;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
;; Object class for anonymous inodes. The class declares no permissions of
;; its own (empty list); every permission referenced in this file comes from
;; the common_file set attached by classcommon.
(class anon_inode ())
(classorder (unordered anon_inode))
(classcommon anon_inode common_file)
;; constrainobject classmap entries for anon_inode. Only these seven
;; permissions are mapped; presumably a constrain statement elsewhere
;; consumes constrainobject, so operations not listed here (unlink, rename,
;; link -- all of which manage_anon_inode grants) would sit outside that
;; constraint. NOTE(review): confirm this omission is intended.
(classmapping constrainobject append (anon_inode (append)))
(classmapping constrainobject create (anon_inode (create)))
(classmapping constrainobject getattr (anon_inode (getattr)))
(classmapping constrainobject read (anon_inode (read)))
(classmapping constrainobject relabelto (anon_inode (relabelto)))
(classmapping constrainobject setattr (anon_inode (setattr)))
(classmapping constrainobject write (anon_inode (write)))
;; Named permission sets. Each is declared as a classpermission here and
;; bound below with classpermissionset; the macros in this file grant access
;; only through these names, never through raw permission lists.
(classpermission append_anon_inode)
(classpermission create_anon_inode)
(classpermission delete_anon_inode)
(classpermission manage_anon_inode)
(classpermission mapexecute_anon_inode)
(classpermission mounton_anon_inode)
(classpermission read_anon_inode)
(classpermission readwrite_anon_inode)
(classpermission relabel_anon_inode)
(classpermission relabelfrom_anon_inode)
(classpermission relabelto_anon_inode)
(classpermission rename_anon_inode)
(classpermission write_anon_inode)
;; Data-access sets carry getattr/ioctl/lock/open alongside the operation
;; itself, so a grant is usable on an open file description.
(classpermissionset append_anon_inode
(anon_inode (append getattr ioctl lock open)))
(classpermissionset create_anon_inode (anon_inode (create getattr)))
(classpermissionset delete_anon_inode (anon_inode (getattr unlink)))
;; manage: create/read/write/append/delete/rename/link/setattr, but NOT
;; relabel*, map, execute or mounton -- those stay in their own sets.
(classpermissionset manage_anon_inode
(anon_inode (append create getattr ioctl link lock open read
rename setattr unlink write)))
;; execute + map is the only set that permits executable mappings of an
;; anon inode; grant it narrowly.
(classpermissionset mapexecute_anon_inode (anon_inode (execute map)))
(classpermissionset mounton_anon_inode (anon_inode (getattr mounton)))
(classpermissionset read_anon_inode (anon_inode (getattr ioctl lock open read)))
(classpermissionset readwrite_anon_inode
(anon_inode (append getattr ioctl lock open read write)))
;; relabel covers both directions; relabelfrom/relabelto split it so a
;; caller can be allowed only one side of a relabel.
(classpermissionset relabel_anon_inode
(anon_inode (getattr relabelfrom relabelto)))
(classpermissionset relabelfrom_anon_inode (anon_inode (getattr relabelfrom)))
(classpermissionset relabelto_anon_inode (anon_inode (getattr relabelto)))
(classpermissionset rename_anon_inode (anon_inode (getattr rename)))
(classpermissionset write_anon_inode
(anon_inode (append getattr ioctl lock open write)))
;; New anon_inode objects take the role of the creating (source) context.
(defaultrole anon_inode source)
;; append_invalid_anon_inodes(ARG1): ARG1 gets the append_anon_inode set on
;; the global .invalid type (declared outside this file).
(macro append_invalid_anon_inodes ((type ARG1))
(allow ARG1 .invalid append_anon_inode))
;; create_invalid_anon_inodes(ARG1): ARG1 gets the create_anon_inode set on
;; the global .invalid type (declared outside this file).
(macro create_invalid_anon_inodes ((type ARG1))
(allow ARG1 .invalid create_anon_inode))
;; delete_invalid_anon_inodes(ARG1): ARG1 gets the delete_anon_inode set on
;; the global .invalid type (declared outside this file).
(macro delete_invalid_anon_inodes ((type ARG1))
(allow ARG1 .invalid delete_anon_inode))
;; manage_invalid_anon_inodes(ARG1): ARG1 gets the full manage_anon_inode set
;; on the global .invalid type (declared outside this file).
(macro manage_invalid_anon_inodes ((type ARG1))
(allow ARG1 .invalid manage_anon_inode))
;; mapexecute_invalid_anon_inodes(ARG1): ARG1 may create executable mappings
;; (execute map) of anon inodes labeled with the global .invalid type.
(macro mapexecute_invalid_anon_inodes ((type ARG1))
(allow ARG1 .invalid mapexecute_anon_inode))
;; mounton_invalid_anon_inodes(ARG1): ARG1 gets the mounton_anon_inode set on
;; the global .invalid type (declared outside this file).
(macro mounton_invalid_anon_inodes ((type ARG1))
(allow ARG1 .invalid mounton_anon_inode))
;; read_invalid_anon_inodes(ARG1): ARG1 gets the read_anon_inode set on the
;; global .invalid type (declared outside this file).
(macro read_invalid_anon_inodes ((type ARG1))
(allow ARG1 .invalid read_anon_inode))
;; readwrite_invalid_anon_inodes(ARG1): ARG1 gets the readwrite_anon_inode
;; set on the global .invalid type (declared outside this file).
(macro readwrite_invalid_anon_inodes ((type ARG1))
(allow ARG1 .invalid readwrite_anon_inode))
;; relabel_invalid_anon_inodes(ARG1): ARG1 may relabel anon inodes both from
;; and to the global .invalid type (declared outside this file).
(macro relabel_invalid_anon_inodes ((type ARG1))
(allow ARG1 .invalid relabel_anon_inode))
;; relabelfrom_invalid_anon_inodes(ARG1): ARG1 may relabel anon inodes away
;; from the global .invalid type (declared outside this file).
(macro relabelfrom_invalid_anon_inodes ((type ARG1))
(allow ARG1 .invalid relabelfrom_anon_inode))
;; relabelto_invalid_anon_inodes(ARG1): ARG1 may relabel anon inodes to the
;; global .invalid type (declared outside this file).
(macro relabelto_invalid_anon_inodes ((type ARG1))
(allow ARG1 .invalid relabelto_anon_inode))
;; rename_invalid_anon_inodes(ARG1): ARG1 gets the rename_anon_inode set on
;; the global .invalid type (declared outside this file).
(macro rename_invalid_anon_inodes ((type ARG1))
(allow ARG1 .invalid rename_anon_inode))
;; write_invalid_anon_inodes(ARG1): ARG1 gets the write_anon_inode set on the
;; global .invalid type (declared outside this file).
(macro write_invalid_anon_inodes ((type ARG1))
(allow ARG1 .invalid write_anon_inode))
;; Namespace anon_inode. typeattr collects every type registered through the
;; type macro; the nested abstract blocks are templates other blocks inherit,
;; and unconfined holds the broad-access policy for unconfined subjects.
(block anon_inode
;; type(ARG1): register ARG1 as an anon_inode type by adding it to typeattr.
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
(blockinherit all_macro_template_anon_inodes)
;; Every anon_inode type is also a generic object type (.obj.type is
;; declared outside this file).
(call .obj.type (typeattr))
;; all_macro_template_anon_inodes: each *_all_anon_inodes macro grants the
;; matching permission set on every type in typeattr of the inheriting
;; block (here the whole anon_inode attribute; in except, the filtered one).
(block all_macro_template_anon_inodes
(blockabstract all_macro_template_anon_inodes)
(macro append_all_anon_inodes ((type ARG1))
(allow ARG1 typeattr append_anon_inode))
(macro create_all_anon_inodes ((type ARG1))
(allow ARG1 typeattr create_anon_inode))
(macro delete_all_anon_inodes ((type ARG1))
(allow ARG1 typeattr delete_anon_inode))
(macro manage_all_anon_inodes ((type ARG1))
(allow ARG1 typeattr manage_anon_inode))
;; execute + map on every anon_inode type; the widest grant in this file.
(macro mapexecute_all_anon_inodes ((type ARG1))
(allow ARG1 typeattr mapexecute_anon_inode))
(macro mounton_all_anon_inodes ((type ARG1))
(allow ARG1 typeattr mounton_anon_inode))
(macro read_all_anon_inodes ((type ARG1))
(allow ARG1 typeattr read_anon_inode))
(macro readwrite_all_anon_inodes ((type ARG1))
(allow ARG1 typeattr readwrite_anon_inode))
(macro relabel_all_anon_inodes ((type ARG1))
(allow ARG1 typeattr relabel_anon_inode))
(macro relabelfrom_all_anon_inodes ((type ARG1))
(allow ARG1 typeattr relabelfrom_anon_inode))
(macro relabelto_all_anon_inodes ((type ARG1))
(allow ARG1 typeattr relabelto_anon_inode))
(macro rename_all_anon_inodes ((type ARG1))
(allow ARG1 typeattr rename_anon_inode))
(macro write_all_anon_inodes ((type ARG1))
(allow ARG1 typeattr write_anon_inode)))
;; base_template: the inheriting block gets a type named anon_inode,
;; registered with .anon_inode.type so it lands in the global typeattr.
(block base_template
(blockabstract base_template)
(type anon_inode)
(call .anon_inode.type (anon_inode)))
;; except: typeattr is every anon_inode type minus the ones in exception.
;; Inherits the *_all_anon_inodes macros, so a caller can be granted access
;; to all anon inodes except the opted-out types.
(block except
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(blockinherit anon_inode.all_macro_template_anon_inodes)
(typeattribute typeattr)
(typeattributeset typeattr
(and anon_inode.typeattr (not (exception.typeattr)))))
;; exception: types opted out of the except set. They remain ordinary
;; anon_inode types (still registered through anon_inode.type).
(block exception
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
(call anon_inode.type (typeattr)))
;; macro_template_anon_inodes: per-instance macros that grant a permission
;; set on the anon_inode type the inheriting block declared via
;; base_template (the bare name anon_inode resolves inside that block).
(block macro_template_anon_inodes
(blockabstract macro_template_anon_inodes)
(macro append_anon_inode_anon_inodes ((type ARG1))
(allow ARG1 anon_inode append_anon_inode))
(macro create_anon_inode_anon_inodes ((type ARG1))
(allow ARG1 anon_inode create_anon_inode))
(macro delete_anon_inode_anon_inodes ((type ARG1))
(allow ARG1 anon_inode delete_anon_inode))
(macro manage_anon_inode_anon_inodes ((type ARG1))
(allow ARG1 anon_inode manage_anon_inode))
(macro mapexecute_anon_inode_anon_inodes ((type ARG1))
(allow ARG1 anon_inode mapexecute_anon_inode))
(macro mounton_anon_inode_anon_inodes ((type ARG1))
(allow ARG1 anon_inode mounton_anon_inode))
(macro read_anon_inode_anon_inodes ((type ARG1))
(allow ARG1 anon_inode read_anon_inode))
(macro readwrite_anon_inode_anon_inodes ((type ARG1))
(allow ARG1 anon_inode readwrite_anon_inode))
(macro relabel_anon_inode_anon_inodes ((type ARG1))
(allow ARG1 anon_inode relabel_anon_inode))
(macro relabelfrom_anon_inode_anon_inodes ((type ARG1))
(allow ARG1 anon_inode relabelfrom_anon_inode))
(macro relabelto_anon_inode_anon_inodes ((type ARG1))
(allow ARG1 anon_inode relabelto_anon_inode))
(macro rename_anon_inode_anon_inodes ((type ARG1))
(allow ARG1 anon_inode rename_anon_inode))
;; self_type_transition(ARG1, ARG2, ARG3): typetransition with source ARG1,
;; target ARG1, class anon_inode and object name ARG3, resulting in ARG2.
;; Callers still need a create grant for the transition to be usable.
(macro self_type_transition ((type ARG1)(type ARG2)(name ARG3))
(typetransition ARG1 ARG1 anon_inode ARG3 ARG2))
(macro write_anon_inode_anon_inodes ((type ARG1))
(allow ARG1 anon_inode write_anon_inode)))
;; template: the standard per-instance bundle -- a type from base_template
;; plus the per-instance macros from macro_template_anon_inodes.
(block template
(blockabstract template)
(blockinherit .anon_inode.base_template)
(blockinherit .anon_inode.macro_template_anon_inodes))
;; unconfined: types registered here get every anon_inode permission on
;; every anon_inode type except audit_access, execmod and mounton, which
;; are withheld even from unconfined types. Note that create is NOT
;; withheld here, unlike the invalid.unconfined and subj.unconfined grants
;; appended at the end of this file.
(block unconfined
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
(allow typeattr anon_inode.typeattr
(anon_inode (not (audit_access execmod mounton))))))
;; Extend invalid.unconfined (declared outside this file): its typeattr gets
;; all anon_inode permissions on .invalid except audit_access, create,
;; execmod and mounton. create is deliberately absent, so unconfined
;; subjects cannot produce new anon inodes labeled .invalid.
(in invalid.unconfined
(allow typeattr .invalid
(anon_inode (not (audit_access create execmod mounton)))))
;; Extend subj.unconfined (declared outside this file). Unconfined subjects
;; may create anon inodes whose target is their own type (self), and get
;; the same broad set as above on every subject type (subj.typeattr) --
;; again without create, so creation is confined to self.
(in subj.unconfined
(allow typeattr self (anon_inode (create)))
(allow typeattr subj.typeattr
(anon_inode (not (audit_access create execmod mounton)))))
;; Extend the global unconfined block: every unconfined type is also an
;; anon_inode.unconfined type and so receives that block's allow rule.
(in unconfined
(call .anon_inode.unconfined.type (typeattr)))