普通文本  |  594行  |  8.35 KB

# FLASK

#
# Define the security object classes 
#

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related clases
class sem
class msg
class msgq
class shm
class ipc

# FLASK
# FLASK

#
# Define initial security identifiers 
#

sid kernel


# FLASK
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}	

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

class file
inherits file
{
	execute_no_trans
	entrypoint
}

class lnk_file
inherits file

class chr_file
inherits file

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class udp_socket
inherits socket

class rawip_socket
inherits socket

class node 
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
}

class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket


#
# Define the access vector interpretation for process-related objects
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal  # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
}


#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server. 
#

class security
{
	compute_av
	transition_sid
	member_sid
	sid_to_context
	context_to_sid
	load_policy
	get_sids
	change_sid
	get_user_sids
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	avc_toggle
	nfsd_control
	bdflush
	syslog_read
	syslog_mod
	syslog_console
	ichsid
}

#
# Define the access vector interpretation for controling capabilies
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown           
	dac_override    
	dac_read_search 
	fowner          
	fsetid          
	kill            
	setgid           
	setuid           
	setpcap          
	linux_immutable  
	net_bind_service 
	net_broadcast    
	net_admin        
	net_raw          
	ipc_lock         
	ipc_owner        
	sys_module       
	sys_rawio        
	sys_chroot       
	sys_ptrace       
	sys_pacct        
	sys_admin        
	sys_boot         
	sys_nice         
	sys_resource     
	sys_time         
	sys_tty_config  
	mknod
	lease
}

ifdef(`enable_mls',`
sensitivity s0;

#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 }


#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;

level s0:c0.c23;

mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
	( h1 dom h2 );
')

####################################
####################################
#####################################

#g_b stands for global base

type enable_optional;

#decorative type for finding this decl, every block should have one
type tag_g_b;

attribute g_b_attr_1;
attribute g_b_attr_2;
attribute g_b_attr_3;
attribute g_b_attr_4;
attribute g_b_attr_5;
attribute g_b_attr_6;

type g_b_type_1, g_b_attr_1;
type g_b_type_2, g_b_attr_2;
type g_b_type_3;

role g_b_role_1 types g_b_type_1;
role g_b_role_2 types g_b_type_2;
role g_b_role_3 types g_b_type_2;
role g_b_role_4 types g_b_type_2;

bool g_b_bool_1 false;
bool g_b_bool_2 true;

allow g_b_type_1 g_b_type_2 : security { compute_av load_policy };
allow g_b_type_1 g_b_type_2 : file *; # test *
allow g_b_type_1 g_b_type_2 : process ~ptrace; #test ~

typealias g_b_type_3 alias g_b_alias_1;

if (g_b_bool_1) {
	allow g_b_type_1 g_b_type_2: lnk_file read;
}


optional {
	require {
		type enable_optional;
		attribute g_m1_attr_2;
	}
	type tag_o1_b;

	attribute o1_b_attr_1;
	type o1_b_type_1, o1_b_attr_1;
	bool o1_b_bool_1 true;
	role o1_b_role_1 types o1_b_type_1;

	role o1_b_role_2 types o1_b_type_1;

	attribute o1_b_attr_2;

	type o1_b_type_2, g_m1_attr_2;

	if (o1_b_bool_1) {
		allow o1_b_type_1 o1_b_type_2: lnk_file write;
	}
	
}

optional {
	require {
		# this should be activated by module 1
		type g_m1_type_1;
		attribute o3_m1_attr_2;
	}	
	type tag_o2_b;	

	type o2_b_type_1, o3_m1_attr_2;
}

optional {
	require {
		#this block should not come on
		type invalid_type;
	}
	type tag_o3_b;


	attribute o3_b_attr_1;
	type o3_b_type_1;
	bool o3_b_bool_1 true;

	role o3_b_role_1 types o3_b_type_1;

	allow g_b_type_1 invalid_type : sem { create destroy };
}

optional {
	require {
		# also should be enabled by module 1
		type enable_optional;
		type g_m1_type_1;
		attribute o3_m1_attr_1;
		attribute g_m1_attr_3;
	}
	
	type tag_o4_b;

	attribute o4_b_attr_1;

	role o4_b_role_1 types g_m1_type_1;

	# test for attr declared in module optional, added to in base optional
	type o4_b_type_1, o3_m1_attr_1;

	type o4_b_type_2, g_m1_attr_3;
}

optional {
	require {
		attribute g_m1_attr_4;
		attribute o4_m1_attr_1;
	}
	type tag_o5_b;

	type o5_b_type_1, g_m1_attr_4;
	type o5_b_type_2, o4_m1_attr_1;
}

optional {
	require {
		type enable_optional;
	}
	type tag_o6_b;

	typealias g_b_type_3 alias g_b_alias_2;
}

optional {
	require {
		type g_m_alias_1;
	}
	type tag_o7_b;

	allow g_m_alias_1 enable_optional:file read;
}

gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
gen_user(g_b_user_2,, g_b_role_1, s0, s0 - s0:c0, c1, c3, c4, c5)

####################################
#line 1 "initial_sid_contexts"

sid kernel	gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)


############################################
#line 1 "fs_use"
#
fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);


genfscon proc /				gen_context(g_b_user_1:object_r:g_b_type_1, s0)


####################################
#line 1 "net_contexts"

#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0

#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0

#
#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0

nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(g_b_user_1:object_r:g_b_type_1, s0)