bpffile_dirs ((type ARG1)) - (allow ARG1 bpffile search_dir)) + (macro search_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile search_dir)) - (macro write_bpffile_dirs ((type ARG1)) - (allow ARG1 bpffile write_dir)) + (macro write_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile write_dir)) - (macro writeinherited_bpffile_dirs ((type ARG1)) - (allow ARG1 bpffile writeinherited_dir))) + (macro writeinherited_bpffile_dirs ((type ARG1)) + (allow ARG1 bpffile writeinherited_dir))) - (block macro_template_files + (block macro_template_files - (blockabstract macro_template_files) + (blockabstract macro_template_files) - (macro append_bpffile_files ((type ARG1)) - (allow ARG1 bpffile append_file)) + (macro append_bpffile_files ((type ARG1)) + (allow ARG1 bpffile append_file)) - (macro appendinherited_bpffile_files ((type ARG1)) - (allow ARG1 bpffile appendinherited_file)) + (macro appendinherited_bpffile_files ((type ARG1)) + 
(allow ARG1 bpffile appendinherited_file)) - (macro create_bpffile_files ((type ARG1)) - (allow ARG1 bpffile create_file)) + (macro create_bpffile_files ((type ARG1)) + (allow ARG1 bpffile create_file)) - (macro delete_bpffile_files ((type ARG1)) - (allow ARG1 bpffile delete_file)) + (macro delete_bpffile_files ((type ARG1)) + (allow ARG1 bpffile delete_file)) - (macro execute_bpffile_files ((type ARG1)) - (allow ARG1 bpffile execute_file)) + (macro execute_bpffile_files ((type ARG1)) + (allow ARG1 bpffile execute_file)) - (macro manage_bpffile_files ((type ARG1)) - (allow ARG1 bpffile manage_file)) + (macro manage_bpffile_files ((type ARG1)) + (allow ARG1 bpffile manage_file)) - (macro mapexecute_bpffile_files ((type ARG1)) - (allow ARG1 bpffile mapexecute_file)) + (macro mapexecute_bpffile_files ((type ARG1)) + (allow ARG1 bpffile mapexecute_file)) - (macro mounton_bpffile_files ((type ARG1)) - (allow ARG1 bpffile mounton_file)) + (macro mounton_bpffile_files ((type ARG1)) + (allow ARG1 bpffile mounton_file)) - (macro read_bpffile_files ((type ARG1)) - (allow ARG1 bpffile read_file)) + (macro read_bpffile_files ((type ARG1)) + (allow ARG1 bpffile read_file)) - (macro readinherited_bpffile_files ((type ARG1)) - (allow ARG1 bpffile readinherited_file)) + (macro readinherited_bpffile_files ((type ARG1)) + (allow ARG1 bpffile readinherited_file)) - (macro readwrite_bpffile_files ((type ARG1)) - (allow ARG1 bpffile readwrite_file)) + (macro readwrite_bpffile_files ((type ARG1)) + (allow ARG1 bpffile readwrite_file)) - (macro readwriteinherited_bpffile_files ((type ARG1)) - (allow ARG1 bpffile readwriteinherited_file)) + (macro readwriteinherited_bpffile_files ((type ARG1)) + (allow ARG1 bpffile readwriteinherited_file)) - (macro rename_bpffile_files ((type ARG1)) - (allow ARG1 bpffile rename_file)) + (macro rename_bpffile_files ((type ARG1)) + (allow ARG1 bpffile rename_file)) - (macro write_bpffile_files ((type ARG1)) - (allow ARG1 bpffile write_file)) + (macro 
write_bpffile_files ((type ARG1)) + (allow ARG1 bpffile write_file)) - (macro writeinherited_bpffile_files ((type ARG1)) - (allow ARG1 bpffile writeinherited_file))) + (macro writeinherited_bpffile_files ((type ARG1)) + (allow ARG1 bpffile writeinherited_file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .bpffile.base_template) - (blockinherit .bpffile.macro_template_files)) + (blockinherit .bpffile.base_template) + (blockinherit .bpffile.macro_template_files)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr bpffile.typeattr - (dir (not (audit_access execmod relabelfrom relabelto)))) - (allow typeattr bpffile.typeattr - (file (not (audit_access entrypoint execmod relabelfrom - relabelto)))))) + (allow typeattr bpffile.typeattr + (dir (not (audit_access execmod relabelfrom relabelto)))) + (allow typeattr bpffile.typeattr + (file (not (audit_access entrypoint execmod relabelfrom + relabelto)))))) (in sys.unconfined diff --git a/src/sys/cgroupfile.cil b/src/sys/cgroupfile.cil index c4692ef..46ffc69 100644 --- a/src/sys/cgroupfile.cil +++ b/src/sys/cgroupfile.cil 
@@ -1,141 +1,141 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block cgroupfile - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (call .cgroup.associate_fs (typeattr)) + (call .cgroup.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context cgroupfile_context (.sys.id .sys.role cgroupfile .sys.lowlow)) + (context cgroupfile_context (.sys.id .sys.role cgroupfile .sys.lowlow)) - (type cgroupfile) - (call .cgroupfile.type (cgroupfile))) + (type cgroupfile) + (call .cgroupfile.type (cgroupfile))) - (block macro_template_dirs + (block macro_template_dirs - (blockabstract macro_template_dirs) + (blockabstract macro_template_dirs) - (macro addname_cgroupfile_dirs ((type ARG1)) - (allow ARG1 cgroupfile addname_dir)) + (macro addname_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile addname_dir)) - (macro create_cgroupfile_dirs ((type ARG1)) - (allow ARG1 cgroupfile create_dir)) + (macro create_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile create_dir)) - (macro delete_cgroupfile_dirs ((type ARG1)) - (allow ARG1 cgroupfile delete_dir)) + (macro delete_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile delete_dir)) - (macro deletename_cgroupfile_dirs ((type ARG1)) - (allow ARG1 cgroupfile deletename_dir)) + (macro deletename_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile deletename_dir)) - (macro list_cgroupfile_dirs ((type 
ARG1)) - (allow ARG1 cgroupfile list_dir)) + (macro list_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile list_dir)) - (macro listinherited_cgroupfile_dirs ((type ARG1)) - (allow ARG1 cgroupfile listinherited_dir)) + (macro listinherited_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile listinherited_dir)) - (macro manage_cgroupfile_dirs ((type ARG1)) - (allow ARG1 cgroupfile manage_dir)) + (macro manage_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile manage_dir)) - (macro mounton_cgroupfile_dirs ((type ARG1)) - (allow ARG1 cgroupfile mounton_dir)) + (macro mounton_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile mounton_dir)) - (macro readwrite_cgroupfile_dirs ((type ARG1)) - (allow ARG1 cgroupfile readwrite_dir)) + (macro readwrite_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile readwrite_dir)) - (macro readwriteinherited_cgroupfile_dirs ((type ARG1)) - (allow ARG1 cgroupfile readwriteinherited_dir)) + (macro readwriteinherited_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile readwriteinherited_dir)) - (macro rename_cgroupfile_dirs ((type ARG1)) - (allow ARG1 cgroupfile rename_dir)) + (macro rename_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile rename_dir)) - (macro search_cgroupfile_dirs ((type ARG1)) - (allow ARG1 cgroupfile search_dir)) + (macro search_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile search_dir)) - (macro write_cgroupfile_dirs ((type ARG1)) - (allow ARG1 cgroupfile write_dir)) + (macro write_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile write_dir)) - (macro writeinherited_cgroupfile_dirs ((type ARG1)) - (allow ARG1 cgroupfile writeinherited_dir))) + (macro writeinherited_cgroupfile_dirs ((type ARG1)) + (allow ARG1 cgroupfile writeinherited_dir))) - (block macro_template_files + (block macro_template_files - (blockabstract macro_template_files) + (blockabstract macro_template_files) - (macro append_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile append_file)) + (macro 
append_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile append_file)) - (macro appendinherited_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile appendinherited_file)) + (macro appendinherited_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile appendinherited_file)) - (macro create_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile create_file)) + (macro create_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile create_file)) - (macro delete_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile delete_file)) + (macro delete_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile delete_file)) - (macro execute_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile execute_file)) + (macro execute_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile execute_file)) - (macro manage_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile manage_file)) + (macro manage_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile manage_file)) - (macro mapexecute_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile mapexecute_file)) + (macro mapexecute_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile mapexecute_file)) - (macro mounton_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile mounton_file)) + (macro mounton_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile mounton_file)) - (macro read_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile read_file)) + (macro read_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile read_file)) - (macro readinherited_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile readinherited_file)) + (macro readinherited_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile readinherited_file)) - (macro readwrite_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile readwrite_file)) + (macro readwrite_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile readwrite_file)) - (macro readwriteinherited_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile readwriteinherited_file)) 
+ (macro readwriteinherited_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile readwriteinherited_file)) - (macro rename_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile rename_file)) + (macro rename_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile rename_file)) - (macro write_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile write_file)) + (macro write_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile write_file)) - (macro writeinherited_cgroupfile_files ((type ARG1)) - (allow ARG1 cgroupfile writeinherited_file))) + (macro writeinherited_cgroupfile_files ((type ARG1)) + (allow ARG1 cgroupfile writeinherited_file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .cgroupfile.base_template) - (blockinherit .cgroupfile.macro_template_files)) + (blockinherit .cgroupfile.base_template) + (blockinherit .cgroupfile.macro_template_files)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr cgroupfile.typeattr (dir (not (audit_access execmod)))) - (allow typeattr cgroupfile.typeattr - (file (not (audit_access entrypoint execmod)))))) + (allow typeattr cgroupfile.typeattr (dir (not (audit_access execmod)))) + (allow typeattr cgroupfile.typeattr + (file (not (audit_access entrypoint execmod)))))) (in sys.unconfined diff --git a/src/sys/debugfile.cil b/src/sys/debugfile.cil index 1f22606..aba09a9 100644 --- a/src/sys/debugfile.cil +++ b/src/sys/debugfile.cil 
@@ -1,141 +1,141 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block debugfile - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (call .debug.associate_fs (typeattr)) + (call .debug.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context debugfile_context (.sys.id .sys.role debugfile .sys.lowlow)) + (context debugfile_context (.sys.id .sys.role debugfile .sys.lowlow)) - (type debugfile) - (call .debugfile.type (debugfile))) + (type debugfile) + (call .debugfile.type (debugfile))) - (block macro_template_dirs + (block macro_template_dirs - (blockabstract macro_template_dirs) + (blockabstract macro_template_dirs) - (macro addname_debugfile_dirs ((type ARG1)) - (allow ARG1 debugfile addname_dir)) + (macro addname_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile addname_dir)) - (macro create_debugfile_dirs ((type ARG1)) - (allow ARG1 debugfile create_dir)) + (macro create_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile create_dir)) - (macro delete_debugfile_dirs ((type ARG1)) - (allow ARG1 debugfile delete_dir)) + (macro delete_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile delete_dir)) - (macro deletename_debugfile_dirs ((type ARG1)) - (allow ARG1 debugfile deletename_dir)) + (macro deletename_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile deletename_dir)) - (macro list_debugfile_dirs ((type ARG1)) - (allow ARG1 debugfile 
list_dir)) + (macro list_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile list_dir)) - (macro listinherited_debugfile_dirs ((type ARG1)) - (allow ARG1 debugfile listinherited_dir)) + (macro listinherited_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile listinherited_dir)) - (macro manage_debugfile_dirs ((type ARG1)) - (allow ARG1 debugfile manage_dir)) + (macro manage_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile manage_dir)) - (macro mounton_debugfile_dirs ((type ARG1)) - (allow ARG1 debugfile mounton_dir)) + (macro mounton_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile mounton_dir)) - (macro readwrite_debugfile_dirs ((type ARG1)) - (allow ARG1 debugfile readwrite_dir)) + (macro readwrite_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile readwrite_dir)) - (macro readwriteinherited_debugfile_dirs ((type ARG1)) - (allow ARG1 debugfile readwriteinherited_dir)) + (macro readwriteinherited_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile readwriteinherited_dir)) - (macro rename_debugfile_dirs ((type ARG1)) - (allow ARG1 debugfile rename_dir)) + (macro rename_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile rename_dir)) - (macro search_debugfile_dirs ((type ARG1)) - (allow ARG1 debugfile search_dir)) + (macro search_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile search_dir)) - (macro write_debugfile_dirs ((type ARG1)) - (allow ARG1 debugfile write_dir)) + (macro write_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile write_dir)) - (macro writeinherited_debugfile_dirs ((type ARG1)) - (allow ARG1 debugfile writeinherited_dir))) + (macro writeinherited_debugfile_dirs ((type ARG1)) + (allow ARG1 debugfile writeinherited_dir))) - (block macro_template_files + (block macro_template_files - (blockabstract macro_template_files) + (blockabstract macro_template_files) - (macro append_debugfile_files ((type ARG1)) - (allow ARG1 debugfile append_file)) + (macro append_debugfile_files ((type ARG1)) + (allow ARG1 debugfile append_file)) - 
(macro appendinherited_debugfile_files ((type ARG1)) - (allow ARG1 debugfile appendinherited_file)) + (macro appendinherited_debugfile_files ((type ARG1)) + (allow ARG1 debugfile appendinherited_file)) - (macro create_debugfile_files ((type ARG1)) - (allow ARG1 debugfile create_file)) + (macro create_debugfile_files ((type ARG1)) + (allow ARG1 debugfile create_file)) - (macro delete_debugfile_files ((type ARG1)) - (allow ARG1 debugfile delete_file)) + (macro delete_debugfile_files ((type ARG1)) + (allow ARG1 debugfile delete_file)) - (macro execute_debugfile_files ((type ARG1)) - (allow ARG1 debugfile execute_file)) + (macro execute_debugfile_files ((type ARG1)) + (allow ARG1 debugfile execute_file)) - (macro manage_debugfile_files ((type ARG1)) - (allow ARG1 debugfile manage_file)) + (macro manage_debugfile_files ((type ARG1)) + (allow ARG1 debugfile manage_file)) - (macro mapexecute_debugfile_files ((type ARG1)) - (allow ARG1 debugfile mapexecute_file)) + (macro mapexecute_debugfile_files ((type ARG1)) + (allow ARG1 debugfile mapexecute_file)) - (macro mounton_debugfile_files ((type ARG1)) - (allow ARG1 debugfile mounton_file)) + (macro mounton_debugfile_files ((type ARG1)) + (allow ARG1 debugfile mounton_file)) - (macro read_debugfile_files ((type ARG1)) - (allow ARG1 debugfile read_file)) + (macro read_debugfile_files ((type ARG1)) + (allow ARG1 debugfile read_file)) - (macro readinherited_debugfile_files ((type ARG1)) - (allow ARG1 debugfile readinherited_file)) + (macro readinherited_debugfile_files ((type ARG1)) + (allow ARG1 debugfile readinherited_file)) - (macro readwrite_debugfile_files ((type ARG1)) - (allow ARG1 debugfile readwrite_file)) + (macro readwrite_debugfile_files ((type ARG1)) + (allow ARG1 debugfile readwrite_file)) - (macro readwriteinherited_debugfile_files ((type ARG1)) - (allow ARG1 debugfile readwriteinherited_file)) + (macro readwriteinherited_debugfile_files ((type ARG1)) + (allow ARG1 debugfile readwriteinherited_file)) - (macro 
rename_debugfile_files ((type ARG1)) - (allow ARG1 debugfile rename_file)) + (macro rename_debugfile_files ((type ARG1)) + (allow ARG1 debugfile rename_file)) - (macro write_debugfile_files ((type ARG1)) - (allow ARG1 debugfile write_file)) + (macro write_debugfile_files ((type ARG1)) + (allow ARG1 debugfile write_file)) - (macro writeinherited_debugfile_files ((type ARG1)) - (allow ARG1 debugfile writeinherited_file))) + (macro writeinherited_debugfile_files ((type ARG1)) + (allow ARG1 debugfile writeinherited_file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .debugfile.base_template) - (blockinherit .debugfile.macro_template_files)) + (blockinherit .debugfile.base_template) + (blockinherit .debugfile.macro_template_files)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr debugfile.typeattr (dir (not (audit_access execmod)))) - (allow typeattr debugfile.typeattr - (file (not (audit_access entrypoint execmod)))))) + (allow typeattr debugfile.typeattr (dir (not (audit_access execmod)))) + (allow typeattr debugfile.typeattr + (file (not (audit_access entrypoint execmod)))))) (in sys.unconfined diff --git a/src/sys/procfile.cil b/src/sys/procfile.cil index 85ef97a..068725e 100644 --- a/src/sys/procfile.cil +++ b/src/sys/procfile.cil 
@@ -1,192 +1,192 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block procfile - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context procfile_context (.sys.id .sys.role procfile .sys.lowlow)) + (context procfile_context (.sys.id .sys.role procfile .sys.lowlow)) - (type procfile) - (call .procfile.type (procfile))) + (type procfile) + (call .procfile.type (procfile))) - (block except + (block except - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (blockinherit file.all_macro_template_dirs) - (blockinherit file.all_macro_template_files) - (blockinherit file.all_macro_template_lnk_files) + (blockinherit file.all_macro_template_dirs) + (blockinherit file.all_macro_template_files) + (blockinherit file.all_macro_template_lnk_files) - (typeattribute typeattr) + (typeattribute typeattr) - (typeattributeset typeattr - (and procfile.typeattr (not (exception.typeattr))))) + (typeattributeset typeattr + (and procfile.typeattr (not (exception.typeattr))))) - (block exception + (block exception - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + 
(typeattribute typeattr) - (call procfile.type (typeattr))) + (call procfile.type (typeattr))) - (block macro_template_dirs + (block macro_template_dirs - (blockabstract macro_template_dirs) + (blockabstract macro_template_dirs) - (macro addname_procfile_dirs ((type ARG1)) - (allow ARG1 procfile addname_dir)) + (macro addname_procfile_dirs ((type ARG1)) + (allow ARG1 procfile addname_dir)) - (macro create_procfile_dirs ((type ARG1)) - (allow ARG1 procfile create_dir)) + (macro create_procfile_dirs ((type ARG1)) + (allow ARG1 procfile create_dir)) - (macro delete_procfile_dirs ((type ARG1)) - (allow ARG1 procfile delete_dir)) + (macro delete_procfile_dirs ((type ARG1)) + (allow ARG1 procfile delete_dir)) - (macro deletename_procfile_dirs ((type ARG1)) - (allow ARG1 procfile deletename_dir)) + (macro deletename_procfile_dirs ((type ARG1)) + (allow ARG1 procfile deletename_dir)) - (macro list_procfile_dirs ((type ARG1)) - (allow ARG1 procfile list_dir)) + (macro list_procfile_dirs ((type ARG1)) + (allow ARG1 procfile list_dir)) - (macro listinherited_procfile_dirs ((type ARG1)) - (allow ARG1 procfile listinherited_dir)) + (macro listinherited_procfile_dirs ((type ARG1)) + (allow ARG1 procfile listinherited_dir)) - (macro manage_procfile_dirs ((type ARG1)) - (allow ARG1 procfile manage_dir)) + (macro manage_procfile_dirs ((type ARG1)) + (allow ARG1 procfile manage_dir)) - (macro mounton_procfile_dirs ((type ARG1)) - (allow ARG1 procfile mounton_dir)) + (macro mounton_procfile_dirs ((type ARG1)) + (allow ARG1 procfile mounton_dir)) - (macro readwrite_procfile_dirs ((type ARG1)) - (allow ARG1 procfile readwrite_dir)) + (macro readwrite_procfile_dirs ((type ARG1)) + (allow ARG1 procfile readwrite_dir)) - (macro readwriteinherited_procfile_dirs ((type ARG1)) - (allow ARG1 procfile readwriteinherited_dir)) + (macro readwriteinherited_procfile_dirs ((type ARG1)) + (allow ARG1 procfile readwriteinherited_dir)) - (macro rename_procfile_dirs ((type ARG1)) - (allow ARG1 procfile 
rename_dir)) + (macro rename_procfile_dirs ((type ARG1)) + (allow ARG1 procfile rename_dir)) - (macro search_procfile_dirs ((type ARG1)) - (allow ARG1 procfile search_dir)) + (macro search_procfile_dirs ((type ARG1)) + (allow ARG1 procfile search_dir)) - (macro write_procfile_dirs ((type ARG1)) - (allow ARG1 procfile write_dir)) + (macro write_procfile_dirs ((type ARG1)) + (allow ARG1 procfile write_dir)) - (macro writeinherited_procfile_dirs ((type ARG1)) - (allow ARG1 procfile writeinherited_dir))) + (macro writeinherited_procfile_dirs ((type ARG1)) + (allow ARG1 procfile writeinherited_dir))) - (block macro_template_files + (block macro_template_files - (blockabstract macro_template_files) + (blockabstract macro_template_files) - (macro append_procfile_files ((type ARG1)) - (allow ARG1 procfile append_file)) + (macro append_procfile_files ((type ARG1)) + (allow ARG1 procfile append_file)) - (macro appendinherited_procfile_files ((type ARG1)) - (allow ARG1 procfile appendinherited_file)) + (macro appendinherited_procfile_files ((type ARG1)) + (allow ARG1 procfile appendinherited_file)) - (macro create_procfile_files ((type ARG1)) - (allow ARG1 procfile create_file)) + (macro create_procfile_files ((type ARG1)) + (allow ARG1 procfile create_file)) - (macro delete_procfile_files ((type ARG1)) - (allow ARG1 procfile delete_file)) + (macro delete_procfile_files ((type ARG1)) + (allow ARG1 procfile delete_file)) - (macro execute_procfile_files ((type ARG1)) - (allow ARG1 procfile execute_file)) + (macro execute_procfile_files ((type ARG1)) + (allow ARG1 procfile execute_file)) - (macro manage_procfile_files ((type ARG1)) - (allow ARG1 procfile manage_file)) + (macro manage_procfile_files ((type ARG1)) + (allow ARG1 procfile manage_file)) - (macro mapexecute_procfile_files ((type ARG1)) - (allow ARG1 procfile mapexecute_file)) + (macro mapexecute_procfile_files ((type ARG1)) + (allow ARG1 procfile mapexecute_file)) - (macro mounton_procfile_files ((type ARG1)) - (allow 
ARG1 procfile mounton_file)) + (macro mounton_procfile_files ((type ARG1)) + (allow ARG1 procfile mounton_file)) - (macro read_procfile_files ((type ARG1)) - (allow ARG1 procfile read_file)) + (macro read_procfile_files ((type ARG1)) + (allow ARG1 procfile read_file)) - (macro readinherited_procfile_files ((type ARG1)) - (allow ARG1 procfile readinherited_file)) + (macro readinherited_procfile_files ((type ARG1)) + (allow ARG1 procfile readinherited_file)) - (macro readwrite_procfile_files ((type ARG1)) - (allow ARG1 procfile readwrite_file)) + (macro readwrite_procfile_files ((type ARG1)) + (allow ARG1 procfile readwrite_file)) - (macro readwriteinherited_procfile_files ((type ARG1)) - (allow ARG1 procfile readwriteinherited_file)) + (macro readwriteinherited_procfile_files ((type ARG1)) + (allow ARG1 procfile readwriteinherited_file)) - (macro rename_procfile_files ((type ARG1)) - (allow ARG1 procfile rename_file)) + (macro rename_procfile_files ((type ARG1)) + (allow ARG1 procfile rename_file)) - (macro write_procfile_files ((type ARG1)) - (allow ARG1 procfile write_file)) + (macro write_procfile_files ((type ARG1)) + (allow ARG1 procfile write_file)) - (macro writeinherited_procfile_files ((type ARG1)) - (allow ARG1 procfile writeinherited_file))) + (macro writeinherited_procfile_files ((type ARG1)) + (allow ARG1 procfile writeinherited_file))) - (block macro_template_lnk_files + (block macro_template_lnk_files - (blockabstract macro_template_lnk_files) + (blockabstract macro_template_lnk_files) - (macro create_procfile_lnk_files ((type ARG1)) - (allow ARG1 procfile create_lnk_file)) + (macro create_procfile_lnk_files ((type ARG1)) + (allow ARG1 procfile create_lnk_file)) - (macro delete_procfile_lnk_files ((type ARG1)) - (allow ARG1 procfile delete_lnk_file)) + (macro delete_procfile_lnk_files ((type ARG1)) + (allow ARG1 procfile delete_lnk_file)) - (macro manage_procfile_lnk_files ((type ARG1)) - (allow ARG1 procfile manage_lnk_file)) + (macro 
manage_procfile_lnk_files ((type ARG1)) + (allow ARG1 procfile manage_lnk_file)) - (macro read_procfile_lnk_files ((type ARG1)) - (allow ARG1 procfile read_lnk_file)) + (macro read_procfile_lnk_files ((type ARG1)) + (allow ARG1 procfile read_lnk_file)) - (macro readwrite_procfile_lnk_files ((type ARG1)) - (allow ARG1 procfile readwrite_lnk_file)) + (macro readwrite_procfile_lnk_files ((type ARG1)) + (allow ARG1 procfile readwrite_lnk_file)) - (macro rename_procfile_lnk_files ((type ARG1)) - (allow ARG1 procfile rename_lnk_file)) + (macro rename_procfile_lnk_files ((type ARG1)) + (allow ARG1 procfile rename_lnk_file)) - (macro write_procfile_lnk_files ((type ARG1)) - (allow ARG1 procfile write_lnk_file))) + (macro write_procfile_lnk_files ((type ARG1)) + (allow ARG1 procfile write_lnk_file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .procfile.base_template) - (blockinherit .procfile.macro_template_files)) + (blockinherit .procfile.base_template) + (blockinherit .procfile.macro_template_files)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr procfile.typeattr - (dir (not (audit_access execmod relabelfrom relabelto)))) - (allow typeattr procfile.typeattr - (file (not (audit_access entrypoint execmod relabelfrom relabelto)))) - (allow typeattr procfile.typeattr - (lnk_file (not (audit_access execmod map mounton relabelfrom - relabelto)))))) + (allow typeattr procfile.typeattr + (dir (not (audit_access execmod relabelfrom relabelto)))) + (allow typeattr procfile.typeattr + (file (not (audit_access entrypoint execmod relabelfrom relabelto)))) + (allow typeattr procfile.typeattr + (lnk_file (not (audit_access execmod map mounton relabelfrom + relabelto)))))) (in sys.unconfined 
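Review bot: The new side of the first line of this hunk replaces the UTF-8 copyright sign `©` in the SPDX-FileCopyrightText header with the literal six characters `M-BM-)`, which is how `cat -v` prints the bytes C2 A9, and the same substitution appears in every file of this series; it looks like the reindent was piped through a tool that escapes non-ASCII and the escaped output was committed. That turns an otherwise whitespace-only change into a content change that leaves a corrupted copyright notice in each header. The intended line is `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`; the reindent should be redone with a tool that preserves UTF-8 (or the header lines excluded from it), and a `git diff -w` showing no remaining changes would confirm the commit is whitespace-only. The hunk ends on the context line `(in sys.unconfined`, so the block that follows is outside it.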
diff --git a/src/sys/procfile/acpiprocfile.cil b/src/sys/procfile/acpiprocfile.cil index 474e9c8..7386f17 100644 --- a/src/sys/procfile/acpiprocfile.cil +++ b/src/sys/procfile/acpiprocfile.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block acpi - (genfscon "proc" "/acpi" procfile_context) + (genfscon "proc" "/acpi" procfile_context) - (blockinherit .procfile.macro_template_dirs) - (blockinherit .procfile.template)) + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/asoundprocfile.cil b/src/sys/procfile/asoundprocfile.cil index 45a9667..b83129a 100644 --- a/src/sys/procfile/asoundprocfile.cil +++ b/src/sys/procfile/asoundprocfile.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block asound - (genfscon "proc" "/asound" procfile_context) + (genfscon "proc" "/asound" procfile_context) - (blockinherit .procfile.macro_template_dirs) - (blockinherit .procfile.template)) + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/bootconfigprocfile.cil b/src/sys/procfile/bootconfigprocfile.cil index e4a0a88..67ef54b 100644 --- a/src/sys/procfile/bootconfigprocfile.cil +++ b/src/sys/procfile/bootconfigprocfile.cil 
@@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block bootconfig - (genfscon "proc" "/bootconfig" procfile_context) + (genfscon "proc" "/bootconfig" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/buddyinfoprocfile.cil b/src/sys/procfile/buddyinfoprocfile.cil index 9efb15f..88e77b1 100644 --- a/src/sys/procfile/buddyinfoprocfile.cil +++ b/src/sys/procfile/buddyinfoprocfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block buddyinfo - (genfscon "proc" "/buddyinfo" procfile_context) + (genfscon "proc" "/buddyinfo" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/busprocfile.cil b/src/sys/procfile/busprocfile.cil index 0c8e2b4..272fe71 100644 --- a/src/sys/procfile/busprocfile.cil +++ b/src/sys/procfile/busprocfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in bus diff --git a/src/sys/procfile/cgroupsprocfile.cil b/src/sys/procfile/cgroupsprocfile.cil index c791614..3051b9d 100644 --- a/src/sys/procfile/cgroupsprocfile.cil +++ b/src/sys/procfile/cgroupsprocfile.cil 
@@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block cgroups - (genfscon "proc" "/cgroups" procfile_context) + (genfscon "proc" "/cgroups" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/cmdlineprocfile.cil b/src/sys/procfile/cmdlineprocfile.cil index 4b72d65..beab982 100644 --- a/src/sys/procfile/cmdlineprocfile.cil +++ b/src/sys/procfile/cmdlineprocfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block cmdline - (genfscon "proc" "/cmdline" procfile_context) + (genfscon "proc" "/cmdline" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/consolesprocfile.cil b/src/sys/procfile/consolesprocfile.cil index 9f22626..f0b7275 100644 --- a/src/sys/procfile/consolesprocfile.cil +++ b/src/sys/procfile/consolesprocfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block consoles - (genfscon "proc" "/consoles" procfile_context) + (genfscon "proc" "/consoles" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/cpuinfoprocfile.cil b/src/sys/procfile/cpuinfoprocfile.cil index 6e22857..830d84c 100644 --- a/src/sys/procfile/cpuinfoprocfile.cil +++ b/src/sys/procfile/cpuinfoprocfile.cil 
@@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block cpuinfo - (genfscon "proc" "/cpuinfo" procfile_context) + (genfscon "proc" "/cpuinfo" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/cpuprocfile.cil b/src/sys/procfile/cpuprocfile.cil index 516610c..b225fc7 100644 --- a/src/sys/procfile/cpuprocfile.cil +++ b/src/sys/procfile/cpuprocfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in cpu diff --git a/src/sys/procfile/cryptoprocfile.cil b/src/sys/procfile/cryptoprocfile.cil index cab3e66..eb6700b 100644 --- a/src/sys/procfile/cryptoprocfile.cil +++ b/src/sys/procfile/cryptoprocfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in crypto diff --git a/src/sys/procfile/devicesprocfile.cil b/src/sys/procfile/devicesprocfile.cil index a82c1bf..6715db8 100644 --- a/src/sys/procfile/devicesprocfile.cil +++ b/src/sys/procfile/devicesprocfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in devices diff --git a/src/sys/procfile/diskstatsprocfile.cil b/src/sys/procfile/diskstatsprocfile.cil index 047c45f..62ebbf5 100644 --- a/src/sys/procfile/diskstatsprocfile.cil +++ b/src/sys/procfile/diskstatsprocfile.cil 
@@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block diskstats - (genfscon "proc" "/diskstats" procfile_context) + (genfscon "proc" "/diskstats" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/dmaprocfile.cil b/src/sys/procfile/dmaprocfile.cil index daff60b..f206b9f 100644 --- a/src/sys/procfile/dmaprocfile.cil +++ b/src/sys/procfile/dmaprocfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block dma - (genfscon "proc" "/dma" procfile_context) + (genfscon "proc" "/dma" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/driverprocfile.cil b/src/sys/procfile/driverprocfile.cil index 09ea110..7873fe8 100644 --- a/src/sys/procfile/driverprocfile.cil +++ b/src/sys/procfile/driverprocfile.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block driver - (genfscon "proc" "/driver" procfile_context) + (genfscon "proc" "/driver" procfile_context) - (blockinherit .procfile.macro_template_dirs) - (blockinherit .procfile.template)) + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/dynamicdebugprocfile.cil b/src/sys/procfile/dynamicdebugprocfile.cil index 580c13e..d2f739b 100644 --- a/src/sys/procfile/dynamicdebugprocfile.cil +++ b/src/sys/procfile/dynamicdebugprocfile.cil 
@@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block dynamicdebug - (genfscon "proc" "/dynamic_debug" procfile_context) + (genfscon "proc" "/dynamic_debug" procfile_context) - (blockinherit .procfile.macro_template_dirs) - (blockinherit .procfile.base_template)) + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.base_template)) diff --git a/src/sys/procfile/execdomainsprocfile.cil b/src/sys/procfile/execdomainsprocfile.cil index 50d728b..a7cf172 100644 --- a/src/sys/procfile/execdomainsprocfile.cil +++ b/src/sys/procfile/execdomainsprocfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block execdomains - (genfscon "proc" "/execdomains" procfile_context) + (genfscon "proc" "/execdomains" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/fbprocfile.cil b/src/sys/procfile/fbprocfile.cil index cdfeeea..a828599 100644 --- a/src/sys/procfile/fbprocfile.cil +++ b/src/sys/procfile/fbprocfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in fb diff --git a/src/sys/procfile/filesystemsprocfile.cil b/src/sys/procfile/filesystemsprocfile.cil index 285a9f9..428081f 100644 --- a/src/sys/procfile/filesystemsprocfile.cil +++ b/src/sys/procfile/filesystemsprocfile.cil 
@@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block filesystems - (genfscon "proc" "/filesystems" procfile_context) + (genfscon "proc" "/filesystems" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/fsprocfile.cil b/src/sys/procfile/fsprocfile.cil index 7e1887c..053da22 100644 --- a/src/sys/procfile/fsprocfile.cil +++ b/src/sys/procfile/fsprocfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in fs diff --git a/src/sys/procfile/interruptsprocfile.cil b/src/sys/procfile/interruptsprocfile.cil index 43ab72c..fc2f54e 100644 --- a/src/sys/procfile/interruptsprocfile.cil +++ b/src/sys/procfile/interruptsprocfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block interrupts - (genfscon "proc" "/interrupts" procfile_context) + (genfscon "proc" "/interrupts" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/iomemprocfile.cil b/src/sys/procfile/iomemprocfile.cil index 3576e07..ed926e8 100644 --- a/src/sys/procfile/iomemprocfile.cil +++ b/src/sys/procfile/iomemprocfile.cil 
@@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block iomem - (genfscon "proc" "/iomem" procfile_context) + (genfscon "proc" "/iomem" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/ioportsprocfile.cil b/src/sys/procfile/ioportsprocfile.cil index 452c017..45123a0 100644 --- a/src/sys/procfile/ioportsprocfile.cil +++ b/src/sys/procfile/ioportsprocfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block ioports - (genfscon "proc" "/ioports" procfile_context) + (genfscon "proc" "/ioports" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/irqprocfile.cil b/src/sys/procfile/irqprocfile.cil index 5dec01f..0c35353 100644 --- a/src/sys/procfile/irqprocfile.cil +++ b/src/sys/procfile/irqprocfile.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block irq - (genfscon "proc" "/irq" procfile_context) + (genfscon "proc" "/irq" procfile_context) - (blockinherit .procfile.macro_template_dirs) - (blockinherit .procfile.template)) + (blockinherit .procfile.macro_template_dirs) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/jffs2bbcprocfile.cil b/src/sys/procfile/jffs2bbcprocfile.cil index 01fed13..75038ed 100644 --- a/src/sys/procfile/jffs2bbcprocfile.cil +++ b/src/sys/procfile/jffs2bbcprocfile.cil 
@@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block jffs2bbc - (genfscon "proc" "/jffs2_bbc" procfile_context) + (genfscon "proc" "/jffs2_bbc" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/kallsymsprocfile.cil b/src/sys/procfile/kallsymsprocfile.cil index 7043b3d..e9b2648 100644 --- a/src/sys/procfile/kallsymsprocfile.cil +++ b/src/sys/procfile/kallsymsprocfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block kallsyms - (genfscon "proc" "/kallsyms" procfile_context) + (genfscon "proc" "/kallsyms" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/kcoreprocfile.cil b/src/sys/procfile/kcoreprocfile.cil index f6cfe61..f7c1a64 100644 --- a/src/sys/procfile/kcoreprocfile.cil +++ b/src/sys/procfile/kcoreprocfile.cil 
@@ -1,47 +1,47 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block kcore - (genfscon "proc" "/kcore" procfile_context) + (genfscon "proc" "/kcore" procfile_context) - (blockinherit .procfile.template) + (blockinherit .procfile.template) - (call .procfile.exception.type (procfile)) + (call .procfile.exception.type (procfile)) - (block read + (block read - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr procfile (file (read)))) + (neverallow not_typeattr procfile (file (read)))) - (block readwrite + (block readwrite - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (call read.type (typeattr)) - (call write.type (typeattr))) + (call read.type (typeattr)) + (call write.type (typeattr))) - (block write + (block write - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute not_typeattr) - (typeattribute typeattr) + (typeattribute not_typeattr) + (typeattribute typeattr) - (typeattributeset not_typeattr (not typeattr)) + (typeattributeset not_typeattr (not typeattr)) - (neverallow not_typeattr procfile (file (append write))))) + (neverallow not_typeattr procfile (file (append write))))) (in procfile.unconfined diff --git a/src/sys/procfile/keysprocfile.cil b/src/sys/procfile/keysprocfile.cil index db8164c..92ef55a 100644 --- a/src/sys/procfile/keysprocfile.cil 
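Review bot: The `read` and `write` sub-blocks of `kcore` carry no comment saying why this procfile type is pulled out of the generic procfile macros with `(call .procfile.exception.type (procfile))` and then fenced with `neverallow` rules, and a reindent that touches every line is a good moment to add one. A header comment above `(block read` such as `;; kcore is deliberately excluded from the generic procfile file macros; only domains enrolled via kcore.read.type / kcore.write.type (or kcore.readwrite.type, which enrolls into both) may read or write it` would tell a reader the neverallows are intentional rather than leftover; the reason is presumably that /proc/kcore exposes a kernel memory image, which the policy itself does not state, so the comment should say so only if the author confirms it. The `not_typeattr` / `(typeattributeset not_typeattr (not typeattr))` pattern is repeated verbatim in `read` and `write`, so one comment covering both is enough. This hunk also carries the `©` to `M-BM-)` corruption of the SPDX header on its first line.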
+++ b/src/sys/procfile/keysprocfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block keys - (genfscon "proc" "/keys" procfile_context) + (genfscon "proc" "/keys" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/keyusersprocfile.cil b/src/sys/procfile/keyusersprocfile.cil index 6431035..f10090e 100644 --- a/src/sys/procfile/keyusersprocfile.cil +++ b/src/sys/procfile/keyusersprocfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block keyusers - (genfscon "proc" "/key-users" procfile_context) + (genfscon "proc" "/key-users" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/kmsgprocfile.cil b/src/sys/procfile/kmsgprocfile.cil index a85c7ad..b7de676 100644 --- a/src/sys/procfile/kmsgprocfile.cil +++ b/src/sys/procfile/kmsgprocfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in kmsg diff --git a/src/sys/procfile/kpagecgroupprocfile.cil b/src/sys/procfile/kpagecgroupprocfile.cil index eacb8fc..e22fcb1 100644 --- a/src/sys/procfile/kpagecgroupprocfile.cil +++ b/src/sys/procfile/kpagecgroupprocfile.cil 
@@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block kpagecgroup - (genfscon "proc" "/kpagecgroup" procfile_context) + (genfscon "proc" "/kpagecgroup" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/kpagecountprocfile.cil b/src/sys/procfile/kpagecountprocfile.cil index 1c698c5..0005c3c 100644 --- a/src/sys/procfile/kpagecountprocfile.cil +++ b/src/sys/procfile/kpagecountprocfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block kpagecount - (genfscon "proc" "/kpagecount" procfile_context) + (genfscon "proc" "/kpagecount" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/kpageflagsprocfile.cil b/src/sys/procfile/kpageflagsprocfile.cil index e4c639c..b21f97f 100644 --- a/src/sys/procfile/kpageflagsprocfile.cil +++ b/src/sys/procfile/kpageflagsprocfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block kpageflags - (genfscon "proc" "/kpageflags" procfile_context) + (genfscon "proc" "/kpageflags" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/latencystatsprocfile.cil b/src/sys/procfile/latencystatsprocfile.cil index fb479bf..0bbebfb 100644 --- a/src/sys/procfile/latencystatsprocfile.cil +++ b/src/sys/procfile/latencystatsprocfile.cil 
@@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block latencystats - (genfscon "proc" "/latency_stats" procfile_context) + (genfscon "proc" "/latency_stats" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/loadavgprocfile.cil b/src/sys/procfile/loadavgprocfile.cil index 2bf731b..af2f762 100644 --- a/src/sys/procfile/loadavgprocfile.cil +++ b/src/sys/procfile/loadavgprocfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block loadavg - (genfscon "proc" "/loadavg" procfile_context) + (genfscon "proc" "/loadavg" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/lockdepchainsprocfile.cil b/src/sys/procfile/lockdepchainsprocfile.cil index 992c2cb..3954b36 100644 --- a/src/sys/procfile/lockdepchainsprocfile.cil +++ b/src/sys/procfile/lockdepchainsprocfile.cil @@ -1,8 +1,8 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block lockdepchains - (genfscon "proc" "/lockdep_chains" procfile_context) + (genfscon "proc" "/lockdep_chains" procfile_context) - (blockinherit .procfile.template)) + (blockinherit .procfile.template)) diff --git a/src/sys/procfile/lockdepprocfile.cil b/src/sys/procfile/lockdepprocfile.cil index 4f9d227..10e2cab 100644 --- a/src/sys/procfile/lockdepprocfile.cil +++ b/src/sys/procfile/lockdepprocfile.cil 
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block lockdep
- (genfscon "proc" "/lockdep" procfile_context)
+ (genfscon "proc" "/lockdep" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/lockdepstatsprocfile.cil b/src/sys/procfile/lockdepstatsprocfile.cil
index d4d81a8..e4d98e6 100644
--- a/src/sys/procfile/lockdepstatsprocfile.cil
+++ b/src/sys/procfile/lockdepstatsprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block lockdepstats
- (genfscon "proc" "/lockdep_stats" procfile_context)
+ (genfscon "proc" "/lockdep_stats" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/locksprocfile.cil b/src/sys/procfile/locksprocfile.cil
index 3c24537..310a7f0 100644
--- a/src/sys/procfile/locksprocfile.cil
+++ b/src/sys/procfile/locksprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block locks
- (genfscon "proc" "/locks" procfile_context)
+ (genfscon "proc" "/locks" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/lockstatprocfile.cil b/src/sys/procfile/lockstatprocfile.cil
index 6874bc8..0ddaa4a 100644
--- a/src/sys/procfile/lockstatprocfile.cil
+++ b/src/sys/procfile/lockstatprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block lockstat
- (genfscon "proc" "/lock_stat" procfile_context)
+ (genfscon "proc" "/lock_stat" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/mdstatprocfile.cil b/src/sys/procfile/mdstatprocfile.cil
index b5813e6..47066a8 100644
--- a/src/sys/procfile/mdstatprocfile.cil
+++ b/src/sys/procfile/mdstatprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block mdstat
- (genfscon "proc" "/mdstat" procfile_context)
+ (genfscon "proc" "/mdstat" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/meminfoprocfile.cil b/src/sys/procfile/meminfoprocfile.cil
index 602f876..a158ecb 100644
--- a/src/sys/procfile/meminfoprocfile.cil
+++ b/src/sys/procfile/meminfoprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block meminfo
- (genfscon "proc" "/meminfo" procfile_context)
+ (genfscon "proc" "/meminfo" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/miscprocfile.cil b/src/sys/procfile/miscprocfile.cil
index cb4c5b2..63b2caa 100644
--- a/src/sys/procfile/miscprocfile.cil
+++ b/src/sys/procfile/miscprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block misc
- (genfscon "proc" "/misc" procfile_context)
+ (genfscon "proc" "/misc" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/modulesprocfile.cil b/src/sys/procfile/modulesprocfile.cil
index 7d209c8..81c48a6 100644
--- a/src/sys/procfile/modulesprocfile.cil
+++ b/src/sys/procfile/modulesprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block modules
- (genfscon "proc" "/modules" procfile_context)
+ (genfscon "proc" "/modules" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/mptprocfile.cil b/src/sys/procfile/mptprocfile.cil
index 02fe2cd..91f9890 100644
--- a/src/sys/procfile/mptprocfile.cil
+++ b/src/sys/procfile/mptprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block mpt
- (genfscon "proc" "/mpt" procfile_context)
+ (genfscon "proc" "/mpt" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/mtdprocfile.cil b/src/sys/procfile/mtdprocfile.cil
index 2e856e7..c33531f 100644
--- a/src/sys/procfile/mtdprocfile.cil
+++ b/src/sys/procfile/mtdprocfile.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in mtd
diff --git a/src/sys/procfile/mtrrprocfile.cil b/src/sys/procfile/mtrrprocfile.cil
index a3e40ef..f88bc2d 100644
--- a/src/sys/procfile/mtrrprocfile.cil
+++ b/src/sys/procfile/mtrrprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block mtrr
- (genfscon "proc" "/mtrr" procfile_context)
+ (genfscon "proc" "/mtrr" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/netprocfile.cil b/src/sys/procfile/netprocfile.cil
index 2b18e74..6c61ebe 100644
--- a/src/sys/procfile/netprocfile.cil
+++ b/src/sys/procfile/netprocfile.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in net
diff --git a/src/sys/procfile/pagetypeinfoprocfile.cil b/src/sys/procfile/pagetypeinfoprocfile.cil
index eb2b60b..94745ec 100644
--- a/src/sys/procfile/pagetypeinfoprocfile.cil
+++ b/src/sys/procfile/pagetypeinfoprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block pagetypeinfo
- (genfscon "proc" "/pagetypeinfo" procfile_context)
+ (genfscon "proc" "/pagetypeinfo" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/partitionsprocfile.cil b/src/sys/procfile/partitionsprocfile.cil
index 2f32ff7..9f5d84e 100644
--- a/src/sys/procfile/partitionsprocfile.cil
+++ b/src/sys/procfile/partitionsprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block partitions
- (genfscon "proc" "/partitions" procfile_context)
+ (genfscon "proc" "/partitions" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/pressureprocfile.cil b/src/sys/procfile/pressureprocfile.cil
index 9dfc9fc..987e2c3 100644
--- a/src/sys/procfile/pressureprocfile.cil
+++ b/src/sys/procfile/pressureprocfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block pressure
- (genfscon "proc" "/pressure" procfile_context)
+ (genfscon "proc" "/pressure" procfile_context)
- (blockinherit .procfile.macro_template_dirs)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/scheddebugprocfile.cil b/src/sys/procfile/scheddebugprocfile.cil
index 58eb532..5368784 100644
--- a/src/sys/procfile/scheddebugprocfile.cil
+++ b/src/sys/procfile/scheddebugprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block scheddebug
- (genfscon "proc" "/sched_debug" procfile_context)
+ (genfscon "proc" "/sched_debug" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/schedstatprocfile.cil b/src/sys/procfile/schedstatprocfile.cil
index e8c6beb..3d828e6 100644
--- a/src/sys/procfile/schedstatprocfile.cil
+++ b/src/sys/procfile/schedstatprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block schedstat
- (genfscon "proc" "/schedstat" procfile_context)
+ (genfscon "proc" "/schedstat" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/scsiprocfile.cil b/src/sys/procfile/scsiprocfile.cil
index 9b1b7f1..383f3f0 100644
--- a/src/sys/procfile/scsiprocfile.cil
+++ b/src/sys/procfile/scsiprocfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block scsi
- (genfscon "proc" "/scsi" procfile_context)
+ (genfscon "proc" "/scsi" procfile_context)
- (blockinherit .procfile.macro_template_dirs)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/slabinfoprocfile.cil b/src/sys/procfile/slabinfoprocfile.cil
index 8c206b6..2ee0e18 100644
--- a/src/sys/procfile/slabinfoprocfile.cil
+++ b/src/sys/procfile/slabinfoprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block slabinfo
- (genfscon "proc" "/slabinfo" procfile_context)
+ (genfscon "proc" "/slabinfo" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/softirqsprocfile.cil b/src/sys/procfile/softirqsprocfile.cil
index d72bb19..1a8412a 100644
--- a/src/sys/procfile/softirqsprocfile.cil
+++ b/src/sys/procfile/softirqsprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block softirqs
- (genfscon "proc" "/softirqs" procfile_context)
+ (genfscon "proc" "/softirqs" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/statprocfile.cil b/src/sys/procfile/statprocfile.cil
index 989de56..b7e8023 100644
--- a/src/sys/procfile/statprocfile.cil
+++ b/src/sys/procfile/statprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block stat
- (genfscon "proc" "/stat" procfile_context)
+ (genfscon "proc" "/stat" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/swapsprocfile.cil b/src/sys/procfile/swapsprocfile.cil
index 5124b0e..ea98b38 100644
--- a/src/sys/procfile/swapsprocfile.cil
+++ b/src/sys/procfile/swapsprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block swaps
- (genfscon "proc" "/swaps" procfile_context)
+ (genfscon "proc" "/swaps" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/sysctlfile.cil b/src/sys/procfile/sysctlfile.cil
index 7813107..0278393 100644
--- a/src/sys/procfile/sysctlfile.cil
+++ b/src/sys/procfile/sysctlfile.cil
@@ -1,141 +1,141 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block sysctlfile
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .file.all_macro_template_dirs)
- (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
- (call .procfile.type (typeattr))
+ (call .procfile.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (context sysctlfile_context (.sys.id .sys.role sysctlfile .sys.lowlow))
+ (context sysctlfile_context (.sys.id .sys.role sysctlfile .sys.lowlow))
- (type sysctlfile)
- (call .sysctlfile.type (sysctlfile)))
+ (type sysctlfile)
+ (call .sysctlfile.type (sysctlfile)))
- (block macro_template_dirs
+ (block macro_template_dirs
- (blockabstract macro_template_dirs)
+ (blockabstract macro_template_dirs)
- (macro addname_sysctlfile_dirs ((type ARG1))
- (allow ARG1 sysctlfile addname_dir))
+ (macro addname_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile addname_dir))
- (macro create_sysctlfile_dirs ((type ARG1))
- (allow ARG1 sysctlfile create_dir))
+ (macro create_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile create_dir))
- (macro delete_sysctlfile_dirs ((type ARG1))
- (allow ARG1 sysctlfile delete_dir))
+ (macro delete_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile delete_dir))
- (macro deletename_sysctlfile_dirs ((type ARG1))
- (allow ARG1 sysctlfile deletename_dir))
+ (macro deletename_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile deletename_dir))
- (macro list_sysctlfile_dirs ((type ARG1))
- (allow ARG1 sysctlfile list_dir))
+ (macro list_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile list_dir))
- (macro listinherited_sysctlfile_dirs ((type ARG1))
- (allow ARG1 sysctlfile listinherited_dir))
+ (macro listinherited_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile listinherited_dir))
- (macro manage_sysctlfile_dirs ((type ARG1))
- (allow ARG1 sysctlfile manage_dir))
+ (macro manage_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile manage_dir))
- (macro mounton_sysctlfile_dirs ((type ARG1))
- (allow ARG1 sysctlfile mounton_dir))
+ (macro mounton_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile mounton_dir))
- (macro readwrite_sysctlfile_dirs ((type ARG1))
- (allow ARG1 sysctlfile readwrite_dir))
+ (macro readwrite_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile readwrite_dir))
- (macro readwriteinherited_sysctlfile_dirs ((type ARG1))
- (allow ARG1 sysctlfile readwriteinherited_dir))
+ (macro readwriteinherited_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile readwriteinherited_dir))
- (macro rename_sysctlfile_dirs ((type ARG1))
- (allow ARG1 sysctlfile rename_dir))
+ (macro rename_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile rename_dir))
- (macro search_sysctlfile_dirs ((type ARG1))
- (allow ARG1 sysctlfile search_dir))
+ (macro search_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile search_dir))
- (macro write_sysctlfile_dirs ((type ARG1))
- (allow ARG1 sysctlfile write_dir))
+ (macro write_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile write_dir))
- (macro writeinherited_sysctlfile_dirs ((type ARG1))
- (allow ARG1 sysctlfile writeinherited_dir)))
+ (macro writeinherited_sysctlfile_dirs ((type ARG1))
+ (allow ARG1 sysctlfile writeinherited_dir)))
- (block macro_template_files
+ (block macro_template_files
- (blockabstract macro_template_files)
+ (blockabstract macro_template_files)
- (macro append_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile append_file))
+ (macro append_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile append_file))
- (macro appendinherited_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile appendinherited_file))
+ (macro appendinherited_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile appendinherited_file))
- (macro create_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile create_file))
+ (macro create_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile create_file))
- (macro delete_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile delete_file))
+ (macro delete_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile delete_file))
- (macro execute_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile execute_file))
+ (macro execute_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile execute_file))
- (macro manage_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile manage_file))
+ (macro manage_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile manage_file))
- (macro mapexecute_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile mapexecute_file))
+ (macro mapexecute_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile mapexecute_file))
- (macro mounton_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile mounton_file))
+ (macro mounton_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile mounton_file))
- (macro read_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile read_file))
+ (macro read_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile read_file))
- (macro readinherited_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile readinherited_file))
+ (macro readinherited_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile readinherited_file))
- (macro readwrite_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile readwrite_file))
+ (macro readwrite_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile readwrite_file))
- (macro readwriteinherited_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile readwriteinherited_file))
+ (macro readwriteinherited_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile readwriteinherited_file))
- (macro rename_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile rename_file))
+ (macro rename_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile rename_file))
- (macro write_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile write_file))
+ (macro write_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile write_file))
- (macro writeinherited_sysctlfile_files ((type ARG1))
- (allow ARG1 sysctlfile writeinherited_file)))
+ (macro writeinherited_sysctlfile_files ((type ARG1))
+ (allow ARG1 sysctlfile writeinherited_file)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .sysctlfile.base_template)
- (blockinherit .sysctlfile.macro_template_files))
+ (blockinherit .sysctlfile.base_template)
+ (blockinherit .sysctlfile.macro_template_files))
- (block unconfined
+ (block unconfined
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (allow typeattr sysctlfile.typeattr
- (dir (not (audit_access execmod relabelfrom relabelto))))
- (allow typeattr sysctlfile.typeattr
- (file (not (audit_access entrypoint execmod relabelfrom
- relabelto))))))
+ (allow typeattr sysctlfile.typeattr
+ (dir (not (audit_access execmod relabelfrom relabelto))))
+ (allow typeattr sysctlfile.typeattr
+ (file (not (audit_access entrypoint execmod relabelfrom
+ relabelto))))))
 (in procfile.unconfined
diff --git a/src/sys/procfile/sysctlfile/abisysctlfile.cil b/src/sys/procfile/sysctlfile/abisysctlfile.cil
index 2830104..ff28c8a 100644
--- a/src/sys/procfile/sysctlfile/abisysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/abisysctlfile.cil
@@ -1,38 +1,38 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block abi
- (genfscon "proc" "/sys/abi" sysctlfile_context)
+ (genfscon "proc" "/sys/abi" sysctlfile_context)
- (blockinherit .sysctlfile.abi.template)
- (blockinherit .sysctlfile.macro_template_dirs))
+ (blockinherit .sysctlfile.abi.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
 (in sysctlfile
 (block abi
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .file.all_macro_template_dirs)
- (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
- (call .sysctlfile.type (typeattr))
+ (call .sysctlfile.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .sysctlfile.base_template)
+ (blockinherit .sysctlfile.base_template)
- (call .sysctlfile.abi.type (sysctlfile)))
+ (call .sysctlfile.abi.type (sysctlfile)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .sysctlfile.abi.base_template)
- (blockinherit .sysctlfile.macro_template_files))))
+ (blockinherit .sysctlfile.abi.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/cryptosysctlfile.cil b/src/sys/procfile/sysctlfile/cryptosysctlfile.cil
index 2c94fc4..9048c8f 100644
--- a/src/sys/procfile/sysctlfile/cryptosysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/cryptosysctlfile.cil
@@ -1,38 +1,38 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block crypto
- (genfscon "proc" "/sys/crypto" sysctlfile_context)
+ (genfscon "proc" "/sys/crypto" sysctlfile_context)
- (blockinherit .sysctlfile.crypto.template)
- (blockinherit .sysctlfile.macro_template_dirs))
+ (blockinherit .sysctlfile.crypto.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
 (in sysctlfile
 (block crypto
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .file.all_macro_template_dirs)
- (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
- (call .sysctlfile.type (typeattr))
+ (call .sysctlfile.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .sysctlfile.base_template)
+ (blockinherit .sysctlfile.base_template)
- (call .sysctlfile.crypto.type (sysctlfile)))
+ (call .sysctlfile.crypto.type (sysctlfile)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .sysctlfile.crypto.base_template)
- (blockinherit .sysctlfile.macro_template_files))))
+ (blockinherit .sysctlfile.crypto.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/debugsysctlfile.cil b/src/sys/procfile/sysctlfile/debugsysctlfile.cil
index 83d5cc1..334dee8 100644
--- a/src/sys/procfile/sysctlfile/debugsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/debugsysctlfile.cil
@@ -1,38 +1,38 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block debug
- (genfscon "proc" "/sys/debug" sysctlfile_context)
+ (genfscon "proc" "/sys/debug" sysctlfile_context)
- (blockinherit .sysctlfile.debug.template)
- (blockinherit .sysctlfile.macro_template_dirs))
+ (blockinherit .sysctlfile.debug.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
 (in sysctlfile
 (block debug
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .file.all_macro_template_dirs)
- (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
- (call .sysctlfile.type (typeattr))
+ (call .sysctlfile.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .sysctlfile.base_template)
+ (blockinherit .sysctlfile.base_template)
- (call .sysctlfile.debug.type (sysctlfile)))
+ (call .sysctlfile.debug.type (sysctlfile)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .sysctlfile.debug.base_template)
- (blockinherit .sysctlfile.macro_template_files))))
+ (blockinherit .sysctlfile.debug.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/devsysctlfile.cil b/src/sys/procfile/sysctlfile/devsysctlfile.cil
index 09bea5b..98015e8 100644
--- a/src/sys/procfile/sysctlfile/devsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/devsysctlfile.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in dev
@@ -12,27 +12,27 @@
 (block dev
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .file.all_macro_template_dirs)
- (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
- (call .sysctlfile.type (typeattr))
+ (call .sysctlfile.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .sysctlfile.base_template)
+ (blockinherit .sysctlfile.base_template)
- (call .sysctlfile.dev.type (sysctlfile)))
+ (call .sysctlfile.dev.type (sysctlfile)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .sysctlfile.dev.base_template)
- (blockinherit .sysctlfile.macro_template_files))))
+ (blockinherit .sysctlfile.dev.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/fssysctlfile.cil b/src/sys/procfile/sysctlfile/fssysctlfile.cil
index 521453f..232712d 100644
--- a/src/sys/procfile/sysctlfile/fssysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/fssysctlfile.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in fs
@@ -12,27 +12,27 @@
 (block fs
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .file.all_macro_template_dirs)
- (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
- (call .sysctlfile.type (typeattr))
+ (call .sysctlfile.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .sysctlfile.base_template)
+ (blockinherit .sysctlfile.base_template)
- (call .sysctlfile.fs.type (sysctlfile)))
+ (call .sysctlfile.fs.type (sysctlfile)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .sysctlfile.fs.base_template)
- (blockinherit .sysctlfile.macro_template_files))))
+ (blockinherit .sysctlfile.fs.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile.cil
index 7add8ee..b5042ff 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile.cil
@@ -1,38 +1,38 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block kernel
- (genfscon "proc" "/sys/kernel" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template)
- (blockinherit .sysctlfile.macro_template_dirs))
+ (blockinherit .sysctlfile.kernel.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
 (in sysctlfile
 (block kernel
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .file.all_macro_template_dirs)
- (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
- (call .sysctlfile.type (typeattr))
+ (call .sysctlfile.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .sysctlfile.base_template)
+ (blockinherit .sysctlfile.base_template)
- (call .sysctlfile.kernel.type (sysctlfile)))
+ (call .sysctlfile.kernel.type (sysctlfile)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .sysctlfile.kernel.base_template)
- (blockinherit .sysctlfile.macro_template_files))))
+ (blockinherit .sysctlfile.kernel.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/caplastcapkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/caplastcapkernelsysctlfile.cil
index 1346ed4..8a26f12 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/caplastcapkernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/caplastcapkernelsysctlfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block caplastcap
- (genfscon "proc" "/sys/kernel/cap_last_cap" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/cap_last_cap" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template))
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/corepatternkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/corepatternkernelsysctlfile.cil
index c5aa488..221f610 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/corepatternkernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/corepatternkernelsysctlfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block corepattern
- (genfscon "proc" "/sys/kernel/core_pattern" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/core_pattern" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template))
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/corepipelimitkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/corepipelimitkernelsysctlfile.cil
index 3d8e125..07c2c21 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/corepipelimitkernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/corepipelimitkernelsysctlfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block corepipelimit
- (genfscon "proc" "/sys/kernel/core_pipe_limit" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/core_pipe_limit" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template))
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/firmwareconfigkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/firmwareconfigkernelsysctlfile.cil
index 2883343..e748b52 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/firmwareconfigkernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/firmwareconfigkernelsysctlfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block firmwareconfig
- (genfscon "proc" "/sys/kernel/firmware_config" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/firmware_config" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template)
- (blockinherit .sysctlfile.macro_template_dirs))
+ (blockinherit .sysctlfile.kernel.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/hostnamekernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/hostnamekernelsysctlfile.cil
index bbd8959..04b1245 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/hostnamekernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/hostnamekernelsysctlfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block hostname
- (genfscon "proc" "/sys/kernel/hostname" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/hostname" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template))
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/keyskernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/keyskernelsysctlfile.cil
index 33e904f..e0a5ebe 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/keyskernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/keyskernelsysctlfile.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in keys
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/modprobekernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/modprobekernelsysctlfile.cil
index 6a36fdb..1215415 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/modprobekernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/modprobekernelsysctlfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block modprobe
- (genfscon "proc" "/sys/kernel/modprobe" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/modprobe" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template))
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/nslastpidkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/nslastpidkernelsysctlfile.cil
index 2f13fef..b93c838 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/nslastpidkernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/nslastpidkernelsysctlfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block nslastpid
- (genfscon "proc" "/sys/kernel/ns_last_pid" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/ns_last_pid" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template))
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/osreleasekernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/osreleasekernelsysctlfile.cil
index 19d8b11..7da0826 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/osreleasekernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/osreleasekernelsysctlfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block osrelease
- (genfscon "proc" "/sys/kernel/osrelease" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/osrelease" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template))
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/overflowuidkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/overflowuidkernelsysctlfile.cil
index 1df73c2..683cbca 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/overflowuidkernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/overflowuidkernelsysctlfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block overflowuid
- (genfscon "proc" "/sys/kernel/overflowgid" sysctlfile_context)
- (genfscon "proc" "/sys/kernel/overflowuid" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/overflowgid" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/overflowuid" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template))
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/pidmaxkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/pidmaxkernelsysctlfile.cil
index d9a21ff..e4f14fd 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/pidmaxkernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/pidmaxkernelsysctlfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block pidmax
- (genfscon "proc" "/sys/kernel/pid_max" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/pid_max" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template))
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/poweroffcmdkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/poweroffcmdkernelsysctlfile.cil
index 1e29497..244b7fd 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/poweroffcmdkernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/poweroffcmdkernelsysctlfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block poweroffcmd
- (genfscon "proc" "/sys/kernel/poweroff_cmd" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/poweroff_cmd" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template))
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/ptykernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/ptykernelsysctlfile.cil
index b9580ae..68699aa 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/ptykernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/ptykernelsysctlfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block pty
- (genfscon "proc" "/sys/kernel/pty" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/pty" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template)
- (blockinherit .sysctlfile.macro_template_dirs))
+ (blockinherit .sysctlfile.kernel.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/randomkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/randomkernelsysctlfile.cil
index 73a6c6c..f31f9e6 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/randomkernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/randomkernelsysctlfile.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in kernel
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/seccompkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/seccompkernelsysctlfile.cil
index a8c2e02..c578b05 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/seccompkernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/seccompkernelsysctlfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block seccomp
- (genfscon "proc" "/sys/kernel/seccomp" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/seccomp" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template)
- (blockinherit .sysctlfile.macro_template_dirs))
+ (blockinherit .sysctlfile.kernel.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/threadsmaxkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/threadsmaxkernelsysctlfile.cil
index 5ad8c6b..7ff0675 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/threadsmaxkernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/threadsmaxkernelsysctlfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block threadsmax
- (genfscon "proc" "/sys/kernel/threads-max" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/threads-max" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template))
+ (blockinherit .sysctlfile.kernel.template))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/usermodehelperkernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/usermodehelperkernelsysctlfile.cil
index c11e8b3..33c519c 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/usermodehelperkernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/usermodehelperkernelsysctlfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block usermodehelper
- (genfscon "proc" "/sys/kernel/usermodehelper" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/usermodehelper" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template)
- (blockinherit .sysctlfile.macro_template_dirs))
+ (blockinherit .sysctlfile.kernel.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
diff --git a/src/sys/procfile/sysctlfile/kernelsysctlfile/yamakernelsysctlfile.cil b/src/sys/procfile/sysctlfile/kernelsysctlfile/yamakernelsysctlfile.cil
index d013eff..92cb7f0 100644
--- a/src/sys/procfile/sysctlfile/kernelsysctlfile/yamakernelsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/kernelsysctlfile/yamakernelsysctlfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block yama
- (genfscon "proc" "/sys/kernel/yama" sysctlfile_context)
+ (genfscon "proc" "/sys/kernel/yama" sysctlfile_context)
- (blockinherit .sysctlfile.kernel.template)
- (blockinherit .sysctlfile.macro_template_dirs))
+ (blockinherit .sysctlfile.kernel.template)
+ (blockinherit .sysctlfile.macro_template_dirs))
diff --git a/src/sys/procfile/sysctlfile/netsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile.cil
index fb473f6..a25cd5e 100644
--- a/src/sys/procfile/sysctlfile/netsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/netsysctlfile.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in net
@@ -12,27 +12,27 @@
 (block net
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .file.all_macro_template_dirs)
- (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
- (call .sysctlfile.type (typeattr))
+ (call .sysctlfile.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .sysctlfile.base_template)
+ (blockinherit .sysctlfile.base_template)
- (call .sysctlfile.net.type (sysctlfile)))
+ (call .sysctlfile.net.type (sysctlfile)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .sysctlfile.net.base_template)
- (blockinherit .sysctlfile.macro_template_files))))
+ (blockinherit .sysctlfile.net.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/corenetsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/corenetsysctlfile.cil
index 6be3c52..c69f268 100644
--- a/src/sys/procfile/sysctlfile/netsysctlfile/corenetsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/netsysctlfile/corenetsysctlfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block core
- (genfscon "proc" "/sys/net/core" sysctlfile_context)
+ (genfscon "proc" "/sys/net/core" sysctlfile_context)
- (blockinherit .sysctlfile.macro_template_dirs)
- (blockinherit .sysctlfile.net.template))
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.net.template))
diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/ipv4netsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/ipv4netsysctlfile.cil
index e49ec99..2c42170 100644
--- a/src/sys/procfile/sysctlfile/netsysctlfile/ipv4netsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/netsysctlfile/ipv4netsysctlfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block ipv4
- (genfscon "proc" "/sys/net/ipv4" sysctlfile_context)
+ (genfscon "proc" "/sys/net/ipv4" sysctlfile_context)
- (blockinherit .sysctlfile.macro_template_dirs)
- (blockinherit .sysctlfile.net.template))
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.net.template))
diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/ipv6netsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/ipv6netsysctlfile.cil
index c432e1f..bbe1b31 100644
--- a/src/sys/procfile/sysctlfile/netsysctlfile/ipv6netsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/netsysctlfile/ipv6netsysctlfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block ipv6
- (genfscon "proc" "/sys/net/ipv6" sysctlfile_context)
+ (genfscon "proc" "/sys/net/ipv6" sysctlfile_context)
- (blockinherit .sysctlfile.macro_template_dirs)
- (blockinherit .sysctlfile.net.template))
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.net.template))
diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/mptcpnetsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/mptcpnetsysctlfile.cil
index 85931b8..f90c666 100644
--- a/src/sys/procfile/sysctlfile/netsysctlfile/mptcpnetsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/netsysctlfile/mptcpnetsysctlfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block mptcp
- (genfscon "proc" "/sys/net/mptcp" sysctlfile_context)
+ (genfscon "proc" "/sys/net/mptcp" sysctlfile_context)
- (blockinherit .sysctlfile.macro_template_dirs)
- (blockinherit .sysctlfile.net.template))
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.net.template))
diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/netfilternetsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/netfilternetsysctlfile.cil
index 0345816..ac2e4b3 100644
--- a/src/sys/procfile/sysctlfile/netsysctlfile/netfilternetsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/netsysctlfile/netfilternetsysctlfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block netfilter
- (genfscon "proc" "/sys/net/netfilter" sysctlfile_context)
+ (genfscon "proc" "/sys/net/netfilter" sysctlfile_context)
- (blockinherit .sysctlfile.macro_template_dirs)
- (blockinherit .sysctlfile.net.template))
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.net.template))
diff --git a/src/sys/procfile/sysctlfile/netsysctlfile/unixnetsysctlfile.cil b/src/sys/procfile/sysctlfile/netsysctlfile/unixnetsysctlfile.cil
index 7a6f5a6..1949de7 100644
--- a/src/sys/procfile/sysctlfile/netsysctlfile/unixnetsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/netsysctlfile/unixnetsysctlfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block unix
- (genfscon "proc" "/sys/net/unix" sysctlfile_context)
+ (genfscon "proc" "/sys/net/unix" sysctlfile_context)
- (blockinherit .sysctlfile.macro_template_dirs)
- (blockinherit .sysctlfile.net.template))
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.net.template))
diff --git a/src/sys/procfile/sysctlfile/sunrpcsysctlfile.cil b/src/sys/procfile/sysctlfile/sunrpcsysctlfile.cil
index e5a50d0..72694ae 100644
--- a/src/sys/procfile/sysctlfile/sunrpcsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/sunrpcsysctlfile.cil
@@ -1,38 +1,38 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block sunrpc
- (genfscon "proc" "/sys/sunrpc" sysctlfile_context)
+ (genfscon "proc" "/sys/sunrpc" sysctlfile_context)
- (blockinherit .sysctlfile.macro_template_dirs)
- (blockinherit .sysctlfile.sunrpc.template))
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.sunrpc.template))
 (in sysctlfile
 (block sunrpc
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .file.all_macro_template_dirs)
- (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
- (call .sysctlfile.type (typeattr))
+ (call .sysctlfile.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .sysctlfile.base_template)
+ (blockinherit .sysctlfile.base_template)
- (call .sysctlfile.sunrpc.type (sysctlfile)))
+ (call .sysctlfile.sunrpc.type (sysctlfile)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .sysctlfile.macro_template_files)
- (blockinherit .sysctlfile.sunrpc.base_template))))
+ (blockinherit .sysctlfile.macro_template_files)
+ (blockinherit .sysctlfile.sunrpc.base_template))))
diff --git a/src/sys/procfile/sysctlfile/usersysctlfile.cil b/src/sys/procfile/sysctlfile/usersysctlfile.cil
index cd375d7..b948f70 100644
--- a/src/sys/procfile/sysctlfile/usersysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/usersysctlfile.cil
@@ -1,38 +1,38 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block user
- (genfscon "proc" "/sys/user" sysctlfile_context)
+ (genfscon "proc" "/sys/user" sysctlfile_context)
- (blockinherit .sysctlfile.macro_template_dirs)
- (blockinherit .sysctlfile.user.template))
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.user.template))
 (in sysctlfile
 (block user
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .file.all_macro_template_dirs)
- (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
- (call .sysctlfile.type (typeattr))
+ (call .sysctlfile.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .sysctlfile.base_template)
+ (blockinherit .sysctlfile.base_template)
- (call .sysctlfile.user.type (sysctlfile)))
+ (call .sysctlfile.user.type (sysctlfile)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .sysctlfile.user.base_template)
- (blockinherit .sysctlfile.macro_template_files))))
+ (blockinherit .sysctlfile.user.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/vmsysctlfile.cil b/src/sys/procfile/sysctlfile/vmsysctlfile.cil
index 0e874da..220f015 100644
--- a/src/sys/procfile/sysctlfile/vmsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/vmsysctlfile.cil
@@ -1,38 +1,38 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block vm
- (genfscon "proc" "/sys/vm" sysctlfile_context)
+ (genfscon "proc" "/sys/vm" sysctlfile_context)
- (blockinherit .sysctlfile.macro_template_dirs)
- (blockinherit .sysctlfile.vm.template))
+ (blockinherit .sysctlfile.macro_template_dirs)
+ (blockinherit .sysctlfile.vm.template))
 (in sysctlfile
 (block vm
- (macro type ((type ARG1))
- (typeattributeset typeattr ARG1))
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
- (typeattribute typeattr)
+ (typeattribute typeattr)
- (blockinherit .file.all_macro_template_dirs)
- (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_files)
- (call .sysctlfile.type (typeattr))
+ (call .sysctlfile.type (typeattr))
- (block base_template
+ (block base_template
- (blockabstract base_template)
+ (blockabstract base_template)
- (blockinherit .sysctlfile.base_template)
+ (blockinherit .sysctlfile.base_template)
- (call .sysctlfile.vm.type (sysctlfile)))
+ (call .sysctlfile.vm.type (sysctlfile)))
- (block template
+ (block template
- (blockabstract template)
+ (blockabstract template)
- (blockinherit .sysctlfile.vm.base_template)
- (blockinherit .sysctlfile.macro_template_files))))
+ (blockinherit .sysctlfile.vm.base_template)
+ (blockinherit .sysctlfile.macro_template_files))))
diff --git a/src/sys/procfile/sysctlfile/vmsysctlfile/overcommitmemoryvmsysctlfile.cil b/src/sys/procfile/sysctlfile/vmsysctlfile/overcommitmemoryvmsysctlfile.cil
index f4e04f5..a055ce1 100644
--- a/src/sys/procfile/sysctlfile/vmsysctlfile/overcommitmemoryvmsysctlfile.cil
+++ b/src/sys/procfile/sysctlfile/vmsysctlfile/overcommitmemoryvmsysctlfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block overcommitmemory
- (genfscon "proc" "/sys/vm/overcommit_memory" sysctlfile_context)
+ (genfscon "proc" "/sys/vm/overcommit_memory" sysctlfile_context)
- (blockinherit .sysctlfile.vm.template))
+ (blockinherit .sysctlfile.vm.template))
diff --git a/src/sys/procfile/sysctlprocfile.cil b/src/sys/procfile/sysctlprocfile.cil
index 49ec73d..032b193 100644
--- a/src/sys/procfile/sysctlprocfile.cil
+++ b/src/sys/procfile/sysctlprocfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block sysctl
- (genfscon "proc" "/sys" procfile_context)
+ (genfscon "proc" "/sys" procfile_context)
- (blockinherit .procfile.base_template)
- (blockinherit .procfile.macro_template_dirs))
+ (blockinherit .procfile.base_template)
+ (blockinherit .procfile.macro_template_dirs))
diff --git a/src/sys/procfile/sysrqtriggerprocfile.cil b/src/sys/procfile/sysrqtriggerprocfile.cil
index d621331..df041c7 100644
--- a/src/sys/procfile/sysrqtriggerprocfile.cil
+++ b/src/sys/procfile/sysrqtriggerprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block sysrqtrigger
- (genfscon "proc" "/sysrq-trigger" procfile_context)
+ (genfscon "proc" "/sysrq-trigger" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/sysvipcprocfile.cil b/src/sys/procfile/sysvipcprocfile.cil
index a0af69d..eb890d0 100644
--- a/src/sys/procfile/sysvipcprocfile.cil
+++ b/src/sys/procfile/sysvipcprocfile.cil
@@ -1,9 +1,9 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block sysvipc
- (genfscon "proc" "/sysvipc" procfile_context)
+ (genfscon "proc" "/sysvipc" procfile_context)
- (blockinherit .procfile.macro_template_dirs)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.macro_template_dirs)
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/timerlistprocfile.cil b/src/sys/procfile/timerlistprocfile.cil
index db65876..c148df4 100644
--- a/src/sys/procfile/timerlistprocfile.cil
+++ b/src/sys/procfile/timerlistprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block timerlist
- (genfscon "proc" "/timer_list" procfile_context)
+ (genfscon "proc" "/timer_list" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/ttyprocfile.cil b/src/sys/procfile/ttyprocfile.cil
index 573b5f7..f0a7c50 100644
--- a/src/sys/procfile/ttyprocfile.cil
+++ b/src/sys/procfile/ttyprocfile.cil
@@ -1,4 +1,4 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (in tty
diff --git a/src/sys/procfile/uptimeprocfile.cil b/src/sys/procfile/uptimeprocfile.cil
index 26155ac..d423f17 100644
--- a/src/sys/procfile/uptimeprocfile.cil
+++ b/src/sys/procfile/uptimeprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block uptime
- (genfscon "proc" "/uptime" procfile_context)
+ (genfscon "proc" "/uptime" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/versionprocfile.cil b/src/sys/procfile/versionprocfile.cil
index 42fb962..27fd757 100644
--- a/src/sys/procfile/versionprocfile.cil
+++ b/src/sys/procfile/versionprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block version
- (genfscon "proc" "/version" procfile_context)
+ (genfscon "proc" "/version" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/vmallocprocfile.cil b/src/sys/procfile/vmallocprocfile.cil
index 030659d..a1bc3fc 100644
--- a/src/sys/procfile/vmallocprocfile.cil
+++ b/src/sys/procfile/vmallocprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block vmallocinfo
- (genfscon "proc" "/vmallocinfo" procfile_context)
+ (genfscon "proc" "/vmallocinfo" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/vmstatprocfile.cil b/src/sys/procfile/vmstatprocfile.cil
index 42b33a3..24d8e8d 100644
--- a/src/sys/procfile/vmstatprocfile.cil
+++ b/src/sys/procfile/vmstatprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block vmstat
- (genfscon "proc" "/vmstat" procfile_context)
+ (genfscon "proc" "/vmstat" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/procfile/zoneinfoprocfile.cil b/src/sys/procfile/zoneinfoprocfile.cil
index ee1074f..d52fa01 100644
--- a/src/sys/procfile/zoneinfoprocfile.cil
+++ b/src/sys/procfile/zoneinfoprocfile.cil
@@ -1,8 +1,8 @@
-;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
 (block zoneinfo
- (genfscon "proc" "/zoneinfo" procfile_context)
+ (genfscon "proc" "/zoneinfo" procfile_context)
- (blockinherit .procfile.template))
+ (blockinherit .procfile.template))
diff --git a/src/sys/pstorefile.cil b/src/sys/pstorefile.cil
index 1806014..c5c96dd 100644
--- a/src/sys/pstorefile.cil
+++ b/src/sys/pstorefile.cil
@@ -1,140 +1,140 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block pstorefile - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (call .pstore.associate_fs (typeattr)) + (call .pstore.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context pstorefile_context (.sys.id .sys.role pstorefile .sys.lowlow)) + (context pstorefile_context (.sys.id .sys.role pstorefile .sys.lowlow)) - (type pstorefile) - (call .pstorefile.type (pstorefile))) + (type pstorefile) + (call .pstorefile.type (pstorefile))) - (block macro_template_dirs + (block macro_template_dirs - (blockabstract macro_template_dirs) + (blockabstract macro_template_dirs) - (macro addname_pstorefile_dirs ((type ARG1)) - (allow ARG1 pstorefile addname_dir)) + (macro addname_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile addname_dir)) - (macro create_pstorefile_dirs ((type ARG1)) - (allow ARG1 pstorefile create_dir)) + (macro create_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile create_dir)) - (macro delete_pstorefile_dirs ((type ARG1)) - (allow ARG1 pstorefile delete_dir)) + (macro delete_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile delete_dir)) - (macro deletename_pstorefile_dirs ((type ARG1)) - (allow ARG1 pstorefile deletename_dir)) + (macro deletename_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile deletename_dir)) - (macro list_pstorefile_dirs ((type 
ARG1)) - (allow ARG1 pstorefile list_dir)) + (macro list_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile list_dir)) - (macro listinherited_pstorefile_dirs ((type ARG1)) - (allow ARG1 pstorefile listinherited_dir)) + (macro listinherited_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile listinherited_dir)) - (macro manage_pstorefile_dirs ((type ARG1)) - (allow ARG1 pstorefile manage_dir)) + (macro manage_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile manage_dir)) - (macro mounton_pstorefile_dirs ((type ARG1)) - (allow ARG1 pstorefile mounton_dir)) + (macro mounton_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile mounton_dir)) - (macro readwrite_pstorefile_dirs ((type ARG1)) - (allow ARG1 pstorefile readwrite_dir)) + (macro readwrite_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile readwrite_dir)) - (macro readwriteinherited_pstorefile_dirs ((type ARG1)) - (allow ARG1 pstorefile readwriteinherited_dir)) + (macro readwriteinherited_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile readwriteinherited_dir)) - (macro rename_pstorefile_dirs ((type ARG1)) - (allow ARG1 pstorefile rename_dir)) + (macro rename_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile rename_dir)) - (macro search_pstorefile_dirs ((type ARG1)) - (allow ARG1 pstorefile search_dir)) + (macro search_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile search_dir)) - (macro write_pstorefile_dirs ((type ARG1)) - (allow ARG1 pstorefile write_dir)) + (macro write_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile write_dir)) - (macro writeinherited_pstorefile_dirs ((type ARG1)) - (allow ARG1 pstorefile writeinherited_dir))) + (macro writeinherited_pstorefile_dirs ((type ARG1)) + (allow ARG1 pstorefile writeinherited_dir))) - (block macro_template_files + (block macro_template_files - (blockabstract macro_template_files) + (blockabstract macro_template_files) - (macro append_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile append_file)) + (macro 
append_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile append_file)) - (macro appendinherited_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile appendinherited_file)) + (macro appendinherited_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile appendinherited_file)) - (macro create_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile create_file)) + (macro create_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile create_file)) - (macro delete_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile delete_file)) + (macro delete_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile delete_file)) - (macro execute_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile execute_file)) + (macro execute_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile execute_file)) - (macro manage_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile manage_file)) + (macro manage_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile manage_file)) - (macro mapexecute_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile mapexecute_file)) + (macro mapexecute_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile mapexecute_file)) - (macro mounton_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile mounton_file)) + (macro mounton_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile mounton_file)) - (macro read_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile read_file)) + (macro read_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile read_file)) - (macro readinherited_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile readinherited_file)) + (macro readinherited_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile readinherited_file)) - (macro readwrite_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile readwrite_file)) + (macro readwrite_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile readwrite_file)) - (macro readwriteinherited_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile readwriteinherited_file)) 
+ (macro readwriteinherited_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile readwriteinherited_file)) - (macro rename_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile rename_file)) + (macro rename_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile rename_file)) - (macro write_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile write_file)) + (macro write_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile write_file)) - (macro writeinherited_pstorefile_files ((type ARG1)) - (allow ARG1 pstorefile writeinherited_file))) + (macro writeinherited_pstorefile_files ((type ARG1)) + (allow ARG1 pstorefile writeinherited_file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .pstorefile.base_template) - (blockinherit .pstorefile.macro_template_files)) + (blockinherit .pstorefile.base_template) + (blockinherit .pstorefile.macro_template_files)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr pstorefile.typeattr (dir (not execmod))) - (allow typeattr pstorefile.typeattr (file (not (entrypoint execmod)))))) + (allow typeattr pstorefile.typeattr (dir (not execmod))) + (allow typeattr pstorefile.typeattr (file (not (entrypoint execmod)))))) (in sys.unconfined diff --git a/src/sys/securityfile.cil b/src/sys/securityfile.cil index a89d5a9..a8f0da3 100644 --- a/src/sys/securityfile.cil +++ b/src/sys/securityfile.cil 
@@ -1,181 +1,181 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block securityfile - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (call .security.associate_fs (typeattr)) + (call .security.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context securityfile_context - (.sys.id .sys.role securityfile .sys.lowlow)) + (context securityfile_context + (.sys.id .sys.role securityfile .sys.lowlow)) - (type securityfile) - (call .securityfile.type (securityfile))) + (type securityfile) + (call .securityfile.type (securityfile))) - (block macro_template_dirs + (block macro_template_dirs - (blockabstract macro_template_dirs) + (blockabstract macro_template_dirs) - (macro addname_securityfile_dirs ((type ARG1)) - (allow ARG1 securityfile addname_dir)) + (macro addname_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile addname_dir)) - (macro create_securityfile_dirs ((type ARG1)) - (allow ARG1 securityfile create_dir)) + (macro create_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile create_dir)) - (macro delete_securityfile_dirs ((type ARG1)) - (allow ARG1 securityfile delete_dir)) + (macro delete_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile delete_dir)) - (macro deletename_securityfile_dirs ((type ARG1)) - (allow ARG1 
securityfile deletename_dir)) + (macro deletename_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile deletename_dir)) - (macro list_securityfile_dirs ((type ARG1)) - (allow ARG1 securityfile list_dir)) + (macro list_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile list_dir)) - (macro listinherited_securityfile_dirs ((type ARG1)) - (allow ARG1 securityfile listinherited_dir)) + (macro listinherited_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile listinherited_dir)) - (macro manage_securityfile_dirs ((type ARG1)) - (allow ARG1 securityfile manage_dir)) + (macro manage_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile manage_dir)) - (macro mounton_securityfile_dirs ((type ARG1)) - (allow ARG1 securityfile mounton_dir)) + (macro mounton_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile mounton_dir)) - (macro readwrite_securityfile_dirs ((type ARG1)) - (allow ARG1 securityfile readwrite_dir)) + (macro readwrite_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile readwrite_dir)) - (macro readwriteinherited_securityfile_dirs ((type ARG1)) - (allow ARG1 securityfile readwriteinherited_dir)) + (macro readwriteinherited_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile readwriteinherited_dir)) - (macro rename_securityfile_dirs ((type ARG1)) - (allow ARG1 securityfile rename_dir)) + (macro rename_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile rename_dir)) - (macro search_securityfile_dirs ((type ARG1)) - (allow ARG1 securityfile search_dir)) + (macro search_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile search_dir)) - (macro write_securityfile_dirs ((type ARG1)) - (allow ARG1 securityfile write_dir)) + (macro write_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile write_dir)) - (macro writeinherited_securityfile_dirs ((type ARG1)) - (allow ARG1 securityfile writeinherited_dir))) + (macro writeinherited_securityfile_dirs ((type ARG1)) + (allow ARG1 securityfile writeinherited_dir))) 
- (block macro_template_files + (block macro_template_files - (blockabstract macro_template_files) + (blockabstract macro_template_files) - (macro append_securityfile_files ((type ARG1)) - (allow ARG1 securityfile append_file)) + (macro append_securityfile_files ((type ARG1)) + (allow ARG1 securityfile append_file)) - (macro appendinherited_securityfile_files ((type ARG1)) - (allow ARG1 securityfile appendinherited_file)) + (macro appendinherited_securityfile_files ((type ARG1)) + (allow ARG1 securityfile appendinherited_file)) - (macro create_securityfile_files ((type ARG1)) - (allow ARG1 securityfile create_file)) + (macro create_securityfile_files ((type ARG1)) + (allow ARG1 securityfile create_file)) - (macro delete_securityfile_files ((type ARG1)) - (allow ARG1 securityfile delete_file)) + (macro delete_securityfile_files ((type ARG1)) + (allow ARG1 securityfile delete_file)) - (macro execute_securityfile_files ((type ARG1)) - (allow ARG1 securityfile execute_file)) + (macro execute_securityfile_files ((type ARG1)) + (allow ARG1 securityfile execute_file)) - (macro manage_securityfile_files ((type ARG1)) - (allow ARG1 securityfile manage_file)) + (macro manage_securityfile_files ((type ARG1)) + (allow ARG1 securityfile manage_file)) - (macro mapexecute_securityfile_files ((type ARG1)) - (allow ARG1 securityfile mapexecute_file)) + (macro mapexecute_securityfile_files ((type ARG1)) + (allow ARG1 securityfile mapexecute_file)) - (macro mounton_securityfile_files ((type ARG1)) - (allow ARG1 securityfile mounton_file)) + (macro mounton_securityfile_files ((type ARG1)) + (allow ARG1 securityfile mounton_file)) - (macro read_securityfile_files ((type ARG1)) - (allow ARG1 securityfile read_file)) + (macro read_securityfile_files ((type ARG1)) + (allow ARG1 securityfile read_file)) - (macro readinherited_securityfile_files ((type ARG1)) - (allow ARG1 securityfile readinherited_file)) + (macro readinherited_securityfile_files ((type ARG1)) + (allow ARG1 securityfile 
readinherited_file)) - (macro readwrite_securityfile_files ((type ARG1)) - (allow ARG1 securityfile readwrite_file)) + (macro readwrite_securityfile_files ((type ARG1)) + (allow ARG1 securityfile readwrite_file)) - (macro readwriteinherited_securityfile_files ((type ARG1)) - (allow ARG1 securityfile readwriteinherited_file)) + (macro readwriteinherited_securityfile_files ((type ARG1)) + (allow ARG1 securityfile readwriteinherited_file)) - (macro rename_securityfile_files ((type ARG1)) - (allow ARG1 securityfile rename_file)) + (macro rename_securityfile_files ((type ARG1)) + (allow ARG1 securityfile rename_file)) - (macro write_securityfile_files ((type ARG1)) - (allow ARG1 securityfile write_file)) + (macro write_securityfile_files ((type ARG1)) + (allow ARG1 securityfile write_file)) - (macro writeinherited_securityfile_files ((type ARG1)) - (allow ARG1 securityfile writeinherited_file))) + (macro writeinherited_securityfile_files ((type ARG1)) + (allow ARG1 securityfile writeinherited_file))) - (block macro_template_lnk_files + (block macro_template_lnk_files - (blockabstract macro_template_lnk_files) + (blockabstract macro_template_lnk_files) - (macro create_securityfile_lnk_files ((type ARG1)) - (allow ARG1 securityfile create_lnk_file)) + (macro create_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile create_lnk_file)) - (macro delete_securityfile_lnk_files ((type ARG1)) - (allow ARG1 securityfile delete_lnk_file)) + (macro delete_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile delete_lnk_file)) - (macro manage_securityfile_lnk_files ((type ARG1)) - (allow ARG1 securityfile manage_lnk_file)) + (macro manage_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile manage_lnk_file)) - (macro read_securityfile_lnk_files ((type ARG1)) - (allow ARG1 securityfile read_lnk_file)) + (macro read_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile read_lnk_file)) - (macro readwrite_securityfile_lnk_files ((type ARG1)) - 
(allow ARG1 securityfile readwrite_lnk_file)) + (macro readwrite_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile readwrite_lnk_file)) - (macro relabel_securityfile_lnk_files ((type ARG1)) - (allow ARG1 securityfile relabel_lnk_file)) + (macro relabel_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile relabel_lnk_file)) - (macro relabelfrom_securityfile_lnk_files ((type ARG1)) - (allow ARG1 securityfile relabelfrom_lnk_file)) + (macro relabelfrom_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile relabelfrom_lnk_file)) - (macro relabelto_securityfile_lnk_files ((type ARG1)) - (allow ARG1 securityfile relabelto_lnk_file)) + (macro relabelto_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile relabelto_lnk_file)) - (macro rename_securityfile_lnk_files ((type ARG1)) - (allow ARG1 securityfile rename_lnk_file)) + (macro rename_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile rename_lnk_file)) - (macro write_securityfile_lnk_files ((type ARG1)) - (allow ARG1 securityfile write_lnk_file))) + (macro write_securityfile_lnk_files ((type ARG1)) + (allow ARG1 securityfile write_lnk_file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .securityfile.base_template) - (blockinherit .securityfile.macro_template_files)) + (blockinherit .securityfile.base_template) + (blockinherit .securityfile.macro_template_files)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr securityfile.typeattr - (dir (not (audit_access execmod relabelfrom relabelto)))) - (allow typeattr securityfile.typeattr - (file (not (audit_access entrypoint execmod relabelfrom relabelto)))) - (allow typeattr securityfile.typeattr - (lnk_file (not (audit_access execmod map mounton relabelfrom - 
relabelto)))))) + (allow typeattr securityfile.typeattr + (dir (not (audit_access execmod relabelfrom relabelto)))) + (allow typeattr securityfile.typeattr + (file (not (audit_access entrypoint execmod relabelfrom relabelto)))) + (allow typeattr securityfile.typeattr + (lnk_file (not (audit_access execmod map mounton relabelfrom + relabelto)))))) (in sys.unconfined diff --git a/src/sys/sysfile.cil b/src/sys/sysfile.cil index 6f73380..9d90eb1 100644 --- a/src/sys/sysfile.cil +++ b/src/sys/sysfile.cil 
@@ -1,171 +1,171 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block sysfile - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (call .sys.associate_fs (typeattr)) + (call .sys.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context sysfile_context (.sys.id .sys.role sysfile .sys.lowlow)) + (context sysfile_context (.sys.id .sys.role sysfile .sys.lowlow)) - (type sysfile) - (call .sysfile.type (sysfile))) + (type sysfile) + (call .sysfile.type (sysfile))) - (block macro_template_dirs + (block macro_template_dirs - (blockabstract macro_template_dirs) + (blockabstract macro_template_dirs) - (macro addname_sysfile_dirs ((type ARG1)) - (allow ARG1 sysfile addname_dir)) + (macro addname_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile addname_dir)) - (macro create_sysfile_dirs ((type ARG1)) - (allow ARG1 sysfile create_dir)) + (macro create_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile create_dir)) - (macro delete_sysfile_dirs ((type ARG1)) - (allow ARG1 sysfile delete_dir)) + (macro delete_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile delete_dir)) - (macro deletename_sysfile_dirs ((type ARG1)) - (allow ARG1 sysfile deletename_dir)) + (macro deletename_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile deletename_dir)) - (macro 
list_sysfile_dirs ((type ARG1)) - (allow ARG1 sysfile list_dir)) + (macro list_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile list_dir)) - (macro listinherited_sysfile_dirs ((type ARG1)) - (allow ARG1 sysfile listinherited_dir)) + (macro listinherited_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile listinherited_dir)) - (macro manage_sysfile_dirs ((type ARG1)) - (allow ARG1 sysfile manage_dir)) + (macro manage_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile manage_dir)) - (macro mounton_sysfile_dirs ((type ARG1)) - (allow ARG1 sysfile mounton_dir)) + (macro mounton_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile mounton_dir)) - (macro readwrite_sysfile_dirs ((type ARG1)) - (allow ARG1 sysfile readwrite_dir)) + (macro readwrite_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile readwrite_dir)) - (macro readwriteinherited_sysfile_dirs ((type ARG1)) - (allow ARG1 sysfile readwriteinherited_dir)) + (macro readwriteinherited_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile readwriteinherited_dir)) - (macro rename_sysfile_dirs ((type ARG1)) - (allow ARG1 sysfile rename_dir)) + (macro rename_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile rename_dir)) - (macro search_sysfile_dirs ((type ARG1)) - (allow ARG1 sysfile search_dir)) + (macro search_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile search_dir)) - (macro write_sysfile_dirs ((type ARG1)) - (allow ARG1 sysfile write_dir)) + (macro write_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile write_dir)) - (macro writeinherited_sysfile_dirs ((type ARG1)) - (allow ARG1 sysfile writeinherited_dir))) + (macro writeinherited_sysfile_dirs ((type ARG1)) + (allow ARG1 sysfile writeinherited_dir))) - (block macro_template_files + (block macro_template_files - (blockabstract macro_template_files) + (blockabstract macro_template_files) - (macro append_sysfile_files ((type ARG1)) - (allow ARG1 sysfile append_file)) + (macro append_sysfile_files ((type ARG1)) + (allow ARG1 sysfile append_file)) - (macro 
appendinherited_sysfile_files ((type ARG1)) - (allow ARG1 sysfile appendinherited_file)) + (macro appendinherited_sysfile_files ((type ARG1)) + (allow ARG1 sysfile appendinherited_file)) - (macro create_sysfile_files ((type ARG1)) - (allow ARG1 sysfile create_file)) + (macro create_sysfile_files ((type ARG1)) + (allow ARG1 sysfile create_file)) - (macro delete_sysfile_files ((type ARG1)) - (allow ARG1 sysfile delete_file)) + (macro delete_sysfile_files ((type ARG1)) + (allow ARG1 sysfile delete_file)) - (macro execute_sysfile_files ((type ARG1)) - (allow ARG1 sysfile execute_file)) + (macro execute_sysfile_files ((type ARG1)) + (allow ARG1 sysfile execute_file)) - (macro manage_sysfile_files ((type ARG1)) - (allow ARG1 sysfile manage_file)) + (macro manage_sysfile_files ((type ARG1)) + (allow ARG1 sysfile manage_file)) - (macro mapexecute_sysfile_files ((type ARG1)) - (allow ARG1 sysfile mapexecute_file)) + (macro mapexecute_sysfile_files ((type ARG1)) + (allow ARG1 sysfile mapexecute_file)) - (macro mounton_sysfile_files ((type ARG1)) - (allow ARG1 sysfile mounton_file)) + (macro mounton_sysfile_files ((type ARG1)) + (allow ARG1 sysfile mounton_file)) - (macro read_sysfile_files ((type ARG1)) - (allow ARG1 sysfile read_file)) + (macro read_sysfile_files ((type ARG1)) + (allow ARG1 sysfile read_file)) - (macro readinherited_sysfile_files ((type ARG1)) - (allow ARG1 sysfile readinherited_file)) + (macro readinherited_sysfile_files ((type ARG1)) + (allow ARG1 sysfile readinherited_file)) - (macro readwrite_sysfile_files ((type ARG1)) - (allow ARG1 sysfile readwrite_file)) + (macro readwrite_sysfile_files ((type ARG1)) + (allow ARG1 sysfile readwrite_file)) - (macro readwriteinherited_sysfile_files ((type ARG1)) - (allow ARG1 sysfile readwriteinherited_file)) + (macro readwriteinherited_sysfile_files ((type ARG1)) + (allow ARG1 sysfile readwriteinherited_file)) - (macro rename_sysfile_files ((type ARG1)) - (allow ARG1 sysfile rename_file)) + (macro 
rename_sysfile_files ((type ARG1)) + (allow ARG1 sysfile rename_file)) - (macro write_sysfile_files ((type ARG1)) - (allow ARG1 sysfile write_file)) + (macro write_sysfile_files ((type ARG1)) + (allow ARG1 sysfile write_file)) - (macro writeinherited_sysfile_files ((type ARG1)) - (allow ARG1 sysfile writeinherited_file))) + (macro writeinherited_sysfile_files ((type ARG1)) + (allow ARG1 sysfile writeinherited_file))) - (block macro_template_lnk_files + (block macro_template_lnk_files - (blockabstract macro_template_lnk_files) + (blockabstract macro_template_lnk_files) - (macro create_sysfile_lnk_files ((type ARG1)) - (allow ARG1 sysfile create_lnk_file)) + (macro create_sysfile_lnk_files ((type ARG1)) + (allow ARG1 sysfile create_lnk_file)) - (macro delete_sysfile_lnk_files ((type ARG1)) - (allow ARG1 sysfile delete_lnk_file)) + (macro delete_sysfile_lnk_files ((type ARG1)) + (allow ARG1 sysfile delete_lnk_file)) - (macro manage_sysfile_lnk_files ((type ARG1)) - (allow ARG1 sysfile manage_lnk_file)) + (macro manage_sysfile_lnk_files ((type ARG1)) + (allow ARG1 sysfile manage_lnk_file)) - (macro read_sysfile_lnk_files ((type ARG1)) - (allow ARG1 sysfile read_lnk_file)) + (macro read_sysfile_lnk_files ((type ARG1)) + (allow ARG1 sysfile read_lnk_file)) - (macro readwrite_sysfile_lnk_files ((type ARG1)) - (allow ARG1 sysfile readwrite_lnk_file)) + (macro readwrite_sysfile_lnk_files ((type ARG1)) + (allow ARG1 sysfile readwrite_lnk_file)) - (macro rename_sysfile_lnk_files ((type ARG1)) - (allow ARG1 sysfile rename_lnk_file)) + (macro rename_sysfile_lnk_files ((type ARG1)) + (allow ARG1 sysfile rename_lnk_file)) - (macro write_sysfile_lnk_files ((type ARG1)) - (allow ARG1 sysfile write_lnk_file))) + (macro write_sysfile_lnk_files ((type ARG1)) + (allow ARG1 sysfile write_lnk_file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .sysfile.base_template) - (blockinherit .sysfile.macro_template_dirs) - 
(blockinherit .sysfile.macro_template_files) - (blockinherit .sysfile.macro_template_lnk_files)) + (blockinherit .sysfile.base_template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_files) + (blockinherit .sysfile.macro_template_lnk_files)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr sysfile.typeattr (dir (not (audit_access execmod)))) - (allow typeattr sysfile.typeattr - (file (not (audit_access entrypoint execmod)))) - (allow typeattr sysfile.typeattr - (lnk_file (not (audit_access execmod map mounton)))))) + (allow typeattr sysfile.typeattr (dir (not (audit_access execmod)))) + (allow typeattr sysfile.typeattr + (file (not (audit_access entrypoint execmod)))) + (allow typeattr sysfile.typeattr + (lnk_file (not (audit_access execmod map mounton)))))) (in sys.unconfined diff --git a/src/sys/sysfile/blocksysfile.cil b/src/sys/sysfile/blocksysfile.cil index a43c924..2bbe680 100644 --- a/src/sys/sysfile/blocksysfile.cil +++ b/src/sys/sysfile/blocksysfile.cil 
@@ -1,40 +1,40 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block block - (genfscon "sysfs" "/block" sysfile_context) + (genfscon "sysfs" "/block" sysfile_context) - (blockinherit .sysfile.block.template) - (blockinherit .sysfile.macro_template_dirs) - (blockinherit .sysfile.macro_template_lnk_files)) + (blockinherit .sysfile.block.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) (in sysfile (block block - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) - (call .sysfile.type (typeattr)) + (call .sysfile.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .sysfile.base_template) + (blockinherit .sysfile.base_template) - (call .sysfile.block.type (sysfile))) + (call .sysfile.block.type (sysfile))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .sysfile.block.base_template) - (blockinherit .sysfile.macro_template_files)))) + (blockinherit .sysfile.block.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/bussysfile.cil b/src/sys/sysfile/bussysfile.cil index ad8f867..ef5577a 100644 --- a/src/sys/sysfile/bussysfile.cil +++ b/src/sys/sysfile/bussysfile.cil 
@@ -1,40 +1,40 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block bus - (genfscon "sysfs" "/bus" sysfile_context) + (genfscon "sysfs" "/bus" sysfile_context) - (blockinherit .sysfile.bus.template) - (blockinherit .sysfile.macro_template_dirs) - (blockinherit .sysfile.macro_template_lnk_files)) + (blockinherit .sysfile.bus.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) (in sysfile (block bus - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) - (call .sysfile.type (typeattr)) + (call .sysfile.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .sysfile.base_template) + (blockinherit .sysfile.base_template) - (call .sysfile.bus.type (sysfile))) + (call .sysfile.bus.type (sysfile))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .sysfile.bus.base_template) - (blockinherit .sysfile.macro_template_files)))) + (blockinherit .sysfile.bus.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/classsysfile.cil b/src/sys/sysfile/classsysfile.cil index bfce0e0..7492964 100644 --- a/src/sys/sysfile/classsysfile.cil +++ b/src/sys/sysfile/classsysfile.cil 
@@ -1,40 +1,40 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block class - (genfscon "sysfs" "/class" sysfile_context) + (genfscon "sysfs" "/class" sysfile_context) - (blockinherit .sysfile.class.template) - (blockinherit .sysfile.macro_template_dirs) - (blockinherit .sysfile.macro_template_lnk_files)) + (blockinherit .sysfile.class.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) (in sysfile (block class - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) - (call .sysfile.type (typeattr)) + (call .sysfile.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .sysfile.base_template) + (blockinherit .sysfile.base_template) - (call .sysfile.class.type (sysfile))) + (call .sysfile.class.type (sysfile))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .sysfile.class.base_template) - (blockinherit .sysfile.macro_template_files)))) + (blockinherit .sysfile.class.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/classsysfile/zramcontrolclasssysfile.cil b/src/sys/sysfile/classsysfile/zramcontrolclasssysfile.cil index fb3a4a6..71ad51b 100644 --- a/src/sys/sysfile/classsysfile/zramcontrolclasssysfile.cil 
+++ b/src/sys/sysfile/classsysfile/zramcontrolclasssysfile.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block zramcontrol - (genfscon "sysfs" "/class/zram-control" sysfile_context) + (genfscon "sysfs" "/class/zram-control" sysfile_context) - (blockinherit .sysfile.class.template) - (blockinherit .sysfile.macro_template_dirs)) + (blockinherit .sysfile.class.template) + (blockinherit .sysfile.macro_template_dirs)) diff --git a/src/sys/sysfile/devicessysfile.cil b/src/sys/sysfile/devicessysfile.cil index f82e0ea..87a7513 100644 --- a/src/sys/sysfile/devicessysfile.cil +++ b/src/sys/sysfile/devicessysfile.cil 
@@ -1,40 +1,40 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block devices - (genfscon "sysfs" "/devices" sysfile_context) + (genfscon "sysfs" "/devices" sysfile_context) - (blockinherit .sysfile.devices.template) - (blockinherit .sysfile.macro_template_dirs) - (blockinherit .sysfile.macro_template_lnk_files)) + (blockinherit .sysfile.devices.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) (in sysfile (block devices - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) - (call .sysfile.type (typeattr)) + (call .sysfile.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .sysfile.base_template) + (blockinherit .sysfile.base_template) - (call .sysfile.devices.type (sysfile))) + (call .sysfile.devices.type (sysfile))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .sysfile.devices.base_template) - (blockinherit .sysfile.macro_template_files)))) + (blockinherit .sysfile.devices.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/devicessysfile/cpudevicessysfile.cil b/src/sys/sysfile/devicessysfile/cpudevicessysfile.cil index 8290623..dcae8ff 100644 --- a/src/sys/sysfile/devicessysfile/cpudevicessysfile.cil 
+++ b/src/sys/sysfile/devicessysfile/cpudevicessysfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in cpu diff --git a/src/sys/sysfile/devicessysfile/memorydevicessysfile.cil b/src/sys/sysfile/devicessysfile/memorydevicessysfile.cil index 85eca32..98b4115 100644 --- a/src/sys/sysfile/devicessysfile/memorydevicessysfile.cil +++ b/src/sys/sysfile/devicessysfile/memorydevicessysfile.cil @@ -1,10 +1,10 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block memory - (genfscon "sysfs" "/devices/system/memory" sysfile_context) + (genfscon "sysfs" "/devices/system/memory" sysfile_context) - (blockinherit .sysfile.devices.template) - (blockinherit .sysfile.macro_template_dirs) - (blockinherit .sysfile.macro_template_lnk_files)) + (blockinherit .sysfile.devices.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) diff --git a/src/sys/sysfile/devicessysfile/nodedevicessysfile.cil b/src/sys/sysfile/devicessysfile/nodedevicessysfile.cil index 0243019..491a2c9 100644 --- a/src/sys/sysfile/devicessysfile/nodedevicessysfile.cil +++ b/src/sys/sysfile/devicessysfile/nodedevicessysfile.cil 
@@ -1,10 +1,10 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block node - (genfscon "sysfs" "/devices/system/node" sysfile_context) + (genfscon "sysfs" "/devices/system/node" sysfile_context) - (blockinherit .sysfile.devices.template) - (blockinherit .sysfile.macro_template_dirs) - (blockinherit .sysfile.macro_template_lnk_files)) + (blockinherit .sysfile.devices.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) diff --git a/src/sys/sysfile/devicessysfile/zramdevicessysfile.cil b/src/sys/sysfile/devicessysfile/zramdevicessysfile.cil index de2ea49..88937c6 100644 --- a/src/sys/sysfile/devicessysfile/zramdevicessysfile.cil +++ b/src/sys/sysfile/devicessysfile/zramdevicessysfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in zram diff --git a/src/sys/sysfile/devsysfile.cil b/src/sys/sysfile/devsysfile.cil index 635d02a..5eadf4e 100644 --- a/src/sys/sysfile/devsysfile.cil +++ b/src/sys/sysfile/devsysfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in dev 
@@ -13,28 +13,28 @@ (block dev - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) - (call .sysfile.type (typeattr)) + (call .sysfile.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .sysfile.base_template) + (blockinherit .sysfile.base_template) - (call .sysfile.dev.type (sysfile))) + (call .sysfile.dev.type (sysfile))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .sysfile.dev.base_template) - (blockinherit .sysfile.macro_template_files)))) + (blockinherit .sysfile.dev.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/firmwaresysfile.cil b/src/sys/sysfile/firmwaresysfile.cil index 7399981..2ba838e 100644 --- a/src/sys/sysfile/firmwaresysfile.cil +++ b/src/sys/sysfile/firmwaresysfile.cil 
@@ -1,40 +1,40 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block firmware - (genfscon "sysfs" "/firmware" sysfile_context) + (genfscon "sysfs" "/firmware" sysfile_context) - (blockinherit .sysfile.firmware.template) - (blockinherit .sysfile.macro_template_dirs) - (blockinherit .sysfile.macro_template_lnk_files)) + (blockinherit .sysfile.firmware.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) (in sysfile (block firmware - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) - (call .sysfile.type (typeattr)) + (call .sysfile.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .sysfile.base_template) + (blockinherit .sysfile.base_template) - (call .sysfile.firmware.type (sysfile))) + (call .sysfile.firmware.type (sysfile))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .sysfile.firmware.base_template) - (blockinherit .sysfile.macro_template_files)))) + (blockinherit .sysfile.firmware.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/fssysfile.cil b/src/sys/sysfile/fssysfile.cil index 16d34b6..559ad79 100644 --- a/src/sys/sysfile/fssysfile.cil +++ b/src/sys/sysfile/fssysfile.cil 
@@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in fs @@ -13,28 +13,28 @@ (block fs - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) - (call .sysfile.type (typeattr)) + (call .sysfile.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .sysfile.base_template) + (blockinherit .sysfile.base_template) - (call .sysfile.fs.type (sysfile))) + (call .sysfile.fs.type (sysfile))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .sysfile.fs.base_template) - (blockinherit .sysfile.macro_template_files)))) + (blockinherit .sysfile.fs.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/fssysfile/bcachefssysfile.cil b/src/sys/sysfile/fssysfile/bcachefssysfile.cil index 0f03921..edaf9b8 100644 --- a/src/sys/sysfile/fssysfile/bcachefssysfile.cil +++ b/src/sys/sysfile/fssysfile/bcachefssysfile.cil 
@@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block bcachefs - (genfscon "sysfs" "/fs/bcachefs" sysfile_context) + (genfscon "sysfs" "/fs/bcachefs" sysfile_context) - (blockinherit .sysfile.fs.template) - (blockinherit .sysfile.macro_template_dirs)) + (blockinherit .sysfile.fs.template) + (blockinherit .sysfile.macro_template_dirs)) diff --git a/src/sys/sysfile/fssysfile/btrfssysfile.cil b/src/sys/sysfile/fssysfile/btrfssysfile.cil index 97632ef..37e5beb 100644 --- a/src/sys/sysfile/fssysfile/btrfssysfile.cil +++ b/src/sys/sysfile/fssysfile/btrfssysfile.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block btrfs - (genfscon "sysfs" "/fs/btrfs" sysfile_context) + (genfscon "sysfs" "/fs/btrfs" sysfile_context) - (blockinherit .sysfile.fs.template) - (blockinherit .sysfile.macro_template_dirs)) + (blockinherit .sysfile.fs.template) + (blockinherit .sysfile.macro_template_dirs)) diff --git a/src/sys/sysfile/fssysfile/ext4fssysfile.cil b/src/sys/sysfile/fssysfile/ext4fssysfile.cil index 4bef76d..79f681f 100644 --- a/src/sys/sysfile/fssysfile/ext4fssysfile.cil +++ b/src/sys/sysfile/fssysfile/ext4fssysfile.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block ext4 - (genfscon "sysfs" "/fs/ext4" sysfile_context) + (genfscon "sysfs" "/fs/ext4" sysfile_context) - (blockinherit .sysfile.fs.template) - (blockinherit .sysfile.macro_template_dirs)) + (blockinherit .sysfile.fs.template) + (blockinherit .sysfile.macro_template_dirs)) 
diff --git a/src/sys/sysfile/fssysfile/f2fssysfile.cil b/src/sys/sysfile/fssysfile/f2fssysfile.cil index e00bc0b..a6850ea 100644 --- a/src/sys/sysfile/fssysfile/f2fssysfile.cil +++ b/src/sys/sysfile/fssysfile/f2fssysfile.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block f2fs - (genfscon "sysfs" "/fs/f2fs" sysfile_context) + (genfscon "sysfs" "/fs/f2fs" sysfile_context) - (blockinherit .sysfile.fs.template) - (blockinherit .sysfile.macro_template_dirs)) + (blockinherit .sysfile.fs.template) + (blockinherit .sysfile.macro_template_dirs)) diff --git a/src/sys/sysfile/fssysfile/fusefssysfile.cil b/src/sys/sysfile/fssysfile/fusefssysfile.cil index de62c6b..64f1f9d 100644 --- a/src/sys/sysfile/fssysfile/fusefssysfile.cil +++ b/src/sys/sysfile/fssysfile/fusefssysfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in fuse diff --git a/src/sys/sysfile/fssysfile/xfssysfile.cil b/src/sys/sysfile/fssysfile/xfssysfile.cil index 09984a7..8f1816f 100644 --- a/src/sys/sysfile/fssysfile/xfssysfile.cil +++ b/src/sys/sysfile/fssysfile/xfssysfile.cil @@ -1,9 +1,9 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block xfs - (genfscon "sysfs" "/fs/xfs" sysfile_context) + (genfscon "sysfs" "/fs/xfs" sysfile_context) - (blockinherit .sysfile.fs.template) - (blockinherit .sysfile.macro_template_dirs)) + (blockinherit .sysfile.fs.template) + (blockinherit .sysfile.macro_template_dirs)) 
diff --git a/src/sys/sysfile/hypervisorsysfile.cil b/src/sys/sysfile/hypervisorsysfile.cil index 09fd77d..ee37010 100644 --- a/src/sys/sysfile/hypervisorsysfile.cil +++ b/src/sys/sysfile/hypervisorsysfile.cil @@ -1,40 +1,40 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block hypervisor - (genfscon "sysfs" "/hypervisor" sysfile_context) + (genfscon "sysfs" "/hypervisor" sysfile_context) - (blockinherit .sysfile.hypervisor.template) - (blockinherit .sysfile.macro_template_dirs) - (blockinherit .sysfile.macro_template_lnk_files)) + (blockinherit .sysfile.hypervisor.template) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files)) (in sysfile (block hypervisor - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) - (call .sysfile.type (typeattr)) + (call .sysfile.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .sysfile.base_template) + (blockinherit .sysfile.base_template) - (call .sysfile.hypervisor.type (sysfile))) + (call .sysfile.hypervisor.type (sysfile))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .sysfile.hypervisor.base_template) - (blockinherit .sysfile.macro_template_files)))) + (blockinherit .sysfile.hypervisor.base_template) + (blockinherit .sysfile.macro_template_files)))) 
diff --git a/src/sys/sysfile/kernelsysfile.cil b/src/sys/sysfile/kernelsysfile.cil index 1c6c98b..5a1aacb 100644 --- a/src/sys/sysfile/kernelsysfile.cil +++ b/src/sys/sysfile/kernelsysfile.cil @@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in kernel @@ -13,28 +13,28 @@ (block kernel - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) - (call .sysfile.type (typeattr)) + (call .sysfile.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .sysfile.base_template) + (blockinherit .sysfile.base_template) - (call .sysfile.kernel.type (sysfile))) + (call .sysfile.kernel.type (sysfile))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .sysfile.kernel.base_template) - (blockinherit .sysfile.macro_template_files)))) + (blockinherit .sysfile.kernel.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/kernelsysfile/ksmkernelsysfile.cil b/src/sys/sysfile/kernelsysfile/ksmkernelsysfile.cil index 3a6682e..f020dfb 100644 --- a/src/sys/sysfile/kernelsysfile/ksmkernelsysfile.cil +++ b/src/sys/sysfile/kernelsysfile/ksmkernelsysfile.cil 
@@ -1,4 +1,4 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (in ksm diff --git a/src/sys/sysfile/modulesysfile.cil b/src/sys/sysfile/modulesysfile.cil index 5b20a9d..21356e7 100644 --- a/src/sys/sysfile/modulesysfile.cil +++ b/src/sys/sysfile/modulesysfile.cil 
@@ -1,40 +1,40 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block module - (genfscon "sysfs" "/module" sysfile_context) + (genfscon "sysfs" "/module" sysfile_context) - (blockinherit .sysfile.macro_template_dirs) - (blockinherit .sysfile.macro_template_lnk_files) - (blockinherit .sysfile.module.template)) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files) + (blockinherit .sysfile.module.template)) (in sysfile (block module - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) - (call .sysfile.type (typeattr)) + (call .sysfile.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .sysfile.base_template) + (blockinherit .sysfile.base_template) - (call .sysfile.module.type (sysfile))) + (call .sysfile.module.type (sysfile))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .sysfile.module.base_template) - (blockinherit .sysfile.macro_template_files)))) + (blockinherit .sysfile.module.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/sysfile/powersysfile.cil b/src/sys/sysfile/powersysfile.cil index aa14ba4..adf958c 100644 --- a/src/sys/sysfile/powersysfile.cil +++ b/src/sys/sysfile/powersysfile.cil 
@@ -1,40 +1,40 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block power - (genfscon "sysfs" "/power" sysfile_context) + (genfscon "sysfs" "/power" sysfile_context) - (blockinherit .sysfile.macro_template_dirs) - (blockinherit .sysfile.macro_template_lnk_files) - (blockinherit .sysfile.power.template)) + (blockinherit .sysfile.macro_template_dirs) + (blockinherit .sysfile.macro_template_lnk_files) + (blockinherit .sysfile.power.template)) (in sysfile (block power - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) - (blockinherit .file.all_macro_template_lnk_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_lnk_files) - (call .sysfile.type (typeattr)) + (call .sysfile.type (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (blockinherit .sysfile.base_template) + (blockinherit .sysfile.base_template) - (call .sysfile.power.type (sysfile))) + (call .sysfile.power.type (sysfile))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .sysfile.power.base_template) - (blockinherit .sysfile.macro_template_files)))) + (blockinherit .sysfile.power.base_template) + (blockinherit .sysfile.macro_template_files)))) diff --git a/src/sys/tracefile.cil b/src/sys/tracefile.cil index d9155cf..62f4b95 100644 --- a/src/sys/tracefile.cil +++ b/src/sys/tracefile.cil 
@@ -1,141 +1,141 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (block tracefile - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (blockinherit .file.all_macro_template_dirs) - (blockinherit .file.all_macro_template_files) + (blockinherit .file.all_macro_template_dirs) + (blockinherit .file.all_macro_template_files) - (call .obj.type (typeattr)) + (call .obj.type (typeattr)) - (call .trace.associate_fs (typeattr)) + (call .trace.associate_fs (typeattr)) - (block base_template + (block base_template - (blockabstract base_template) + (blockabstract base_template) - (context tracefile_context (.sys.id .sys.role tracefile .sys.lowlow)) + (context tracefile_context (.sys.id .sys.role tracefile .sys.lowlow)) - (type tracefile) - (call .tracefile.type (tracefile))) + (type tracefile) + (call .tracefile.type (tracefile))) - (block macro_template_dirs + (block macro_template_dirs - (blockabstract macro_template_dirs) + (blockabstract macro_template_dirs) - (macro addname_tracefile_dirs ((type ARG1)) - (allow ARG1 tracefile addname_dir)) + (macro addname_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile addname_dir)) - (macro create_tracefile_dirs ((type ARG1)) - (allow ARG1 tracefile create_dir)) + (macro create_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile create_dir)) - (macro delete_tracefile_dirs ((type ARG1)) - (allow ARG1 tracefile delete_dir)) + (macro delete_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile delete_dir)) - (macro deletename_tracefile_dirs ((type ARG1)) - (allow ARG1 tracefile deletename_dir)) + (macro deletename_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile deletename_dir)) - (macro list_tracefile_dirs ((type ARG1)) - (allow ARG1 tracefile 
list_dir)) + (macro list_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile list_dir)) - (macro listinherited_tracefile_dirs ((type ARG1)) - (allow ARG1 tracefile listinherited_dir)) + (macro listinherited_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile listinherited_dir)) - (macro manage_tracefile_dirs ((type ARG1)) - (allow ARG1 tracefile manage_dir)) + (macro manage_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile manage_dir)) - (macro mounton_tracefile_dirs ((type ARG1)) - (allow ARG1 tracefile mounton_dir)) + (macro mounton_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile mounton_dir)) - (macro readwrite_tracefile_dirs ((type ARG1)) - (allow ARG1 tracefile readwrite_dir)) + (macro readwrite_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile readwrite_dir)) - (macro readwriteinherited_tracefile_dirs ((type ARG1)) - (allow ARG1 tracefile readwriteinherited_dir)) + (macro readwriteinherited_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile readwriteinherited_dir)) - (macro rename_tracefile_dirs ((type ARG1)) - (allow ARG1 tracefile rename_dir)) + (macro rename_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile rename_dir)) - (macro search_tracefile_dirs ((type ARG1)) - (allow ARG1 tracefile search_dir)) + (macro search_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile search_dir)) - (macro write_tracefile_dirs ((type ARG1)) - (allow ARG1 tracefile write_dir)) + (macro write_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile write_dir)) - (macro writeinherited_tracefile_dirs ((type ARG1)) - (allow ARG1 tracefile writeinherited_dir))) + (macro writeinherited_tracefile_dirs ((type ARG1)) + (allow ARG1 tracefile writeinherited_dir))) - (block macro_template_files + (block macro_template_files - (blockabstract macro_template_files) + (blockabstract macro_template_files) - (macro append_tracefile_files ((type ARG1)) - (allow ARG1 tracefile append_file)) + (macro append_tracefile_files ((type ARG1)) + (allow ARG1 tracefile append_file)) - 
(macro appendinherited_tracefile_files ((type ARG1)) - (allow ARG1 tracefile appendinherited_file)) + (macro appendinherited_tracefile_files ((type ARG1)) + (allow ARG1 tracefile appendinherited_file)) - (macro create_tracefile_files ((type ARG1)) - (allow ARG1 tracefile create_file)) + (macro create_tracefile_files ((type ARG1)) + (allow ARG1 tracefile create_file)) - (macro delete_tracefile_files ((type ARG1)) - (allow ARG1 tracefile delete_file)) + (macro delete_tracefile_files ((type ARG1)) + (allow ARG1 tracefile delete_file)) - (macro execute_tracefile_files ((type ARG1)) - (allow ARG1 tracefile execute_file)) + (macro execute_tracefile_files ((type ARG1)) + (allow ARG1 tracefile execute_file)) - (macro manage_tracefile_files ((type ARG1)) - (allow ARG1 tracefile manage_file)) + (macro manage_tracefile_files ((type ARG1)) + (allow ARG1 tracefile manage_file)) - (macro mapexecute_tracefile_files ((type ARG1)) - (allow ARG1 tracefile mapexecute_file)) + (macro mapexecute_tracefile_files ((type ARG1)) + (allow ARG1 tracefile mapexecute_file)) - (macro mounton_tracefile_files ((type ARG1)) - (allow ARG1 tracefile mounton_file)) + (macro mounton_tracefile_files ((type ARG1)) + (allow ARG1 tracefile mounton_file)) - (macro read_tracefile_files ((type ARG1)) - (allow ARG1 tracefile read_file)) + (macro read_tracefile_files ((type ARG1)) + (allow ARG1 tracefile read_file)) - (macro readinherited_tracefile_files ((type ARG1)) - (allow ARG1 tracefile readinherited_file)) + (macro readinherited_tracefile_files ((type ARG1)) + (allow ARG1 tracefile readinherited_file)) - (macro readwrite_tracefile_files ((type ARG1)) - (allow ARG1 tracefile readwrite_file)) + (macro readwrite_tracefile_files ((type ARG1)) + (allow ARG1 tracefile readwrite_file)) - (macro readwriteinherited_tracefile_files ((type ARG1)) - (allow ARG1 tracefile readwriteinherited_file)) + (macro readwriteinherited_tracefile_files ((type ARG1)) + (allow ARG1 tracefile readwriteinherited_file)) - (macro 
rename_tracefile_files ((type ARG1)) - (allow ARG1 tracefile rename_file)) + (macro rename_tracefile_files ((type ARG1)) + (allow ARG1 tracefile rename_file)) - (macro write_tracefile_files ((type ARG1)) - (allow ARG1 tracefile write_file)) + (macro write_tracefile_files ((type ARG1)) + (allow ARG1 tracefile write_file)) - (macro writeinherited_tracefile_files ((type ARG1)) - (allow ARG1 tracefile writeinherited_file))) + (macro writeinherited_tracefile_files ((type ARG1)) + (allow ARG1 tracefile writeinherited_file))) - (block template + (block template - (blockabstract template) + (blockabstract template) - (blockinherit .tracefile.base_template) - (blockinherit .tracefile.macro_template_files)) + (blockinherit .tracefile.base_template) + (blockinherit .tracefile.macro_template_files)) - (block unconfined + (block unconfined - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) - (typeattribute typeattr) + (typeattribute typeattr) - (allow typeattr tracefile.typeattr (dir (not (audit_access execmod)))) - (allow typeattr tracefile.typeattr - (file (not (audit_access entrypoint execmod)))))) + (allow typeattr tracefile.typeattr (dir (not (audit_access execmod)))) + (allow typeattr tracefile.typeattr + (file (not (audit_access entrypoint execmod)))))) (in sys.unconfined diff --git a/src/unlabeled.cil b/src/unlabeled.cil index e8055c6..1c29798 100644 --- a/src/unlabeled.cil +++ b/src/unlabeled.cil 
@@ -1,353 +1,353 @@ -;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl> +;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl> ;; SPDX-License-Identifier: Unlicense (sidcontext file (sys.id sys.role unlabeled sys.lowlow)) (macro addname_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled addname_dir)) + (allow ARG1 unlabeled addname_dir)) (macro append_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled append_blk_file)) + (allow ARG1 unlabeled append_blk_file)) (macro append_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled append_chr_file)) + (allow ARG1 unlabeled append_chr_file)) (macro append_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled append_fifo_file)) + (allow ARG1 unlabeled append_fifo_file)) (macro append_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled append_file)) + (allow ARG1 unlabeled append_file)) (macro appendinherited_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled appendinherited_blk_file)) + (allow ARG1 unlabeled appendinherited_blk_file)) (macro appendinherited_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled appendinherited_chr_file)) + (allow ARG1 unlabeled appendinherited_chr_file)) (macro appendinherited_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled appendinherited_fifo_file)) + (allow ARG1 unlabeled appendinherited_fifo_file)) (macro appendinherited_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled appendinherited_file)) + (allow ARG1 unlabeled appendinherited_file)) (macro create_unlabeled ((type ARG1)) - (allow ARG1 unlabeled (files (create)))) + (allow ARG1 unlabeled (files (create)))) (macro create_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled create_blk_file)) + (allow ARG1 unlabeled create_blk_file)) (macro create_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled create_chr_file)) + (allow ARG1 unlabeled create_chr_file)) (macro create_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled 
create_dir)) + (allow ARG1 unlabeled create_dir)) (macro create_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled create_fifo_file)) + (allow ARG1 unlabeled create_fifo_file)) (macro create_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled create_file)) + (allow ARG1 unlabeled create_file)) (macro create_unlabeled_lnk_files ((type ARG1)) - (allow ARG1 unlabeled create_lnk_file)) + (allow ARG1 unlabeled create_lnk_file)) (macro create_unlabeled_sock_files ((type ARG1)) - (allow ARG1 unlabeled create_sock_file)) + (allow ARG1 unlabeled create_sock_file)) (macro delete_unlabeled ((type ARG1)) - (allow ARG1 unlabeled (files (delete)))) + (allow ARG1 unlabeled (files (delete)))) (macro delete_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled delete_blk_file)) + (allow ARG1 unlabeled delete_blk_file)) (macro delete_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled delete_chr_file)) + (allow ARG1 unlabeled delete_chr_file)) (macro delete_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled delete_dir)) + (allow ARG1 unlabeled delete_dir)) (macro delete_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled delete_fifo_file)) + (allow ARG1 unlabeled delete_fifo_file)) (macro delete_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled delete_file)) + (allow ARG1 unlabeled delete_file)) (macro delete_unlabeled_lnk_files ((type ARG1)) - (allow ARG1 unlabeled delete_lnk_file)) + (allow ARG1 unlabeled delete_lnk_file)) (macro delete_unlabeled_sock_files ((type ARG1)) - (allow ARG1 unlabeled delete_sock_file)) + (allow ARG1 unlabeled delete_sock_file)) (macro deletename_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled deletename_dir)) + (allow ARG1 unlabeled deletename_dir)) (macro execute_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled execute_file)) + (allow ARG1 unlabeled execute_file)) (macro list_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled list_dir)) + (allow ARG1 unlabeled list_dir)) (macro listinherited_unlabeled_dirs 
((type ARG1)) - (allow ARG1 unlabeled listinherited_dir)) + (allow ARG1 unlabeled listinherited_dir)) (macro manage_unlabeled ((type ARG1)) - (allow ARG1 unlabeled (files (manage)))) + (allow ARG1 unlabeled (files (manage)))) (macro manage_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled manage_blk_file)) + (allow ARG1 unlabeled manage_blk_file)) (macro manage_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled manage_chr_file)) + (allow ARG1 unlabeled manage_chr_file)) (macro manage_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled manage_dir)) + (allow ARG1 unlabeled manage_dir)) (macro manage_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled manage_fifo_file)) + (allow ARG1 unlabeled manage_fifo_file)) (macro manage_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled manage_file)) + (allow ARG1 unlabeled manage_file)) (macro manage_unlabeled_lnk_files ((type ARG1)) - (allow ARG1 unlabeled manage_lnk_file)) + (allow ARG1 unlabeled manage_lnk_file)) (macro manage_unlabeled_sock_files ((type ARG1)) - (allow ARG1 unlabeled manage_sock_file)) + (allow ARG1 unlabeled manage_sock_file)) (macro mapexecute_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled mapexecute_chr_file)) + (allow ARG1 unlabeled mapexecute_chr_file)) (macro mapexecute_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled mapexecute_file)) + (allow ARG1 unlabeled mapexecute_file)) (macro mounton_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled mounton_dir)) + (allow ARG1 unlabeled mounton_dir)) (macro mounton_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled mounton_file)) + (allow ARG1 unlabeled mounton_file)) (macro read_unlabeled ((type ARG1)) - (allow ARG1 unlabeled (files (read)))) + (allow ARG1 unlabeled (files (read)))) (macro read_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled read_blk_file)) + (allow ARG1 unlabeled read_blk_file)) (macro read_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled read_chr_file)) + (allow ARG1 
unlabeled read_chr_file)) (macro read_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled read_fifo_file)) + (allow ARG1 unlabeled read_fifo_file)) (macro read_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled read_file)) + (allow ARG1 unlabeled read_file)) (macro read_unlabeled_lnk_files ((type ARG1)) - (allow ARG1 unlabeled read_lnk_file)) + (allow ARG1 unlabeled read_lnk_file)) (macro read_unlabeled_sock_files ((type ARG1)) - (allow ARG1 unlabeled read_sock_file)) + (allow ARG1 unlabeled read_sock_file)) (macro readinherited_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled readinherited_blk_file)) + (allow ARG1 unlabeled readinherited_blk_file)) (macro readinherited_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled readinherited_chr_file)) + (allow ARG1 unlabeled readinherited_chr_file)) (macro readinherited_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled readinherited_fifo_file)) + (allow ARG1 unlabeled readinherited_fifo_file)) (macro readinherited_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled readinherited_file)) + (allow ARG1 unlabeled readinherited_file)) (macro readinherited_unlabeled_sock_files ((type ARG1)) - (allow ARG1 unlabeled readinherited_sock_file)) + (allow ARG1 unlabeled readinherited_sock_file)) (macro readwrite_unlabeled ((type ARG1)) - (allow ARG1 unlabeled (files (readwrite)))) + (allow ARG1 unlabeled (files (readwrite)))) (macro readwrite_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled readwrite_blk_file)) + (allow ARG1 unlabeled readwrite_blk_file)) (macro readwrite_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled readwrite_chr_file)) + (allow ARG1 unlabeled readwrite_chr_file)) (macro readwrite_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled readwrite_dir)) + (allow ARG1 unlabeled readwrite_dir)) (macro readwrite_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled readwrite_fifo_file)) + (allow ARG1 unlabeled readwrite_fifo_file)) (macro 
readwrite_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled readwrite_file)) + (allow ARG1 unlabeled readwrite_file)) (macro readwrite_unlabeled_lnk_files ((type ARG1)) - (allow ARG1 unlabeled readwrite_lnk_file)) + (allow ARG1 unlabeled readwrite_lnk_file)) (macro readwrite_unlabeled_sock_files ((type ARG1)) - (allow ARG1 unlabeled readwrite_sock_file)) + (allow ARG1 unlabeled readwrite_sock_file)) (macro readwriteinherited_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled readwriteinherited_blk_file)) + (allow ARG1 unlabeled readwriteinherited_blk_file)) (macro readwriteinherited_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled readwriteinherited_chr_file)) + (allow ARG1 unlabeled readwriteinherited_chr_file)) (macro readwriteinherited_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled readwriteinherited_dir)) + (allow ARG1 unlabeled readwriteinherited_dir)) (macro readwriteinherited_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled readwriteinherited_fifo_file)) + (allow ARG1 unlabeled readwriteinherited_fifo_file)) (macro readwriteinherited_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled readwriteinherited_file)) + (allow ARG1 unlabeled readwriteinherited_file)) (macro readwriteinherited_unlabeled_sock_files ((type ARG1)) - (allow ARG1 unlabeled readwriteinherited_sock_file)) + (allow ARG1 unlabeled readwriteinherited_sock_file)) (macro relabel_unlabeled ((type ARG1)) - (allow ARG1 unlabeled (files (relabel)))) + (allow ARG1 unlabeled (files (relabel)))) (macro relabel_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled relabel_blk_file)) + (allow ARG1 unlabeled relabel_blk_file)) (macro relabel_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled relabel_chr_file)) + (allow ARG1 unlabeled relabel_chr_file)) (macro relabel_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled relabel_dir)) + (allow ARG1 unlabeled relabel_dir)) (macro relabel_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled 
relabel_fifo_file)) + (allow ARG1 unlabeled relabel_fifo_file)) (macro relabel_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled relabel_file)) + (allow ARG1 unlabeled relabel_file)) (macro relabel_unlabeled_lnk_files ((type ARG1)) - (allow ARG1 unlabeled relabel_lnk_file)) + (allow ARG1 unlabeled relabel_lnk_file)) (macro relabel_unlabeled_sock_files ((type ARG1)) - (allow ARG1 unlabeled relabel_sock_file)) + (allow ARG1 unlabeled relabel_sock_file)) (macro relabelfrom_unlabeled ((type ARG1)) - (allow ARG1 unlabeled (files (relabelfrom)))) + (allow ARG1 unlabeled (files (relabelfrom)))) (macro relabelfrom_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled relabelfrom_blk_file)) + (allow ARG1 unlabeled relabelfrom_blk_file)) (macro relabelfrom_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled relabelfrom_chr_file)) + (allow ARG1 unlabeled relabelfrom_chr_file)) (macro relabelfrom_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled relabelfrom_dir)) + (allow ARG1 unlabeled relabelfrom_dir)) (macro relabelfrom_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled relabelfrom_fifo_file)) + (allow ARG1 unlabeled relabelfrom_fifo_file)) (macro relabelfrom_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled relabelfrom_file)) + (allow ARG1 unlabeled relabelfrom_file)) (macro relabelfrom_unlabeled_lnk_files ((type ARG1)) - (allow ARG1 unlabeled relabelfrom_lnk_file)) + (allow ARG1 unlabeled relabelfrom_lnk_file)) (macro relabelfrom_unlabeled_sock_files ((type ARG1)) - (allow ARG1 unlabeled relabelfrom_sock_file)) + (allow ARG1 unlabeled relabelfrom_sock_file)) (macro relabelto_unlabeled ((type ARG1)) - (allow ARG1 unlabeled (files (relabelto)))) + (allow ARG1 unlabeled (files (relabelto)))) (macro relabelto_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled relabelto_blk_file)) + (allow ARG1 unlabeled relabelto_blk_file)) (macro relabelto_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled relabelto_chr_file)) + (allow ARG1 
unlabeled relabelto_chr_file)) (macro relabelto_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled relabelto_dir)) + (allow ARG1 unlabeled relabelto_dir)) (macro relabelto_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled relabelto_fifo_file)) + (allow ARG1 unlabeled relabelto_fifo_file)) (macro relabelto_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled relabelto_file)) + (allow ARG1 unlabeled relabelto_file)) (macro relabelto_unlabeled_lnk_files ((type ARG1)) - (allow ARG1 unlabeled relabelto_lnk_file)) + (allow ARG1 unlabeled relabelto_lnk_file)) (macro relabelto_unlabeled_sock_files ((type ARG1)) - (allow ARG1 unlabeled relabelto_sock_file)) + (allow ARG1 unlabeled relabelto_sock_file)) (macro rename_unlabeled ((type ARG1)) - (allow ARG1 unlabeled (files (rename)))) + (allow ARG1 unlabeled (files (rename)))) (macro rename_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled rename_blk_file)) + (allow ARG1 unlabeled rename_blk_file)) (macro rename_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled rename_chr_file)) + (allow ARG1 unlabeled rename_chr_file)) (macro rename_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled rename_dir)) + (allow ARG1 unlabeled rename_dir)) (macro rename_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled rename_fifo_file)) + (allow ARG1 unlabeled rename_fifo_file)) (macro rename_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled rename_file)) + (allow ARG1 unlabeled rename_file)) (macro rename_unlabeled_lnk_files ((type ARG1)) - (allow ARG1 unlabeled rename_lnk_file)) + (allow ARG1 unlabeled rename_lnk_file)) (macro rename_unlabeled_sock_files ((type ARG1)) - (allow ARG1 unlabeled rename_sock_file)) + (allow ARG1 unlabeled rename_sock_file)) (macro search_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled search_dir)) + (allow ARG1 unlabeled search_dir)) (macro unlabeled_type_transition ((type ARG1)(type ARG2)(class ARG3)(name ARG4)) - (typetransition ARG1 unlabeled ARG3 ARG4 ARG2) - (call 
addname_unlabeled_dirs (ARG1))) + (typetransition ARG1 unlabeled ARG3 ARG4 ARG2) + (call addname_unlabeled_dirs (ARG1))) (macro write_unlabeled ((type ARG1)) - (allow ARG1 unlabeled (files (write)))) + (allow ARG1 unlabeled (files (write)))) (macro write_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled write_blk_file)) + (allow ARG1 unlabeled write_blk_file)) (macro write_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled write_chr_file)) + (allow ARG1 unlabeled write_chr_file)) (macro write_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled write_dir)) + (allow ARG1 unlabeled write_dir)) (macro write_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled write_fifo_file)) + (allow ARG1 unlabeled write_fifo_file)) (macro write_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled write_file)) + (allow ARG1 unlabeled write_file)) (macro write_unlabeled_lnk_files ((type ARG1)) - (allow ARG1 unlabeled write_lnk_file)) + (allow ARG1 unlabeled write_lnk_file)) (macro write_unlabeled_sock_files ((type ARG1)) - (allow ARG1 unlabeled write_sock_file)) + (allow ARG1 unlabeled write_sock_file)) (macro writeinherited_unlabeled_blk_files ((type ARG1)) - (allow ARG1 unlabeled writeinherited_blk_file)) + (allow ARG1 unlabeled writeinherited_blk_file)) (macro writeinherited_unlabeled_chr_files ((type ARG1)) - (allow ARG1 unlabeled writeinherited_chr_file)) + (allow ARG1 unlabeled writeinherited_chr_file)) (macro writeinherited_unlabeled_dirs ((type ARG1)) - (allow ARG1 unlabeled writeinherited_dir)) + (allow ARG1 unlabeled writeinherited_dir)) (macro writeinherited_unlabeled_fifo_files ((type ARG1)) - (allow ARG1 unlabeled writeinherited_fifo_file)) + (allow ARG1 unlabeled writeinherited_fifo_file)) (macro writeinherited_unlabeled_files ((type ARG1)) - (allow ARG1 unlabeled writeinherited_file)) + (allow ARG1 unlabeled writeinherited_file)) (macro writeinherited_unlabeled_sock_files ((type ARG1)) - (allow ARG1 unlabeled writeinherited_sock_file)) + (allow 
ARG1 unlabeled writeinherited_sock_file)) (type unlabeled) (roletype sys.role unlabeled) @@ -356,26 +356,26 @@ (block unlabeled - (block unconfined - - (macro type ((type ARG1)) - (typeattributeset typeattr ARG1)) - - (typeattribute typeattr) - - (allow typeattr .unlabeled - (blk_file (not (audit_access execmod map mounton relabelto)))) - (allow typeattr .unlabeled - (chr_file (not (audit_access execmod mounton relabelto)))) - (allow typeattr .unlabeled (dir (not (audit_access execmod relabelto)))) - (allow typeattr .unlabeled - (fifo_file (not (audit_access execmod map mounton relabelto)))) - (allow typeattr .unlabeled - (file (not (audit_access entrypoint execmod relabelto)))) - (allow typeattr .unlabeled - (lnk_file (not (audit_access execmod map mounton relabelto)))) - (allow typeattr .unlabeled - (sock_file (not (audit_access execmod map mounton relabelto)))))) + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr .unlabeled + (blk_file (not (audit_access execmod map mounton relabelto)))) + (allow typeattr .unlabeled + (chr_file (not (audit_access execmod mounton relabelto)))) + (allow typeattr .unlabeled (dir (not (audit_access execmod relabelto)))) + (allow typeattr .unlabeled + (fifo_file (not (audit_access execmod map mounton relabelto)))) + (allow typeattr .unlabeled + (file (not (audit_access entrypoint execmod relabelto)))) + (allow typeattr .unlabeled + (lnk_file (not (audit_access execmod map mounton relabelto)))) + (allow typeattr .unlabeled + (sock_file (not (audit_access execmod map mounton relabelto)))))) (in unconfined |
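Review bot: The new side of the SPDX-FileCopyrightText line at the top of src/unlabeled.cil reads `M-BM-)` where the removed line has `©`; `M-BM-)` is how `cat -v` prints the two UTF-8 bytes of the copyright sign, so the reindented file appears to have been written back from escaped output and now carries that literal ASCII text in its license header. The line should be restored to `;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>`, and since every policy file in this tree seems to carry the same header, the first hunk of the other files in this commit most likely needs the same repair. Because the remainder of the hunk is a whitespace-only reindent of access-control rules, it would also be worth confirming before merge that `git diff -w` reduces the change to those header lines, or that the policy compiled with secilc is byte-identical before and after, so that no allow rule changed along with the indentation.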