;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
;; Namespace for the procfs file type ("procfile") and its access macros.
;; What is visible here: the attribute "typeattr" collects every type that is
;; registered through the `type` macro; nested blocks supply an abstract base
;; template, an "except"/"exception" pair for carving types out of the
;; attribute, per-object-class macro templates, and an "unconfined" attribute.
(block procfile
;; type(ARG1): register ARG1 as a procfile type by adding it to typeattr.
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
;; Generic file macro templates for dirs, files and symlinks, inherited from
;; the global "file" block. Their contents are not on this page.
(blockinherit .file.all_macro_template_dirs)
(blockinherit .file.all_macro_template_files)
(blockinherit .file.all_macro_template_lnk_files)
;; Registers typeattr with the global obj block's type macro (defined
;; elsewhere; presumably marks all procfile types as object types — confirm).
(call .obj.type (typeattr))
;; Abstract base template: a block that inherits it gets its own "procfile"
;; type, a security context for that type, and registration of the type in
;; .procfile.typeattr.
(block base_template
(blockabstract base_template)
;; .sys.id, .sys.role and lowlevelrange are resolved outside this block
;; (global sys block and, presumably, a levelrange declared elsewhere).
(context procfile_context (.sys.id .sys.role procfile lowlevelrange))
(type procfile)
(call .procfile.type (procfile)))
;; "except": every procfile type that is NOT an "exception" type, i.e.
;; except.typeattr = procfile.typeattr AND NOT exception.typeattr.
(block except
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
;; NOTE(review): these three use the relative spelling "file...", unlike the
;; absolute ".file..." form used in the parent block above. It appears to rely
;; on CIL's parent-namespace lookup to reach the global block; it resolves the
;; same way only as long as no nested "file" block shadows it — confirm.
(blockinherit file.all_macro_template_dirs)
(blockinherit file.all_macro_template_files)
(blockinherit file.all_macro_template_lnk_files)
(typeattribute typeattr)
(typeattributeset typeattr
(and procfile.typeattr (not (exception.typeattr)))))
;; "exception": procfile types to be filtered out of "except". The call below
;; also adds them to procfile.typeattr, so they remain procfile types while
;; being excluded from except.typeattr.
(block exception
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
(call procfile.type (typeattr)))
;; Abstract macros that grant ARG1 one permission set on "procfile"
;; directories. Each macro maps 1:1 onto a "*_dir" class permission set that
;; is declared elsewhere (not on this page). "procfile" is resolved in the
;; inheriting block, presumably to the type declared by base_template.
(block macro_template_dirs
(blockabstract macro_template_dirs)
(macro addname_procfile_dirs ((type ARG1))
(allow ARG1 procfile addname_dir))
(macro create_procfile_dirs ((type ARG1))
(allow ARG1 procfile create_dir))
(macro delete_procfile_dirs ((type ARG1))
(allow ARG1 procfile delete_dir))
(macro deletename_procfile_dirs ((type ARG1))
(allow ARG1 procfile deletename_dir))
(macro list_procfile_dirs ((type ARG1))
(allow ARG1 procfile list_dir))
(macro listinherited_procfile_dirs ((type ARG1))
(allow ARG1 procfile listinherited_dir))
;; manage_* bundles the broadest directory permission set of this template.
(macro manage_procfile_dirs ((type ARG1))
(allow ARG1 procfile manage_dir))
(macro mounton_procfile_dirs ((type ARG1))
(allow ARG1 procfile mounton_dir))
(macro readwrite_procfile_dirs ((type ARG1))
(allow ARG1 procfile readwrite_dir))
(macro readwriteinherited_procfile_dirs ((type ARG1))
(allow ARG1 procfile readwriteinherited_dir))
(macro rename_procfile_dirs ((type ARG1))
(allow ARG1 procfile rename_dir))
(macro search_procfile_dirs ((type ARG1))
(allow ARG1 procfile search_dir))
(macro write_procfile_dirs ((type ARG1))
(allow ARG1 procfile write_dir))
(macro writeinherited_procfile_dirs ((type ARG1))
(allow ARG1 procfile writeinherited_dir)))
;; Abstract macros that grant ARG1 one permission set on "procfile" regular
;; files; same conventions as macro_template_dirs, using "*_file" sets.
(block macro_template_files
(blockabstract macro_template_files)
(macro append_procfile_files ((type ARG1))
(allow ARG1 procfile append_file))
(macro appendinherited_procfile_files ((type ARG1))
(allow ARG1 procfile appendinherited_file))
(macro create_procfile_files ((type ARG1))
(allow ARG1 procfile create_file))
(macro delete_procfile_files ((type ARG1))
(allow ARG1 procfile delete_file))
;; execute_* / mapexecute_* grant execution of procfile-labeled files; callers
;; should expect these to be used sparingly, since procfs content is
;; kernel-generated.
(macro execute_procfile_files ((type ARG1))
(allow ARG1 procfile execute_file))
(macro manage_procfile_files ((type ARG1))
(allow ARG1 procfile manage_file))
(macro mapexecute_procfile_files ((type ARG1))
(allow ARG1 procfile mapexecute_file))
(macro mounton_procfile_files ((type ARG1))
(allow ARG1 procfile mounton_file))
(macro read_procfile_files ((type ARG1))
(allow ARG1 procfile read_file))
(macro readinherited_procfile_files ((type ARG1))
(allow ARG1 procfile readinherited_file))
(macro readwrite_procfile_files ((type ARG1))
(allow ARG1 procfile readwrite_file))
(macro readwriteinherited_procfile_files ((type ARG1))
(allow ARG1 procfile readwriteinherited_file))
(macro rename_procfile_files ((type ARG1))
(allow ARG1 procfile rename_file))
(macro write_procfile_files ((type ARG1))
(allow ARG1 procfile write_file))
(macro writeinherited_procfile_files ((type ARG1))
(allow ARG1 procfile writeinherited_file)))
;; Abstract macros that grant ARG1 one permission set on "procfile" symlinks;
;; same conventions as above, using "*_lnk_file" sets.
(block macro_template_lnk_files
(blockabstract macro_template_lnk_files)
(macro create_procfile_lnk_files ((type ARG1))
(allow ARG1 procfile create_lnk_file))
(macro delete_procfile_lnk_files ((type ARG1))
(allow ARG1 procfile delete_lnk_file))
(macro manage_procfile_lnk_files ((type ARG1))
(allow ARG1 procfile manage_lnk_file))
(macro read_procfile_lnk_files ((type ARG1))
(allow ARG1 procfile read_lnk_file))
(macro readwrite_procfile_lnk_files ((type ARG1))
(allow ARG1 procfile readwrite_lnk_file))
(macro rename_procfile_lnk_files ((type ARG1))
(allow ARG1 procfile rename_lnk_file))
(macro write_procfile_lnk_files ((type ARG1))
(allow ARG1 procfile write_lnk_file)))
;; Default template for a procfile type: the base template plus the regular
;; file macros only. macro_template_dirs and macro_template_lnk_files are
;; deliberately not inherited here.
(block template
(blockabstract template)
(blockinherit .procfile.base_template)
(blockinherit .procfile.macro_template_files))
;; "unconfined": members of this attribute get near-total access to every
;; procfile type. The withheld permissions are listed explicitly per class:
;;   dir      : audit_access execmod relabelfrom relabelto
;;   file     : the same plus entrypoint (no procfile file is made a domain
;;              entrypoint by these rules)
;;   lnk_file : audit_access execmod map mounton relabelfrom relabelto
;; Relabeling is withheld in all three classes, so these rules never let an
;; unconfined member change a procfile label; everything else in the class,
;; including execute and map on files, is granted.
(block unconfined
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
(allow typeattr procfile.typeattr
(dir (not (audit_access execmod relabelfrom relabelto))))
(allow typeattr procfile.typeattr
(file (not (audit_access entrypoint execmod relabelfrom relabelto))))
(allow typeattr procfile.typeattr
(lnk_file (not (audit_access execmod map mounton relabelfrom
relabelto))))))
;; Glue into the sys.unconfined block (declared elsewhere, not on this page):
;; its typeattr is registered with procfile.unconfined.type, so every member
;; of sys.unconfined's attribute also receives the unconfined procfile rules.
(in sys.unconfined
(call .procfile.unconfined.type (typeattr)))