blob: 668afb12e5575580b4328fb223fb556d1f796526 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
|
;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(class association (polmatch recvfrom sendto setcontext))
(classorder (unordered association))
(macro polmatch_invalid_associations ((type ARG1))
(allow ARG1 invalid (association (polmatch))))
(macro polmatchsetcontext_invalid_associations ((type ARG1))
(allow ARG1 invalid (association (polmatch setcontext))))
(macro recvfrom_invalid_associations ((type ARG1))
(allow ARG1 invalid (association (recvfrom))))
(macro recvfromsendto_invalid_associations ((type ARG1))
(allow ARG1 invalid (association (recvfrom sendto))))
(macro sendto_invalid_associations ((type ARG1))
(allow ARG1 invalid (association (sendto))))
(macro setcontext_invalid_associations ((type ARG1))
(allow ARG1 invalid (association (setcontext))))
(tunableif invalid_associations
(true
(call association_invalid_sctp_sockets
(invalidassociations.except.typeattr))
(call recvfromsendto_invalid_associations
(invalidassociations.except.typeattr))))
(in invalid.unconfined
(allow typeattr .invalid (association (not (setcontext)))))
(in mcs
(mlsconstrain (association (sendto recvfrom))
(or (dom h1 h2)
(and
(neq t1 constrained.typeattr)
(neq t2 constrained.typeattr)))))
(in net
(blockinherit spd.template)
(block spd
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
(blockinherit all_macro_template)
(call .obj.type (typeattr))
(block all_macro_template
(blockabstract all_macro_template)
(macro polmatch_all_associations ((type ARG1))
(allow ARG1 typeattr (association (polmatch))))
(macro polmatchsetcontext_all_associations ((type ARG1))
(allow ARG1 typeattr (association (polmatch setcontext))))
(macro setcontext_all_associations ((type ARG1))
(allow ARG1 typeattr (association (setcontext)))))
(block base_template
(blockabstract base_template)
(context spd_context (.sys.id .sys.role spd .sys.lowlow))
(type spd)
(call .net.spd.type (spd)))
(block macro_template
(blockabstract macro_template)
(macro polmatch_spd_associations ((type ARG1))
(allow ARG1 spd (association (polmatch))))
(macro polmatchsetcontext_spd_associations ((type ARG1))
(allow ARG1 spd (association (polmatch setcontext))))
(macro setcontext_spd_associations ((type ARG1))
(allow ARG1 spd (association (setcontext)))))
(block template
(blockabstract template)
(blockinherit .net.spd.base_template)
(blockinherit .net.spd.macro_template))
(block unconfined
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
(allow typeattr spd.typeattr (association (polmatch setcontext))))))
(in net.unconfined
(call .net.spd.unconfined.type (typeattr)))
(in subj
(macro recvfrom_all_associations ((type ARG1))
(allow ARG1 typeattr (association (recvfrom))))
(macro recvfromsendto_all_associations ((type ARG1))
(allow ARG1 typeattr (association (recvfrom sendto))))
(macro sendto_all_associations ((type ARG1))
(allow ARG1 typeattr (association (sendto)))))
(in subj.macro_template
(macro recvfrom_subj_associations ((type ARG1))
(allow ARG1 subj (association (recvfrom))))
(macro recvfromsendto_subj_associations ((type ARG1))
(allow ARG1 subj (association (recvfrom sendto))))
(macro sendto_subj_associations ((type ARG1))
(allow ARG1 subj (association (sendto)))))
(in subj.unconfined
(allow typeattr .subj.typeattr (association (recvfrom sendto))))
|
