path: root/src/net/netifnet.cil
blob: 03849df143a995d9a58d0787a12a46a73517ce72 (plain)
;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense

;; Context for the `netif` initial SID: user sys.id, role sys.role, type
;; net.netif, level range sys.lowlow. The kernel falls back to this initial SID
;; for interfaces that have no netifcon entry, so rules written against
;; net.netif cover every interface that is not labelled explicitly.
;; NOTE(review): the `netif` sid itself is declared outside this file.
(sidcontext netif (sys.id sys.role net.netif sys.lowlow))

;; The netif object class with its two permissions: egress (traffic leaving
;; through an interface) and ingress (traffic arriving through one).
(class netif (egress ingress))
;; Declared unordered, so this file fixes no position relative to other classes.
(classorder (unordered netif))

;; Lets ARG1 send (egress) through interfaces labelled with the `invalid` type.
;; NOTE(review): `invalid` is declared outside this file; presumably it is the
;; type that contexts which no longer validate end up with -- confirm there.
(macro egress_invalid_netifs ((type ARG1))
       (allow ARG1 invalid (netif (egress))))

;; Lets ARG1 both send and receive (egress, ingress) through interfaces labelled
;; with the `invalid` type.
;; NOTE(review): `invalid` is declared outside this file; confirm what it labels
;; before handing this macro to a confined type.
(macro egressingress_invalid_netifs ((type ARG1))
       (allow ARG1 invalid (netif (egress ingress))))

;; Lets ARG1 receive (ingress) through interfaces labelled with the `invalid`
;; type.
;; NOTE(review): `invalid` is declared outside this file; confirm what it labels.
(macro ingress_invalid_netifs ((type ARG1))
       (allow ARG1 invalid (netif (ingress))))

;; When either tunable is true, the `invalid` type is allowed egress and ingress
;; on every type in net.netif.typeattr, i.e. on all netif types.
;; tunableif is resolved when the policy is compiled; unless tunables are
;; preserved as booleans, this grant cannot be switched off at runtime.
;; NOTE(review): invalid_associations and invalid_peers are declared elsewhere;
;; confirm their defaults, since a true default opens all interfaces to `invalid`.
(tunableif (or invalid_associations invalid_peers)
	   (true

	    (call net.netif.egressingress_all_netifs (invalid))))

;; Added to the invalid.unconfined block: every type in that block's typeattr
;; gets all netif permissions on the root-level `invalid` type. `all` expands to
;; every permission of the class, so a permission added to netif later is
;; granted here without any further change.
(in invalid.unconfined

    (allow typeattr .invalid (netif (all))))

;; MCS constraint on both netif permissions. A check passes when the source's
;; high level dominates the target's high level (dom h1 h2), or when the source
;; type is not in constrained.typeattr. Only types placed in that attribute are
;; therefore held to the dominance test; every other source type is exempt.
;; NOTE(review): constrained.typeattr is declared outside this file; its
;; membership decides how much this constraint actually restricts.
(in mcs

    (mlsconstrain (netif (egress ingress))
		  (or (dom h1 h2)
		      (neq t1 constrained.typeattr))))

;; Everything network-interface related that lives in the `net` namespace.
(in net

    ;; Instantiate the template directly in `net`: this declares the type
    ;; net.netif (the one used by the netif initial SID context), the context
    ;; netif_context, and the egress_netifs / egressingress_netifs /
    ;; ingress_netifs macros for it.
    (blockinherit netif.template)

    (block netif

      ;; Registers ARG1 as a netif type by adding it to typeattr.
      (macro type ((type ARG1))
	     (typeattributeset typeattr ARG1))

      ;; Attribute holding every netif type; the *_all_netifs macros and the
      ;; unconfined rule below target it.
      (typeattribute typeattr)

      ;; Pull the *_all_netifs macros into net.netif itself.
      (blockinherit all_macro_template)

      ;; NOTE(review): .obj.type is defined elsewhere; presumably it marks
      ;; typeattr as an object-type attribute -- confirm.
      (call .obj.type (typeattr))

      ;; Macros that grant access to ALL netif types at once. Prefer the
      ;; per-type macros from macro_template when one interface type is enough.
      (block all_macro_template

	;; Abstract: only takes effect where it is blockinherit'ed.
	(blockabstract all_macro_template)

	;; ARG1 may send through any netif type.
	(macro egress_all_netifs ((type ARG1))
	       (allow ARG1 typeattr (netif (egress))))

	;; ARG1 may send and receive through any netif type.
	(macro egressingress_all_netifs ((type ARG1))
	       (allow ARG1 typeattr (netif (egress ingress))))

	;; ARG1 may receive through any netif type.
	(macro ingress_all_netifs ((type ARG1))
	       (allow ARG1 typeattr (netif (ingress)))))

      ;; Declarations for one netif type, created in whichever block inherits it.
      (block base_template

	(blockabstract base_template)

	;; Context built from the inheriting block's own `netif` type; no
	;; netifcon in this file uses it, so binding it to an interface
	;; happens elsewhere.
	(context netif_context (.sys.id .sys.role netif .sys.lowlow))

	;; The type itself, registered in net.netif.typeattr so the
	;; *_all_netifs macros and the unconfined rule cover it.
	(type netif)
	(call .net.netif.type (netif)))

      ;; Macros scoped to the single `netif` type of the inheriting block.
      (block macro_template

	(blockabstract macro_template)

	;; ARG1 may send through this netif type.
	(macro egress_netifs ((type ARG1))
	       (allow ARG1 netif (netif (egress))))

	;; ARG1 may send and receive through this netif type.
	(macro egressingress_netifs ((type ARG1))
	       (allow ARG1 netif (netif (egress ingress))))

	;; ARG1 may receive through this netif type.
	(macro ingress_netifs ((type ARG1))
	       (allow ARG1 netif (netif (ingress)))))

      ;; Convenience block: type declarations plus the per-type macros.
      (block template

	(blockabstract template)

	(blockinherit .net.netif.base_template)
	(blockinherit .net.netif.macro_template))

      ;; Types exempt from netif restrictions in type enforcement.
      (block unconfined

	;; Adds ARG1 to the unconfined attribute below.
	(macro type ((type ARG1))
	       (typeattributeset typeattr ARG1))

	(typeattribute typeattr)

	;; Members get every netif permission on every netif type; `all`
	;; also covers permissions added to the class later. The mlsconstrain
	;; in the mcs block is a separate check that this rule does not lift.
	(allow typeattr netif.typeattr (netif (all))))))

;; Adds the net.unconfined block's typeattr to net.netif.unconfined.typeattr,
;; whose members are allowed all netif permissions on every netif type.
;; NOTE(review): net.unconfined and its typeattr are declared outside this file;
;; anything that joins that attribute inherits this access.
(in net.unconfined

    (call .net.netif.unconfined.type (typeattr)))