| Tri Vo | bc8dc3a | 2019-05-26 13:17:08 -0700 | [diff] [blame^] | 1 | ################################################# |
| 2 | # MLS policy constraints |
| 3 | # |
| 4 | |
| 5 | # |
| 6 | # Process constraints |
| 7 | # |
| 8 | |
| 9 | # Process transition: Require equivalence unless the subject is trusted. |
| 10 | mlsconstrain process { transition dyntransition } |
| 11 | ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); |
| 12 | |
| 13 | # Process read operations: No read up unless trusted. |
| 14 | mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } |
| 15 | (l1 dom l2 or t1 == mlstrustedsubject); |
| 16 | |
| 17 | # Process write operations: Require equivalence unless trusted. |
| 18 | mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share } |
| 19 | (l1 eq l2 or t1 == mlstrustedsubject); |
| 20 | |
| 21 | # |
| 22 | # Socket constraints |
| 23 | # |
| 24 | |
| 25 | # Create/relabel operations: Subject must be equivalent to object unless |
| 26 | # the subject is trusted. Sockets inherit the range of their creator. |
| 27 | mlsconstrain socket_class_set { create relabelfrom relabelto } |
| 28 | ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); |
| 29 | |
| 30 | # Datagram send: Sender must be equivalent to the receiver unless one of them |
| 31 | # is trusted. |
| 32 | mlsconstrain unix_dgram_socket { sendto } |
| 33 | (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); |
| 34 | |
| 35 | # Stream connect: Client must be equivalent to server unless one of them |
| 36 | # is trusted. |
| 37 | mlsconstrain unix_stream_socket { connectto } |
| 38 | (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); |
| 39 | |
| 40 | # |
| 41 | # Directory/file constraints |
| 42 | # |
| 43 | |
| 44 | # Create/relabel operations: Subject must be equivalent to object unless |
| 45 | # the subject is trusted. Also, files should always be single-level. |
| 46 | # Do NOT exempt mlstrustedobject types from this constraint. |
| 47 | mlsconstrain dir_file_class_set { create relabelfrom relabelto } |
| 48 | (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); |
| 49 | |
| 50 | # |
| 51 | # Constraints for app data files only. |
| 52 | # |
| 53 | |
| 54 | # Only constrain open, not read/write. |
| 55 | # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc. |
| 56 | # Subject must dominate object unless the subject is trusted. |
| 57 | mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir } |
| 58 | ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject); |
| 59 | mlsconstrain { file sock_file } { open setattr unlink link rename } |
| 60 | ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject); |
| 61 | # For symlinks in app_data_file, require equivalence in order to manipulate or follow (read). |
| 62 | mlsconstrain { lnk_file } { open setattr unlink link rename read } |
| 63 | ( (t2 != app_data_file) or l1 eq l2 or t1 == mlstrustedsubject); |
| 64 | # For priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this. |
| 65 | # TODO: Migrate to equivalence when it's no longer needed. |
| 66 | mlsconstrain { lnk_file } { open setattr unlink link rename read } |
| 67 | ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject); |
| 68 | |
| 69 | # |
| 70 | # Constraints for file types other than app data files. |
| 71 | # |
| 72 | |
| 73 | # Read operations: Subject must dominate object unless the subject |
| 74 | # or the object is trusted. |
| 75 | mlsconstrain dir { read getattr search } |
| 76 | (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); |
| 77 | |
| 78 | mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute } |
| 79 | (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); |
| 80 | |
| 81 | # Write operations: Subject must be equivalent to the object unless the |
| 82 | # subject or the object is trusted. |
| 83 | mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir } |
| 84 | (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); |
| 85 | |
| 86 | mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename } |
| 87 | (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); |
| 88 | |
| 89 | # Special case for FIFOs. |
| 90 | # These can be unnamed pipes, in which case they will be labeled with the |
| 91 | # creating process' label. Thus we also have an exemption when the "object" |
| 92 | # is a domain type, so that processes can communicate via unnamed pipes |
| 93 | # passed by binder or local socket IPC. |
| 94 | mlsconstrain fifo_file { read getattr } |
| 95 | (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain); |
| 96 | |
| 97 | mlsconstrain fifo_file { write setattr append unlink link rename } |
| 98 | (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain); |
| 99 | |
| 100 | # |
| 101 | # Binder IPC constraints |
| 102 | # |
| 103 | # Presently commented out, as apps are expected to call one another. |
| 104 | # This would only make sense if apps were assigned categories |
| 105 | # based on allowable communications rather than per-app categories. |
| 106 | #mlsconstrain binder call |
| 107 | # (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); |