#########################################
# MLS declarations
#
# Notation used in the constraints below (SELinux constraint language):
#   l1/h1  low (current) and high (clearance) level of the source context
#   l2/h2  low and high level of the target context
#   t1/t2  type of the source and target context
#   dom    dominates (>=); domby is dominated by (<=); eq is equal
# mls_num_sens, mls_num_cats, the gen_* macros and the mlstrustedsubject /
# mlstrustedobject attributes are defined outside this file.
#

# Generate the desired number of sensitivities and categories.
gen_sens(mls_num_sens)
gen_cats(mls_num_cats)

# Generate level definitions for each sensitivity and category.
gen_levels(mls_num_sens,mls_num_cats)


#################################################
# MLS policy constraints
#
# Every constraint in this file exempts the subject from the level
# comparison when its type carries mlstrustedsubject; only the
# single-level object checks (l2 eq h2) still bind such subjects.
# That attribute therefore deserves a narrow assignment.
#

#
# Process constraints
#

# Process transition: Require equivalence unless the subject is trusted.
# Both ends of the range must match (h1 eq h2 and l1 eq l2), so a
# transition can neither raise nor lower the clearance.
mlsconstrain process { transition dyntransition }
	((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Process read operations: No read up unless trusted.
# ptrace and share are listed here and in the write set below, so both
# constraints apply to them: the levels must be equal unless the subject
# is trusted.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
	(l1 dom l2 or t1 == mlstrustedsubject);

# Process write operations: No write down unless trusted.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
	(l1 domby l2 or t1 == mlstrustedsubject);

#
# Socket constraints
#

# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Sockets inherit the range of their creator.
mlsconstrain socket_class_set { create relabelfrom relabelto }
	((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Datagram send: Sender must be dominated by receiver unless one of them is
# trusted (either t1 or t2 carrying mlstrustedsubject lifts the check).
mlsconstrain unix_dgram_socket { sendto }
	(l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

# Stream connect: Client must be equivalent to server unless one of them
# is trusted. Only the low levels are compared here, unlike create above.
mlsconstrain unix_stream_socket { connectto }
	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

#
# Directory/file constraints
#

# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level.
# Do NOT exempt mlstrustedobject types from this constraint.
# l2 eq h2 sits outside the trusted-subject exemption, so even a trusted
# subject cannot create or relabel a ranged file.
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
	(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
	(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# fifo_file is deliberately absent from this class list; it is handled
# as a special case further below.
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
	(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Write operations: Subject must be dominated by the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
	(l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Same class list as the read case: fifo_file is constrained separately.
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
	(l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a MLS trusted subject and can receive data at any level.
# Note the extra t2 == mlstrustedsubject clause: a pipe carrying a trusted
# subject's type is readable and writable from any level, which no other
# file class in this section allows.
mlsconstrain fifo_file { read getattr }
	(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);

mlsconstrain fifo_file { write setattr append unlink link rename }
	(l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);

#
# IPC constraints
#
# r_ipc_perms and w_ipc_perms are permission sets defined outside this file.

# Create/destroy: equivalence or trusted.
# As with files, l2 eq h2 keeps IPC objects single-level even for a
# trusted subject.
mlsconstrain ipc_class_set { create destroy }
	(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

# Read ops: No read up unless trusted.
mlsconstrain ipc_class_set r_ipc_perms
	(l1 dom l2 or t1 == mlstrustedsubject);

# Write ops: No write down unless trusted.
mlsconstrain ipc_class_set w_ipc_perms
	(l1 domby l2 or t1 == mlstrustedsubject);

#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
#mlsconstrain binder call
#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
