blob: a3e1b6fe559e7bbc1aa249f7a3b7149839e00163 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(block rbacsep
(constrain (fifo_file (append getattr read setattr write))
(or (or (or (or (eq r1 r2)
(and (eq r1 exempt.roleattr)
(neq t1 constrained.typeattr)))
(eq t1 exempt.subj.typeattr))
(eq t2 exempt.obj.typeattr))
(and (eq t1 exemptsource.typeattr)
(eq t2 exempttarget.typeattr))))
(constrain (constrainobject (append setattr write))
(or (or (or (eq r1 r2)
(and (eq r1 exempt.roleattr)
(neq t1 constrained.typeattr)))
(eq t1 exempt.subj.typeattr))
(eq t2 exempt.obj.typeattr)))
(constrain (constrainobject (getattr read))
(or (or (or (or (or (eq r1 r2)
(and (eq r1 exempt.roleattr)
(neq t1 constrained.typeattr)))
(eq t1 exempt.subj.typeattr))
(eq t2 exempt.obj.typeattr))
(and (eq r2 exempt.roleattr) (eq t2 typeattr)))
(and
(eq t1 readstatesource.typeattr)
(eq t2 readstatetarget.typeattr))))
(constrain
(process (getrlimit getsched ptrace setrlimit setsched sigchld sigkill
signal signull sigstop))
(or (or (or (eq r1 r2)
(and (eq r1 exempt.roleattr) (neq t1 constrained.typeattr)))
(eq t1 exempt.subj.typeattr))
(and (eq t1 exemptsource.typeattr) (eq t2 exempttarget.typeattr))))
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
(block constrained
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr))
(block exempt
(macro role ((role ARG1))
(roleattributeset roleattr ARG1))
(roleattribute roleattr)
(block obj
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr))
(block subj
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)))
(block exemptsource
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr))
(block exempttarget
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr))
(block readstatesource
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr))
(block readstatetarget
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)))
(in obj
(call .rbacsep.type (typeattr)))
(in subj.unconfined
(call .rbacsep.exempt.subj.type (typeattr)))
(in sys
(call .rbacsep.exempt.role (role)))
|
