libsepol/tests/policies/test-linker/small-base.conf - platform/external/selinux - Git at Google

 # FLASK

 #
 # Define the security object classes
 #

 class security
 class process
 class system
 class capability

 # file-related classes
 class filesystem
 class file
 class dir
 class fd
 class lnk_file
 class chr_file
 class blk_file
 class sock_file
 class fifo_file

 # network-related classes
 class socket
 class tcp_socket
 class udp_socket
 class rawip_socket
 class node
 class netif
 class netlink_socket
 class packet_socket
 class key_socket
 class unix_stream_socket
 class unix_dgram_socket

 # sysv-ipc-related classes
 class sem
 class msg
 class msgq
 class shm
 class ipc

 # FLASK
 # FLASK

 #
 # Define initial security identifiers
 #

 sid kernel


 # FLASK
 #
 # Define common prefixes for access vectors
 #
 # common common_name { permission_name ... }


 #
 # Define a common prefix for file access vectors.
 #

 common file
 {
 	ioctl
 	read
 	write
 	create
 	getattr
 	setattr
 	lock
 	relabelfrom
 	relabelto
 	append
 	unlink
 	link
 	rename
 	execute
 	swapon
 	quotaon
 	mounton
 }


 #
 # Define a common prefix for socket access vectors.
 #

 common socket
 {
 # inherited from file
 	ioctl
 	read
 	write
 	create
 	getattr
 	setattr
 	lock
 	relabelfrom
 	relabelto
 	append
 # socket-specific
 	bind
 	connect
 	listen
 	accept
 	getopt
 	setopt
 	shutdown
 	recvfrom
 	sendto
 	recv_msg
 	send_msg
 	name_bind
 }

 #
 # Define a common prefix for ipc access vectors.
 #

 common ipc
 {
 	create
 	destroy
 	getattr
 	setattr
 	read
 	write
 	associate
 	unix_read
 	unix_write
 }

 #
 # Define the access vectors.
 #
 # class class_name [ inherits common_name ] { permission_name ... }


 #
 # Define the access vector interpretation for file-related objects.
 #

 class filesystem
 {
 	mount
 	remount
 	unmount
 	getattr
 	relabelfrom
 	relabelto
 	transition
 	associate
 	quotamod
 	quotaget
 }

 class dir
 inherits file
 {
 	add_name
 	remove_name
 	reparent
 	search
 	rmdir
 }

 class file
 inherits file
 {
 	execute_no_trans
 	entrypoint
 }

 class lnk_file
 inherits file

 class chr_file
 inherits file

 class blk_file
 inherits file

 class sock_file
 inherits file

 class fifo_file
 inherits file

 class fd
 {
 	use
 }


 #
 # Define the access vector interpretation for network-related objects.
 #

 class socket
 inherits socket

 class tcp_socket
 inherits socket
 {
 	connectto
 	newconn
 	acceptfrom
 }

 class udp_socket
 inherits socket

 class rawip_socket
 inherits socket

 class node
 {
 	tcp_recv
 	tcp_send
 	udp_recv
 	udp_send
 	rawip_recv
 	rawip_send
 	enforce_dest
 }

 class netif
 {
 	tcp_recv
 	tcp_send
 	udp_recv
 	udp_send
 	rawip_recv
 	rawip_send
 }

 class netlink_socket
 inherits socket

 class packet_socket
 inherits socket

 class key_socket
 inherits socket

 class unix_stream_socket
 inherits socket
 {
 	connectto
 	newconn
 	acceptfrom
 }

 class unix_dgram_socket
 inherits socket


 #
 # Define the access vector interpretation for process-related objects
 #

 class process
 {
 	fork
 	transition
 	sigchld # commonly granted from child to parent
 	sigkill # cannot be caught or ignored
 	sigstop # cannot be caught or ignored
 	signull # for kill(pid, 0)
 	signal  # all other signals
 	ptrace
 	getsched
 	setsched
 	getsession
 	getpgid
 	setpgid
 	getcap
 	setcap
 	share
 }


 #
 # Define the access vector interpretation for ipc-related objects
 #

 class ipc
 inherits ipc

 class sem
 inherits ipc

 class msgq
 inherits ipc
 {
 	enqueue
 }

 class msg
 {
 	send
 	receive
 }

 class shm
 inherits ipc
 {
 	lock
 }


 #
 # Define the access vector interpretation for the security server.
 #

 class security
 {
 	compute_av
 	transition_sid
 	member_sid
 	sid_to_context
 	context_to_sid
 	load_policy
 	get_sids
 	change_sid
 	get_user_sids
 }


 #
 # Define the access vector interpretation for system operations.
 #

 class system
 {
 	ipc_info
 	avc_toggle
 	nfsd_control
 	bdflush
 	syslog_read
 	syslog_mod
 	syslog_console
 	ichsid
 }

 #
 # Define the access vector interpretation for controlling capabilities
 #

 class capability
 {
 	# The capabilities are defined in include/linux/capability.h
 	# Care should be taken to ensure that these are consistent with
 	# those definitions. (Order matters)

 	chown
 	dac_override
 	dac_read_search
 	fowner
 	fsetid
 	kill
 	setgid
 	setuid
 	setpcap
 	linux_immutable
 	net_bind_service
 	net_broadcast
 	net_admin
 	net_raw
 	ipc_lock
 	ipc_owner
 	sys_module
 	sys_rawio
 	sys_chroot
 	sys_ptrace
 	sys_pacct
 	sys_admin
 	sys_boot
 	sys_nice
 	sys_resource
 	sys_time
 	sys_tty_config
 	mknod
 	lease
 }

 ifdef(`enable_mls',`
 sensitivity s0;

 #
 # Define the ordering of the sensitivity levels (least to greatest)
 #
 dominance { s0 }


 #
 # Define the categories
 #
 # Each category has a name and zero or more aliases.
 #
 category c0; category c1; category c2; category c3;
 category c4; category c5; category c6; category c7;
 category c8; category c9; category c10; category c11;
 category c12; category c13; category c14; category c15;
 category c16; category c17; category c18; category c19;
 category c20; category c21; category c22; category c23;

 level s0:c0.c23;

 mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
 	( h1 dom h2 );
 ')

 ####################################
 ####################################
 #####################################

 #g_b stands for global base

 type enable_optional;

 #decorative type for finding this decl, every block should have one
 type tag_g_b;

 attribute g_b_attr_1;
 attribute g_b_attr_2;
 attribute g_b_attr_3;
 attribute g_b_attr_4;
 attribute g_b_attr_5;
 attribute g_b_attr_6;

 type g_b_type_1, g_b_attr_1;
 type g_b_type_2, g_b_attr_2;
 type g_b_type_3;

 role g_b_role_1;
 role g_b_role_2;
 role g_b_role_3;
 role g_b_role_4;
 role g_b_role_1 types g_b_type_1;
 role g_b_role_2 types g_b_type_2;
 role g_b_role_3 types g_b_type_2;
 role g_b_role_4 types g_b_type_2;

 bool g_b_bool_1 false;
 bool g_b_bool_2 true;

 allow g_b_type_1 g_b_type_2 : security { compute_av load_policy };
 allow g_b_type_1 g_b_type_2 : file *; # test *
 allow g_b_type_1 g_b_type_2 : process ~ptrace; #test ~

 typealias g_b_type_3 alias g_b_alias_1;

 if (g_b_bool_1) {
 	allow g_b_type_1 g_b_type_2: lnk_file read;
 }


 optional {
 	require {
 		type enable_optional;
 		attribute g_m1_attr_2;
 	}
 	type tag_o1_b;

 	attribute o1_b_attr_1;
 	type o1_b_type_1, o1_b_attr_1;
 	bool o1_b_bool_1 true;
 	role o1_b_role_1;
 	role o1_b_role_1 types o1_b_type_1;
 	role o1_b_role_2;
 	role o1_b_role_2 types o1_b_type_1;

 	attribute o1_b_attr_2;

 	type o1_b_type_2, g_m1_attr_2;

 	if (o1_b_bool_1) {
 		allow o1_b_type_1 o1_b_type_2: lnk_file write;
 	}

 }

 optional {
 	require {
 		# this should be activated by module 1
 		type g_m1_type_1;
 		attribute o3_m1_attr_2;
 	}
 	type tag_o2_b;

 	type o2_b_type_1, o3_m1_attr_2;
 }

 optional {
 	require {
 		#this block should not come on
 		type invalid_type;
 	}
 	type tag_o3_b;


 	attribute o3_b_attr_1;
 	type o3_b_type_1;
 	bool o3_b_bool_1 true;

 	role o3_b_role_1;
 	role o3_b_role_1 types o3_b_type_1;

 	allow g_b_type_1 invalid_type : sem { create destroy };
 }

 optional {
 	require {
 		# also should be enabled by module 1
 		type enable_optional;
 		type g_m1_type_1;
 		attribute o3_m1_attr_1;
 		attribute g_m1_attr_3;
 	}

 	type tag_o4_b;

 	attribute o4_b_attr_1;

 	role o4_b_role_1;
 	role o4_b_role_1 types g_m1_type_1;

 	# test for attr declared in module optional, added to in base optional
 	type o4_b_type_1, o3_m1_attr_1;

 	type o4_b_type_2, g_m1_attr_3;
 }

 optional {
 	require {
 		attribute g_m1_attr_4;
 		attribute o4_m1_attr_1;
 	}
 	type tag_o5_b;

 	type o5_b_type_1, g_m1_attr_4;
 	type o5_b_type_2, o4_m1_attr_1;
 }

 optional {
 	require {
 		type enable_optional;
 	}
 	type tag_o6_b;

 	typealias g_b_type_3 alias g_b_alias_2;
 }

 optional {
 	require {
 		type g_m_alias_1;
 	}
 	type tag_o7_b;

 	allow g_m_alias_1 enable_optional:file read;
 }

 gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
 gen_user(g_b_user_2,, g_b_role_1, s0, s0 - s0:c0, c1, c3, c4, c5)

 ####################################
 #line 1 "initial_sid_contexts"

 sid kernel	gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)


 ############################################
 #line 1 "fs_use"
 #
 fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
 fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
 fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);


 genfscon proc /				gen_context(g_b_user_1:object_r:g_b_type_1, s0)


 ####################################
 #line 1 "net_contexts"

 #portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0

 #netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0

 #
 #nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0

 nodecon ::1 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF gen_context(g_b_user_1:object_r:g_b_type_1, s0)
	# FLASK

	#
	# Define the security object classes
	#

	class security
	class process
	class system
	class capability

	# file-related classes
	class filesystem
	class file
	class dir
	class fd
	class lnk_file
	class chr_file
	class blk_file
	class sock_file
	class fifo_file

	# network-related classes
	class socket
	class tcp_socket
	class udp_socket
	class rawip_socket
	class node
	class netif
	class netlink_socket
	class packet_socket
	class key_socket
	class unix_stream_socket
	class unix_dgram_socket

	# sysv-ipc-related classes
	class sem
	class msg
	class msgq
	class shm
	class ipc

	# FLASK
	# FLASK

	#
	# Define initial security identifiers
	#

	sid kernel


	# FLASK
	#
	# Define common prefixes for access vectors
	#
	# common common_name { permission_name ... }


	#
	# Define a common prefix for file access vectors.
	#

	common file
	{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
	}


	#
	# Define a common prefix for socket access vectors.
	#

	common socket
	{
	# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
	}

	#
	# Define a common prefix for ipc access vectors.
	#

	common ipc
	{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
	}

	#
	# Define the access vectors.
	#
	# class class_name [ inherits common_name ] { permission_name ... }


	#
	# Define the access vector interpretation for file-related objects.
	#

	class filesystem
	{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
	}

	class dir
	inherits file
	{
	add_name
	remove_name
	reparent
	search
	rmdir
	}

	class file
	inherits file
	{
	execute_no_trans
	entrypoint
	}

	class lnk_file
	inherits file

	class chr_file
	inherits file

	class blk_file
	inherits file

	class sock_file
	inherits file

	class fifo_file
	inherits file

	class fd
	{
	use
	}


	#
	# Define the access vector interpretation for network-related objects.
	#

	class socket
	inherits socket

	class tcp_socket
	inherits socket
	{
	connectto
	newconn
	acceptfrom
	}

	class udp_socket
	inherits socket

	class rawip_socket
	inherits socket

	class node
	{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
	}

	class netif
	{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	}

	class netlink_socket
	inherits socket

	class packet_socket
	inherits socket

	class key_socket
	inherits socket

	class unix_stream_socket
	inherits socket
	{
	connectto
	newconn
	acceptfrom
	}

	class unix_dgram_socket
	inherits socket


	#
	# Define the access vector interpretation for process-related objects
	#

	class process
	{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	}


	#
	# Define the access vector interpretation for ipc-related objects
	#

	class ipc
	inherits ipc

	class sem
	inherits ipc

	class msgq
	inherits ipc
	{
	enqueue
	}

	class msg
	{
	send
	receive
	}

	class shm
	inherits ipc
	{
	lock
	}


	#
	# Define the access vector interpretation for the security server.
	#

	class security
	{
	compute_av
	transition_sid
	member_sid
	sid_to_context
	context_to_sid
	load_policy
	get_sids
	change_sid
	get_user_sids
	}


	#
	# Define the access vector interpretation for system operations.
	#

	class system
	{
	ipc_info
	avc_toggle
	nfsd_control
	bdflush
	syslog_read
	syslog_mod
	syslog_console
	ichsid
	}

	#
	# Define the access vector interpretation for controlling capabilities
	#

	class capability
	{
	# The capabilities are defined in include/linux/capability.h
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	}

	ifdef(`enable_mls',`
	sensitivity s0;

	#
	# Define the ordering of the sensitivity levels (least to greatest)
	#
	dominance { s0 }


	#
	# Define the categories
	#
	# Each category has a name and zero or more aliases.
	#
	category c0; category c1; category c2; category c3;
	category c4; category c5; category c6; category c7;
	category c8; category c9; category c10; category c11;
	category c12; category c13; category c14; category c15;
	category c16; category c17; category c18; category c19;
	category c20; category c21; category c22; category c23;

	level s0:c0.c23;

	mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
	( h1 dom h2 );
	')

	####################################
	####################################
	#####################################

	#g_b stands for global base

	type enable_optional;

	#decorative type for finding this decl, every block should have one
	type tag_g_b;

	attribute g_b_attr_1;
	attribute g_b_attr_2;
	attribute g_b_attr_3;
	attribute g_b_attr_4;
	attribute g_b_attr_5;
	attribute g_b_attr_6;

	type g_b_type_1, g_b_attr_1;
	type g_b_type_2, g_b_attr_2;
	type g_b_type_3;

	role g_b_role_1;
	role g_b_role_2;
	role g_b_role_3;
	role g_b_role_4;
	role g_b_role_1 types g_b_type_1;
	role g_b_role_2 types g_b_type_2;
	role g_b_role_3 types g_b_type_2;
	role g_b_role_4 types g_b_type_2;

	bool g_b_bool_1 false;
	bool g_b_bool_2 true;

	allow g_b_type_1 g_b_type_2 : security { compute_av load_policy };
	allow g_b_type_1 g_b_type_2 : file ; # test
	allow g_b_type_1 g_b_type_2 : process ~ptrace; #test ~

	typealias g_b_type_3 alias g_b_alias_1;

	if (g_b_bool_1) {
	allow g_b_type_1 g_b_type_2: lnk_file read;
	}


	optional {
	require {
	type enable_optional;
	attribute g_m1_attr_2;
	}
	type tag_o1_b;

	attribute o1_b_attr_1;
	type o1_b_type_1, o1_b_attr_1;
	bool o1_b_bool_1 true;
	role o1_b_role_1;
	role o1_b_role_1 types o1_b_type_1;
	role o1_b_role_2;
	role o1_b_role_2 types o1_b_type_1;

	attribute o1_b_attr_2;

	type o1_b_type_2, g_m1_attr_2;

	if (o1_b_bool_1) {
	allow o1_b_type_1 o1_b_type_2: lnk_file write;
	}

	}

	optional {
	require {
	# this should be activated by module 1
	type g_m1_type_1;
	attribute o3_m1_attr_2;
	}
	type tag_o2_b;

	type o2_b_type_1, o3_m1_attr_2;
	}

	optional {
	require {
	#this block should not come on
	type invalid_type;
	}
	type tag_o3_b;


	attribute o3_b_attr_1;
	type o3_b_type_1;
	bool o3_b_bool_1 true;

	role o3_b_role_1;
	role o3_b_role_1 types o3_b_type_1;

	allow g_b_type_1 invalid_type : sem { create destroy };
	}

	optional {
	require {
	# also should be enabled by module 1
	type enable_optional;
	type g_m1_type_1;
	attribute o3_m1_attr_1;
	attribute g_m1_attr_3;
	}

	type tag_o4_b;

	attribute o4_b_attr_1;

	role o4_b_role_1;
	role o4_b_role_1 types g_m1_type_1;

	# test for attr declared in module optional, added to in base optional
	type o4_b_type_1, o3_m1_attr_1;

	type o4_b_type_2, g_m1_attr_3;
	}

	optional {
	require {
	attribute g_m1_attr_4;
	attribute o4_m1_attr_1;
	}
	type tag_o5_b;

	type o5_b_type_1, g_m1_attr_4;
	type o5_b_type_2, o4_m1_attr_1;
	}

	optional {
	require {
	type enable_optional;
	}
	type tag_o6_b;

	typealias g_b_type_3 alias g_b_alias_2;
	}

	optional {
	require {
	type g_m_alias_1;
	}
	type tag_o7_b;

	allow g_m_alias_1 enable_optional:file read;
	}

	gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
	gen_user(g_b_user_2,, g_b_role_1, s0, s0 - s0:c0, c1, c3, c4, c5)

	####################################
	#line 1 "initial_sid_contexts"

	sid kernel gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)


	############################################
	#line 1 "fs_use"
	#
	fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
	fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
	fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);


	genfscon proc / gen_context(g_b_user_1:object_r:g_b_type_1, s0)


	####################################
	#line 1 "net_contexts"

	#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0

	#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0

	#
	#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0

	nodecon ::1 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF gen_context(g_b_user_1:object_r:g_b_type_1, s0)