;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense

;; Declare the `key` object class (the SELinux class used for kernel keyring
;; objects) together with its seven permissions.
(class key (create link read search setattr view write))
;; Register the class with the `unordered` keyword, i.e. without pinning it
;; to a fixed position relative to other classes in the class order.
(classorder (unordered key))

;; Constraint on `key create`, inserted into the `ibac` container
;; (presumably identity-based access control; the container is declared
;; elsewhere).
;;
;; Creation is permitted only when at least one of these holds:
;;   1. the SELinux user of the source (u1) equals that of the target (u2);
;;   2. the source type is in subjchangesys.typeattr AND the target user is
;;      the globally named .sys.id;
;;   3. the source type is in subjchange.typeattr;
;;   4. the source type is in exempt.typeattr.
;;
;; Constraints are evaluated in addition to allow rules, so a broad
;; `(key (all))` grant does not bypass this check. Membership of the three
;; type attributes therefore decides who may create keys under a different
;; user identity; those attributes are defined outside this file and should
;; be audited together with it.
(in ibac

    (constrain (key (create))
	       (or (or (or (eq u1 u2)
			   (and (eq t1 subjchangesys.typeattr) (eq u2 .sys.id)))
		       (eq t1 subjchange.typeattr))
		   (eq t1 exempt.typeattr))))

;; Inside the `invalid.unconfined` container: grant the type attribute
;; `typeattr` (as resolved from within that container) every permission of
;; the `key` class on keys labelled with the globally named type `.invalid`.
;; NOTE(review): `.invalid` is presumably the label given to objects whose
;; context is not valid; confirm against its declaration.
;; This is an allow rule only; the `key` constraints declared in this file
;; are still evaluated on top of it.
(in invalid.unconfined

    (allow typeattr .invalid (key (all))))

;; MLS/MCS constraint on `key`, inserted into the `mcs` container.
;;
;; create, read, setattr, view and write are permitted only when:
;;   - the source's high level (h1) dominates the target's high level (h2), or
;;   - the source type is NOT a member of constrained.typeattr.
;;
;; Only members of constrained.typeattr are actually subject to the
;; dominance check; every other source type passes unconditionally.
;; `link` and `search` are not listed, so this rule places no level
;; restriction on them.
(in mcs

    (mlsconstrain (key (create read setattr view write))
		  (or (dom h1 h2)
		      (neq t1 constrained.typeattr))))

;; Constraint on `key create`, inserted into the `rbac` container
;; (presumably role-based access control; the container is declared
;; elsewhere). It has the same shape as the user-identity constraint on
;; `key create` in `ibac`, but compares roles instead.
;;
;; Creation is permitted only when at least one of these holds:
;;   1. the source role (r1) equals the target role (r2);
;;   2. the source type is in subjchangesys.typeattr AND the target role is
;;      the globally named .sys.role;
;;   3. the source type is in subjchange.typeattr;
;;   4. the source type is in exempt.typeattr.
;;
;; The attribute names are resolved from within `rbac`, so they are not
;; necessarily the same attributes as the identically named ones used in
;; other containers.
(in rbac

    (constrain (key (create))
	       (or (or (or (eq r1 r2)
			   (and (eq t1 subjchangesys.typeattr)
				(eq r2 .sys.role)))
		       (eq t1 subjchange.typeattr))
		   (eq t1 exempt.typeattr))))

;; Constraint on using existing keys, inserted into the `rbacsep` container
;; (presumably role-based separation; the container is declared elsewhere).
;;
;; read, setattr, view and write are permitted only when at least one of
;; these holds:
;;   1. the source role (r1) equals the target role (r2);
;;   2. the source role is in exempt.roleattr AND the source type is NOT in
;;      constrained.typeattr;
;;   3. the source type is in exempt.subj.typeattr;
;;   4. the source type is in exemptsource.typeattr AND the target type is
;;      in exempttarget.typeattr.
;;
;; `create` is not covered here, and `link` and `search` are not
;; role-separated by this rule. Each exemption attribute widens cross-role
;; key access, so their membership (defined outside this file) is the part
;; to review.
(in rbacsep

    (constrain (key (read setattr view write))
	       (or (or (or (eq r1 r2)
			   (and (eq r1 exempt.roleattr)
				(neq t1 constrained.typeattr)))
		       (eq t1 exempt.subj.typeattr))
		   (and (eq t1 exemptsource.typeattr)
			(eq t2 exempttarget.typeattr)))))

;; Inside the `subj.unconfined` container: grant the type attribute
;; `typeattr` (as resolved from within that container) every permission of
;; the `key` class on keys labelled with any type in subj.typeattr.
;; NOTE(review): subj.typeattr presumably groups all subject (process)
;; types; confirm against its declaration.
;; This is an allow rule only; the `key` constraints declared in this file
;; are still evaluated on top of it, so this grant alone does not permit
;; cross-user, cross-role or cross-level key access.
(in subj.unconfined

    (allow typeattr subj.typeattr (key (all))))