path: root/src/net/nodenet.cil
blob: 03801a7df12935e795ed2eee19309216a6b86e09 (plain)
;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense

;; Initial SID "node": the fallback context for network nodes (addresses)
;; that no nodecon statement matches. It uses net.netnode, the generic node
;; type that the net block declares by inheriting netnode.template below.
(sidcontext node (sys.id sys.role net.netnode lowlevelrange))

;; Only recvfrom and sendto are declared for the node class, i.e. the two
;; permissions checked by peer-based network labeling; the legacy
;; per-protocol node permissions are deliberately absent.
;; NOTE(review): this assumes the network_peer_controls policy capability is
;; enabled elsewhere in the policy -- confirm.
(class node (recvfrom sendto))
;; node needs no fixed position in the kernel class order.
(classorder (unordered node))

;; Let ARG1 receive from nodes labeled with the global "invalid" type
;; (declared elsewhere; presumably the label for addresses that fail
;; validation -- confirm against its declaration).
(macro recvfrom_invalid_nodes ((type ARG1))
       (allow ARG1 invalid (node (recvfrom))))

;; Let ARG1 both receive from and send to nodes labeled "invalid".
;; This is the widest of the three invalid-node grants; prefer the
;; single-direction macros where one direction is enough.
(macro recvfromsendto_invalid_nodes ((type ARG1))
       (allow ARG1 invalid (node (recvfrom sendto))))

;; Let ARG1 send to nodes labeled "invalid" (no receive permission).
(macro sendto_invalid_nodes ((type ARG1))
       (allow ARG1 invalid (node (sendto))))

;; Build-time switch: if either tunable is enabled, the "invalid" type is
;; itself granted recvfrom/sendto toward every node type collected in
;; net.netnode.typeattr. There is no false branch, so with both tunables
;; off the only node access "invalid" gets from this file is the
;; invalid.unconfined rule below.
(tunableif (or invalid_associations invalid_peers)
	   (true

	    (call net.netnode.recvfromsendto_all_nodes (invalid))))

;; Members of invalid.unconfined's typeattr (declared in that block,
;; elsewhere) get every permission declared on the node class toward the
;; global "invalid" node type. "all" expands only to the permissions
;; declared on the class above, i.e. recvfrom and sendto.
(in invalid.unconfined

    (allow typeattr .invalid (node (all))))

;; MLS/MCS range checks on node traffic. Each constraint is satisfied
;; outright when the subject (t1) is not a member of constrained.typeattr,
;; so only explicitly constrained types are range-checked here.
(in mcs

    ;; sendto: the subject's high level (h1) must dominate the node's
    ;; high level (h2).
    (mlsconstrain (node (sendto))
		  (or (dom h1 h2)
		      (neq t1 constrained.typeattr)))

    ;; recvfrom: the subject's low level (l1) must dominate the node's
    ;; low level (l2).
    (mlsconstrain (node (recvfrom))
		  (or (dom l1 l2)
		      (neq t1 constrained.typeattr))))

;; Network node policy, placed in the net block.
(in net

    ;; Inheriting the template into net itself declares net.netnode (the
    ;; generic node type referenced by the node initial SID) and
    ;; net.netnode_context, and gives net the per-node macros.
    (blockinherit netnode.template)

    (block netnode

      ;; Register a type as a network node: adds it to netnode.typeattr,
      ;; which every *_all_nodes / nodebind_all_* macro grants against.
      (macro type ((type ARG1))
	     (typeattributeset typeattr ARG1))

      ;; Attribute collecting every node type in the policy.
      (typeattribute typeattr)

      ;; Make the "all nodes" macros available as net.netnode.*.
      (blockinherit all_macro_template)

      ;; Register the attribute with the global obj block (macro defined
      ;; elsewhere; presumably marks it as an object attribute -- confirm).
      (call .obj.type (typeattr))

      ;; Macros granting ARG1 access toward every node type (via typeattr).
      ;; node_bind on a socket class allows binding that socket to an
      ;; address carrying any node label.
      (block all_macro_template

	(blockabstract all_macro_template)

	(macro nodebind_all_dccp_sockets ((type ARG1))
	       (allow ARG1 typeattr (dccp_socket (node_bind))))

	(macro nodebind_all_icmp_sockets ((type ARG1))
	       (allow ARG1 typeattr (icmp_socket (node_bind))))

	(macro nodebind_all_rawip_sockets ((type ARG1))
	       (allow ARG1 typeattr (rawip_socket (node_bind))))

	(macro nodebind_all_sctp_sockets ((type ARG1))
	       (allow ARG1 typeattr (sctp_socket (node_bind))))

	(macro nodebind_all_tcp_sockets ((type ARG1))
	       (allow ARG1 typeattr (tcp_socket (node_bind))))

	(macro nodebind_all_udp_sockets ((type ARG1))
	       (allow ARG1 typeattr (udp_socket (node_bind))))

	(macro recvfrom_all_nodes ((type ARG1))
	       (allow ARG1 typeattr (node (recvfrom))))

	(macro recvfromsendto_all_nodes ((type ARG1))
	       (allow ARG1 typeattr (node (recvfrom sendto))))

	(macro sendto_all_nodes ((type ARG1))
	       (allow ARG1 typeattr (node (sendto)))))

      ;; Declarations every concrete node block needs: one node type plus
      ;; its context, with the type enrolled in net.netnode.typeattr.
      (block base_template

	(blockabstract base_template)

	(context netnode_context (.sys.id .sys.role netnode lowlevelrange))

	(type netnode)
	(call .net.netnode.type (netnode)))

      ;; Same macro set as all_macro_template, but each grant is scoped to
      ;; the inheriting block's own netnode type rather than the attribute.
      (block macro_template

	(blockabstract macro_template)

	(macro nodebind_netnode_dccp_sockets ((type ARG1))
	       (allow ARG1 netnode (dccp_socket (node_bind))))

	(macro nodebind_netnode_icmp_sockets ((type ARG1))
	       (allow ARG1 netnode (icmp_socket (node_bind))))

	(macro nodebind_netnode_rawip_sockets ((type ARG1))
	       (allow ARG1 netnode (rawip_socket (node_bind))))

	(macro nodebind_netnode_sctp_sockets ((type ARG1))
	       (allow ARG1 netnode (sctp_socket (node_bind))))

	(macro nodebind_netnode_tcp_sockets ((type ARG1))
	       (allow ARG1 netnode (tcp_socket (node_bind))))

	(macro nodebind_netnode_udp_sockets ((type ARG1))
	       (allow ARG1 netnode (udp_socket (node_bind))))

	(macro recvfrom_nodes ((type ARG1))
	       (allow ARG1 netnode (node (recvfrom))))

	(macro recvfromsendto_nodes ((type ARG1))
	       (allow ARG1 netnode (node (recvfrom sendto))))

	(macro sendto_nodes ((type ARG1))
	       (allow ARG1 netnode (node (sendto)))))

      ;; Convenience template: declarations plus the per-node macros.
      (block template

	(blockabstract template)

	(blockinherit .net.netnode.base_template)
	(blockinherit .net.netnode.macro_template))

      ;; Node-unconfined attribute: members may bind any socket class to any
      ;; node and get every declared node permission toward every node
      ;; ("all" expands to the recvfrom/sendto declared on the class).
      ;; Enrol via netnode.unconfined.type; the mcs constraints above still
      ;; apply to members that are in constrained.typeattr.
      (block unconfined

	(macro type ((type ARG1))
	       (typeattributeset typeattr ARG1))

	(typeattribute typeattr)

	(allow typeattr netnode.typeattr (dccp_socket (node_bind)))
	(allow typeattr netnode.typeattr (icmp_socket (node_bind)))
	(allow typeattr netnode.typeattr (node (all)))
	(allow typeattr netnode.typeattr (rawip_socket (node_bind)))
	(allow typeattr netnode.typeattr (sctp_socket (node_bind)))
	(allow typeattr netnode.typeattr (tcp_socket (node_bind)))
	(allow typeattr netnode.typeattr (udp_socket (node_bind))))))

;; Everything that is network-unconfined (net.unconfined.typeattr, declared
;; elsewhere) is also node-unconfined: enrol it in netnode.unconfined.typeattr.
(in net.unconfined

    (call .net.netnode.unconfined.type (typeattr)))