blob: 955c27b00ff5c9ba6f25d6f8c2df3b5fd37d16a0 [file] [log] [blame]
Inseob Kimff43be22021-06-07 16:56:56 +09001#################################################
2# MLS policy constraints
3#
4
5#
6# Process constraints
7#
8
9# Process transition: Require equivalence unless the subject is trusted.
10mlsconstrain process { transition dyntransition }
11 ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
12
13# Process read operations: No read up unless trusted.
14mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
15 (l1 dom l2 or t1 == mlstrustedsubject);
16
17# Process write operations: Require equivalence unless trusted.
18mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
19 (l1 eq l2 or t1 == mlstrustedsubject);
20
21#
22# Socket constraints
23#
24
25# Create/relabel operations: Subject must be equivalent to object unless
26# the subject is trusted. Sockets inherit the range of their creator.
27mlsconstrain socket_class_set { create relabelfrom relabelto }
28 ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
29
30# Datagram send: Sender must be equivalent to the receiver unless one of them
31# is trusted.
32mlsconstrain unix_dgram_socket { sendto }
33 (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
34
35# Stream connect: Client must be equivalent to server unless one of them
36# is trusted.
37mlsconstrain unix_stream_socket { connectto }
38 (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
39
40#
41# Directory/file constraints
42#
43
44# Create/relabel operations: Subject must be equivalent to object unless
45# the subject is trusted. Also, files should always be single-level.
46# Do NOT exempt mlstrustedobject types from this constraint.
47mlsconstrain dir_file_class_set { create relabelfrom relabelto }
48 (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
49
50#
51# Userfaultfd constraints
52#
53# To enforce that anonymous inodes are self contained in the application's process.
54mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
55 (l1 eq l2);
56
57#
58# Constraints for app data files only.
59#
60
61# Only constrain open, not read/write, so already open fds can be used.
62# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
63# Subject must dominate object unless the subject is trusted.
64mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
65 (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
66mlsconstrain { file sock_file } { open setattr unlink link rename }
67 ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
68
69# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
70mlsconstrain { lnk_file } { open setattr unlink link rename read }
71 ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
72# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
73# TODO: Migrate to equivalence when it's no longer needed.
74mlsconstrain { lnk_file } { open setattr unlink link rename read }
75 ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
76
77#
78# Constraints for file types other than app data files.
79#
80
81# Read operations: Subject must dominate object unless the subject
82# or the object is trusted.
83mlsconstrain dir { read getattr search }
84 (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
85 or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
86
87mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
88 (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
89
90# Write operations: Subject must be equivalent to the object unless the
91# subject or the object is trusted.
92mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
93 (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
94
95mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
96 (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
97
98# Special case for FIFOs.
99# These can be unnamed pipes, in which case they will be labeled with the
100# creating process' label. Thus we also have an exemption when the "object"
101# is a domain type, so that processes can communicate via unnamed pipes
102# passed by binder or local socket IPC.
103mlsconstrain fifo_file { read getattr }
104 (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
105
106mlsconstrain fifo_file { write setattr append unlink link rename }
107 (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
108
109#
110# Binder IPC constraints
111#
112# Presently commented out, as apps are expected to call one another.
113# This would only make sense if apps were assigned categories
114# based on allowable communications rather than per-app categories.
115#mlsconstrain binder call
116# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);