Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / fdaa7869a5541b55413f59845dc5f7c56bab0614 / . / mls
blob: a4c214b1ca2374ddea9c2f838f1159926218272b [file] [log] [blame]
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]1#########################################
2# MLS declarations
3#
4
5# Generate the desired number of sensitivities and categories.
6gen_sens(mls_num_sens)
7gen_cats(mls_num_cats)
8
9# Generate level definitions for each sensitivity and category.
10gen_levels(mls_num_sens,mls_num_cats)
11
12
13#################################################
14# MLS policy constraints
15#
16
17#
18# Process constraints
19#
20
21# Process transition: Require equivalence unless the subject is trusted.
22mlsconstrain process { transition dyntransition }
23 ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
24
25# Process read operations: No read up unless trusted.
26mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
27 (l1 dom l2 or t1 == mlstrustedsubject);
28
29# Process write operations: No write down unless trusted.
30mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
31 (l1 domby l2 or t1 == mlstrustedsubject);
32
33#
34# Socket constraints
35#
36
37# These permissions are between the process and its local socket,
38# not between a process/socket and its peer.
39# Equivalence is the normal situation; anything else requires trust.
40mlsconstrain socket_class_set { read write create getattr setattr relabelfrom relabelto bind connect listen accept getopt setopt shutdown }
41 ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
42
43# Datagram send: Sender must be dominated by receiver unless one of them is
44# trusted.
45mlsconstrain unix_dgram_socket { sendto }
46 (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
47
48# Stream connect: Client must be equivalent to server unless one of them
49# is trusted.
50mlsconstrain unix_stream_socket { connectto }
51 (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
52
53#
54# Directory/file constraints
55#
56
57# Create/relabel operations: Subject must be equivalent to object unless
58# the subject is trusted. Also, files should always be single-level.
59# Do NOT exempt mlstrustedobject types from this constraint.
60mlsconstrain dir_file_class_set { create relabelfrom relabelto }
61 (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
62
Stephen Smalley0e85c172012-03-19 10:32:24 -0400[diff] [blame]63#
64# Constraints for app data files only.
65#
66
67# Only constrain open, not read/write.
68# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
69# Subject must be equivalent to object unless the subject is trusted.
70mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
71 (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
72mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
73 (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
74
75#
76# Constraints for file types other than app data files.
77#
78
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]79# Read operations: Subject must dominate object unless the subject
80# or the object is trusted.
81mlsconstrain dir { read getattr search }
Stephen Smalley0e85c172012-03-19 10:32:24 -0400[diff] [blame]82 (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]83
84mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
Stephen Smalley0e85c172012-03-19 10:32:24 -0400[diff] [blame]85 (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]86
87# Write operations: Subject must be dominated by the object unless the
88# subject or the object is trusted.
89mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
Stephen Smalley0e85c172012-03-19 10:32:24 -0400[diff] [blame]90 (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]91
92mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
Stephen Smalley0e85c172012-03-19 10:32:24 -0400[diff] [blame]93 (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]94
95# Special case for FIFOs.
96# These can be unnamed pipes, in which case they will be labeled with the
97# creating process' label. Thus we also have an exemption when the "object"
98# is a MLS trusted subject and can receive data at any level.
99mlsconstrain fifo_file { read getattr }
100 (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
101
102mlsconstrain fifo_file { write setattr append unlink link rename }
103 (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
104
105#
106# IPC constraints
107#
108
109# Create/destroy: equivalence or trusted.
110mlsconstrain ipc_class_set { create destroy }
111 (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
112
113# Read ops: No read up unless trusted.
114mlsconstrain ipc_class_set r_ipc_perms
115 (l1 dom l2 or t1 == mlstrustedsubject);
116
117# Write ops: No write down unless trusted.
118mlsconstrain ipc_class_set w_ipc_perms
119 (l1 domby l2 or t1 == mlstrustedsubject);
120
121#
122# Binder IPC constraints
123#
124# Presently commented out, as apps are expected to call one another.
125# This would only make sense if apps were assigned categories
126# based on allowable communications rather than per-app categories.
127#mlsconstrain binder call
128# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);