src/sys/sysfile.cil


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense

(block sysfile

  (macro type ((type ARG1))
	 (typeattributeset typeattr ARG1))

  (typeattribute typeattr)

  (blockinherit .file.all_macro_template_dirs)
  (blockinherit .file.all_macro_template_files)
  (blockinherit .file.all_macro_template_lnk_files)

  (call .obj.type (typeattr))

  (call .sys.associate_fs (typeattr))

  (block base_template

    (blockabstract base_template)

    (context sysfile_context (.sys.id .sys.role sysfile lowlevelrange))

    (type sysfile)
    (call .sysfile.type (sysfile)))

  (block macro_template_dirs

    (blockabstract macro_template_dirs)

    (macro addname_sysfile_dirs ((type ARG1))
	   (allow ARG1 sysfile addname_dir))

    (macro create_sysfile_dirs ((type ARG1))
	   (allow ARG1 sysfile create_dir))

    (macro delete_sysfile_dirs ((type ARG1))
	   (allow ARG1 sysfile delete_dir))

    (macro deletename_sysfile_dirs ((type ARG1))
	   (allow ARG1 sysfile deletename_dir))

    (macro list_sysfile_dirs ((type ARG1))
	   (allow ARG1 sysfile list_dir))

    (macro listinherited_sysfile_dirs ((type ARG1))
	   (allow ARG1 sysfile listinherited_dir))

    (macro manage_sysfile_dirs ((type ARG1))
	   (allow ARG1 sysfile manage_dir))

    (macro mounton_sysfile_dirs ((type ARG1))
	   (allow ARG1 sysfile mounton_dir))

    (macro readwrite_sysfile_dirs ((type ARG1))
	   (allow ARG1 sysfile readwrite_dir))

    (macro readwriteinherited_sysfile_dirs ((type ARG1))
	   (allow ARG1 sysfile readwriteinherited_dir))

    (macro rename_sysfile_dirs ((type ARG1))
	   (allow ARG1 sysfile rename_dir))

    (macro search_sysfile_dirs ((type ARG1))
	   (allow ARG1 sysfile search_dir))

    (macro write_sysfile_dirs ((type ARG1))
	   (allow ARG1 sysfile write_dir))

    (macro writeinherited_sysfile_dirs ((type ARG1))
	   (allow ARG1 sysfile writeinherited_dir)))

  (block macro_template_files

    (blockabstract macro_template_files)

    (macro append_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile append_file))

    (macro appendinherited_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile appendinherited_file))

    (macro create_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile create_file))

    (macro delete_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile delete_file))

    (macro execute_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile execute_file))

    (macro manage_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile manage_file))

    (macro mapexecute_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile mapexecute_file))

    (macro mounton_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile mounton_file))

    (macro read_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile read_file))

    (macro readinherited_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile readinherited_file))

    (macro readwrite_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile readwrite_file))

    (macro readwriteinherited_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile readwriteinherited_file))

    (macro rename_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile rename_file))

    (macro write_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile write_file))

    (macro writeinherited_sysfile_files ((type ARG1))
	   (allow ARG1 sysfile writeinherited_file)))

  (block macro_template_lnk_files

    (blockabstract macro_template_lnk_files)

    (macro create_sysfile_lnk_files ((type ARG1))
	   (allow ARG1 sysfile create_lnk_file))

    (macro delete_sysfile_lnk_files ((type ARG1))
	   (allow ARG1 sysfile delete_lnk_file))

    (macro manage_sysfile_lnk_files ((type ARG1))
	   (allow ARG1 sysfile manage_lnk_file))

    (macro read_sysfile_lnk_files ((type ARG1))
	   (allow ARG1 sysfile read_lnk_file))

    (macro readwrite_sysfile_lnk_files ((type ARG1))
	   (allow ARG1 sysfile readwrite_lnk_file))

    (macro rename_sysfile_lnk_files ((type ARG1))
	   (allow ARG1 sysfile rename_lnk_file))

    (macro write_sysfile_lnk_files ((type ARG1))
	   (allow ARG1 sysfile write_lnk_file)))

  (block template

    (blockabstract template)

    (blockinherit .sysfile.base_template)
    (blockinherit .sysfile.macro_template_dirs)
    (blockinherit .sysfile.macro_template_files)
    (blockinherit .sysfile.macro_template_lnk_files))

  (block unconfined

    (macro type ((type ARG1))
	   (typeattributeset typeattr ARG1))

    (typeattribute typeattr)

    (allow typeattr sysfile.typeattr (dir (not (audit_access execmod))))
    (allow typeattr sysfile.typeattr
	   (file (not (audit_access entrypoint execmod))))
    (allow typeattr sysfile.typeattr
	   (lnk_file (not (audit_access execmod map mounton))))))

(in sys.unconfined

    (call .sysfile.unconfined.type (typeattr)))