src/sys/securityfile.cil


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182

;; SPDX-FileCopyrightText: M-BM-) 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense

(block securityfile

    (macro type ((type ARG1))
	(typeattributeset typeattr ARG1))

    (typeattribute typeattr)

    (blockinherit .file.all_macro_template_dirs)
    (blockinherit .file.all_macro_template_files)
    (blockinherit .file.all_macro_template_lnk_files)

    (call .obj.type (typeattr))

    (call .security.associate_fs (typeattr))

    (block base_template

	(blockabstract base_template)

	(context securityfile_context
	    (.sys.id .sys.role securityfile .sys.lowlow))

	(type securityfile)
	(call .securityfile.type (securityfile)))

    (block macro_template_dirs

	(blockabstract macro_template_dirs)

	(macro addname_securityfile_dirs ((type ARG1))
	    (allow ARG1 securityfile addname_dir))

	(macro create_securityfile_dirs ((type ARG1))
	    (allow ARG1 securityfile create_dir))

	(macro delete_securityfile_dirs ((type ARG1))
	    (allow ARG1 securityfile delete_dir))

	(macro deletename_securityfile_dirs ((type ARG1))
	    (allow ARG1 securityfile deletename_dir))

	(macro list_securityfile_dirs ((type ARG1))
	    (allow ARG1 securityfile list_dir))

	(macro listinherited_securityfile_dirs ((type ARG1))
	    (allow ARG1 securityfile listinherited_dir))

	(macro manage_securityfile_dirs ((type ARG1))
	    (allow ARG1 securityfile manage_dir))

	(macro mounton_securityfile_dirs ((type ARG1))
	    (allow ARG1 securityfile mounton_dir))

	(macro readwrite_securityfile_dirs ((type ARG1))
	    (allow ARG1 securityfile readwrite_dir))

	(macro readwriteinherited_securityfile_dirs ((type ARG1))
	    (allow ARG1 securityfile readwriteinherited_dir))

	(macro rename_securityfile_dirs ((type ARG1))
	    (allow ARG1 securityfile rename_dir))

	(macro search_securityfile_dirs ((type ARG1))
	    (allow ARG1 securityfile search_dir))

	(macro write_securityfile_dirs ((type ARG1))
	    (allow ARG1 securityfile write_dir))

	(macro writeinherited_securityfile_dirs ((type ARG1))
	    (allow ARG1 securityfile writeinherited_dir)))

    (block macro_template_files

	(blockabstract macro_template_files)

	(macro append_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile append_file))

	(macro appendinherited_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile appendinherited_file))

	(macro create_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile create_file))

	(macro delete_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile delete_file))

	(macro execute_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile execute_file))

	(macro manage_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile manage_file))

	(macro mapexecute_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile mapexecute_file))

	(macro mounton_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile mounton_file))

	(macro read_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile read_file))

	(macro readinherited_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile readinherited_file))

	(macro readwrite_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile readwrite_file))

	(macro readwriteinherited_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile readwriteinherited_file))

	(macro rename_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile rename_file))

	(macro write_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile write_file))

	(macro writeinherited_securityfile_files ((type ARG1))
	    (allow ARG1 securityfile writeinherited_file)))

    (block macro_template_lnk_files

	(blockabstract macro_template_lnk_files)

	(macro create_securityfile_lnk_files ((type ARG1))
	    (allow ARG1 securityfile create_lnk_file))

	(macro delete_securityfile_lnk_files ((type ARG1))
	    (allow ARG1 securityfile delete_lnk_file))

	(macro manage_securityfile_lnk_files ((type ARG1))
	    (allow ARG1 securityfile manage_lnk_file))

	(macro read_securityfile_lnk_files ((type ARG1))
	    (allow ARG1 securityfile read_lnk_file))

	(macro readwrite_securityfile_lnk_files ((type ARG1))
	    (allow ARG1 securityfile readwrite_lnk_file))

	(macro relabel_securityfile_lnk_files ((type ARG1))
	    (allow ARG1 securityfile relabel_lnk_file))

	(macro relabelfrom_securityfile_lnk_files ((type ARG1))
	    (allow ARG1 securityfile relabelfrom_lnk_file))

	(macro relabelto_securityfile_lnk_files ((type ARG1))
	    (allow ARG1 securityfile relabelto_lnk_file))

	(macro rename_securityfile_lnk_files ((type ARG1))
	    (allow ARG1 securityfile rename_lnk_file))

	(macro write_securityfile_lnk_files ((type ARG1))
	    (allow ARG1 securityfile write_lnk_file)))

    (block template

	(blockabstract template)

	(blockinherit .securityfile.base_template)
	(blockinherit .securityfile.macro_template_files))

    (block unconfined

	(macro type ((type ARG1))
	    (typeattributeset typeattr ARG1))

	(typeattribute typeattr)

	(allow typeattr securityfile.typeattr
	    (dir (not (audit_access execmod relabelfrom relabelto))))
	(allow typeattr securityfile.typeattr
	    (file (not (audit_access entrypoint execmod relabelfrom relabelto))))
	(allow typeattr securityfile.typeattr
	    (lnk_file (not (audit_access execmod map mounton relabelfrom
			relabelto))))))

(in sys.unconfined

    (call .securityfile.unconfined.type (typeattr)))