#################################################
# MLS policy constraints
#
# Each statement below has the form
#   mlsconstrain <class(es)> { <permissions> } <expression>;
# and the expression must hold for the access to be granted, in addition
# to the ordinary type-enforcement (allow) rules.  In the expressions:
#   l1 / h1   low / high MLS level of the subject (source) context
#   l2 / h2   low / high MLS level of the object (target) context
#   t1 / t2   type of the subject / object
#   eq, dom   level equality / dominance ("l1 dom l2": subject at or above object)
#   t1 == X   subject type is X, or is a member of attribute X
# When several constraints cover the same class and permission, all of them
# must hold.  The attributes (mlstrustedsubject, mlstrustedobject, domain,
# app_data_file_type, ...) and the class sets (socket_class_set,
# dir_file_class_set) are defined elsewhere in the policy.
#

#
# Process constraints
#

# Process transition:  Require equivalence unless the subject is trusted.
# Both the low and the high level must match, i.e. the whole range.
mlsconstrain process { transition dyntransition }
	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Process read operations: No read up unless trusted.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
	     (l1 dom l2 or t1 == mlstrustedsubject);

# Process write operations:  Require equivalence unless trusted.
# ptrace and share appear in both the read and the write set, so for them
# the stricter equivalence requirement is what effectively applies.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
	     (l1 eq l2 or t1 == mlstrustedsubject);

#
# Socket constraints
#

# Create/relabel operations:  Subject must be equivalent to object unless
# the subject is trusted.  Sockets inherit the range of their creator.
mlsconstrain socket_class_set { create relabelfrom relabelto }
	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Datagram send: Sender must be equivalent to the receiver unless one of them
# is trusted.
# Unlike the constraints above, a trusted *object* (t2) is also sufficient here.
mlsconstrain unix_dgram_socket { sendto }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

# Stream connect:  Client must be equivalent to server unless one of them
# is trusted.
mlsconstrain unix_stream_socket { connectto }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

#
# Directory/file constraints
#

# Create/relabel operations:  Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level.
# Do NOT exempt mlstrustedobject types from this constraint.
# "l2 eq h2" is the single-level requirement on the object; it is outside the
# disjunction, so even a trusted subject cannot create or relabel to a ranged file.
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

#
# Userfaultfd constraints
#
# To enforce that anonymous inodes are self contained in the application's process.
# Note: there is deliberately no mlstrustedsubject / mlstrustedobject exemption
# here, so this requires strict level equality for every subject.
mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
	     (l1 eq l2);

#
# Constraints for app data files only.
#

# Only constrain open, not read/write, so already open fds can be used.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
# The leading "t2 != ..." disjunct makes each constraint apply only to the
# listed object types; every other type is handled by the section below.
mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
	     (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
# Applies when the object is an app_data_file_type or an appdomain_tmpfs.
mlsconstrain { file sock_file } { open setattr unlink link rename }
	     ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);

# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
# Applies to app_data_file_type objects other than privapp_data_file, which is
# carved out here and covered by the dominance constraint that follows.
mlsconstrain { lnk_file } { open setattr unlink link rename read }
	     ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
# TODO: Migrate to equivalence when it's no longer needed.
# Applies when the object is a privapp_data_file or an appdomain_tmpfs.
mlsconstrain { lnk_file } { open setattr unlink link rename read }
	     ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);

#
# Constraints for file types other than app data files.
#
# The leading "t2 == app_data_file_type" (and "t2 == appdomain_tmpfs") disjunct
# exempts those objects here; they are governed by the app data section above.

# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
# mlsvendorcompat subjects get an additional exemption, limited to
# system_data_file and user_profile_root_file directories.
mlsconstrain dir { read getattr search }
	     (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
	     or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );

mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
	     (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
	     (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
	     (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a domain type, so that processes can communicate via unnamed pipes
# passed by binder or local socket IPC.
# Note: the "t2 == domain" exemption is keyed only on the object's type, so it
# covers any fifo_file whose label is a domain type, regardless of which
# process created it or how it was passed.
mlsconstrain fifo_file { read getattr }
	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);

mlsconstrain fifo_file { write setattr append unlink link rename }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);

#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
#mlsconstrain binder call
#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
