From 0c187b6ff97f91c41dab65a6426dc61f77305cdf Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Sun, 20 Aug 2023 15:44:41 +0200 Subject: Import dssp5 Signed-off-by: Dominick Grift --- src/misc/av.cil | 48 ++ src/misc/av/binderav.cil | 41 + src/misc/av/bpfav.cil | 30 + src/misc/av/capabilityav.cil | 38 + src/misc/av/fdav.cil | 92 +++ src/misc/av/iouringav.cil | 98 +++ src/misc/av/ipcav.cil | 140 ++++ src/misc/av/kernelserviceav.cil | 48 ++ src/misc/av/keyav.cil | 46 ++ src/misc/av/memprotectav.cil | 25 + src/misc/av/msgav.cil | 31 + src/misc/av/perfeventav.cil | 30 + src/misc/av/socketav.cil | 1601 +++++++++++++++++++++++++++++++++++++++ src/misc/av/systemav.cil | 60 ++ src/misc/av/usernamespaceav.cil | 9 + src/misc/conf.cil | 16 + src/misc/constrain/ibac.cil | 84 ++ src/misc/constrain/mcs.cil | 38 + src/misc/constrain/rbac.cil | 84 ++ src/misc/constrain/rbacsep.cil | 112 +++ src/misc/default.cil | 10 + src/misc/isid.cil | 37 + src/misc/map.cil | 161 ++++ src/misc/mls.cil | 1110 +++++++++++++++++++++++++++ src/misc/modular.cil | 5 + src/misc/obj.cil | 16 + src/misc/perm.cil | 314 ++++++++ src/misc/unconfined.cil | 9 + src/misc/xperm.cil | 8 + src/misc/xperm/consolexperm.cil | 145 ++++ src/misc/xperm/ttyxperm.cil | 139 ++++ src/misc/xperm/vtxperm.cil | 68 ++ 32 files changed, 4693 insertions(+) create mode 100644 src/misc/av.cil create mode 100644 src/misc/av/binderav.cil create mode 100644 src/misc/av/bpfav.cil create mode 100644 src/misc/av/capabilityav.cil create mode 100644 src/misc/av/fdav.cil create mode 100644 src/misc/av/iouringav.cil create mode 100644 src/misc/av/ipcav.cil create mode 100644 src/misc/av/kernelserviceav.cil create mode 100644 src/misc/av/keyav.cil create mode 100644 src/misc/av/memprotectav.cil create mode 100644 src/misc/av/msgav.cil create mode 100644 src/misc/av/perfeventav.cil create mode 100644 src/misc/av/socketav.cil create mode 100644 src/misc/av/systemav.cil create mode 100644 src/misc/av/usernamespaceav.cil create mode 100644 src/misc/conf.cil create mode 100644 src/misc/constrain/ibac.cil create mode 100644 src/misc/constrain/mcs.cil create mode 100644 src/misc/constrain/rbac.cil create mode 100644 src/misc/constrain/rbacsep.cil create mode 100644 src/misc/default.cil create mode 100644 src/misc/isid.cil create mode 100644 src/misc/map.cil create mode 100644 src/misc/mls.cil create mode 100644 src/misc/modular.cil create mode 100644 src/misc/obj.cil create mode 100644 src/misc/perm.cil create mode 100644 src/misc/unconfined.cil create mode 100644 src/misc/xperm.cil create mode 100644 src/misc/xperm/consolexperm.cil create mode 100644 src/misc/xperm/ttyxperm.cil create mode 100644 src/misc/xperm/vtxperm.cil (limited to 'src/misc') diff --git a/src/misc/av.cil b/src/misc/av.cil new file mode 100644 index 0000000..e366d81 --- /dev/null +++ b/src/misc/av.cil @@ -0,0 +1,48 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class blk_file ()) +(classorder (unordered blk_file)) + +(class chr_file ()) +(classorder (unordered chr_file)) + +(class dir (add_name remove_name reparent rmdir search)) +(classorder (unordered dir)) + +(class fifo_file ()) +(classorder (unordered fifo_file)) + +(class file (entrypoint execute_no_trans)) +(classorder (unordered file)) + +(class lnk_file ()) +(classorder (unordered lnk_file)) + +(class process + (dyntransition execheap execmem execstack fork getattr getcap getpgid + getrlimit getsched getsession noatsecure ptrace rlimitinh + setexec setcap setcurrent setfscreate setkeycreate setpgid + setrlimit setsched setsockcreate share sigchld siginh + sigkill signal signull sigstop transition)) +(classorder (unordered process)) + +(class process2 (nnp_transition nosuid_transition)) +(classorder (unordered process2)) + +(class sock_file ()) +(classorder (unordered sock_file)) + +(classcommon blk_file common_file) +(classcommon chr_file common_file) +(classcommon dir common_file) +(classcommon fifo_file common_file) +(classcommon file common_file) +(classcommon lnk_file common_file) +(classcommon sock_file common_file) + +(common common_file + (append audit_access create execmod execute getattr ioctl lock link map + mounton open quotaon read relabelfrom relabelto rename setattr + unlink watch watch_mount watch_reads watch_sb watch_with_perm + write)) diff --git a/src/misc/av/binderav.cil b/src/misc/av/binderav.cil new file mode 100644 index 0000000..a6108c4 --- /dev/null +++ b/src/misc/av/binderav.cil @@ -0,0 +1,41 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class binder (call impersonate set_context_mgr transfer)) +(classorder (unordered binder)) + +(macro call_invalid_binders ((type ARG1)) + (allow ARG1 .invalid (binder (call)))) + +(macro transfer_invalid_binders ((type ARG1)) + (allow ARG1 .invalid (binder (transfer)))) + +(in invalid.unconfined + + (allow typeattr .invalid (binder (not (impersonate set_context_mgr))))) + +(in subj + + (macro call_all_binders ((type ARG1)) + (allow ARG1 typeattr (binder (call)))) + + (macro impersonate_all_binders ((type ARG1)) + (allow ARG1 typeattr (binder (impersonate)))) + + (macro transfer_all_binders ((type ARG1)) + (allow ARG1 typeattr (binder (transfer))))) + +(in subj.macro_template + + (macro call_subj_binders ((type ARG1)) + (allow ARG1 subj (binder (call)))) + + (macro impersonate_subj_binders ((type ARG1)) + (allow ARG1 subj (binder (impersonate)))) + + (macro transfer_subj_binders ((type ARG1)) + (allow ARG1 subj (binder (transfer))))) + +(in subj.unconfined + + (allow typeattr .subj.typeattr (binder (all)))) diff --git a/src/misc/av/bpfav.cil b/src/misc/av/bpfav.cil new file mode 100644 index 0000000..8258a1d --- /dev/null +++ b/src/misc/av/bpfav.cil @@ -0,0 +1,30 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class bpf (map_create map_read map_write prog_load prog_run)) +(classorder (unordered bpf)) + +(in invalid.unconfined + + (allow typeattr .invalid (bpf (map_read map_write prog_run)))) + +(in mcs + + (mlsconstrain (bpf (map_read map_write prog_run)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in rbacsep + + (constrain (bpf (map_read map_write prog_run)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) + +(in subj.unconfined + + (allow typeattr self (bpf (not (map_read map_write prog_run)))) + (allow typeattr subj.typeattr (bpf (map_read map_write prog_run)))) diff --git a/src/misc/av/capabilityav.cil b/src/misc/av/capabilityav.cil new file mode 100644 index 0000000..dbfdfe0 --- /dev/null +++ b/src/misc/av/capabilityav.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class cap_userns ()) +(classorder (unordered cap_userns)) + +(class cap2_userns ()) +(classorder (unordered cap2_userns)) + +(class capability ()) +(classorder (unordered capability)) + +(class capability2 ()) +(classorder (unordered capability2)) + +(classcommon cap_userns common_capability) +(classcommon cap2_userns common_capability2) +(classcommon capability common_capability) +(classcommon capability2 common_capability2) + +(common common_capability + (audit_control audit_write chown dac_read_search dac_override fowner + fsetid ipc_lock ipc_owner kill linux_immutable lease + mknod net_admin net_bind_service net_broadcast net_raw + setfcap setgid setpcap setuid sys_admin sys_boot + sys_chroot sys_module sys_nice sys_pacct sys_ptrace + sys_rawio sys_resource sys_time sys_tty_config)) + +(common common_capability2 + (audit_read block_suspend bpf checkpoint_restore mac_admin mac_override + perfmon syslog wake_alarm)) + +(in subj.unconfined + + (allow typeattr self (cap_userns (all))) + (allow typeattr self (cap2_userns (not (mac_admin mac_override)))) + (allow typeattr self (capability (all))) + (allow typeattr self (capability2 (not (mac_admin mac_override))))) diff --git a/src/misc/av/fdav.cil b/src/misc/av/fdav.cil new file mode 100644 index 0000000..9c43343 --- /dev/null +++ b/src/misc/av/fdav.cil @@ -0,0 +1,92 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class fd (use)) +(classorder (unordered fd)) + +(macro use_invalid_fds ((type ARG1)) + (allow ARG1 invalid (fd (use)))) + +(in invalid.unconfined + + (allow typeattr .invalid (fd (all)))) + +(in mcs + + (mlsconstrain (fd (use)) + (or (or (dom h1 h2) + (neq t1 constrained.typeattr)) + (and (eq t1 usefdsource.typeattr) + (eq t2 usefdtarget.typeattr)))) + + (block usefdsource + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block usefdtarget + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) + +(in rbacsep + + (constrain (fd (use)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 usefdsource.typeattr) + (eq t2 usefdtarget.typeattr)))) + + (block usefdsource + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block usefdtarget + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) + +(in subj + + (block interactivefd + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call .mcs.usefdtarget.type (typeattr))) + + (block useinteractivefd + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr interactivefd.typeattr (fd (use))))) + +(in subj.all_macro_template + + (macro use_all_fds ((type ARG1)) + (allow ARG1 typeattr (fd (use))))) + +(in subj.macro_template + + (macro use_subj_fds ((type ARG1)) + (allow ARG1 subj (fd (use))))) + +(in subj.unconfined + + (allow typeattr subj.typeattr (fd (all)))) diff --git a/src/misc/av/iouringav.cil b/src/misc/av/iouringav.cil new file mode 100644 index 0000000..22a8821 --- /dev/null +++ b/src/misc/av/iouringav.cil @@ -0,0 +1,98 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class io_uring (cmd override_creds sqpoll)) +(classorder (unordered io_uring)) + +(in booleanfile.unconfined + + (allow typeattr booleanfile.typeattr (io_uring (cmd)))) + +(in bpffile.unconfined + + (allow typeattr bpffile.typeattr (io_uring (cmd)))) + +(in cgroupfile.unconfined + + (allow typeattr cgroupfile.typeattr (io_uring (cmd)))) + +(in debugfile.unconfined + + (allow typeattr debugfile.typeattr (io_uring (cmd)))) + +(in dev.unconfined + + (allow typeattr dev.typeattr (io_uring (cmd)))) + +(in file.unconfined + + (allow typeattr file.typeattr (io_uring (cmd)))) + +(in fs.unconfined + + (allow typeattr fs.typeattr (io_uring (cmd)))) + +(in invalid.unconfined + + (allow typeattr .invalid (io_uring (cmd override_creds)))) + +(in mcs + + (mlsconstrain (io_uring (override_creds)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in nodedev.unconfined + + (allow typeattr nodedev.typeattr (io_uring (cmd)))) + +(in procfile.unconfined + + (allow typeattr procfile.typeattr (io_uring (cmd)))) + +(in pstorefile.unconfined + + (allow typeattr pstorefile.typeattr (io_uring (cmd)))) + +(in rbacsep + + (constrain (io_uring (override_creds)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) + +(in securityfile.unconfined + + (allow typeattr securityfile.typeattr (io_uring (cmd)))) + +(in stordev.unconfined + + (allow typeattr stordev.typeattr (io_uring (cmd)))) + +(in subj.unconfined + + (allow typeattr self (io_uring (sqpoll))) + (allow typeattr subj.typeattr (io_uring (override_creds)))) + +(in sysctlfile.unconfined + + (allow typeattr sysctlfile.typeattr (io_uring (cmd)))) + +(in sysfile.unconfined + + (allow typeattr sysfile.typeattr (io_uring (cmd)))) + +(in termdev.unconfined + + (allow typeattr termdev.typeattr (io_uring (cmd)))) + +(in tracefile.unconfined + + (allow typeattr tracefile.typeattr (io_uring (cmd)))) + +(in unlabeled.unconfined + + (allow typeattr .unlabeled (io_uring (cmd)))) diff --git a/src/misc/av/ipcav.cil b/src/misc/av/ipcav.cil new file mode 100644 index 0000000..0ae848c --- /dev/null +++ b/src/misc/av/ipcav.cil @@ -0,0 +1,140 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class ipc ()) +(classorder (unordered ipc)) + +(class msgq (enqueue)) +(classorder (unordered msgq)) + +(class sem ()) +(classorder (unordered sem)) + +(class shm (lock)) +(classorder (unordered shm)) + +(classcommon ipc common_ipc) +(classcommon msgq common_ipc) +(classcommon sem common_ipc) +(classcommon shm common_ipc) + +(common common_ipc + (associate create destroy getattr read setattr unix_read unix_write + write)) + +(classpermission create_ipc) +(classpermission create_msgq) +(classpermission create_sem) +(classpermission create_shm) + +(classpermission read_ipc) +(classpermission read_msgq) +(classpermission read_sem) +(classpermission read_shm) + +(classpermission readwrite_ipc) +(classpermission readwrite_msgq) +(classpermission readwrite_sem) +(classpermission readwrite_shm) + +(classpermissionset create_ipc + (ipc (associate create destroy getattr read setattr + unix_read unix_write write))) +(classpermissionset create_msgq + (msgq (associate create destroy enqueue getattr read setattr + unix_read unix_write write))) +(classpermissionset create_sem + (sem (associate create destroy getattr read setattr + unix_read unix_write write))) +(classpermissionset create_shm + (shm (associate create destroy getattr read setattr + unix_read unix_write write))) + +(classpermissionset read_ipc (ipc (associate getattr read unix_read))) +(classpermissionset read_msgq (msgq (associate getattr read unix_read))) +(classpermissionset read_sem (sem (associate getattr read unix_read))) +(classpermissionset read_shm (shm (associate getattr read unix_read))) + +(classpermissionset readwrite_ipc + (ipc (associate getattr read unix_read unix_write write))) +(classpermissionset readwrite_msgq + (msgq (associate enqueue getattr read unix_read unix_write + write))) +(classpermissionset readwrite_sem + (sem (associate getattr read unix_read unix_write write))) +(classpermissionset readwrite_shm + (shm (associate getattr read unix_read unix_write write))) + +(classmap constrainipcsubject (create getattr read setattr write)) + +(classmapping constrainipcsubject create (ipc (create))) +(classmapping constrainipcsubject create (msgq (create))) +(classmapping constrainipcsubject create (sem (create))) +(classmapping constrainipcsubject create (shm (create))) + +(classmapping constrainipcsubject getattr (ipc (getattr))) +(classmapping constrainipcsubject getattr (msgq (getattr))) +(classmapping constrainipcsubject getattr (sem (getattr))) +(classmapping constrainipcsubject getattr (shm (getattr))) + +(classmapping constrainipcsubject read (ipc (read))) +(classmapping constrainipcsubject read (msgq (read))) +(classmapping constrainipcsubject read (sem (read))) +(classmapping constrainipcsubject read (shm (read))) + +(classmapping constrainipcsubject setattr (ipc (setattr))) +(classmapping constrainipcsubject setattr (msgq (setattr))) +(classmapping constrainipcsubject setattr (sem (setattr))) +(classmapping constrainipcsubject setattr (shm (setattr))) + +(classmapping constrainipcsubject write (ipc (write))) +(classmapping constrainipcsubject write (msgq (write))) +(classmapping constrainipcsubject write (sem (write))) +(classmapping constrainipcsubject write (shm (write))) + +(in ibac + + (constrain (constrainipcsubject (create)) + (or (or (or (eq u1 u2) + (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in invalid.unconfined + + (allow typeattr .invalid (ipc (all))) + (allow typeattr .invalid (msgq (all))) + (allow typeattr .invalid (sem (all))) + (allow typeattr .invalid (shm (all)))) + +(in mcs + + (mlsconstrain (constrainipcsubject (create getattr read setattr write)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in rbac + + (constrain (constrainipcsubject (create)) + (or (or (or (eq r1 r2) + (and (eq t1 subjchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in rbacsep + + (constrain (constrainipcsubject (getattr read setattr write)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) + +(in subj.unconfined + + (allow typeattr subj.typeattr (ipc (all))) + (allow typeattr subj.typeattr (msgq (all))) + (allow typeattr subj.typeattr (sem (all))) + (allow typeattr subj.typeattr (shm (all)))) diff --git a/src/misc/av/kernelserviceav.cil b/src/misc/av/kernelserviceav.cil new file mode 100644 index 0000000..ece6b3e --- /dev/null +++ b/src/misc/av/kernelserviceav.cil @@ -0,0 +1,48 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class kernel_service (create_files_as use_as_override)) +(classorder (unordered kernel_service)) + +(macro createfilesas_invalid_kernel_services ((type ARG1)) + (allow ARG1 invalid (kernel_service (create_files_as)))) + +(macro createfilesas_unlabeled_kernel_services ((type ARG1)) + (allow ARG1 unlabeled (kernel_service (create_files_as)))) + +(macro useasoverride_invalid_kernel_services ((type ARG1)) + (allow ARG1 invalid (kernel_service (use_as_override)))) + +(in file + + (blockinherit all_macro_template_kernel_services) + + (block all_macro_template_kernel_services + + (blockabstract all_macro_template_kernel_services) + + (macro createfileas_all_kernel_services ((type ARG1)) + (allow ARG1 typeattr (kernel_service (create_files_as))))) + + (block macro_template_kernel_services + + (blockabstract macro_template_kernel_services) + + (macro createfileas_file_kernel_services ((type ARG1)) + (allow ARG1 file (kernel_service (create_files_as)))))) + +(in file.unconfined + + (allow typeattr file.typeattr (kernel_service (create_files_as)))) + +(in invalid.unconfined + + (allow typeattr .invalid (kernel_service (all)))) + +(in subj.unconfined + + (allow typeattr subj.typeattr (kernel_service (use_as_override)))) + +(in unlabeled.unconfined + + (allow typeattr .unlabeled (kernel_service (create_files_as)))) diff --git a/src/misc/av/keyav.cil b/src/misc/av/keyav.cil new file mode 100644 index 0000000..2d8bf4c --- /dev/null +++ b/src/misc/av/keyav.cil @@ -0,0 +1,46 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class key (create link read search setattr view write)) +(classorder (unordered key)) + +(in ibac + + (constrain (key (create)) + (or (or (or (eq u1 u2) + (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in invalid.unconfined + + (allow typeattr .invalid (key (all)))) + +(in mcs + + (mlsconstrain (key (create read setattr view write)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in rbac + + (constrain (key (create)) + (or (or (or (eq r1 r2) + (and (eq t1 subjchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in rbacsep + + (constrain (key (read setattr view write)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) + +(in subj.unconfined + + (allow typeattr subj.typeattr (key (all)))) diff --git a/src/misc/av/memprotectav.cil b/src/misc/av/memprotectav.cil new file mode 100644 index 0000000..a0ab2b8 --- /dev/null +++ b/src/misc/av/memprotectav.cil @@ -0,0 +1,25 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class memprotect (mmap_zero)) +(classorder (unordered memprotect)) + +(in subj + + (block mmapzero + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr self (memprotect (mmap_zero))))) + +(in subj.unconfined + + (allow typeattr self (memprotect (all))) + + (call mmapzero.type (typeattr))) diff --git a/src/misc/av/msgav.cil b/src/misc/av/msgav.cil new file mode 100644 index 0000000..f16260d --- /dev/null +++ b/src/misc/av/msgav.cil @@ -0,0 +1,31 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class msg (receive send)) +(classorder (unordered msg)) + +(defaultrole msg source) + +(in invalid.unconfined + + (allow typeattr .invalid (msg (all)))) + +(in mcs + + (mlsconstrain (msg (send)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in rbacsep + + (constrain (msg (send)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) + +(in subj.unconfined + + (allow typeattr subj.typeattr (msg (all)))) diff --git a/src/misc/av/perfeventav.cil b/src/misc/av/perfeventav.cil new file mode 100644 index 0000000..1946d80 --- /dev/null +++ b/src/misc/av/perfeventav.cil @@ -0,0 +1,30 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class perf_event (cpu kernel open read tracepoint write)) +(classorder (unordered perf_event)) + +(in invalid.unconfined + + (allow typeattr .invalid (perf_event (read write)))) + +(in mcs + + (mlsconstrain (perf_event (read write)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in rbacsep + + (constrain (perf_event (read write)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) + +(in subj.unconfined + + (allow typeattr self (perf_event (not (read write)))) + (allow typeattr subj.typeattr (perf_event (read write)))) diff --git a/src/misc/av/socketav.cil b/src/misc/av/socketav.cil new file mode 100644 index 0000000..047f970 --- /dev/null +++ b/src/misc/av/socketav.cil @@ -0,0 +1,1601 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class alg_socket ()) +(classorder (unordered alg_socket)) + +(class appletalk_socket ()) +(classorder (unordered appletalk_socket)) + +(class atmpvc_socket ()) +(classorder (unordered atmpvc_socket)) + +(class atmsvc_socket ()) +(classorder (unordered atmsvc_socket)) + +(class ax25_socket ()) +(classorder (unordered ax25_socket)) + +(class bluetooth_socket ()) +(classorder (unordered bluetooth_socket)) + +(class caif_socket ()) +(classorder (unordered caif_socket)) + +(class can_socket ()) +(classorder (unordered can_socket)) + +(class dccp_socket (name_connect node_bind)) +(classorder (unordered dccp_socket)) + +(class decnet_socket ()) +(classorder (unordered decnet_socket)) + +(class icmp_socket (node_bind)) +(classorder (unordered icmp_socket)) + +(class ieee802154_socket ()) +(classorder (unordered ieee802154_socket)) + +(class ipx_socket ()) +(classorder (unordered ipx_socket)) + +(class irda_socket ()) +(classorder (unordered irda_socket)) + +(class isdn_socket ()) +(classorder (unordered isdn_socket)) + +(class iucv_socket ()) +(classorder (unordered iucv_socket)) + +(class kcm_socket ()) +(classorder (unordered kcm_socket)) + +(class key_socket ()) +(classorder (unordered key_socket)) + +(class llc_socket ()) +(classorder (unordered llc_socket)) + +(class mctp_socket ()) +(classorder (unordered mctp_socket)) + +(class netlink_audit_socket + (nlmsg_read nlmsg_readpriv nlmsg_relay nlmsg_tty_audit nlmsg_write)) +(classorder (unordered netlink_audit_socket)) + +(class netlink_connector_socket ()) +(classorder (unordered netlink_connector_socket)) + +(class netlink_crypto_socket ()) +(classorder (unordered netlink_crypto_socket)) + +(class netlink_dnrt_socket ()) +(classorder (unordered netlink_dnrt_socket)) + +(class netlink_fib_lookup_socket ()) +(classorder (unordered netlink_fib_lookup_socket)) + +(class netlink_generic_socket ()) +(classorder (unordered netlink_generic_socket)) + +(class netlink_iscsi_socket ()) +(classorder (unordered netlink_iscsi_socket)) + +(class netlink_kobject_uevent_socket ()) +(classorder (unordered netlink_kobject_uevent_socket)) + +(class netlink_netfilter_socket ()) +(classorder (unordered netlink_netfilter_socket)) + +(class netlink_nflog_socket ()) +(classorder (unordered netlink_nflog_socket)) + +(class netlink_rdma_socket ()) +(classorder (unordered netlink_rdma_socket)) + +(class netlink_route_socket (nlmsg_read nlmsg_write)) +(classorder (unordered netlink_route_socket)) + +(class netlink_scsitransport_socket ()) +(classorder (unordered netlink_scsitransport_socket)) + +(class netlink_selinux_socket ()) +(classorder (unordered netlink_selinux_socket)) + +(class netlink_socket ()) +(classorder (unordered netlink_socket)) + +(class netlink_tcpdiag_socket (nlmsg_read nlmsg_write)) +(classorder (unordered netlink_tcpdiag_socket)) + +(class netlink_xfrm_socket (nlmsg_read nlmsg_write)) +(classorder (unordered netlink_xfrm_socket)) + +(class netrom_socket ()) +(classorder (unordered netrom_socket)) + +(class nfc_socket ()) +(classorder (unordered nfc_socket)) + +(class packet_socket ()) +(classorder (unordered packet_socket)) + +(class phonet_socket ()) +(classorder (unordered phonet_socket)) + +(class pppox_socket ()) +(classorder (unordered pppox_socket)) + +(class qipcrtr_socket ()) +(classorder (unordered qipcrtr_socket)) + +(class rawip_socket (node_bind)) +(classorder (unordered rawip_socket)) + +(class rds_socket ()) +(classorder (unordered rds_socket)) + +(class rose_socket ()) +(classorder (unordered rose_socket)) + +(class rxrpc_socket ()) +(classorder (unordered rxrpc_socket)) + +(class sctp_socket (association name_connect node_bind)) +(classorder (unordered sctp_socket)) + +(class smc_socket ()) +(classorder (unordered smc_socket)) + +(class socket ()) +(classorder (unordered socket)) + +(class tcp_socket (name_connect node_bind)) +(classorder (unordered tcp_socket)) + +(class tipc_socket ()) +(classorder (unordered tipc_socket)) + +(class tun_socket (attach_queue)) +(classorder (unordered tun_socket)) + +(class udp_socket (node_bind)) +(classorder (unordered udp_socket)) + +(class unix_dgram_socket ()) +(classorder (unordered unix_dgram_socket)) + +(class unix_stream_socket (connectto)) +(classorder (unordered unix_stream_socket)) + +(class vsock_socket ()) +(classorder (unordered vsock_socket)) + +(class x25_socket ()) +(classorder (unordered x25_socket)) + +(class xdp_socket ()) +(classorder (unordered xdp_socket)) + +(classcommon alg_socket common_socket) +(classcommon appletalk_socket common_socket) +(classcommon atmpvc_socket common_socket) +(classcommon atmsvc_socket common_socket) +(classcommon ax25_socket common_socket) +(classcommon bluetooth_socket common_socket) +(classcommon caif_socket common_socket) +(classcommon can_socket common_socket) +(classcommon dccp_socket common_socket) +(classcommon decnet_socket common_socket) +(classcommon icmp_socket common_socket) +(classcommon ieee802154_socket common_socket) +(classcommon ipx_socket common_socket) +(classcommon irda_socket common_socket) +(classcommon isdn_socket common_socket) +(classcommon iucv_socket common_socket) +(classcommon kcm_socket common_socket) +(classcommon key_socket common_socket) +(classcommon llc_socket common_socket) +(classcommon mctp_socket common_socket) +(classcommon netlink_audit_socket common_socket) +(classcommon netlink_connector_socket common_socket) +(classcommon netlink_crypto_socket common_socket) +(classcommon netlink_dnrt_socket common_socket) +(classcommon netlink_fib_lookup_socket common_socket) +(classcommon netlink_generic_socket common_socket) +(classcommon netlink_iscsi_socket common_socket) +(classcommon netlink_kobject_uevent_socket common_socket) +(classcommon netlink_netfilter_socket common_socket) +(classcommon netlink_nflog_socket common_socket) +(classcommon netlink_rdma_socket common_socket) +(classcommon netlink_route_socket common_socket) +(classcommon netlink_scsitransport_socket common_socket) +(classcommon netlink_selinux_socket common_socket) +(classcommon netlink_socket common_socket) +(classcommon netlink_tcpdiag_socket common_socket) +(classcommon netlink_xfrm_socket common_socket) +(classcommon netrom_socket common_socket) +(classcommon nfc_socket common_socket) +(classcommon packet_socket common_socket) +(classcommon phonet_socket common_socket) +(classcommon pppox_socket common_socket) +(classcommon qipcrtr_socket common_socket) +(classcommon rawip_socket common_socket) +(classcommon rds_socket common_socket) +(classcommon rose_socket common_socket) +(classcommon rxrpc_socket common_socket) +(classcommon sctp_socket common_socket) +(classcommon smc_socket common_socket) +(classcommon socket common_socket) +(classcommon tcp_socket common_socket) +(classcommon tipc_socket common_socket) +(classcommon tun_socket common_socket) +(classcommon udp_socket common_socket) +(classcommon unix_dgram_socket common_socket) +(classcommon unix_stream_socket common_socket) +(classcommon vsock_socket common_socket) +(classcommon x25_socket common_socket) +(classcommon xdp_socket common_socket) + +(common common_socket + (accept append bind connect create getattr getopt ioctl listen lock map + name_bind read recvfrom relabelfrom relabelto sendto setattr + setopt shutdown write)) + +(classpermission create_alg_socket) +(classpermission create_alg_stream_socket) +(classpermission create_appletalk_socket) +(classpermission create_atmpvc_socket) +(classpermission create_atmsvc_socket) +(classpermission create_ax25_socket) +(classpermission create_bluetooth_socket) +(classpermission create_bluetooth_stream_socket) +(classpermission create_caif_socket) +(classpermission create_can_socket) +(classpermission create_dccp_socket) +(classpermission create_dccp_stream_socket) +(classpermission create_decnet_socket) +(classpermission create_icmp_socket) +(classpermission create_ieee802154_socket) +(classpermission create_ipx_socket) +(classpermission create_irda_socket) +(classpermission create_isdn_socket) +(classpermission create_iucv_socket) +(classpermission create_kcm_socket) +(classpermission create_key_socket) +(classpermission create_llc_socket) +(classpermission create_mctp_socket) +(classpermission create_netrom_socket) +(classpermission create_nfc_socket) +(classpermission create_netlink_audit_socket) +(classpermission create_netlink_connector_socket) +(classpermission create_netlink_crypto_socket) +(classpermission create_netlink_dnrt_socket) +(classpermission create_netlink_fib_lookup_socket) +(classpermission create_netlink_generic_socket) +(classpermission create_netlink_iscsi_socket) +(classpermission create_netlink_kobject_uevent_socket) +(classpermission create_netlink_netfilter_socket) +(classpermission create_netlink_nflog_socket) +(classpermission create_netlink_rdma_socket) +(classpermission create_netlink_route_socket) +(classpermission create_netlink_scsitransport_socket) +(classpermission create_netlink_selinux_socket) +(classpermission create_netlink_socket) +(classpermission create_netlink_tcpdiag_socket) +(classpermission create_netlink_xfrm_socket) +(classpermission create_packet_socket) +(classpermission create_phonet_socket) +(classpermission create_pppox_socket) +(classpermission create_qipcrtr_socket) +(classpermission create_rawip_socket) +(classpermission create_rds_socket) +(classpermission create_rose_socket) +(classpermission create_rxrpc_socket) +(classpermission create_sctp_socket) +(classpermission create_sctp_stream_socket) +(classpermission create_smc_socket) +(classpermission create_socket) +(classpermission create_tcp_socket) +(classpermission create_tcp_stream_socket) +(classpermission create_tipc_socket) +(classpermission create_tun_socket) +(classpermission create_udp_socket) +(classpermission create_unix_dgram_socket) +(classpermission create_unix_stream_socket) +(classpermission create_unix_stream_stream_socket) +(classpermission create_vsock_socket) +(classpermission create_vsock_stream_socket) +(classpermission create_x25_socket) +(classpermission create_xdp_socket) + +(classpermission readwrite_alg_socket) +(classpermission readwrite_bluetooth_socket) +(classpermission readwrite_dccp_socket) +(classpermission readwrite_netlink_audit_socket) +(classpermission readwrite_sctp_socket) +(classpermission readwrite_tcp_socket) +(classpermission readwrite_tun_socket) +(classpermission readwrite_unix_dgram_socket) +(classpermission readwrite_unix_stream_socket) +(classpermission readwrite_vsock_socket) + +(classpermission write_alg_socket) +(classpermission write_bluetooth_socket) +(classpermission write_dccp_socket) +(classpermission write_sctp_socket) +(classpermission write_tcp_socket) +(classpermission write_tun_socket) +(classpermission write_unix_dgram_socket) +(classpermission write_unix_stream_socket) +(classpermission write_vsock_socket) + +(classpermissionset create_alg_socket + (alg_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_alg_stream_socket + (alg_socket (accept append bind connect create getattr + getopt ioctl listen read setattr setopt + shutdown write))) +(classpermissionset create_appletalk_socket + (appletalk_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_atmpvc_socket + (atmpvc_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_atmsvc_socket + (atmsvc_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_ax25_socket + (ax25_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_bluetooth_socket + (bluetooth_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_bluetooth_stream_socket + (bluetooth_socket (accept append bind connect create getattr + getopt ioctl listen read setattr + setopt shutdown write))) +(classpermissionset create_caif_socket + (caif_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_can_socket + (can_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_dccp_socket + (dccp_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_dccp_stream_socket + (dccp_socket (accept append bind connect create getattr + getopt ioctl listen read setattr setopt + shutdown write))) +(classpermissionset create_decnet_socket + (decnet_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_icmp_socket + (icmp_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_ieee802154_socket + (ieee802154_socket (append bind connect create getattr + getopt ioctl read setattr setopt + shutdown write))) +(classpermissionset create_ipx_socket + (ipx_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_irda_socket + (irda_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_isdn_socket + (isdn_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_iucv_socket + (iucv_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_kcm_socket + (kcm_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_key_socket + (key_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_llc_socket + (llc_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_mctp_socket + (mctp_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_netlink_audit_socket + (netlink_audit_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_connector_socket + (netlink_connector_socket (append bind connect create + getattr getopt ioctl read + setattr setopt shutdown + write))) +(classpermissionset create_netlink_crypto_socket + (netlink_crypto_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_dnrt_socket + (netlink_dnrt_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_fib_lookup_socket + (netlink_fib_lookup_socket (append bind connect create + getattr getopt ioctl + read setattr setopt + shutdown write))) +(classpermissionset create_netlink_generic_socket + (netlink_generic_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_iscsi_socket + (netlink_iscsi_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_kobject_uevent_socket + (netlink_kobject_uevent_socket (append bind connect create + getattr getopt ioctl + read setattr setopt + shutdown write))) +(classpermissionset create_netlink_netfilter_socket + (netlink_netfilter_socket (append bind connect create + getattr getopt ioctl read + setattr setopt shutdown + write))) +(classpermissionset create_netlink_nflog_socket + (netlink_nflog_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_rdma_socket + (netlink_rdma_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_route_socket + (netlink_route_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_scsitransport_socket + (netlink_scsitransport_socket (append bind connect create + getattr getopt ioctl + read setattr setopt + shutdown write))) +(classpermissionset create_netlink_selinux_socket + (netlink_selinux_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_socket + (netlink_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_netlink_tcpdiag_socket + (netlink_tcpdiag_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netlink_xfrm_socket + (netlink_xfrm_socket (append bind connect create getattr + getopt ioctl read setattr + setopt shutdown write))) +(classpermissionset create_netrom_socket + (netrom_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_nfc_socket + (nfc_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_packet_socket + (packet_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_phonet_socket + (phonet_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_pppox_socket + (pppox_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_qipcrtr_socket + (qipcrtr_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_rawip_socket + (rawip_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_rds_socket + (rds_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_rose_socket + (rose_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_rxrpc_socket + (rxrpc_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_sctp_socket + (sctp_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_sctp_stream_socket + (sctp_socket (accept append bind connect create getattr + getopt ioctl listen read setattr setopt + shutdown write))) +(classpermissionset create_smc_socket + (smc_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_socket + (socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_tcp_socket + (tcp_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_tcp_stream_socket + (tcp_socket (accept append bind connect create getattr + getopt ioctl listen read setattr setopt + shutdown write))) +(classpermissionset create_tipc_socket + (tipc_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_tun_socket + (tun_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_udp_socket + (udp_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_unix_dgram_socket + (unix_dgram_socket (append bind connect create getattr + getopt ioctl read setattr setopt + shutdown write))) +(classpermissionset create_unix_stream_socket + (unix_stream_socket (append bind connect create getattr + getopt ioctl read setattr setopt + shutdown write))) +(classpermissionset create_unix_stream_stream_socket + (unix_stream_socket (accept append bind connect create + getattr getopt ioctl listen read + setattr setopt shutdown write))) +(classpermissionset create_vsock_socket + (vsock_socket (append bind connect create getattr getopt + ioctl read setattr setopt shutdown + write))) +(classpermissionset create_vsock_stream_socket + (vsock_socket (accept append bind connect create getattr + getopt ioctl listen read setattr + setopt shutdown write))) +(classpermissionset create_x25_socket + (x25_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) +(classpermissionset create_xdp_socket + (xdp_socket (append bind connect create getattr getopt ioctl + read setattr setopt shutdown write))) + +(classpermissionset readwrite_alg_socket + (alg_socket (append bind connect getattr getopt ioctl read + setopt shutdown write))) +(classpermissionset readwrite_bluetooth_socket + (bluetooth_socket (append bind connect getattr getopt ioctl + read setopt shutdown write))) +(classpermissionset readwrite_dccp_socket + (dccp_socket (append bind connect getattr getopt ioctl read + setopt shutdown write))) +(classpermissionset readwrite_netlink_audit_socket + (netlink_audit_socket (append bind connect getattr getopt + ioctl read setopt shutdown + write))) +(classpermissionset readwrite_sctp_socket + (sctp_socket (append bind connect getattr getopt ioctl read + setopt shutdown write))) +(classpermissionset readwrite_tcp_socket + (tcp_socket (append bind connect getattr getopt ioctl read + setopt shutdown write))) +(classpermissionset readwrite_tun_socket + (tun_socket (append bind connect getattr getopt ioctl read + setopt shutdown write))) +(classpermissionset readwrite_unix_dgram_socket + (unix_dgram_socket (append bind connect getattr getopt ioctl + read setopt shutdown write))) +(classpermissionset readwrite_unix_stream_socket + (unix_stream_socket (append bind connect getattr getopt + ioctl read setopt shutdown + write))) +(classpermissionset readwrite_vsock_socket + (vsock_socket (append bind connect getattr getopt ioctl + read setopt shutdown write))) + +(classpermissionset write_alg_socket + (alg_socket (append bind connect getattr getopt ioctl setopt + shutdown write))) +(classpermissionset write_bluetooth_socket + (bluetooth_socket (append bind connect getattr getopt ioctl + setopt shutdown write))) +(classpermissionset write_dccp_socket + (dccp_socket (append bind connect getattr getopt ioctl + setopt shutdown write))) +(classpermissionset write_sctp_socket + (sctp_socket (append bind connect getattr getopt ioctl + setopt shutdown write))) +(classpermissionset write_tcp_socket + (tcp_socket (append bind connect getattr getopt ioctl setopt + shutdown write))) +(classpermissionset write_tun_socket + (tun_socket (append bind connect getattr getopt ioctl setopt + shutdown write))) +(classpermissionset write_unix_dgram_socket + (unix_dgram_socket (append bind connect getattr getopt ioctl + setopt shutdown write))) +(classpermissionset write_unix_stream_socket + (unix_stream_socket (append bind connect getattr getopt + ioctl setopt shutdown write))) +(classpermissionset write_vsock_socket + (vsock_socket (append bind connect getattr getopt ioctl + setopt shutdown write))) + +(classmap constrainsocketobject (nameconnect nodebind)) +(classmap constrainsocketsubject + (append association attachqueue connectto create getattr read + relabelto sendto setattr write)) + +(classmap sockets (common getattr)) + +(classmapping constrainsocketobject nameconnect (dccp_socket (name_connect))) +(classmapping constrainsocketobject nameconnect (sctp_socket (name_connect))) +(classmapping constrainsocketobject nameconnect (tcp_socket (name_connect))) + +(classmapping constrainsocketobject nodebind (dccp_socket (node_bind))) +(classmapping constrainsocketobject nodebind (icmp_socket (node_bind))) +(classmapping constrainsocketobject nodebind (rawip_socket (node_bind))) +(classmapping constrainsocketobject nodebind (sctp_socket (node_bind))) +(classmapping constrainsocketobject nodebind (tcp_socket (node_bind))) +(classmapping constrainsocketobject nodebind (udp_socket (node_bind))) + +(classmapping constrainsocketsubject append (alg_socket (append))) +(classmapping constrainsocketsubject append (appletalk_socket (append))) +(classmapping constrainsocketsubject append (atmpvc_socket (append))) +(classmapping constrainsocketsubject append (atmsvc_socket (append))) +(classmapping constrainsocketsubject append (ax25_socket (append))) +(classmapping constrainsocketsubject append (bluetooth_socket (append))) +(classmapping constrainsocketsubject append (caif_socket (append))) +(classmapping constrainsocketsubject append (can_socket (append))) +(classmapping constrainsocketsubject append (dccp_socket (append))) +(classmapping constrainsocketsubject append (decnet_socket (append))) +(classmapping constrainsocketsubject append (icmp_socket (append))) +(classmapping constrainsocketsubject append (ieee802154_socket (append))) +(classmapping constrainsocketsubject append (ipx_socket (append))) +(classmapping constrainsocketsubject append (irda_socket (append))) +(classmapping constrainsocketsubject append (isdn_socket (append))) +(classmapping constrainsocketsubject append (iucv_socket (append))) +(classmapping constrainsocketsubject append (kcm_socket (append))) +(classmapping constrainsocketsubject append (key_socket (append))) +(classmapping constrainsocketsubject append (llc_socket (append))) +(classmapping constrainsocketsubject append (mctp_socket (append))) +(classmapping constrainsocketsubject append (netlink_audit_socket (append))) +(classmapping constrainsocketsubject append (netlink_connector_socket (append))) +(classmapping constrainsocketsubject append (netlink_crypto_socket (append))) +(classmapping constrainsocketsubject append (netlink_dnrt_socket (append))) +(classmapping constrainsocketsubject append + (netlink_fib_lookup_socket (append))) +(classmapping constrainsocketsubject append (netlink_generic_socket (append))) +(classmapping constrainsocketsubject append (netlink_iscsi_socket (append))) +(classmapping constrainsocketsubject append + (netlink_kobject_uevent_socket (append))) +(classmapping constrainsocketsubject append (netlink_netfilter_socket (append))) +(classmapping constrainsocketsubject append (netlink_nflog_socket (append))) +(classmapping constrainsocketsubject append (netlink_rdma_socket (append))) +(classmapping constrainsocketsubject append (netlink_route_socket (append))) +(classmapping constrainsocketsubject append + (netlink_scsitransport_socket (append))) +(classmapping constrainsocketsubject append (netlink_selinux_socket (append))) +(classmapping constrainsocketsubject append (netlink_socket (append))) +(classmapping constrainsocketsubject append (netlink_tcpdiag_socket (append))) +(classmapping constrainsocketsubject append (netlink_xfrm_socket (append))) +(classmapping constrainsocketsubject append (netrom_socket (append))) +(classmapping constrainsocketsubject append (nfc_socket (append))) +(classmapping constrainsocketsubject append (packet_socket (append))) +(classmapping constrainsocketsubject append (phonet_socket (append))) +(classmapping constrainsocketsubject append (pppox_socket (append))) +(classmapping constrainsocketsubject append (qipcrtr_socket (append))) +(classmapping constrainsocketsubject append (rawip_socket (append))) +(classmapping constrainsocketsubject append (rds_socket (append))) +(classmapping constrainsocketsubject append (rose_socket (append))) +(classmapping constrainsocketsubject append (rxrpc_socket (append))) +(classmapping constrainsocketsubject append (sctp_socket (append))) +(classmapping constrainsocketsubject append (smc_socket (append))) +(classmapping constrainsocketsubject append (socket (append))) +(classmapping constrainsocketsubject append (tcp_socket (append))) +(classmapping constrainsocketsubject append (tipc_socket (append))) +(classmapping constrainsocketsubject append (tun_socket (append))) +(classmapping constrainsocketsubject append (udp_socket (append))) +(classmapping constrainsocketsubject append (unix_dgram_socket (append))) +(classmapping constrainsocketsubject append (unix_stream_socket (append))) +(classmapping constrainsocketsubject append (vsock_socket (append))) +(classmapping constrainsocketsubject append (x25_socket (append))) +(classmapping constrainsocketsubject append (xdp_socket (append))) + +(classmapping constrainsocketsubject + association (sctp_socket (association))) + +(classmapping constrainsocketsubject + attachqueue (tun_socket (attach_queue))) + +(classmapping constrainsocketsubject + connectto (unix_stream_socket (connectto))) + +(classmapping constrainsocketsubject create (alg_socket (create))) +(classmapping constrainsocketsubject create (appletalk_socket (create))) +(classmapping constrainsocketsubject create (atmpvc_socket (create))) +(classmapping constrainsocketsubject create (atmsvc_socket (create))) +(classmapping constrainsocketsubject create (ax25_socket (create))) +(classmapping constrainsocketsubject create (bluetooth_socket (create))) +(classmapping constrainsocketsubject create (caif_socket (create))) +(classmapping constrainsocketsubject create (can_socket (create))) +(classmapping constrainsocketsubject create (dccp_socket (create))) +(classmapping constrainsocketsubject create (decnet_socket (create))) +(classmapping constrainsocketsubject create (icmp_socket (create))) +(classmapping constrainsocketsubject create (ieee802154_socket (create))) +(classmapping constrainsocketsubject create (ipx_socket (create))) +(classmapping constrainsocketsubject create (irda_socket (create))) +(classmapping constrainsocketsubject create (isdn_socket (create))) +(classmapping constrainsocketsubject create (iucv_socket (create))) +(classmapping constrainsocketsubject create (kcm_socket (create))) +(classmapping constrainsocketsubject create (key_socket (create))) +(classmapping constrainsocketsubject create (llc_socket (create))) +(classmapping constrainsocketsubject create (mctp_socket (create))) +(classmapping constrainsocketsubject create (netlink_audit_socket (create))) +(classmapping constrainsocketsubject create (netlink_connector_socket (create))) +(classmapping constrainsocketsubject create (netlink_crypto_socket (create))) +(classmapping constrainsocketsubject create (netlink_dnrt_socket (create))) +(classmapping constrainsocketsubject create + (netlink_fib_lookup_socket (create))) +(classmapping constrainsocketsubject create (netlink_generic_socket (create))) +(classmapping constrainsocketsubject create (netlink_iscsi_socket (create))) +(classmapping constrainsocketsubject create + (netlink_kobject_uevent_socket (create))) +(classmapping constrainsocketsubject create (netlink_netfilter_socket (create))) +(classmapping constrainsocketsubject create (netlink_nflog_socket (create))) +(classmapping constrainsocketsubject create (netlink_rdma_socket (create))) +(classmapping constrainsocketsubject create (netlink_route_socket (create))) +(classmapping constrainsocketsubject create + (netlink_scsitransport_socket (create))) +(classmapping constrainsocketsubject create (netlink_selinux_socket (create))) +(classmapping constrainsocketsubject create (netlink_socket (create))) +(classmapping constrainsocketsubject create (netlink_tcpdiag_socket (create))) +(classmapping constrainsocketsubject create (netlink_xfrm_socket (create))) +(classmapping constrainsocketsubject create (netrom_socket (create))) +(classmapping constrainsocketsubject create (nfc_socket (create))) +(classmapping constrainsocketsubject create (packet_socket (create))) +(classmapping constrainsocketsubject create (phonet_socket (create))) +(classmapping constrainsocketsubject create (pppox_socket (create))) +(classmapping constrainsocketsubject create (qipcrtr_socket (create))) +(classmapping constrainsocketsubject create (rawip_socket (create))) +(classmapping constrainsocketsubject create (rds_socket (create))) +(classmapping constrainsocketsubject create (rose_socket (create))) +(classmapping constrainsocketsubject create (rxrpc_socket (create))) +(classmapping constrainsocketsubject create (sctp_socket (create))) +(classmapping constrainsocketsubject create (smc_socket (create))) +(classmapping constrainsocketsubject create (socket (create))) +(classmapping constrainsocketsubject create (tcp_socket (create))) +(classmapping constrainsocketsubject create (tipc_socket (create))) +(classmapping constrainsocketsubject create (tun_socket (create))) +(classmapping constrainsocketsubject create (udp_socket (create))) +(classmapping constrainsocketsubject create (unix_dgram_socket (create))) +(classmapping constrainsocketsubject create (unix_stream_socket (create))) +(classmapping constrainsocketsubject create (vsock_socket (create))) +(classmapping constrainsocketsubject create (x25_socket (create))) +(classmapping constrainsocketsubject create (xdp_socket (create))) + +(classmapping constrainsocketsubject getattr (alg_socket (getattr))) +(classmapping constrainsocketsubject getattr (appletalk_socket (getattr))) +(classmapping constrainsocketsubject getattr (atmpvc_socket (getattr))) +(classmapping constrainsocketsubject getattr (atmsvc_socket (getattr))) +(classmapping constrainsocketsubject getattr (ax25_socket (getattr))) +(classmapping constrainsocketsubject getattr (bluetooth_socket (getattr))) +(classmapping constrainsocketsubject getattr (caif_socket (getattr))) +(classmapping constrainsocketsubject getattr (can_socket (getattr))) +(classmapping constrainsocketsubject getattr (dccp_socket (getattr))) +(classmapping constrainsocketsubject getattr (decnet_socket (getattr))) +(classmapping constrainsocketsubject getattr (icmp_socket (getattr))) +(classmapping constrainsocketsubject getattr (ieee802154_socket (getattr))) +(classmapping constrainsocketsubject getattr (ipx_socket (getattr))) +(classmapping constrainsocketsubject getattr (irda_socket (getattr))) +(classmapping constrainsocketsubject getattr (isdn_socket (getattr))) +(classmapping constrainsocketsubject getattr (iucv_socket (getattr))) +(classmapping constrainsocketsubject getattr (kcm_socket (getattr))) +(classmapping constrainsocketsubject getattr (key_socket (getattr))) +(classmapping constrainsocketsubject getattr (llc_socket (getattr))) +(classmapping constrainsocketsubject getattr (mctp_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_audit_socket (getattr))) +(classmapping constrainsocketsubject getattr + (netlink_connector_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_crypto_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_dnrt_socket (getattr))) +(classmapping constrainsocketsubject getattr + (netlink_fib_lookup_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_generic_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_iscsi_socket (getattr))) +(classmapping constrainsocketsubject getattr + (netlink_kobject_uevent_socket (getattr))) +(classmapping constrainsocketsubject getattr + (netlink_netfilter_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_nflog_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_rdma_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_route_socket (getattr))) +(classmapping constrainsocketsubject getattr + (netlink_scsitransport_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_selinux_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_tcpdiag_socket (getattr))) +(classmapping constrainsocketsubject getattr (netlink_xfrm_socket (getattr))) +(classmapping constrainsocketsubject getattr (netrom_socket (getattr))) +(classmapping constrainsocketsubject getattr (nfc_socket (getattr))) +(classmapping constrainsocketsubject getattr (packet_socket (getattr))) +(classmapping constrainsocketsubject getattr (phonet_socket (getattr))) +(classmapping constrainsocketsubject getattr (pppox_socket (getattr))) +(classmapping constrainsocketsubject getattr (process (getattr))) +(classmapping constrainsocketsubject getattr (qipcrtr_socket (getattr))) +(classmapping constrainsocketsubject getattr (rawip_socket (getattr))) +(classmapping constrainsocketsubject getattr (rds_socket (getattr))) +(classmapping constrainsocketsubject getattr (rose_socket (getattr))) +(classmapping constrainsocketsubject getattr (rxrpc_socket (getattr))) +(classmapping constrainsocketsubject getattr (sctp_socket (getattr))) +(classmapping constrainsocketsubject getattr (smc_socket (getattr))) +(classmapping constrainsocketsubject getattr (socket (getattr))) +(classmapping constrainsocketsubject getattr (tcp_socket (getattr))) +(classmapping constrainsocketsubject getattr (tipc_socket (getattr))) +(classmapping constrainsocketsubject getattr (tun_socket (getattr))) +(classmapping constrainsocketsubject getattr (udp_socket (getattr))) +(classmapping constrainsocketsubject getattr (unix_dgram_socket (getattr))) +(classmapping constrainsocketsubject getattr (unix_stream_socket (getattr))) +(classmapping constrainsocketsubject getattr (vsock_socket (getattr))) +(classmapping constrainsocketsubject getattr (x25_socket (getattr))) +(classmapping constrainsocketsubject getattr (xdp_socket (getattr))) + +(classmapping constrainsocketsubject read (alg_socket (read))) +(classmapping constrainsocketsubject read (appletalk_socket (read))) +(classmapping constrainsocketsubject read (atmpvc_socket (read))) +(classmapping constrainsocketsubject read (atmsvc_socket (read))) +(classmapping constrainsocketsubject read (ax25_socket (read))) +(classmapping constrainsocketsubject read (bluetooth_socket (read))) +(classmapping constrainsocketsubject read (caif_socket (read))) +(classmapping constrainsocketsubject read (can_socket (read))) +(classmapping constrainsocketsubject read (dccp_socket (read))) +(classmapping constrainsocketsubject read (decnet_socket (read))) +(classmapping constrainsocketsubject read (icmp_socket (read))) +(classmapping constrainsocketsubject read (ieee802154_socket (read))) +(classmapping constrainsocketsubject read (ipx_socket (read))) +(classmapping constrainsocketsubject read (irda_socket (read))) +(classmapping constrainsocketsubject read (isdn_socket (read))) +(classmapping constrainsocketsubject read (iucv_socket (read))) +(classmapping constrainsocketsubject read (kcm_socket (read))) +(classmapping constrainsocketsubject read (key_socket (read))) +(classmapping constrainsocketsubject read (llc_socket (read))) +(classmapping constrainsocketsubject read (mctp_socket (read))) +(classmapping constrainsocketsubject read (netlink_audit_socket (read))) +(classmapping constrainsocketsubject read (netlink_connector_socket (read))) +(classmapping constrainsocketsubject read (netlink_crypto_socket (read))) +(classmapping constrainsocketsubject read (netlink_dnrt_socket (read))) +(classmapping constrainsocketsubject read (netlink_fib_lookup_socket (read))) +(classmapping constrainsocketsubject read (netlink_generic_socket (read))) +(classmapping constrainsocketsubject read (netlink_iscsi_socket (read))) +(classmapping constrainsocketsubject read + (netlink_kobject_uevent_socket (read))) +(classmapping constrainsocketsubject read (netlink_netfilter_socket (read))) +(classmapping constrainsocketsubject read (netlink_nflog_socket (read))) +(classmapping constrainsocketsubject read (netlink_rdma_socket (read))) +(classmapping constrainsocketsubject read (netlink_route_socket (read))) +(classmapping constrainsocketsubject read (netlink_scsitransport_socket (read))) +(classmapping constrainsocketsubject read (netlink_selinux_socket (read))) +(classmapping constrainsocketsubject read (netlink_socket (read))) +(classmapping constrainsocketsubject read (netlink_tcpdiag_socket (read))) +(classmapping constrainsocketsubject read (netlink_xfrm_socket (read))) +(classmapping constrainsocketsubject read (netrom_socket (read))) +(classmapping constrainsocketsubject read (nfc_socket (read))) +(classmapping constrainsocketsubject read (packet_socket (read))) +(classmapping constrainsocketsubject read (phonet_socket (read))) +(classmapping constrainsocketsubject read (pppox_socket (read))) +(classmapping constrainsocketsubject read (qipcrtr_socket (read))) +(classmapping constrainsocketsubject read (rawip_socket (read))) +(classmapping constrainsocketsubject read (rds_socket (read))) +(classmapping constrainsocketsubject read (rose_socket (read))) +(classmapping constrainsocketsubject read (rxrpc_socket (read))) +(classmapping constrainsocketsubject read (sctp_socket (read))) +(classmapping constrainsocketsubject read (smc_socket (read))) +(classmapping constrainsocketsubject read (socket (read))) +(classmapping constrainsocketsubject read (tcp_socket (read))) +(classmapping constrainsocketsubject read (tipc_socket (read))) +(classmapping constrainsocketsubject read (tun_socket (read))) +(classmapping constrainsocketsubject read (udp_socket (read))) +(classmapping constrainsocketsubject read (unix_dgram_socket (read))) +(classmapping constrainsocketsubject read (unix_stream_socket (read))) +(classmapping constrainsocketsubject read (vsock_socket (read))) +(classmapping constrainsocketsubject read (x25_socket (read))) +(classmapping constrainsocketsubject read (xdp_socket (read))) + +(classmapping constrainsocketsubject relabelto (alg_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (appletalk_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (atmpvc_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (atmsvc_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (ax25_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (bluetooth_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (caif_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (can_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (dccp_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (decnet_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (icmp_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (ieee802154_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (ipx_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (irda_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (isdn_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (iucv_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (kcm_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (key_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (llc_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (mctp_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_audit_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_connector_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_crypto_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_dnrt_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_fib_lookup_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_generic_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_iscsi_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_kobject_uevent_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_netfilter_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_nflog_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_rdma_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_route_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_scsitransport_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_selinux_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (netlink_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_tcpdiag_socket (relabelto))) +(classmapping constrainsocketsubject relabelto + (netlink_xfrm_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (netrom_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (nfc_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (packet_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (phonet_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (pppox_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (qipcrtr_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (rawip_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (rds_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (rose_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (rxrpc_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (sctp_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (smc_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (socket (relabelto))) +(classmapping constrainsocketsubject relabelto (tcp_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (tipc_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (tun_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (udp_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (unix_dgram_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (unix_stream_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (vsock_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (x25_socket (relabelto))) +(classmapping constrainsocketsubject relabelto (xdp_socket (relabelto))) + +(classmapping constrainsocketsubject sendto (unix_dgram_socket (sendto))) + +(classmapping constrainsocketsubject setattr (alg_socket (setattr))) +(classmapping constrainsocketsubject setattr (appletalk_socket (setattr))) +(classmapping constrainsocketsubject setattr (atmpvc_socket (setattr))) +(classmapping constrainsocketsubject setattr (atmsvc_socket (setattr))) +(classmapping constrainsocketsubject setattr (ax25_socket (setattr))) +(classmapping constrainsocketsubject setattr (bluetooth_socket (setattr))) +(classmapping constrainsocketsubject setattr (caif_socket (setattr))) +(classmapping constrainsocketsubject setattr (can_socket (setattr))) +(classmapping constrainsocketsubject setattr (dccp_socket (setattr))) +(classmapping constrainsocketsubject setattr (decnet_socket (setattr))) +(classmapping constrainsocketsubject setattr (icmp_socket (setattr))) +(classmapping constrainsocketsubject setattr (ieee802154_socket (setattr))) +(classmapping constrainsocketsubject setattr (ipx_socket (setattr))) +(classmapping constrainsocketsubject setattr (irda_socket (setattr))) +(classmapping constrainsocketsubject setattr (isdn_socket (setattr))) +(classmapping constrainsocketsubject setattr (iucv_socket (setattr))) +(classmapping constrainsocketsubject setattr (kcm_socket (setattr))) +(classmapping constrainsocketsubject setattr (key_socket (setattr))) +(classmapping constrainsocketsubject setattr (llc_socket (setattr))) +(classmapping constrainsocketsubject setattr (mctp_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_audit_socket (setattr))) +(classmapping constrainsocketsubject setattr + (netlink_connector_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_crypto_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_dnrt_socket (setattr))) +(classmapping constrainsocketsubject setattr + (netlink_fib_lookup_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_generic_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_iscsi_socket (setattr))) +(classmapping constrainsocketsubject setattr + (netlink_kobject_uevent_socket (setattr))) +(classmapping constrainsocketsubject setattr + (netlink_netfilter_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_nflog_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_rdma_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_route_socket (setattr))) +(classmapping constrainsocketsubject setattr + (netlink_scsitransport_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_selinux_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_tcpdiag_socket (setattr))) +(classmapping constrainsocketsubject setattr (netlink_xfrm_socket (setattr))) +(classmapping constrainsocketsubject setattr (netrom_socket (setattr))) +(classmapping constrainsocketsubject setattr (nfc_socket (setattr))) +(classmapping constrainsocketsubject setattr (packet_socket (setattr))) +(classmapping constrainsocketsubject setattr (phonet_socket (setattr))) +(classmapping constrainsocketsubject setattr (pppox_socket (setattr))) +(classmapping constrainsocketsubject setattr (qipcrtr_socket (setattr))) +(classmapping constrainsocketsubject setattr (rawip_socket (setattr))) +(classmapping constrainsocketsubject setattr (rds_socket (setattr))) +(classmapping constrainsocketsubject setattr (rose_socket (setattr))) +(classmapping constrainsocketsubject setattr (rxrpc_socket (setattr))) +(classmapping constrainsocketsubject setattr (sctp_socket (setattr))) +(classmapping constrainsocketsubject setattr (smc_socket (setattr))) +(classmapping constrainsocketsubject setattr (socket (setattr))) +(classmapping constrainsocketsubject setattr (tcp_socket (setattr))) +(classmapping constrainsocketsubject setattr (tipc_socket (setattr))) +(classmapping constrainsocketsubject setattr (tun_socket (setattr))) +(classmapping constrainsocketsubject setattr (udp_socket (setattr))) +(classmapping constrainsocketsubject setattr (unix_dgram_socket (setattr))) +(classmapping constrainsocketsubject setattr (unix_stream_socket (setattr))) +(classmapping constrainsocketsubject setattr (vsock_socket (setattr))) +(classmapping constrainsocketsubject setattr (x25_socket (setattr))) +(classmapping constrainsocketsubject setattr (xdp_socket (setattr))) + +(classmapping constrainsocketsubject write (alg_socket (write))) +(classmapping constrainsocketsubject write (appletalk_socket (write))) +(classmapping constrainsocketsubject write (atmpvc_socket (write))) +(classmapping constrainsocketsubject write (atmsvc_socket (write))) +(classmapping constrainsocketsubject write (ax25_socket (write))) +(classmapping constrainsocketsubject write (bluetooth_socket (write))) +(classmapping constrainsocketsubject write (caif_socket (write))) +(classmapping constrainsocketsubject write (can_socket (write))) +(classmapping constrainsocketsubject write (dccp_socket (write))) +(classmapping constrainsocketsubject write (decnet_socket (write))) +(classmapping constrainsocketsubject write (icmp_socket (write))) +(classmapping constrainsocketsubject write (ieee802154_socket (write))) +(classmapping constrainsocketsubject write (ipx_socket (write))) +(classmapping constrainsocketsubject write (irda_socket (write))) +(classmapping constrainsocketsubject write (isdn_socket (write))) +(classmapping constrainsocketsubject write (iucv_socket (write))) +(classmapping constrainsocketsubject write (kcm_socket (write))) +(classmapping constrainsocketsubject write (key_socket (write))) +(classmapping constrainsocketsubject write (llc_socket (write))) +(classmapping constrainsocketsubject write (mctp_socket (write))) +(classmapping constrainsocketsubject write (netlink_audit_socket (write))) +(classmapping constrainsocketsubject write (netlink_connector_socket (write))) +(classmapping constrainsocketsubject write (netlink_crypto_socket (write))) +(classmapping constrainsocketsubject write (netlink_dnrt_socket (write))) +(classmapping constrainsocketsubject write (netlink_fib_lookup_socket (write))) +(classmapping constrainsocketsubject write (netlink_generic_socket (write))) +(classmapping constrainsocketsubject write (netlink_iscsi_socket (write))) +(classmapping constrainsocketsubject write + (netlink_kobject_uevent_socket (write))) +(classmapping constrainsocketsubject write (netlink_netfilter_socket (write))) +(classmapping constrainsocketsubject write (netlink_nflog_socket (write))) +(classmapping constrainsocketsubject write (netlink_rdma_socket (write))) +(classmapping constrainsocketsubject write (netlink_route_socket (write))) +(classmapping constrainsocketsubject write + (netlink_scsitransport_socket (write))) +(classmapping constrainsocketsubject write (netlink_selinux_socket (write))) +(classmapping constrainsocketsubject write (netlink_socket (write))) +(classmapping constrainsocketsubject write (netlink_tcpdiag_socket (write))) +(classmapping constrainsocketsubject write (netlink_xfrm_socket (write))) +(classmapping constrainsocketsubject write (netrom_socket (write))) +(classmapping constrainsocketsubject write (nfc_socket (write))) +(classmapping constrainsocketsubject write (packet_socket (write))) +(classmapping constrainsocketsubject write (phonet_socket (write))) +(classmapping constrainsocketsubject write (pppox_socket (write))) +(classmapping constrainsocketsubject write (qipcrtr_socket (write))) +(classmapping constrainsocketsubject write (rawip_socket (write))) +(classmapping constrainsocketsubject write (rds_socket (write))) +(classmapping constrainsocketsubject write (rose_socket (write))) +(classmapping constrainsocketsubject write (rxrpc_socket (write))) +(classmapping constrainsocketsubject write (sctp_socket (write))) +(classmapping constrainsocketsubject write (smc_socket (write))) +(classmapping constrainsocketsubject write (socket (write))) +(classmapping constrainsocketsubject write (tcp_socket (write))) +(classmapping constrainsocketsubject write (tipc_socket (write))) +(classmapping constrainsocketsubject write (tun_socket (write))) +(classmapping constrainsocketsubject write (udp_socket (write))) +(classmapping constrainsocketsubject write (unix_dgram_socket (write))) +(classmapping constrainsocketsubject write (unix_stream_socket (write))) +(classmapping constrainsocketsubject write (vsock_socket (write))) +(classmapping constrainsocketsubject write (x25_socket (write))) +(classmapping constrainsocketsubject write (xdp_socket (write))) + +(classmapping sockets common + (alg_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (appletalk_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (atmpvc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (atmsvc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (ax25_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (bluetooth_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (caif_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (can_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (dccp_socket (not (accept listen map name_connect name_bind + node_bind relabelfrom relabelto recvfrom + sendto)))) +(classmapping sockets common + (decnet_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (icmp_socket (not (accept listen map name_bind node_bind + relabelfrom relabelto recvfrom + sendto)))) +(classmapping sockets common + (ieee802154_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (ipx_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (irda_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (isdn_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (iucv_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (kcm_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (key_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (llc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (mctp_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (netlink_audit_socket (not (accept listen map name_bind nlmsg_read + nlmsg_readpriv nlmsg_relay + nlmsg_tty_audit nlmsg_write + relabelfrom relabelto recvfrom + sendto)))) +(classmapping sockets common + (netlink_connector_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_crypto_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_dnrt_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_fib_lookup_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_generic_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_iscsi_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_kobject_uevent_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_netfilter_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_nflog_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_rdma_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_route_socket (not (accept listen map name_bind nlmsg_read + nlmsg_write relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (netlink_scsitransport_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_selinux_socket (not (accept listen map name_bind + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (netlink_tcpdiag_socket (not (accept listen map name_bind + nlmsg_read nlmsg_write + relabelfrom relabelto + recvfrom sendto)))) +(classmapping sockets common + (netlink_xfrm_socket (not (accept listen map name_bind nlmsg_read + nlmsg_write relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (netrom_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (nfc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (packet_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (phonet_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (pppox_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (qipcrtr_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (rawip_socket (not (accept listen map name_bind node_bind + relabelfrom relabelto recvfrom + sendto)))) +(classmapping sockets common + (rds_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (rose_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (rxrpc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (sctp_socket (not (accept association listen map name_connect + name_bind node_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (smc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (tcp_socket (not (accept listen map name_connect name_bind + node_bind relabelfrom relabelto recvfrom + sendto)))) +(classmapping sockets common + (tipc_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (tun_socket (not (accept attach_queue listen map name_bind + relabelfrom relabelto recvfrom sendto)))) +(classmapping sockets common + (udp_socket (not (accept listen map name_bind node_bind + relabelfrom relabelto recvfrom sendto)))) +(classmapping sockets common + (unix_dgram_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (unix_stream_socket (not (accept connectto listen map name_bind + relabelfrom relabelto recvfrom + sendto)))) +(classmapping sockets common + (vsock_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (x25_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) +(classmapping sockets common + (xdp_socket (not (accept listen map name_bind relabelfrom + relabelto recvfrom sendto)))) + +(classmapping sockets getattr (ax25_socket (getattr))) +(classmapping sockets getattr (alg_socket (getattr))) +(classmapping sockets getattr (appletalk_socket (getattr))) +(classmapping sockets getattr (atmpvc_socket (getattr))) +(classmapping sockets getattr (atmsvc_socket (getattr))) +(classmapping sockets getattr (bluetooth_socket (getattr))) +(classmapping sockets getattr (caif_socket (getattr))) +(classmapping sockets getattr (can_socket (getattr))) +(classmapping sockets getattr (dccp_socket (getattr))) +(classmapping sockets getattr (decnet_socket (getattr))) +(classmapping sockets getattr (icmp_socket (getattr))) +(classmapping sockets getattr (ieee802154_socket (getattr))) +(classmapping sockets getattr (ipx_socket (getattr))) +(classmapping sockets getattr (irda_socket (getattr))) +(classmapping sockets getattr (isdn_socket (getattr))) +(classmapping sockets getattr (iucv_socket (getattr))) +(classmapping sockets getattr (kcm_socket (getattr))) +(classmapping sockets getattr (key_socket (getattr))) +(classmapping sockets getattr (llc_socket (getattr))) +(classmapping sockets getattr (mctp_socket (getattr))) +(classmapping sockets getattr (netlink_audit_socket (getattr))) +(classmapping sockets getattr (netlink_connector_socket (getattr))) +(classmapping sockets getattr (netlink_crypto_socket (getattr))) +(classmapping sockets getattr (netlink_dnrt_socket (getattr))) +(classmapping sockets getattr (netlink_fib_lookup_socket (getattr))) +(classmapping sockets getattr (netlink_generic_socket (getattr))) +(classmapping sockets getattr (netlink_iscsi_socket (getattr))) +(classmapping sockets getattr (netlink_kobject_uevent_socket (getattr))) +(classmapping sockets getattr (netlink_netfilter_socket (getattr))) +(classmapping sockets getattr (netlink_nflog_socket (getattr))) +(classmapping sockets getattr (netlink_rdma_socket (getattr))) +(classmapping sockets getattr (netlink_route_socket (getattr))) +(classmapping sockets getattr (netlink_scsitransport_socket (getattr))) +(classmapping sockets getattr (netlink_selinux_socket (getattr))) +(classmapping sockets getattr (netlink_socket (getattr))) +(classmapping sockets getattr (netlink_tcpdiag_socket (getattr))) +(classmapping sockets getattr (netlink_xfrm_socket (getattr))) +(classmapping sockets getattr (netrom_socket (getattr))) +(classmapping sockets getattr (nfc_socket (getattr))) +(classmapping sockets getattr (packet_socket (getattr))) +(classmapping sockets getattr (phonet_socket (getattr))) +(classmapping sockets getattr (pppox_socket (getattr))) +(classmapping sockets getattr (qipcrtr_socket (getattr))) +(classmapping sockets getattr (rawip_socket (getattr))) +(classmapping sockets getattr (rds_socket (getattr))) +(classmapping sockets getattr (rose_socket (getattr))) +(classmapping sockets getattr (rxrpc_socket (getattr))) +(classmapping sockets getattr (sctp_socket (getattr))) +(classmapping sockets getattr (smc_socket (getattr))) +(classmapping sockets getattr (socket (getattr))) +(classmapping sockets getattr (tcp_socket (getattr))) +(classmapping sockets getattr (tipc_socket (getattr))) +(classmapping sockets getattr (tun_socket (getattr))) +(classmapping sockets getattr (udp_socket (getattr))) +(classmapping sockets getattr (unix_dgram_socket (getattr))) +(classmapping sockets getattr (unix_stream_socket (getattr))) +(classmapping sockets getattr (vsock_socket (getattr))) +(classmapping sockets getattr (x25_socket (getattr))) +(classmapping sockets getattr (xdp_socket (getattr))) + +(macro association_invalid_sctp_sockets ((type ARG1)) + (allow ARG1 invalid (sctp_socket (association)))) + +(macro connectto_invalid_unix_stream_sockets ((type ARG1)) + (allow ARG1 invalid (unix_stream_socket (connectto)))) + +(macro getattr_invalid_sockets ((type ARG1)) + (allow ARG1 invalid (sockets (getattr)))) + +(macro namebind_invalid_dccp_sockets ((type ARG1)) + (allow ARG1 invalid (dccp_socket (name_bind)))) + +(macro namebind_invalid_icmp_sockets ((type ARG1)) + (allow ARG1 invalid (icmp_socket (name_bind)))) + +(macro namebind_invalid_rawip_sockets ((type ARG1)) + (allow ARG1 invalid (rawip_socket (name_bind)))) + +(macro namebind_invalid_sctp_sockets ((type ARG1)) + (allow ARG1 invalid (sctp_socket (name_bind)))) + +(macro namebind_invalid_tcp_sockets ((type ARG1)) + (allow ARG1 invalid (tcp_socket (name_bind)))) + +(macro namebind_invalid_udp_sockets ((type ARG1)) + (allow ARG1 invalid (udp_socket (name_bind)))) + +(macro nameconnect_invalid_dccp_sockets ((type ARG1)) + (allow ARG1 invalid (dccp_socket (name_connect)))) + +(macro nameconnect_invalid_sctp_sockets ((type ARG1)) + (allow ARG1 invalid (sctp_socket (name_connect)))) + +(macro nameconnect_invalid_tcp_sockets ((type ARG1)) + (allow ARG1 invalid (tcp_socket (name_connect)))) + +(macro nodebind_invalid_dccp_sockets ((type ARG1)) + (allow ARG1 invalid (dccp_socket (node_bind)))) + +(macro nodebind_invalid_icmp_sockets ((type ARG1)) + (allow ARG1 invalid (icmp_socket (node_bind)))) + +(macro nodebind_invalid_rawip_sockets ((type ARG1)) + (allow ARG1 invalid (rawip_socket (node_bind)))) + +(macro nodebind_invalid_sctp_sockets ((type ARG1)) + (allow ARG1 invalid (sctp_socket (node_bind)))) + +(macro nodebind_invalid_tcp_sockets ((type ARG1)) + (allow ARG1 invalid (tcp_socket (node_bind)))) + +(macro nodebind_invalid_udp_sockets ((type ARG1)) + (allow ARG1 invalid (udp_socket (node_bind)))) + +(macro readwrite_invalid_unix_dgram_sockets ((type ARG1)) + (allow ARG1 invalid readwrite_unix_dgram_socket)) + +(macro readwrite_invalid_unix_stream_sockets ((type ARG1)) + (allow ARG1 invalid readwrite_unix_stream_socket)) + +(macro sendto_invalid_unix_dgram_sockets ((type ARG1)) + (allow ARG1 invalid (unix_dgram_socket (sendto)))) + +(macro write_invalid_unix_dgram_sockets ((type ARG1)) + (allow ARG1 invalid write_unix_dgram_socket)) + +(macro write_invalid_unix_stream_sockets ((type ARG1)) + (allow ARG1 invalid write_unix_stream_socket)) + +(in ibac + + (constrain (constrainsocketsubject (create relabelto)) + (or (or (or (eq u1 u2) + (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in invalid.unconfined + + (allow typeattr .invalid (sockets (common))) + (allow typeattr .invalid (alg_socket (accept listen))) + (allow typeattr .invalid (bluetooth_socket (accept listen))) + (allow typeattr .invalid + (dccp_socket (accept listen name_bind name_connect node_bind))) + (allow typeattr .invalid (icmp_socket (name_bind node_bind))) + (allow typeattr .invalid (rawip_socket (name_bind node_bind))) + (allow typeattr .invalid + (sctp_socket (association accept listen name_bind name_connect + node_bind))) + (allow typeattr .invalid (udp_socket (name_bind node_bind))) + (allow typeattr .invalid + (tcp_socket (accept listen name_bind name_connect node_bind))) + (allow typeattr .invalid (tun_socket (attach_queue))) + (allow typeattr .invalid (unix_dgram_socket (sendto))) + (allow typeattr .invalid (unix_stream_socket (accept connectto listen))) + (allow typeattr .invalid (vsock_socket (accept listen)))) + +(in mcs + + (mlsconstrain (constrainsocketobject (nameconnect nodebind)) + (or (dom h1 h2) + (neq t1 constrained.typeattr))) + + (mlsconstrain + (constrainsocketsubject (append association attachqueue connectto create + getattr read relabelto sendto setattr + write)) + (or (dom h1 h2) + (neq t1 constrained.typeattr)))) + +(in rbac + + (constrain (constrainsocketsubject (create relabelto)) + (or (or (or (eq r1 r2) + (and (eq t1 subjchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 subjchange.typeattr)) + (eq t1 exempt.typeattr)))) + +(in rbacsep + + (constrain (constrainsocketsubject (append getattr read setattr write)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr))))) + +(in subj.all_macro_template + + (macro association_all_sctp_sockets ((type ARG1)) + (allow ARG1 typeattr (sctp_socket (association)))) + + (macro connectto_all_unix_stream_sockets ((type ARG1)) + (allow ARG1 typeattr (unix_stream_socket (connectto)))) + + (macro getattr_all_sockets ((type ARG1)) + (allow ARG1 typeattr (sockets (getattr)))) + + (macro readwrite_all_unix_dgram_sockets ((type ARG1)) + (allow ARG1 typeattr readwrite_unix_dgram_socket)) + + (macro readwrite_all_unix_stream_sockets ((type ARG1)) + (allow ARG1 typeattr readwrite_unix_stream_socket)) + + (macro sendto_all_unix_dgram_sockets ((type ARG1)) + (allow ARG1 typeattr (unix_dgram_socket (sendto)))) + + (macro write_all_unix_dgram_sockets ((type ARG1)) + (allow ARG1 typeattr write_unix_dgram_socket)) + + (macro write_all_unix_stream_sockets ((type ARG1)) + (allow ARG1 typeattr write_unix_stream_socket))) + +(in subj.macro_template + + (macro association_subj_sctp_sockets ((type ARG1)) + (allow ARG1 subj (sctp_socket (association)))) + + (macro connectto_subj_unix_stream_sockets ((type ARG1)) + (allow ARG1 subj (unix_stream_socket (connectto)))) + + (macro getattr_subj_sockets ((type ARG1)) + (allow ARG1 subj (sockets (getattr)))) + + (macro readwrite_subj_unix_dgram_sockets ((type ARG1)) + (allow ARG1 subj readwrite_unix_dgram_socket)) + + (macro readwrite_subj_unix_stream_sockets ((type ARG1)) + (allow ARG1 subj readwrite_unix_stream_socket)) + + (macro sendto_subj_unix_dgram_sockets ((type ARG1)) + (allow ARG1 subj (unix_dgram_socket (sendto)))) + + (macro write_subj_unix_dgram_sockets ((type ARG1)) + (allow ARG1 subj write_unix_dgram_socket)) + + (macro write_subj_unix_stream_sockets ((type ARG1)) + (allow ARG1 subj write_unix_stream_socket))) + +(in subj.unconfined + + (allow typeattr self + (netlink_audit_socket (nlmsg_read nlmsg_readpriv nlmsg_relay + nlmsg_tty_audit nlmsg_write))) + (allow typeattr self (netlink_route_socket (nlmsg_read nlmsg_write))) + (allow typeattr self (netlink_tcpdiag_socket (nlmsg_read nlmsg_write))) + (allow typeattr self (netlink_xfrm_socket (nlmsg_read nlmsg_write))) + (allow typeattr self (packet_socket (map))) + (allow typeattr self (tun_socket (relabelto))) + + (allow typeattr subj.typeattr (alg_socket (accept listen))) + (allow typeattr subj.typeattr (bluetooth_socket (accept listen))) + (allow typeattr subj.typeattr (dccp_socket (accept listen))) + (allow typeattr subj.typeattr (sctp_socket (association accept listen))) + (allow typeattr subj.typeattr (sockets (common))) + (allow typeattr subj.typeattr (tcp_socket (accept listen))) + (allow typeattr subj.typeattr (tun_socket (attach_queue relabelfrom))) + (allow typeattr subj.typeattr (unix_dgram_socket (sendto))) + (allow typeattr subj.typeattr + (unix_stream_socket (accept connectto listen))) + (allow typeattr subj.typeattr (vsock_socket (accept listen)))) diff --git a/src/misc/av/systemav.cil b/src/misc/av/systemav.cil new file mode 100644 index 0000000..ef9de4c --- /dev/null +++ b/src/misc/av/systemav.cil @@ -0,0 +1,60 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class system + (halt ipc_info module_load module_request reboot reload start status + stop syslog_console syslog_mod syslog_read)) +(classorder (unordered system)) + +(in sys + + (macro ipcinfo_system ((type ARG1)) + (allow ARG1 subj (system (ipc_info)))) + + (macro modulerequest_system ((type ARG1)) + (allow ARG1 subj (system (module_request)))) + + (macro syslogconsole_system ((type ARG1)) + (allow ARG1 subj (system (syslog_console)))) + + (macro syslogmod_system ((type ARG1)) + (allow ARG1 subj (system (syslog_mod)))) + + (macro syslogread_system ((type ARG1)) + (allow ARG1 subj (system (syslog_read)))) + + (block moduleload + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute not_typeattr) + (typeattribute typeattr) + + (typeattributeset not_typeattr (not typeattr)) + + (neverallow not_typeattr self (system (module_load)))) + + (block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (allow typeattr self (system (module_load))) + (allow typeattr subj + (system (ipc_info module_request syslog_console syslog_mod + syslog_read))) + + ;; potentially happens in autorelabel.target on policy model change + (allow typeattr .invalid (system (module_load))) + + ;; potentially happens in autorelabel.target on fresh install + (allow typeattr .unlabeled (system (module_load))) + + (call moduleload.type (typeattr)))) + +(in unconfined + + (call .sys.unconfined.type (typeattr))) diff --git a/src/misc/av/usernamespaceav.cil b/src/misc/av/usernamespaceav.cil new file mode 100644 index 0000000..c390313 --- /dev/null +++ b/src/misc/av/usernamespaceav.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(class user_namespace (create)) +(classorder (unordered user_namespace)) + +(in subj.unconfined + + (allow typeattr self (user_namespace (create)))) diff --git a/src/misc/conf.cil b/src/misc/conf.cil new file mode 100644 index 0000000..f7c70d4 --- /dev/null +++ b/src/misc/conf.cil @@ -0,0 +1,16 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(handleunknown allow) +(mls true) + +(policycap "always_check_network") +(policycap "cgroup_seclabel") +(policycap "extended_socket_class") +(policycap "genfs_seclabel_symlinks") +(policycap "network_peer_controls") +(policycap "nnp_nosuid_transition") +(policycap "open_perms") + +;; SELinux 3.4/Linux 5.18 +;; (policycap "ioctl_skip_cloexec") diff --git a/src/misc/constrain/ibac.cil b/src/misc/constrain/ibac.cil new file mode 100644 index 0000000..ae2d4b8 --- /dev/null +++ b/src/misc/constrain/ibac.cil @@ -0,0 +1,84 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(block ibac + + (constrain (constrainobject (create relabelto)) + (or (or (or (eq u1 u2) + (and (eq t1 objchangesys.typeattr) + (eq u2 .sys.id))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr))) + + (constrain (process (dyntransition transition)) + (or (or (or (eq u1 u2) + (and (eq t1 subjchange.typeattr) + (eq t2 subjchangetarget.typeattr))) + (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id))) + (eq t1 exempt.typeattr))) + + (block change + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call objchange.type (typeattr)) + (call subjchange.type (typeattr))) + + (block changesys + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call objchangesys.type (typeattr)) + (call subjchangesys.type (typeattr))) + + (block exempt + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block objchange + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block objchangesys + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block subjchange + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block subjchangesys + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block subjchangetarget + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) + +(in subj.unconfined + + (call .ibac.exempt.type (typeattr))) diff --git a/src/misc/constrain/mcs.cil b/src/misc/constrain/mcs.cil new file mode 100644 index 0000000..849d525 --- /dev/null +++ b/src/misc/constrain/mcs.cil @@ -0,0 +1,38 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(defaultrange blk_file source low) +(defaultrange chr_file source low) +(defaultrange dir source low) +(defaultrange fifo_file source low) +(defaultrange file source low) +(defaultrange lnk_file source low) +(defaultrange sock_file source low) + +(block mcs + + (mlsconstrain (constrainobject (create relabelto)) + (or (neq t1 constrained.typeattr) + (and (dom h1 h2) (eq l2 h2)))) + + (mlsconstrain (constrainobject (append getattr read setattr write)) + (or (dom h1 h2) + (neq t1 constrained.typeattr))) + + (mlsconstrain + (process (dyntransition getrlimit getsched ptrace setrlimit setsched + sigchld sigkill signal signull sigstop + transition)) + (or (dom h1 h2) + (neq t1 constrained.typeattr))) + + (mlsconstrain (fifo_file (append getattr read write setattr)) + (or (dom h1 h2) + (neq t1 constrained.typeattr))) + + (block constrained + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) diff --git a/src/misc/constrain/rbac.cil b/src/misc/constrain/rbac.cil new file mode 100644 index 0000000..790d554 --- /dev/null +++ b/src/misc/constrain/rbac.cil @@ -0,0 +1,84 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(block rbac + + (constrain (constrainobject (create relabelto)) + (or (or (or (eq r1 r2) + (and (eq t1 objchangesys.typeattr) + (eq r2 .sys.role))) + (eq t1 objchange.typeattr)) + (eq t1 exempt.typeattr))) + + (constrain (process (dyntransition transition)) + (or (or (or (eq r1 r2) + (and (eq t1 subjchange.typeattr) + (eq t2 subjchangetarget.typeattr))) + (and (eq t1 subjchangesys.typeattr) (eq r2 .sys.role))) + (eq t1 exempt.typeattr))) + + (block change + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call objchange.type (typeattr)) + (call subjchange.type (typeattr))) + + (block changesys + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (call objchangesys.type (typeattr)) + (call subjchangesys.type (typeattr))) + + (block exempt + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block objchange + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block objchangesys + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block subjchange + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block subjchangesys + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block subjchangetarget + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) + +(in subj.unconfined + + (call .rbac.exempt.type (typeattr))) diff --git a/src/misc/constrain/rbacsep.cil b/src/misc/constrain/rbacsep.cil new file mode 100644 index 0000000..a3e1b6f --- /dev/null +++ b/src/misc/constrain/rbacsep.cil @@ -0,0 +1,112 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(block rbacsep + + (constrain (fifo_file (append getattr read setattr write)) + (or (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (eq t2 exempt.obj.typeattr)) + (and (eq t1 exemptsource.typeattr) + (eq t2 exempttarget.typeattr)))) + + (constrain (constrainobject (append setattr write)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (eq t2 exempt.obj.typeattr))) + + (constrain (constrainobject (getattr read)) + (or (or (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) + (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (eq t2 exempt.obj.typeattr)) + (and (eq r2 exempt.roleattr) (eq t2 typeattr))) + (and + (eq t1 readstatesource.typeattr) + (eq t2 readstatetarget.typeattr)))) + + (constrain + (process (getrlimit getsched ptrace setrlimit setsched sigchld sigkill + signal signull sigstop)) + (or (or (or (eq r1 r2) + (and (eq r1 exempt.roleattr) (neq t1 constrained.typeattr))) + (eq t1 exempt.subj.typeattr)) + (and (eq t1 exemptsource.typeattr) (eq t2 exempttarget.typeattr)))) + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr) + + (block constrained + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block exempt + + (macro role ((role ARG1)) + (roleattributeset roleattr ARG1)) + + (roleattribute roleattr) + + (block obj + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block subj + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) + + (block exemptsource + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block exempttarget + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block readstatesource + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) + + (block readstatetarget + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr))) + +(in obj + + (call .rbacsep.type (typeattr))) + +(in subj.unconfined + + (call .rbacsep.exempt.subj.type (typeattr))) + +(in sys + + (call .rbacsep.exempt.role (role))) diff --git a/src/misc/default.cil b/src/misc/default.cil new file mode 100644 index 0000000..da5851a --- /dev/null +++ b/src/misc/default.cil @@ -0,0 +1,10 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(defaultrole blk_file source) +(defaultrole chr_file source) +(defaultrole dir source) +(defaultrole fifo_file source) +(defaultrole file source) +(defaultrole lnk_file source) +(defaultrole sock_file source) diff --git a/src/misc/isid.cil b/src/misc/isid.cil new file mode 100644 index 0000000..e369a87 --- /dev/null +++ b/src/misc/isid.cil @@ -0,0 +1,37 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(sid devnull) +(sid file) +(sid kernel) +(sid netif) +(sid netmsg) +(sid node) +(sid port) +(sid security) +(sid unlabeled) + +(sid any_socket) +(sid file_labels) +(sid fs) +(sid icmp_socket) +(sid igmp_packet) +(sid init) +(sid kmod) +(sid policy) +(sid scmp_packet) +(sid sysctl) +(sid sysctl_dev) +(sid sysctl_fs) +(sid sysctl_kernel) +(sid sysctl_modprobe) +(sid sysctl_net) +(sid sysctl_net_unix) +(sid sysctl_vm) +(sid tcp_socket) + +(sidorder + (kernel security unlabeled fs file file_labels init any_socket port netif + netmsg node igmp_packet icmp_socket tcp_socket sysctl_modprobe sysctl + sysctl_fs sysctl_kernel sysctl_net sysctl_net_unix sysctl_vm sysctl_dev + kmod policy scmp_packet devnull)) diff --git a/src/misc/map.cil b/src/misc/map.cil new file mode 100644 index 0000000..591084c --- /dev/null +++ b/src/misc/map.cil @@ -0,0 +1,161 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(classmap constrainobject (append create getattr read relabelto setattr write)) + +(classmap files + (create delete manage read readwrite relabel relabelfrom relabelto + rename watch write)) + +(classmapping constrainobject append (blk_file (append))) +(classmapping constrainobject append (chr_file (append))) +(classmapping constrainobject append (dir (append))) +(classmapping constrainobject append (file (append))) +(classmapping constrainobject append (lnk_file (append))) +(classmapping constrainobject append (sock_file (append))) + +(classmapping constrainobject create (blk_file (create))) +(classmapping constrainobject create (chr_file (create))) +(classmapping constrainobject create (dir (create))) +(classmapping constrainobject create (fifo_file (create))) +(classmapping constrainobject create (file (create))) +(classmapping constrainobject create (lnk_file (create))) +(classmapping constrainobject create (sock_file (create))) + +(classmapping constrainobject getattr (blk_file (getattr))) +(classmapping constrainobject getattr (chr_file (getattr))) +(classmapping constrainobject getattr (dir (getattr))) +(classmapping constrainobject getattr (file (getattr))) +(classmapping constrainobject getattr (lnk_file (getattr))) +(classmapping constrainobject getattr (sock_file (getattr))) + +(classmapping constrainobject read (blk_file (read))) +(classmapping constrainobject read (chr_file (read))) +(classmapping constrainobject read (dir (read))) +(classmapping constrainobject read (file (read))) +(classmapping constrainobject read (lnk_file (read))) +(classmapping constrainobject read (sock_file (read))) + +(classmapping constrainobject relabelto (blk_file (relabelto))) +(classmapping constrainobject relabelto (chr_file (relabelto))) +(classmapping constrainobject relabelto (dir (relabelto))) +(classmapping constrainobject relabelto (fifo_file (relabelto))) +(classmapping constrainobject relabelto (file (relabelto))) +(classmapping constrainobject relabelto (lnk_file (relabelto))) +(classmapping constrainobject relabelto (sock_file (relabelto))) + +(classmapping constrainobject setattr (blk_file (setattr))) +(classmapping constrainobject setattr (chr_file (setattr))) +(classmapping constrainobject setattr (dir (setattr))) +(classmapping constrainobject setattr (file (setattr))) +(classmapping constrainobject setattr (lnk_file (setattr))) +(classmapping constrainobject setattr (sock_file (setattr))) + +(classmapping constrainobject write (blk_file (write))) +(classmapping constrainobject write (chr_file (write))) +(classmapping constrainobject write (dir (write))) +(classmapping constrainobject write (file (write))) +(classmapping constrainobject write (lnk_file (write))) +(classmapping constrainobject write (sock_file (write))) + +(classmapping files create addname_dir) +(classmapping files create create_blk_file) +(classmapping files create create_chr_file) +(classmapping files create create_dir) +(classmapping files create create_fifo_file) +(classmapping files create create_file) +(classmapping files create create_lnk_file) +(classmapping files create create_sock_file) +(classmapping files create read_lnk_file) + +(classmapping files delete delete_blk_file) +(classmapping files delete delete_chr_file) +(classmapping files delete delete_dir) +(classmapping files delete delete_fifo_file) +(classmapping files delete delete_file) +(classmapping files delete delete_lnk_file) +(classmapping files delete delete_sock_file) +(classmapping files delete deletename_dir) +(classmapping files delete read_lnk_file) + +(classmapping files manage manage_blk_file) +(classmapping files manage manage_chr_file) +(classmapping files manage manage_dir) +(classmapping files manage manage_fifo_file) +(classmapping files manage manage_file) +(classmapping files manage manage_lnk_file) +(classmapping files manage manage_sock_file) +(classmapping files manage read_lnk_file) + +(classmapping files read list_dir) +(classmapping files read read_blk_file) +(classmapping files read read_chr_file) +(classmapping files read read_fifo_file) +(classmapping files read read_file) +(classmapping files read read_lnk_file) +(classmapping files read read_sock_file) + +(classmapping files readwrite readwrite_blk_file) +(classmapping files readwrite readwrite_chr_file) +(classmapping files readwrite readwrite_dir) +(classmapping files readwrite readwrite_fifo_file) +(classmapping files readwrite readwrite_file) +(classmapping files readwrite readwrite_lnk_file) +(classmapping files readwrite readwrite_sock_file) + +(classmapping files relabel read_lnk_file) +(classmapping files relabel relabel_blk_file) +(classmapping files relabel relabel_chr_file) +(classmapping files relabel relabel_dir) +(classmapping files relabel relabel_fifo_file) +(classmapping files relabel relabel_file) +(classmapping files relabel relabel_lnk_file) +(classmapping files relabel relabel_sock_file) +(classmapping files relabel search_dir) + +(classmapping files relabelfrom read_lnk_file) +(classmapping files relabelfrom relabelfrom_blk_file) +(classmapping files relabelfrom relabelfrom_chr_file) +(classmapping files relabelfrom relabelfrom_dir) +(classmapping files relabelfrom relabelfrom_fifo_file) +(classmapping files relabelfrom relabelfrom_file) +(classmapping files relabelfrom relabelfrom_lnk_file) +(classmapping files relabelfrom relabelfrom_sock_file) +(classmapping files relabelfrom search_dir) + +(classmapping files relabelto read_lnk_file) +(classmapping files relabelto relabelto_blk_file) +(classmapping files relabelto relabelto_chr_file) +(classmapping files relabelto relabelto_dir) +(classmapping files relabelto relabelto_fifo_file) +(classmapping files relabelto relabelto_file) +(classmapping files relabelto relabelto_lnk_file) +(classmapping files relabelto relabelto_sock_file) +(classmapping files relabelto search_dir) + +(classmapping files rename read_lnk_file) +(classmapping files rename readwrite_dir) +(classmapping files rename rename_blk_file) +(classmapping files rename rename_chr_file) +(classmapping files rename rename_dir) +(classmapping files rename rename_fifo_file) +(classmapping files rename rename_file) +(classmapping files rename rename_lnk_file) +(classmapping files rename rename_sock_file) + +(classmapping files watch (blk_file (watch))) +(classmapping files watch (chr_file (watch))) +(classmapping files watch (dir (watch))) +(classmapping files watch (fifo_file (watch))) +(classmapping files watch (file (watch))) +(classmapping files watch (lnk_file (watch))) +(classmapping files watch (sock_file (watch))) + +(classmapping files write read_lnk_file) +(classmapping files write write_blk_file) +(classmapping files write write_chr_file) +(classmapping files write write_dir) +(classmapping files write write_fifo_file) +(classmapping files write write_file) +(classmapping files write write_lnk_file) +(classmapping files write write_sock_file) diff --git a/src/misc/mls.cil b/src/misc/mls.cil new file mode 100644 index 0000000..c18f9a5 --- /dev/null +++ b/src/misc/mls.cil @@ -0,0 +1,1110 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(category c0) +(category c1) +(category c2) +(category c3) +(category c4) +(category c5) +(category c6) +(category c7) +(category c8) +(category c9) +(category c10) +(category c11) +(category c12) +(category c13) +(category c14) +(category c15) +(category c16) +(category c17) +(category c18) +(category c19) +(category c20) +(category c21) +(category c22) +(category c23) +(category c24) +(category c25) +(category c26) +(category c27) +(category c28) +(category c29) +(category c30) +(category c31) +(category c32) +(category c33) +(category c34) +(category c35) +(category c36) +(category c37) +(category c38) +(category c39) +(category c40) +(category c41) +(category c42) +(category c43) +(category c44) +(category c45) +(category c46) +(category c47) +(category c48) +(category c49) +(category c50) +(category c51) +(category c52) +(category c53) +(category c54) +(category c55) +(category c56) +(category c57) +(category c58) +(category c59) +(category c60) +(category c61) +(category c62) +(category c63) +(category c64) +(category c65) +(category c66) +(category c67) +(category c68) +(category c69) +(category c70) +(category c71) +(category c72) +(category c73) +(category c74) +(category c75) +(category c76) +(category c77) +(category c78) +(category c79) +(category c80) +(category c81) +(category c82) +(category c83) +(category c84) +(category c85) +(category c86) +(category c87) +(category c88) +(category c89) +(category c90) +(category c91) +(category c92) +(category c93) +(category c94) +(category c95) +(category c96) +(category c97) +(category c98) +(category c99) +(category c100) +(category c101) +(category c102) +(category c103) +(category c104) +(category c105) +(category c106) +(category c107) +(category c108) +(category c109) +(category c110) +(category c111) +(category c112) +(category c113) +(category c114) +(category c115) +(category c116) +(category c117) +(category c118) +(category c119) +(category c120) +(category c121) +(category c122) +(category c123) +(category c124) +(category c125) +(category c126) +(category c127) +(category c128) +(category c129) +(category c130) +(category c131) +(category c132) +(category c133) +(category c134) +(category c135) +(category c136) +(category c137) +(category c138) +(category c139) +(category c140) +(category c141) +(category c142) +(category c143) +(category c144) +(category c145) +(category c146) +(category c147) +(category c148) +(category c149) +(category c150) +(category c151) +(category c152) +(category c153) +(category c154) +(category c155) +(category c156) +(category c157) +(category c158) +(category c159) +(category c160) +(category c161) +(category c162) +(category c163) +(category c164) +(category c165) +(category c166) +(category c167) +(category c168) +(category c169) +(category c170) +(category c171) +(category c172) +(category c173) +(category c174) +(category c175) +(category c176) +(category c177) +(category c178) +(category c179) +(category c180) +(category c181) +(category c182) +(category c183) +(category c184) +(category c185) +(category c186) +(category c187) +(category c188) +(category c189) +(category c190) +(category c191) +(category c192) +(category c193) +(category c194) +(category c195) +(category c196) +(category c197) +(category c198) +(category c199) +(category c200) +(category c201) +(category c202) +(category c203) +(category c204) +(category c205) +(category c206) +(category c207) +(category c208) +(category c209) +(category c210) +(category c211) +(category c212) +(category c213) +(category c214) +(category c215) +(category c216) +(category c217) +(category c218) +(category c219) +(category c220) +(category c221) +(category c222) +(category c223) +(category c224) +(category c225) +(category c226) +(category c227) +(category c228) +(category c229) +(category c230) +(category c231) +(category c232) +(category c233) +(category c234) +(category c235) +(category c236) +(category c237) +(category c238) +(category c239) +(category c240) +(category c241) +(category c242) +(category c243) +(category c244) +(category c245) +(category c246) +(category c247) +(category c248) +(category c249) +(category c250) +(category c251) +(category c252) +(category c253) +(category c254) +(category c255) +(category c256) +(category c257) +(category c258) +(category c259) +(category c260) +(category c261) +(category c262) +(category c263) +(category c264) +(category c265) +(category c266) +(category c267) +(category c268) +(category c269) +(category c270) +(category c271) +(category c272) +(category c273) +(category c274) +(category c275) +(category c276) +(category c277) +(category c278) +(category c279) +(category c280) +(category c281) +(category c282) +(category c283) +(category c284) +(category c285) +(category c286) +(category c287) +(category c288) +(category c289) +(category c290) +(category c291) +(category c292) +(category c293) +(category c294) +(category c295) +(category c296) +(category c297) +(category c298) +(category c299) +(category c300) +(category c301) +(category c302) +(category c303) +(category c304) +(category c305) +(category c306) +(category c307) +(category c308) +(category c309) +(category c310) +(category c311) +(category c312) +(category c313) +(category c314) +(category c315) +(category c316) +(category c317) +(category c318) +(category c319) +(category c320) +(category c321) +(category c322) +(category c323) +(category c324) +(category c325) +(category c326) +(category c327) +(category c328) +(category c329) +(category c330) +(category c331) +(category c332) +(category c333) +(category c334) +(category c335) +(category c336) +(category c337) +(category c338) +(category c339) +(category c340) +(category c341) +(category c342) +(category c343) +(category c344) +(category c345) +(category c346) +(category c347) +(category c348) +(category c349) +(category c350) +(category c351) +(category c352) +(category c353) +(category c354) +(category c355) +(category c356) +(category c357) +(category c358) +(category c359) +(category c360) +(category c361) +(category c362) +(category c363) +(category c364) +(category c365) +(category c366) +(category c367) +(category c368) +(category c369) +(category c370) +(category c371) +(category c372) +(category c373) +(category c374) +(category c375) +(category c376) +(category c377) +(category c378) +(category c379) +(category c380) +(category c381) +(category c382) +(category c383) +(category c384) +(category c385) +(category c386) +(category c387) +(category c388) +(category c389) +(category c390) +(category c391) +(category c392) +(category c393) +(category c394) +(category c395) +(category c396) +(category c397) +(category c398) +(category c399) +(category c400) +(category c401) +(category c402) +(category c403) +(category c404) +(category c405) +(category c406) +(category c407) +(category c408) +(category c409) +(category c410) +(category c411) +(category c412) +(category c413) +(category c414) +(category c415) +(category c416) +(category c417) +(category c418) +(category c419) +(category c420) +(category c421) +(category c422) +(category c423) +(category c424) +(category c425) +(category c426) +(category c427) +(category c428) +(category c429) +(category c430) +(category c431) +(category c432) +(category c433) +(category c434) +(category c435) +(category c436) +(category c437) +(category c438) +(category c439) +(category c440) +(category c441) +(category c442) +(category c443) +(category c444) +(category c445) +(category c446) +(category c447) +(category c448) +(category c449) +(category c450) +(category c451) +(category c452) +(category c453) +(category c454) +(category c455) +(category c456) +(category c457) +(category c458) +(category c459) +(category c460) +(category c461) +(category c462) +(category c463) +(category c464) +(category c465) +(category c466) +(category c467) +(category c468) +(category c469) +(category c470) +(category c471) +(category c472) +(category c473) +(category c474) +(category c475) +(category c476) +(category c477) +(category c478) +(category c479) +(category c480) +(category c481) +(category c482) +(category c483) +(category c484) +(category c485) +(category c486) +(category c487) +(category c488) +(category c489) +(category c490) +(category c491) +(category c492) +(category c493) +(category c494) +(category c495) +(category c496) +(category c497) +(category c498) +(category c499) +(category c500) +(category c501) +(category c502) +(category c503) +(category c504) +(category c505) +(category c506) +(category c507) +(category c508) +(category c509) +(category c510) +(category c511) +(category c512) +(category c513) +(category c514) +(category c515) +(category c516) +(category c517) +(category c518) +(category c519) +(category c520) +(category c521) +(category c522) +(category c523) +(category c524) +(category c525) +(category c526) +(category c527) +(category c528) +(category c529) +(category c530) +(category c531) +(category c532) +(category c533) +(category c534) +(category c535) +(category c536) +(category c537) +(category c538) +(category c539) +(category c540) +(category c541) +(category c542) +(category c543) +(category c544) +(category c545) +(category c546) +(category c547) +(category c548) +(category c549) +(category c550) +(category c551) +(category c552) +(category c553) +(category c554) +(category c555) +(category c556) +(category c557) +(category c558) +(category c559) +(category c560) +(category c561) +(category c562) +(category c563) +(category c564) +(category c565) +(category c566) +(category c567) +(category c568) +(category c569) +(category c570) +(category c571) +(category c572) +(category c573) +(category c574) +(category c575) +(category c576) +(category c577) +(category c578) +(category c579) +(category c580) +(category c581) +(category c582) +(category c583) +(category c584) +(category c585) +(category c586) +(category c587) +(category c588) +(category c589) +(category c590) +(category c591) +(category c592) +(category c593) +(category c594) +(category c595) +(category c596) +(category c597) +(category c598) +(category c599) +(category c600) +(category c601) +(category c602) +(category c603) +(category c604) +(category c605) +(category c606) +(category c607) +(category c608) +(category c609) +(category c610) +(category c611) +(category c612) +(category c613) +(category c614) +(category c615) +(category c616) +(category c617) +(category c618) +(category c619) +(category c620) +(category c621) +(category c622) +(category c623) +(category c624) +(category c625) +(category c626) +(category c627) +(category c628) +(category c629) +(category c630) +(category c631) +(category c632) +(category c633) +(category c634) +(category c635) +(category c636) +(category c637) +(category c638) +(category c639) +(category c640) +(category c641) +(category c642) +(category c643) +(category c644) +(category c645) +(category c646) +(category c647) +(category c648) +(category c649) +(category c650) +(category c651) +(category c652) +(category c653) +(category c654) +(category c655) +(category c656) +(category c657) +(category c658) +(category c659) +(category c660) +(category c661) +(category c662) +(category c663) +(category c664) +(category c665) +(category c666) +(category c667) +(category c668) +(category c669) +(category c670) +(category c671) +(category c672) +(category c673) +(category c674) +(category c675) +(category c676) +(category c677) +(category c678) +(category c679) +(category c680) +(category c681) +(category c682) +(category c683) +(category c684) +(category c685) +(category c686) +(category c687) +(category c688) +(category c689) +(category c690) +(category c691) +(category c692) +(category c693) +(category c694) +(category c695) +(category c696) +(category c697) +(category c698) +(category c699) +(category c700) +(category c701) +(category c702) +(category c703) +(category c704) +(category c705) +(category c706) +(category c707) +(category c708) +(category c709) +(category c710) +(category c711) +(category c712) +(category c713) +(category c714) +(category c715) +(category c716) +(category c717) +(category c718) +(category c719) +(category c720) +(category c721) +(category c722) +(category c723) +(category c724) +(category c725) +(category c726) +(category c727) +(category c728) +(category c729) +(category c730) +(category c731) +(category c732) +(category c733) +(category c734) +(category c735) +(category c736) +(category c737) +(category c738) +(category c739) +(category c740) +(category c741) +(category c742) +(category c743) +(category c744) +(category c745) +(category c746) +(category c747) +(category c748) +(category c749) +(category c750) +(category c751) +(category c752) +(category c753) +(category c754) +(category c755) +(category c756) +(category c757) +(category c758) +(category c759) +(category c760) +(category c761) +(category c762) +(category c763) +(category c764) +(category c765) +(category c766) +(category c767) +(category c768) +(category c769) +(category c770) +(category c771) +(category c772) +(category c773) +(category c774) +(category c775) +(category c776) +(category c777) +(category c778) +(category c779) +(category c780) +(category c781) +(category c782) +(category c783) +(category c784) +(category c785) +(category c786) +(category c787) +(category c788) +(category c789) +(category c790) +(category c791) +(category c792) +(category c793) +(category c794) +(category c795) +(category c796) +(category c797) +(category c798) +(category c799) +(category c800) +(category c801) +(category c802) +(category c803) +(category c804) +(category c805) +(category c806) +(category c807) +(category c808) +(category c809) +(category c810) +(category c811) +(category c812) +(category c813) +(category c814) +(category c815) +(category c816) +(category c817) +(category c818) +(category c819) +(category c820) +(category c821) +(category c822) +(category c823) +(category c824) +(category c825) +(category c826) +(category c827) +(category c828) +(category c829) +(category c830) +(category c831) +(category c832) +(category c833) +(category c834) +(category c835) +(category c836) +(category c837) +(category c838) +(category c839) +(category c840) +(category c841) +(category c842) +(category c843) +(category c844) +(category c845) +(category c846) +(category c847) +(category c848) +(category c849) +(category c850) +(category c851) +(category c852) +(category c853) +(category c854) +(category c855) +(category c856) +(category c857) +(category c858) +(category c859) +(category c860) +(category c861) +(category c862) +(category c863) +(category c864) +(category c865) +(category c866) +(category c867) +(category c868) +(category c869) +(category c870) +(category c871) +(category c872) +(category c873) +(category c874) +(category c875) +(category c876) +(category c877) +(category c878) +(category c879) +(category c880) +(category c881) +(category c882) +(category c883) +(category c884) +(category c885) +(category c886) +(category c887) +(category c888) +(category c889) +(category c890) +(category c891) +(category c892) +(category c893) +(category c894) +(category c895) +(category c896) +(category c897) +(category c898) +(category c899) +(category c900) +(category c901) +(category c902) +(category c903) +(category c904) +(category c905) +(category c906) +(category c907) +(category c908) +(category c909) +(category c910) +(category c911) +(category c912) +(category c913) +(category c914) +(category c915) +(category c916) +(category c917) +(category c918) +(category c919) +(category c920) +(category c921) +(category c922) +(category c923) +(category c924) +(category c925) +(category c926) +(category c927) +(category c928) +(category c929) +(category c930) +(category c931) +(category c932) +(category c933) +(category c934) +(category c935) +(category c936) +(category c937) +(category c938) +(category c939) +(category c940) +(category c941) +(category c942) +(category c943) +(category c944) +(category c945) +(category c946) +(category c947) +(category c948) +(category c949) +(category c950) +(category c951) +(category c952) +(category c953) +(category c954) +(category c955) +(category c956) +(category c957) +(category c958) +(category c959) +(category c960) +(category c961) +(category c962) +(category c963) +(category c964) +(category c965) +(category c966) +(category c967) +(category c968) +(category c969) +(category c970) +(category c971) +(category c972) +(category c973) +(category c974) +(category c975) +(category c976) +(category c977) +(category c978) +(category c979) +(category c980) +(category c981) +(category c982) +(category c983) +(category c984) +(category c985) +(category c986) +(category c987) +(category c988) +(category c989) +(category c990) +(category c991) +(category c992) +(category c993) +(category c994) +(category c995) +(category c996) +(category c997) +(category c998) +(category c999) +(category c1000) +(category c1001) +(category c1002) +(category c1003) +(category c1004) +(category c1005) +(category c1006) +(category c1007) +(category c1008) +(category c1009) +(category c1010) +(category c1011) +(category c1012) +(category c1013) +(category c1014) +(category c1015) +(category c1016) +(category c1017) +(category c1018) +(category c1019) +(category c1020) +(category c1021) +(category c1022) +(category c1023) + +(categoryorder + (c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 c13 c14 c15 c16 c17 c18 c19 c20 c21 + c22 c23 c24 c25 c26 c27 c28 c29 c30 c31 c32 c33 c34 c35 c36 c37 c38 c39 c40 + c41 c42 c43 c44 c45 c46 c47 c48 c49 c50 c51 c52 c53 c54 c55 c56 c57 c58 c59 + c60 c61 c62 c63 c64 c65 c66 c67 c68 c69 c70 c71 c72 c73 c74 c75 c76 c77 c78 + c79 c80 c81 c82 c83 c84 c85 c86 c87 c88 c89 c90 c91 c92 c93 c94 c95 c96 c97 + c98 c99 c100 c101 c102 c103 c104 c105 c106 c107 c108 c109 c110 c111 c112 + c113 c114 c115 c116 c117 c118 c119 c120 c121 c122 c123 c124 c125 c126 c127 + c128 c129 c130 c131 c132 c133 c134 c135 c136 c137 c138 c139 c140 c141 c142 + c143 c144 c145 c146 c147 c148 c149 c150 c151 c152 c153 c154 c155 c156 c157 + c158 c159 c160 c161 c162 c163 c164 c165 c166 c167 c168 c169 c170 c171 c172 + c173 c174 c175 c176 c177 c178 c179 c180 c181 c182 c183 c184 c185 c186 c187 + c188 c189 c190 c191 c192 c193 c194 c195 c196 c197 c198 c199 c200 c201 c202 + c203 c204 c205 c206 c207 c208 c209 c210 c211 c212 c213 c214 c215 c216 c217 + c218 c219 c220 c221 c222 c223 c224 c225 c226 c227 c228 c229 c230 c231 c232 + c233 c234 c235 c236 c237 c238 c239 c240 c241 c242 c243 c244 c245 c246 c247 + c248 c249 c250 c251 c252 c253 c254 c255 c256 c257 c258 c259 c260 c261 c262 + c263 c264 c265 c266 c267 c268 c269 c270 c271 c272 c273 c274 c275 c276 c277 + c278 c279 c280 c281 c282 c283 c284 c285 c286 c287 c288 c289 c290 c291 c292 + c293 c294 c295 c296 c297 c298 c299 c300 c301 c302 c303 c304 c305 c306 c307 + c308 c309 c310 c311 c312 c313 c314 c315 c316 c317 c318 c319 c320 c321 c322 + c323 c324 c325 c326 c327 c328 c329 c330 c331 c332 c333 c334 c335 c336 c337 + c338 c339 c340 c341 c342 c343 c344 c345 c346 c347 c348 c349 c350 c351 c352 + c353 c354 c355 c356 c357 c358 c359 c360 c361 c362 c363 c364 c365 c366 c367 + c368 c369 c370 c371 c372 c373 c374 c375 c376 c377 c378 c379 c380 c381 c382 + c383 c384 c385 c386 c387 c388 c389 c390 c391 c392 c393 c394 c395 c396 c397 + c398 c399 c400 c401 c402 c403 c404 c405 c406 c407 c408 c409 c410 c411 c412 + c413 c414 c415 c416 c417 c418 c419 c420 c421 c422 c423 c424 c425 c426 c427 + c428 c429 c430 c431 c432 c433 c434 c435 c436 c437 c438 c439 c440 c441 c442 + c443 c444 c445 c446 c447 c448 c449 c450 c451 c452 c453 c454 c455 c456 c457 + c458 c459 c460 c461 c462 c463 c464 c465 c466 c467 c468 c469 c470 c471 c472 + c473 c474 c475 c476 c477 c478 c479 c480 c481 c482 c483 c484 c485 c486 c487 + c488 c489 c490 c491 c492 c493 c494 c495 c496 c497 c498 c499 c500 c501 c502 + c503 c504 c505 c506 c507 c508 c509 c510 c511 c512 c513 c514 c515 c516 c517 + c518 c519 c520 c521 c522 c523 c524 c525 c526 c527 c528 c529 c530 c531 c532 + c533 c534 c535 c536 c537 c538 c539 c540 c541 c542 c543 c544 c545 c546 c547 + c548 c549 c550 c551 c552 c553 c554 c555 c556 c557 c558 c559 c560 c561 c562 + c563 c564 c565 c566 c567 c568 c569 c570 c571 c572 c573 c574 c575 c576 c577 + c578 c579 c580 c581 c582 c583 c584 c585 c586 c587 c588 c589 c590 c591 c592 + c593 c594 c595 c596 c597 c598 c599 c600 c601 c602 c603 c604 c605 c606 c607 + c608 c609 c610 c611 c612 c613 c614 c615 c616 c617 c618 c619 c620 c621 c622 + c623 c624 c625 c626 c627 c628 c629 c630 c631 c632 c633 c634 c635 c636 c637 + c638 c639 c640 c641 c642 c643 c644 c645 c646 c647 c648 c649 c650 c651 c652 + c653 c654 c655 c656 c657 c658 c659 c660 c661 c662 c663 c664 c665 c666 c667 + c668 c669 c670 c671 c672 c673 c674 c675 c676 c677 c678 c679 c680 c681 c682 + c683 c684 c685 c686 c687 c688 c689 c690 c691 c692 c693 c694 c695 c696 c697 + c698 c699 c700 c701 c702 c703 c704 c705 c706 c707 c708 c709 c710 c711 c712 + c713 c714 c715 c716 c717 c718 c719 c720 c721 c722 c723 c724 c725 c726 c727 + c728 c729 c730 c731 c732 c733 c734 c735 c736 c737 c738 c739 c740 c741 c742 + c743 c744 c745 c746 c747 c748 c749 c750 c751 c752 c753 c754 c755 c756 c757 + c758 c759 c760 c761 c762 c763 c764 c765 c766 c767 c768 c769 c770 c771 c772 + c773 c774 c775 c776 c777 c778 c779 c780 c781 c782 c783 c784 c785 c786 c787 + c788 c789 c790 c791 c792 c793 c794 c795 c796 c797 c798 c799 c800 c801 c802 + c803 c804 c805 c806 c807 c808 c809 c810 c811 c812 c813 c814 c815 c816 c817 + c818 c819 c820 c821 c822 c823 c824 c825 c826 c827 c828 c829 c830 c831 c832 + c833 c834 c835 c836 c837 c838 c839 c840 c841 c842 c843 c844 c845 c846 c847 + c848 c849 c850 c851 c852 c853 c854 c855 c856 c857 c858 c859 c860 c861 c862 + c863 c864 c865 c866 c867 c868 c869 c870 c871 c872 c873 c874 c875 c876 c877 + c878 c879 c880 c881 c882 c883 c884 c885 c886 c887 c888 c889 c890 c891 c892 + c893 c894 c895 c896 c897 c898 c899 c900 c901 c902 c903 c904 c905 c906 c907 + c908 c909 c910 c911 c912 c913 c914 c915 c916 c917 c918 c919 c920 c921 c922 + c923 c924 c925 c926 c927 c928 c929 c930 c931 c932 c933 c934 c935 c936 c937 + c938 c939 c940 c941 c942 c943 c944 c945 c946 c947 c948 c949 c950 c951 c952 + c953 c954 c955 c956 c957 c958 c959 c960 c961 c962 c963 c964 c965 c966 c967 + c968 c969 c970 c971 c972 c973 c974 c975 c976 c977 c978 c979 c980 c981 c982 + c983 c984 c985 c986 c987 c988 c989 c990 c991 c992 c993 c994 c995 c996 c997 + c998 c999 c1000 c1001 c1002 c1003 c1004 c1005 c1006 c1007 c1008 c1009 c1010 + c1011 c1012 c1013 c1014 c1015 c1016 c1017 c1018 c1019 c1020 c1021 c1022 + c1023)) + +(categoryset allcatset (range c0 c1023)) + +(sensitivity s0) +(sensitivityorder (s0)) + +(sensitivitycategory s0 allcatset) + +(level systemlow (s0)) +(level systemhigh (s0 allcatset)) + +(levelrange lowlevelrange (systemlow systemlow)) +(levelrange lowhighlevelrange (systemlow systemhigh)) diff --git a/src/misc/modular.cil b/src/misc/modular.cil new file mode 100644 index 0000000..97e603d --- /dev/null +++ b/src/misc/modular.cil @@ -0,0 +1,5 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(selinuxuserdefault sys.id lowlevelrange) +(userprefix sys.id sys.role) diff --git a/src/misc/obj.cil b/src/misc/obj.cil new file mode 100644 index 0000000..1611462 --- /dev/null +++ b/src/misc/obj.cil @@ -0,0 +1,16 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(block obj + + (macro role ((role ARG1)) + (roleattributeset roleattr ARG1)) + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (roleattribute roleattr) + + (typeattribute typeattr) + + (roletype roleattr typeattr)) diff --git a/src/misc/perm.cil b/src/misc/perm.cil new file mode 100644 index 0000000..0728143 --- /dev/null +++ b/src/misc/perm.cil @@ -0,0 +1,314 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(classpermission addname_dir) +(classpermission append_blk_file) +(classpermission append_chr_file) +(classpermission append_fifo_file) +(classpermission append_file) + +(classpermission appendinherited_blk_file) +(classpermission appendinherited_chr_file) +(classpermission appendinherited_fifo_file) +(classpermission appendinherited_file) + +(classpermission create_blk_file) +(classpermission create_chr_file) +(classpermission create_dir) +(classpermission create_fifo_file) +(classpermission create_file) +(classpermission create_lnk_file) +(classpermission create_sock_file) + +(classpermission delete_blk_file) +(classpermission delete_chr_file) +(classpermission delete_dir) +(classpermission delete_fifo_file) +(classpermission delete_file) +(classpermission delete_lnk_file) +(classpermission delete_sock_file) + +(classpermission deletename_dir) + +(classpermission execute_file) + +(classpermission list_dir) + +(classpermission listinherited_dir) + +(classpermission manage_blk_file) +(classpermission manage_chr_file) +(classpermission manage_dir) +(classpermission manage_fifo_file) +(classpermission manage_file) +(classpermission manage_lnk_file) +(classpermission manage_sock_file) + +(classpermission mapexecute_chr_file) +(classpermission mapexecute_file) + +(classpermission mounton_chr_file) +(classpermission mounton_dir) +(classpermission mounton_file) + +(classpermission read_blk_file) +(classpermission read_chr_file) +(classpermission read_fifo_file) +(classpermission read_file) +(classpermission read_lnk_file) +(classpermission read_sock_file) + +(classpermission readinherited_blk_file) +(classpermission readinherited_chr_file) +(classpermission readinherited_fifo_file) +(classpermission readinherited_file) +(classpermission readinherited_sock_file) + +(classpermission readwrite_blk_file) +(classpermission readwrite_chr_file) +(classpermission readwrite_dir) +(classpermission readwrite_fifo_file) +(classpermission readwrite_file) +(classpermission readwrite_lnk_file) +(classpermission readwrite_sock_file) + +(classpermission readwriteinherited_blk_file) +(classpermission readwriteinherited_chr_file) +(classpermission readwriteinherited_dir) +(classpermission readwriteinherited_fifo_file) +(classpermission readwriteinherited_file) +(classpermission readwriteinherited_sock_file) + +(classpermission relabel_blk_file) +(classpermission relabel_chr_file) +(classpermission relabel_dir) +(classpermission relabel_fifo_file) +(classpermission relabel_file) +(classpermission relabel_lnk_file) +(classpermission relabel_sock_file) + +(classpermission relabelfrom_blk_file) +(classpermission relabelfrom_chr_file) +(classpermission relabelfrom_dir) +(classpermission relabelfrom_fifo_file) +(classpermission relabelfrom_file) +(classpermission relabelfrom_lnk_file) +(classpermission relabelfrom_sock_file) + +(classpermission relabelto_blk_file) +(classpermission relabelto_chr_file) +(classpermission relabelto_dir) +(classpermission relabelto_fifo_file) +(classpermission relabelto_file) +(classpermission relabelto_lnk_file) +(classpermission relabelto_sock_file) + +(classpermission rename_blk_file) +(classpermission rename_chr_file) +(classpermission rename_dir) +(classpermission rename_fifo_file) +(classpermission rename_file) +(classpermission rename_lnk_file) +(classpermission rename_sock_file) + +(classpermission search_dir) + +(classpermission write_blk_file) +(classpermission write_chr_file) +(classpermission write_dir) +(classpermission write_fifo_file) +(classpermission write_file) +(classpermission write_lnk_file) +(classpermission write_sock_file) + +(classpermission writeinherited_blk_file) +(classpermission writeinherited_chr_file) +(classpermission writeinherited_dir) +(classpermission writeinherited_fifo_file) +(classpermission writeinherited_file) +(classpermission writeinherited_sock_file) + +(classpermissionset addname_dir + (dir (add_name getattr ioctl lock open read search write))) + +(classpermissionset append_blk_file (blk_file (append getattr ioctl lock open))) +(classpermissionset append_chr_file (chr_file (append getattr ioctl lock open))) +(classpermissionset append_fifo_file + (fifo_file (append getattr ioctl lock open))) +(classpermissionset append_file (file (append getattr ioctl lock open))) + +(classpermissionset appendinherited_blk_file + (blk_file (append getattr ioctl lock))) +(classpermissionset appendinherited_chr_file + (chr_file (append getattr ioctl lock))) +(classpermissionset appendinherited_fifo_file + (fifo_file (append getattr ioctl lock))) +(classpermissionset appendinherited_file (file (append getattr ioctl lock))) + +(classpermissionset create_blk_file (blk_file (create getattr))) +(classpermissionset create_chr_file (chr_file (create getattr))) +(classpermissionset create_dir (dir (create getattr))) +(classpermissionset create_fifo_file (fifo_file (create getattr))) +(classpermissionset create_file (file (create getattr))) +(classpermissionset create_lnk_file (lnk_file (create getattr))) +(classpermissionset create_sock_file (sock_file (create getattr))) + +(classpermissionset delete_blk_file (blk_file (getattr unlink))) +(classpermissionset delete_chr_file (chr_file (getattr unlink))) +(classpermissionset delete_dir (dir (getattr rmdir))) +(classpermissionset delete_fifo_file (fifo_file (getattr unlink))) +(classpermissionset delete_file (file (getattr unlink))) +(classpermissionset delete_lnk_file (lnk_file (getattr unlink))) +(classpermissionset delete_sock_file (sock_file (getattr unlink))) + +(classpermissionset deletename_dir + (dir (getattr ioctl lock open read remove_name search + write))) + +(classpermissionset execute_file + (file (execute execute_no_trans getattr ioctl map open + read))) + +(classpermissionset list_dir (dir (getattr ioctl lock open read search))) + +(classpermissionset listinherited_dir (dir (getattr ioctl lock read search))) + +(classpermissionset manage_blk_file + (blk_file (append create getattr ioctl link lock open read + rename setattr unlink write))) +(classpermissionset manage_chr_file + (chr_file (append create getattr ioctl link lock open read + rename setattr unlink write))) +(classpermissionset manage_dir + (dir (add_name create getattr ioctl link lock open read + setattr remove_name rename reparent rmdir + search write))) +(classpermissionset manage_fifo_file + (fifo_file (append create getattr ioctl link lock open read + rename setattr unlink write))) +(classpermissionset manage_file + (file (append create getattr ioctl link lock open read + rename setattr unlink write))) +(classpermissionset manage_lnk_file + (lnk_file (append create getattr link lock read rename + setattr unlink write))) +(classpermissionset manage_sock_file + (sock_file (append create getattr ioctl link lock open read + rename setattr unlink write))) + +(classpermissionset mapexecute_chr_file (chr_file (execute map))) +(classpermissionset mapexecute_file (file (execute map))) + +(classpermissionset mounton_chr_file (chr_file (getattr mounton))) +(classpermissionset mounton_dir (dir (getattr mounton))) +(classpermissionset mounton_file (file (getattr mounton))) + +(classpermissionset read_blk_file (blk_file (getattr ioctl lock open read))) +(classpermissionset read_chr_file (chr_file (getattr ioctl lock open read))) +(classpermissionset read_fifo_file (fifo_file (getattr ioctl lock open read))) +(classpermissionset read_file (file (getattr ioctl lock open read))) +(classpermissionset read_lnk_file (lnk_file (getattr lock read))) +(classpermissionset read_sock_file (sock_file (getattr ioctl lock open read))) + +(classpermissionset readinherited_blk_file (blk_file (getattr ioctl lock read))) +(classpermissionset readinherited_chr_file (chr_file (getattr ioctl lock read))) +(classpermissionset readinherited_fifo_file + (fifo_file (getattr ioctl lock read))) +(classpermissionset readinherited_file (file (getattr ioctl lock read))) +(classpermissionset readinherited_sock_file + (sock_file (getattr ioctl lock read))) + +(classpermissionset readwrite_blk_file + (blk_file (append getattr ioctl lock open read write))) +(classpermissionset readwrite_chr_file + (chr_file (append getattr ioctl lock open read write))) +(classpermissionset readwrite_dir + (dir (add_name getattr ioctl lock open read remove_name + search write))) +(classpermissionset readwrite_fifo_file + (fifo_file (append getattr ioctl lock open read write))) +(classpermissionset readwrite_file + (file (append getattr ioctl lock open read write))) +(classpermissionset readwrite_lnk_file + (lnk_file (append getattr lock read write))) +(classpermissionset readwrite_sock_file + (sock_file (append getattr ioctl lock open read write))) + +(classpermissionset readwriteinherited_blk_file + (blk_file (append getattr ioctl lock read write))) +(classpermissionset readwriteinherited_chr_file + (chr_file (append getattr ioctl lock read write))) +(classpermissionset readwriteinherited_dir + (dir (add_name getattr ioctl lock read remove_name search + write))) +(classpermissionset readwriteinherited_fifo_file + (fifo_file (append getattr ioctl lock read write))) +(classpermissionset readwriteinherited_file + (file (append getattr ioctl lock read write))) +(classpermissionset readwriteinherited_sock_file + (sock_file (append getattr ioctl lock read write))) + +(classpermissionset relabel_blk_file (blk_file (getattr relabelfrom relabelto))) +(classpermissionset relabel_chr_file (chr_file (getattr relabelfrom relabelto))) +(classpermissionset relabel_dir (dir (getattr relabelfrom relabelto))) +(classpermissionset relabel_fifo_file + (fifo_file (getattr relabelfrom relabelto))) +(classpermissionset relabel_file (file (getattr relabelfrom relabelto))) +(classpermissionset relabel_lnk_file (lnk_file (getattr relabelfrom relabelto))) +(classpermissionset relabel_sock_file + (sock_file (getattr relabelfrom relabelto))) + +(classpermissionset relabelfrom_blk_file (blk_file (getattr relabelfrom))) +(classpermissionset relabelfrom_chr_file (chr_file (getattr relabelfrom))) +(classpermissionset relabelfrom_dir (dir (getattr relabelfrom))) +(classpermissionset relabelfrom_fifo_file (fifo_file (getattr relabelfrom))) +(classpermissionset relabelfrom_file (file (getattr relabelfrom))) +(classpermissionset relabelfrom_lnk_file (lnk_file (getattr relabelfrom))) +(classpermissionset relabelfrom_sock_file (sock_file (getattr relabelfrom))) + +(classpermissionset relabelto_blk_file (blk_file (getattr relabelto))) +(classpermissionset relabelto_chr_file (chr_file (getattr relabelto))) +(classpermissionset relabelto_dir (dir (getattr relabelto))) +(classpermissionset relabelto_fifo_file (fifo_file (getattr relabelto))) +(classpermissionset relabelto_file (file (getattr relabelto))) +(classpermissionset relabelto_lnk_file (lnk_file (getattr relabelto))) +(classpermissionset relabelto_sock_file (sock_file (getattr relabelto))) + +(classpermissionset rename_blk_file (blk_file (getattr rename))) +(classpermissionset rename_chr_file (chr_file (getattr rename))) +(classpermissionset rename_dir (dir (getattr rename))) +(classpermissionset rename_fifo_file (fifo_file (getattr rename))) +(classpermissionset rename_file (file (getattr rename))) +(classpermissionset rename_lnk_file (lnk_file (getattr rename))) +(classpermissionset rename_sock_file (sock_file (getattr rename))) + +(classpermissionset search_dir (dir (getattr search))) + +(classpermissionset write_blk_file + (blk_file (append getattr ioctl lock open write))) +(classpermissionset write_chr_file + (chr_file (append getattr ioctl lock open write))) +(classpermissionset write_dir + (dir (add_name getattr ioctl lock open remove_name search + write))) +(classpermissionset write_fifo_file + (fifo_file (append getattr ioctl lock open write))) +(classpermissionset write_file + (file (append getattr ioctl lock open write))) +(classpermissionset write_lnk_file (lnk_file (append getattr lock write))) +(classpermissionset write_sock_file + (sock_file (append getattr ioctl lock open write))) + +(classpermissionset writeinherited_blk_file + (blk_file (append getattr ioctl lock write))) +(classpermissionset writeinherited_chr_file + (chr_file (append getattr ioctl lock write))) +(classpermissionset writeinherited_dir + (dir (add_name getattr ioctl lock remove_name search + write))) +(classpermissionset writeinherited_fifo_file + (fifo_file (append getattr ioctl lock write))) +(classpermissionset writeinherited_file + (file (append getattr ioctl lock write))) +(classpermissionset writeinherited_sock_file + (sock_file (append getattr ioctl lock write))) diff --git a/src/misc/unconfined.cil b/src/misc/unconfined.cil new file mode 100644 index 0000000..09e045a --- /dev/null +++ b/src/misc/unconfined.cil @@ -0,0 +1,9 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(block unconfined + + (macro type ((type ARG1)) + (typeattributeset typeattr ARG1)) + + (typeattribute typeattr)) diff --git a/src/misc/xperm.cil b/src/misc/xperm.cil new file mode 100644 index 0000000..4aca460 --- /dev/null +++ b/src/misc/xperm.cil @@ -0,0 +1,8 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(permissionx FIOCLEX_FIONCLEX_CHRFILE + (ioctl chr_file (0x6601 0x5451 0x6602 0x5450))) + +(permissionx FIOCLEX (ioctl chr_file (0x6601 0x5451))) +(permissionx FIONCLEX (ioctl chr_file (0x6602 0x5450))) diff --git a/src/misc/xperm/consolexperm.cil b/src/misc/xperm/consolexperm.cil new file mode 100644 index 0000000..9e52407 --- /dev/null +++ b/src/misc/xperm/consolexperm.cil @@ -0,0 +1,145 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(permissionx IOCTLCONSOLE + (ioctl chr_file (0x4b72 0x4b31 0x4b32 0x4b64 0x4b65 0x4b33 0x4b34 + 0x4b35 0x4b36 0x4b37 0x4b3a 0x4b3b 0x4b30 + 0x4b2f 0x4b70 0x4b71 0x4b60 0x4b6b 0x4b61 + 0x4b6c 0x4b6d 0x4b40 0x4b69 0x4b41 0x4b6a + 0x4b66 0x4b67 0x4b68 0x4b44 0x4b45 0x4b62 + 0x4b63 0x4b46 0x4b47 0x4b48 0x4b49 0x4b4a + 0x4b4c 0x4b4d 0x4b4e 0x541c 0x4bfa + 0x4bfb))) + +;; Font handling +(permissionx KDFONTOP (ioctl chr_file (0x4b72))) + +;; Get state of LEDs +(permissionx KDGETLED (ioctl chr_file (0x4b31))) + +;; Set the LEDs +(permissionx KDSETLED (ioctl chr_file (0x4b32))) + +;; Get keyboard flags CapsLock, NumLock, ScrollLock (not lights) +(permissionx KDGKBLED (ioctl chr_file (0x4b64))) + +;; Set keyboard flags CapsLock, NumLock, ScrollLock (not lights) +(permissionx KDSKBLED (ioctl chr_file (0x4b65))) + +;; Get keyboard type +(permissionx KDGKBTYPE (ioctl chr_file (0x4b33))) + +;; Add I/O port as valid +(permissionx KDADDIO (ioctl chr_file (0x4b34))) + +;; Delete I/O port as valid +(permissionx KDDELIO (ioctl chr_file (0x4b35))) + +;; Enable I/O to video board +(permissionx KDENABIO (ioctl chr_file (0x4b36))) + +;; Disable I/O to video board +(permissionx KDDISABIO (ioctl chr_file (0x4b37))) + +;; Set text/graphics mode +(permissionx KDSETMODE (ioctl chr_file (0x4b3a))) + +;; Get text/graphics mode +(permissionx KDGETMODE (ioctl chr_file (0x4b3b))) + +;; Generate tone of specified length +(permissionx KDMKTONE (ioctl chr_file (0x4b30))) + +;; Start or stop sound generation +(permissionx KIOCSOUND (ioctl chr_file (0x4b2f))) + +;; Get the current default color map from kernel +(permissionx GIO_CMAP (ioctl chr_file (0x4b70))) + +;; Change the default text-mode color map +(permissionx PIO_CMAP (ioctl chr_file (0x4b71))) + +;; Gets 256-character screen font in expanded form +(permissionx GIO_FONT (ioctl chr_file (0x4b60))) + +;; Gets screen font and associated information +(permissionx GIO_FONTX (ioctl chr_file (0x4b6b))) + +;; Sets 256-character screen font +(permissionx PIO_FONT (ioctl chr_file (0x4b61))) + +;; Sets screen font and associated rendering information +(permissionx PIO_FONTX (ioctl chr_file (0x4b6c))) + +;; Resets the screen font, size, and Unicode mapping to the bootup defaults +(permissionx PIO_FONTRESET (ioctl chr_file (0x4b6d))) + +;; Get screen mapping from kernel +(permissionx GIO_SCRNMAP (ioctl chr_file (0x4b40))) + +;; Get full Unicode screen mapping from kernel +(permissionx GIO_UNISCRNMAP (ioctl chr_file (0x4b69))) + +;; Loads the "user definable" (fourth) table in the kernel which maps bytes +;; into console screen symbols +(permissionx PIO_SCRNMAP (ioctl chr_file (0x4b41))) + +;; Loads the "user definable" (fourth) table in the kernel which maps bytes +;; into Unicodes, which are then translated into screen symbols according to +;; the currently loaded Unicode-to-font map +(permissionx PIO_UNISCRNMAP (ioctl chr_file (0x4b6a))) + +;; Get Unicode-to-font mapping from kernel +(permissionx GIO_UNIMAP (ioctl chr_file (0x4b66))) + +;; Put unicode-to-font mapping in kernel +(permissionx PIO_UNIMAP (ioctl chr_file (0x4b67))) + +;; Clear table, possibly advise hash algorithm +(permissionx PIO_UNIMAPCLR (ioctl chr_file (0x4b68))) + +;; Gets current keyboard mode +(permissionx KDGKBMODE (ioctl chr_file (0x4b44))) + +;; Sets current keyboard mode +(permissionx KDSKBMODE (ioctl chr_file (0x4b45))) + +;; Gets meta key handling mode +(permissionx KDGKBMETA (ioctl chr_file (0x4b62))) + +;; Sets meta key handling mode +(permissionx KDSKBMETA (ioctl chr_file (0x4b63))) + +;; Gets one entry in key translation table +(permissionx KDGKBENT (ioctl chr_file (0x4b46))) + +;; Sets one entry in translation table +(permissionx KDSKBENT (ioctl chr_file (0x4b47))) + +;; Gets one function key string +(permissionx KDGKBSENT (ioctl chr_file (0x4b48))) + +;; Sets one function key string entry +(permissionx KDSKBSENT (ioctl chr_file (0x4b49))) + +;; Read kernel accent table +(permissionx KDGKBDIACR (ioctl chr_file (0x4b4a))) + +;; Read kernel keycode table entry +(permissionx KDGETKEYCODE (ioctl chr_file (0x4b4c))) + +;; Read kernel accent table (Universal Character Set) +(permissionx KDGKBDIACRUC (ioctl chr_file (0x4bfa))) + +;; Write kernel accent table (Universal Character Set) +(permissionx KDSKBDIACRUC (ioctl chr_file (0x4bfb))) + +;; Write kernel keycode table entry +(permissionx KDSETKEYCODE (ioctl chr_file (0x4b4d))) + +;; The calling process indicates its willingness to accept the signal argp when +;; it is generated by pressing an appropriate key combination +(permissionx KDSIGACCEPT (ioctl chr_file (0x4b4e))) + +;; Dump the screen. Disappeared in Linux 1.1.92 +(permissionx TIOCLINUX (ioctl chr_file (0x541c))) diff --git a/src/misc/xperm/ttyxperm.cil b/src/misc/xperm/ttyxperm.cil new file mode 100644 index 0000000..7e50ab5 --- /dev/null +++ b/src/misc/xperm/ttyxperm.cil @@ -0,0 +1,139 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(permissionx IOCTLTTY_NOT_TIOCSTI + (ioctl chr_file (0x5405 0x542a 0x540d 0x5401 0x5406 0x542b 0x5402 + 0x5403 0x542c 0x5407 0x5404 0x542d 0x5408 + 0x5456 0x5457 0x7468 0x5413 0x7467 0x5414 + 0x5409 0x5425 0x5427 0x5428 0x540a 0x467f + 0x541b 0x7472 0x5411 0x540b 0x541d 0x5480 + 0x540e 0x5422 0x540f 0x5410 0x5429 0x540c + 0x5440 0x540c 0x5424 0x5423 0x5420 0x5438 + 0x5431 0x5439 0x5415 0x5418 0x5417 0x5416 + 0x545c 0x545d 0x5419 0x541a 0x541e))) + +;; Get the current serial port settings +(permissionx TCGETS (ioctl chr_file (0x5405 0x542a 0x540d 0x5401))) + +;; Set the current serial port settings +(permissionx TCSETS (ioctl chr_file (0x5406 0x542b 0x5402))) + +;; Allow the output buffer to drain, and set the current serial port settings +(permissionx TCSETSW (ioctl chr_file (0x5403 0x542c 0x5407))) + +;; Allow the output buffer to drain, discard pending input, and set the current +;; serial port settings +(permissionx TCSETSF (ioctl chr_file (0x5404 0x542d 0x5408))) + +;; Gets the locking status of the termios structure of the terminal +(permissionx TIOCGLCKTRMIOS (ioctl chr_file (0x5456))) + +;; Sets the locking status of the termios structure of the terminal. Only a +;; process with the CAP_SYS_ADMIN capability can do this +(permissionx TIOCSLCKTRMIOS (ioctl chr_file (0x5457))) + +;; Get window size +(permissionx TIOCGWINSZ (ioctl chr_file (0x7468 0x5413))) + +;; Set window size +(permissionx TIOCSWINSZ (ioctl chr_file (0x7467 0x5414))) + +;; Send break +(permissionx TCSBRK (ioctl chr_file (0x5409 0x5425))) + +;; Turn break on +(permissionx TIOCSBRK (ioctl chr_file (0x5427))) + +;; Turn break off +(permissionx TIOCCBRK (ioctl chr_file (0x5428))) + +;; Software flow control +(permissionx TCXONC (ioctl chr_file (0x540a))) + +;; Get the number of bytes in the input buffer +(permissionx FIONREAD (ioctl chr_file (0x467f 0x541b))) + +;; Get the number of bytes in the output buffer +(permissionx TIOCOUTQ (ioctl chr_file (0x7472 0x5411))) + +;; Discard data written +(permissionx TCFLSH (ioctl chr_file (0x540b))) + +;; Fake input +(permissionx TIOCSTI (ioctl chr_file (0x5412))) + +;; Redirect console output +(permissionx TIOCCONS (ioctl chr_file (0x541d))) + +;; Make controlling terminal +(permissionx TIOCSCTTY (ioctl chr_file (0x5480 0x540e))) + +;; Give up controlling terminal +(permissionx TIOCNOTTY (ioctl chr_file (0x5422))) + +;; Get the process group ID of the foreground process group on this terminal +(permissionx TIOCGPGRP (ioctl chr_file (0x540f))) + +;; Set the foreground process group ID of this terminal +(permissionx TIOCSPGRP (ioctl chr_file (0x5410))) + +;; Get the session ID of the given terminal +(permissionx TIOCGSID (ioctl chr_file (0x5429))) + +;; Enable exclusive mode +(permissionx TIOCEXCL (ioctl chr_file (0x540c))) + +;; If the terminal is currently in exclusive mode, place a nonzero value +(permissionx TIOCGEXCL (ioctl chr_file (0x5440))) + +;; Disable exclusive mode +(permissionx TIOCNXCL (ioctl chr_file (0x540d))) + +;; Get the line discipline of the terminal +(permissionx TIOCGETD (ioctl chr_file (0x5424))) + +;; Set the line discipline of the terminal +(permissionx TIOCSETD (ioctl chr_file (0x5423))) + +;; Enable or disable packet mode. Can be applied to the master side of a +;; pseudoterminal only +(permissionx TIOCPKT (ioctl chr_file (0x5420))) + +;; Return the current packet mode setting +(permissionx TIOCGPKT (ioctl chr_file (0x5438))) + +;; Set or remove the lock on the pseudoterminal slave device +(permissionx TIOCSPTLCK (ioctl chr_file (0x5431))) + +;; Place the current lock state of the pseudoterminal slave device +(permissionx TIOCGPTLCK (ioctl chr_file (0x5439))) + +;; Safely open the slave +;; (permissionx TIOCGPTPEER (ioctl chr_file ())) + +;; Get the status of modem bits +(permissionx TIOCMGET (ioctl chr_file (0x5415))) + +;; Set the status of modem bits +(permissionx TIOCMSET (ioctl chr_file (0x5418))) + +;; Clear the indicated modem bits +(permissionx TIOCMBIC (ioctl chr_file (0x5417))) + +;; Set the indicated modem bits +(permissionx TIOCMBIS (ioctl chr_file (0x5416))) + +;; Wait for any of the modem bits to change +(permissionx TIOCMIWAIT (ioctl chr_file (0x545c))) + +;; Get counts of input serial line interrupts +(permissionx TIOCGICOUNT (ioctl chr_file (0x545d))) + +;; Get the serial line information +(permissionx TIOCGSERIAL (ioctl chr_file (0x541e))) + +;; Get software carrier flag +(permissionx TIOCGSOFTCAR (ioctl chr_file (0x5419))) + +;; Set software carrier flag +(permissionx TIOCSSOFTCAR (ioctl chr_file (0x541a))) diff --git a/src/misc/xperm/vtxperm.cil b/src/misc/xperm/vtxperm.cil new file mode 100644 index 0000000..cc18806 --- /dev/null +++ b/src/misc/xperm/vtxperm.cil @@ -0,0 +1,68 @@ +;; SPDX-FileCopyrightText: © 2023 Dominick Grift +;; SPDX-License-Identifier: Unlicense + +(permissionx IOCTLVT + (ioctl chr_file (0x0001 0x0002 0x0004 0x0008 0x5600 0x5601 0x5602 + 0x5603 0x5604 0x5605 0x5606 0x5607 0x5708 + 0x5609 0x560A 0x560B 0x560C 0x560D 0x560E + 0x560F))) + +;; Console switch +(permissionx VT_EVENT_SWITCH (ioctl chr_file (0x0001))) + +;; Screen blank +(permissionx VT_EVENT_BLANK (ioctl chr_file (0x0002))) + +;; Screen unblank +(permissionx VT_EVENT_UNBLANK (ioctl chr_file (0x0004))) + +;; Resize display +(permissionx VT_EVENT_RESIZE (ioctl chr_file (0x0008))) + +;; Find available VT +(permissionx VT_OPENQRY (ioctl chr_file (0x5600))) + +;; Get mode of active VT +(permissionx VT_GETMODE (ioctl chr_file (0x5601))) + +;; Set mode of active VT +(permissionx VT_SETMODE (ioctl chr_file (0x5602))) + +;; Get global VT state info +(permissionx VT_GETSTATE (ioctl chr_file (0x5603))) + +;; Signal to send to bitmask VT +(permissionx VT_SENDSIG (ioctl chr_file (0x5604))) + +;; Release display +(permissionx VT_RELDISP (ioctl chr_file (0x5605))) + +;; Make VT active +(permissionx VT_ACTIVATE (ioctl chr_file (0x5606))) + +;; Wait for VT active +(permissionx VT_WAITACTIVE (ioctl chr_file (0x5607))) + +;; Free memory associated with VT +(permissionx VT_DISALLOCATE (ioctl chr_file (0x5608))) + +;; Set kernel idea of screensize +(permissionx VT_RESIZE (ioctl chr_file (0x5609))) + +;; Set kernel idea of screensize + more +(permissionx VT_RESIZEX (ioctl chr_file (0x560A))) + +;; Disallow VT switching +(permissionx VT_LOCKSWITCH (ioctl chr_file (0x560B))) + +;; Allow VT switching +(permissionx VT_UNLOCKSWITCH (ioctl chr_file (0x560C))) + +;; Return hi font mask +(permissionx VT_GETHIFONTMASK (ioctl chr_file (0x560D))) + +;; Wait for an event +(permissionx VT_WAITEVENT (ioctl chr_file (0x560E))) + +;; Activate and set the mode of VT +(permissionx VT_SETACTIVATE (ioctl chr_file (0x560F))) -- cgit v1.2.3