;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
;; stordev: namespace for storage-device (block/character device node) types.
;; Every storage-device type is collected in stordev.typeattr via the `type`
;; macro; the sibling blocks read/write/readwrite/unconfined collect the
;; subject types that are permitted to touch those devices and assert, with
;; neverallow, that nothing outside those attributes ever can.
(block stordev
;; Allow ARG1 to mount on any storage-device character node.
(macro mounton_all_chr_files ((type ARG1))
(allow ARG1 typeattr mounton_chr_file))
;; Register ARG1 as a storage-device type (adds it to stordev.typeattr).
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
;; Inherit the generic per-attribute blk/chr file macro templates from .file
;; (their contents are defined there, not here).
(blockinherit .file.all_macro_template_blk_files)
(blockinherit .file.all_macro_template_chr_files)
;; Hand the whole attribute to .dev.exception; what that block does with it
;; is not visible in this file.
(call .dev.exception.type (typeattr))
;; Abstract base: a concrete stordev type plus its file context label.
(block base_template
(blockabstract base_template)
;; NOTE(review): the context uses the shared system identity/role and the
;; lowest MLS range (.sys.lowlow) — confirm this is the intended labelling
;; for every inheriting device type.
(context stordev_context (.sys.id .sys.role stordev .sys.lowlow))
(type stordev)
(call .stordev.type (stordev)))
;; Abstract block of per-permission macros for the block-device node of an
;; inheriting type. Each macro grants one named permission set to ARG1; the
;; permission-set names (append_blk_file, manage_blk_file, ...) are resolved
;; outside this file, presumably from .file — verify there when changing them.
(block macro_template_blk_files
(blockabstract macro_template_blk_files)
(macro append_stordev_blk_files ((type ARG1))
(allow ARG1 stordev append_blk_file))
(macro appendinherited_stordev_blk_files ((type ARG1))
(allow ARG1 stordev appendinherited_blk_file))
(macro create_stordev_blk_files ((type ARG1))
(allow ARG1 stordev create_blk_file))
(macro delete_stordev_blk_files ((type ARG1))
(allow ARG1 stordev delete_blk_file))
(macro manage_stordev_blk_files ((type ARG1))
(allow ARG1 stordev manage_blk_file))
(macro read_stordev_blk_files ((type ARG1))
(allow ARG1 stordev read_blk_file))
(macro readinherited_stordev_blk_files ((type ARG1))
(allow ARG1 stordev readinherited_blk_file))
(macro readwrite_stordev_blk_files ((type ARG1))
(allow ARG1 stordev readwrite_blk_file))
(macro readwriteinherited_stordev_blk_files ((type ARG1))
(allow ARG1 stordev readwriteinherited_blk_file))
(macro relabel_stordev_blk_files ((type ARG1))
(allow ARG1 stordev relabel_blk_file))
(macro relabelfrom_stordev_blk_files ((type ARG1))
(allow ARG1 stordev relabelfrom_blk_file))
(macro relabelto_stordev_blk_files ((type ARG1))
(allow ARG1 stordev relabelto_blk_file))
(macro rename_stordev_blk_files ((type ARG1))
(allow ARG1 stordev rename_blk_file))
(macro write_stordev_blk_files ((type ARG1))
(allow ARG1 stordev write_blk_file))
(macro writeinherited_stordev_blk_files ((type ARG1))
(allow ARG1 stordev writeinherited_blk_file)))
;; Same as macro_template_blk_files, for the character-device node. Note the
;; extra mapexecute_* macro: chr nodes may be mapped executable, blk nodes
;; have no such macro here.
(block macro_template_chr_files
(blockabstract macro_template_chr_files)
(macro append_stordev_chr_files ((type ARG1))
(allow ARG1 stordev append_chr_file))
(macro appendinherited_stordev_chr_files ((type ARG1))
(allow ARG1 stordev appendinherited_chr_file))
(macro create_stordev_chr_files ((type ARG1))
(allow ARG1 stordev create_chr_file))
(macro delete_stordev_chr_files ((type ARG1))
(allow ARG1 stordev delete_chr_file))
(macro manage_stordev_chr_files ((type ARG1))
(allow ARG1 stordev manage_chr_file))
(macro mapexecute_stordev_chr_files ((type ARG1))
(allow ARG1 stordev mapexecute_chr_file))
(macro read_stordev_chr_files ((type ARG1))
(allow ARG1 stordev read_chr_file))
(macro readinherited_stordev_chr_files ((type ARG1))
(allow ARG1 stordev readinherited_chr_file))
(macro readwrite_stordev_chr_files ((type ARG1))
(allow ARG1 stordev readwrite_chr_file))
(macro readwriteinherited_stordev_chr_files ((type ARG1))
(allow ARG1 stordev readwriteinherited_chr_file))
(macro relabel_stordev_chr_files ((type ARG1))
(allow ARG1 stordev relabel_chr_file))
(macro relabelfrom_stordev_chr_files ((type ARG1))
(allow ARG1 stordev relabelfrom_chr_file))
(macro relabelto_stordev_chr_files ((type ARG1))
(allow ARG1 stordev relabelto_chr_file))
(macro rename_stordev_chr_files ((type ARG1))
(allow ARG1 stordev rename_chr_file))
(macro write_stordev_chr_files ((type ARG1))
(allow ARG1 stordev write_chr_file))
(macro writeinherited_stordev_chr_files ((type ARG1))
(allow ARG1 stordev writeinherited_chr_file)))
;; Abstract convenience template: base type + both macro templates. This is
;; the block a concrete storage device is expected to inherit.
(block template
(blockabstract template)
(blockinherit .stordev.base_template)
(blockinherit .stordev.macro_template_blk_files)
(blockinherit .stordev.macro_template_chr_files))
;; read: attribute of subjects allowed to read storage devices.
;; The neverallow pair is a compile-time assertion: any type NOT in
;; read.typeattr that is granted `read` on a stordev blk_file or chr_file
;; anywhere in the policy makes the build fail. Domains that need read
;; access must therefore call stordev.read.type (directly or via readwrite
;; / unconfined) in addition to the allow rule.
(block read
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute not_typeattr)
(typeattribute typeattr)
(typeattributeset not_typeattr (not typeattr))
(neverallow not_typeattr stordev.typeattr (blk_file (read)))
(neverallow not_typeattr stordev.typeattr (chr_file (read))))
;; readwrite: membership is just membership in both read and write
;; (read.type / write.type resolve to the sibling blocks inside stordev).
(block readwrite
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
(call read.type (typeattr))
(call write.type (typeattr)))
;; unconfined: subjects granted every storage-device permission except
;; audit_access and execmod on both node classes, and additionally `map` on
;; blk_file. Members are also added to readwrite so the read/write
;; neverallows above are not tripped by these allow rules.
;; NOTE(review): execmod is kept out even here, presumably to deny W+X
;; private mappings of device memory to unconfined domains — confirm that
;; is the intent before widening this.
(block unconfined
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
(allow typeattr stordev.typeattr
(blk_file (not (audit_access execmod map))))
(allow typeattr stordev.typeattr (chr_file (not (audit_access execmod))))
(call readwrite.type (typeattr)))
;; write: attribute of subjects allowed to append/write storage devices.
;; Same neverallow pattern as `read`: a type outside write.typeattr can
;; never be granted append or write on a stordev blk_file or chr_file.
(block write
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute not_typeattr)
(typeattribute typeattr)
(typeattributeset not_typeattr (not typeattr))
(neverallow not_typeattr stordev.typeattr (blk_file (append write)))
(neverallow not_typeattr stordev.typeattr (chr_file (append write)))))
;; Splice into .dev.unconfined: whatever is dev-unconfined is also stordev-unconfined
;; (typeattr here is dev.unconfined's own attribute, since `in` evaluates inside it).
(in dev.unconfined (call .stordev.unconfined.type (typeattr)))