;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
(block cgroupfile
    ;; Attribute collecting every type registered through the `type` macro
    ;; below.  The generic object and cgroup-filesystem rules in this block
    ;; are granted to the attribute, so each concrete cgroupfile type picks
    ;; them up simply by being added to it.
    (typeattribute typeattr)
    (macro type ((type ARG1))
        (typeattributeset typeattr ARG1))

    ;; Generic dir/file access-macro templates provided by the .file block,
    ;; plus registration of the attribute with .obj and .cgroup.  All four
    ;; targets are declared outside this file; see those blocks for what
    ;; exactly they grant.
    (blockinherit .file.all_macro_template_dirs)
    (blockinherit .file.all_macro_template_files)
    (call .obj.type (typeattr))
    (call .cgroup.associate_fs (typeattr))

    ;; Abstract base: declares the `cgroupfile` type, gives it a context
    ;; built from the system identity/role and the `lowlevelrange` level
    ;; range, and enrols it in cgroupfile.typeattr.
    (block base_template
        (blockabstract base_template)
        (type cgroupfile)
        (context cgroupfile_context (.sys.id .sys.role cgroupfile lowlevelrange))
        (call .cgroupfile.type (cgroupfile)))

    ;; Directory-permission macros.  Each one grants the caller's type ARG1
    ;; a single named dir permission set (e.g. addname_dir) on the
    ;; `cgroupfile` type declared by base_template.  The permission-set
    ;; names themselves are defined elsewhere in the policy.
    (block macro_template_dirs
        (blockabstract macro_template_dirs)
        (macro addname_cgroupfile_dirs ((type ARG1))
            (allow ARG1 cgroupfile addname_dir))
        (macro create_cgroupfile_dirs ((type ARG1))
            (allow ARG1 cgroupfile create_dir))
        (macro delete_cgroupfile_dirs ((type ARG1))
            (allow ARG1 cgroupfile delete_dir))
        (macro deletename_cgroupfile_dirs ((type ARG1))
            (allow ARG1 cgroupfile deletename_dir))
        (macro list_cgroupfile_dirs ((type ARG1))
            (allow ARG1 cgroupfile list_dir))
        (macro listinherited_cgroupfile_dirs ((type ARG1))
            (allow ARG1 cgroupfile listinherited_dir))
        (macro manage_cgroupfile_dirs ((type ARG1))
            (allow ARG1 cgroupfile manage_dir))
        (macro mounton_cgroupfile_dirs ((type ARG1))
            (allow ARG1 cgroupfile mounton_dir))
        (macro readwrite_cgroupfile_dirs ((type ARG1))
            (allow ARG1 cgroupfile readwrite_dir))
        (macro readwriteinherited_cgroupfile_dirs ((type ARG1))
            (allow ARG1 cgroupfile readwriteinherited_dir))
        (macro rename_cgroupfile_dirs ((type ARG1))
            (allow ARG1 cgroupfile rename_dir))
        (macro search_cgroupfile_dirs ((type ARG1))
            (allow ARG1 cgroupfile search_dir))
        (macro write_cgroupfile_dirs ((type ARG1))
            (allow ARG1 cgroupfile write_dir))
        (macro writeinherited_cgroupfile_dirs ((type ARG1))
            (allow ARG1 cgroupfile writeinherited_dir)))

    ;; File-permission macros, same shape as the dir macros: one named file
    ;; permission set on `cgroupfile` per macro.  Note that execute and
    ;; mapexecute are offered here; callers should request them only for
    ;; domains that genuinely need to execute cgroup-backed files.
    (block macro_template_files
        (blockabstract macro_template_files)
        (macro append_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile append_file))
        (macro appendinherited_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile appendinherited_file))
        (macro create_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile create_file))
        (macro delete_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile delete_file))
        (macro execute_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile execute_file))
        (macro manage_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile manage_file))
        (macro mapexecute_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile mapexecute_file))
        (macro mounton_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile mounton_file))
        (macro read_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile read_file))
        (macro readinherited_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile readinherited_file))
        (macro readwrite_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile readwrite_file))
        (macro readwriteinherited_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile readwriteinherited_file))
        (macro rename_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile rename_file))
        (macro write_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile write_file))
        (macro writeinherited_cgroupfile_files ((type ARG1))
            (allow ARG1 cgroupfile writeinherited_file)))

    ;; Ready-to-use template: the base type plus the file macros.  The dir
    ;; macros are intentionally not pulled in here; a consumer that needs
    ;; them inherits .cgroupfile.macro_template_dirs separately.
    (block template
        (blockabstract template)
        (blockinherit .cgroupfile.base_template)
        (blockinherit .cgroupfile.macro_template_files))

    ;; Broad grant for unconfined domains.  Members of this block's own
    ;; typeattr receive every dir permission on cgroupfile types except
    ;; audit_access and execmod, and every file permission except
    ;; audit_access, entrypoint and execmod -- so even unconfined domains
    ;; cannot use a cgroup-backed file as a domain-transition entrypoint or
    ;; make a modified mapping of it executable.  `cgroupfile.typeattr`
    ;; is the enclosing block's attribute, not the one declared here.
    (block unconfined
        (typeattribute typeattr)
        (macro type ((type ARG1))
            (typeattributeset typeattr ARG1))
        (allow typeattr cgroupfile.typeattr
            (dir (not (audit_access execmod))))
        (allow typeattr cgroupfile.typeattr
            (file (not (audit_access entrypoint execmod))))))
;; Enrol every type in sys.unconfined's attribute into
;; cgroupfile.unconfined.typeattr, which carries the broad cgroupfile
;; dir/file grants declared in the cgroupfile block.
(in sys.unconfined
    (call .cgroupfile.unconfined.type (typeattr)))