134191be | 1 | |
2 | # |
3 | # Define the constraints | |
4 | # | |
5 | # constrain class_set perm_set expression ; | |
6 | # | |
7 | # expression : ( expression ) | |
8 | # | not expression | |
9 | # | expression and expression | |
10 | # | expression or expression | |
11 | # | u1 op u2 | |
12 | # | r1 role_op r2 | |
13 | # | t1 op t2 | |
14 | # | u1 op names | |
15 | # | u2 op names | |
16 | # | r1 op names | |
17 | # | r2 op names | |
18 | # | t1 op names | |
19 | # | t2 op names | |
20 | # | |
21 | # op : == | != | |
22 | # role_op : == | != | eq | dom | domby | incomp | |
23 | # | |
24 | # names : name | { name_list } | |
25 | # name_list : name | name_list name | |
26 | # | |
27 | ||
28 | define(`basic_ubac_conditions',` |
29 | ifdef(`enable_ubac',` | |
30 | u1 == u2 | |
31 | or u1 == system_u | |
32 | or u2 == system_u | |
33 | or t1 != ubac_constrained_type | |
34 | or t2 != ubac_constrained_type | |
35 | ') | |
36 | ') | |
37 | ||
38 | define(`basic_ubac_constraint',` | |
39 | ifdef(`enable_ubac',` | |
40 | constrain $1 all_$1_perms | |
41 | ( | |
42 | basic_ubac_conditions | |
43 | ); | |
44 | ') | |
45 | ') | |
46 | ||
47 | define(`exempted_ubac_constraint',` | |
48 | ifdef(`enable_ubac',` | |
49 | constrain $1 all_$1_perms | |
50 | ( | |
51 | basic_ubac_conditions | |
52 | or t1 == $2 | |
53 | ); | |
54 | ') | |
55 | ') | |
56 | ||
57 | ######################################## | |
134191be | 58 | # |
296273a7 | 59 | # File rules |
134191be | 60 | # |
61 | |
62 | exempted_ubac_constraint(dir, ubacfile) | |
63 | exempted_ubac_constraint(file, ubacfile) | |
64 | exempted_ubac_constraint(lnk_file, ubacfile) | |
65 | exempted_ubac_constraint(fifo_file, ubacfile) | |
66 | exempted_ubac_constraint(sock_file, ubacfile) | |
67 | exempted_ubac_constraint(chr_file, ubacfile) | |
68 | exempted_ubac_constraint(blk_file, ubacfile) | |
69 | ||
5b6bd092 | 70 | # SELinux object identity change constraint: |
296273a7 | 71 | constrain dir_file_class_set { create relabelto relabelfrom } |
72 | ( |
73 | u1 == u2 | |
74 | or t1 == can_change_object_identity |
75 | ); | |
2e863f8a | 76 | |
77 | ######################################## |
78 | # | |
79 | # Process rules | |
80 | # | |
c98340cf | 81 | |
82 | ifdef(`enable_ubac',` |
83 | constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit } | |
84 | ( | |
85 | basic_ubac_conditions | |
86 | or t1 == ubacproc | |
87 | ); | |
88 | ') | |
bd56da4a | 89 | |
90 | constrain process { transition noatsecure siginh rlimitinh } |
91 | ( | |
92 | u1 == u2 | |
93 | or ( t1 == can_change_process_identity and t2 == process_user_target ) | |
94 | or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) | |
350b6ab7 | 95 | or ( t1 == can_system_change and u2 == system_u ) |
96 | or ( t1 == process_uncond_exempt ) |
97 | ); | |
134191be | 98 | |
296273a7 | 99 | constrain process { transition noatsecure siginh rlimitinh } |
350b6ab7 | 100 | ( |
101 | r1 == r2 |
102 | or ( t1 == can_change_process_role and t2 == process_user_target ) | |
103 | or ( t1 == cron_source_domain and t2 == cron_job_domain ) | |
104 | or ( t1 == can_system_change and r2 == system_r ) | |
105 | or ( t1 == process_uncond_exempt ) |
106 | ); | |
134191be | 107 | |
134191be | 108 | constrain process dyntransition |
109 | ( |
110 | u1 == u2 and r1 == r2 | |
111 | ); | |
134191be | 112 | |
113 | # These process permissions do not have UBAC constraints: |
114 | # fork | |
115 | # setexec | |
116 | # setfscreate | |
117 | # setcurrent | |
118 | # execmem | |
119 | # execstack | |
120 | # execheap | |
121 | # setkeycreate | |
122 | # setsockcreate | |
123 | ||
124 | ######################################## | |
134191be | 125 | # |
296273a7 | 126 | # File descriptor rules |
134191be | 127 | # |
bd56da4a | 128 | |
129 | exempted_ubac_constraint(fd, ubacfd) |
130 | ||
131 | ######################################## | |
132 | # | |
133 | # Socket rules | |
134 | # | |
135 | ||
136 | exempted_ubac_constraint(socket, ubacsock) | |
137 | exempted_ubac_constraint(tcp_socket, ubacsock) | |
138 | exempted_ubac_constraint(udp_socket, ubacsock) | |
139 | exempted_ubac_constraint(rawip_socket, ubacsock) | |
140 | exempted_ubac_constraint(netlink_socket, ubacsock) | |
141 | exempted_ubac_constraint(packet_socket, ubacsock) | |
142 | exempted_ubac_constraint(key_socket, ubacsock) | |
143 | exempted_ubac_constraint(unix_stream_socket, ubacsock) | |
144 | exempted_ubac_constraint(unix_dgram_socket, ubacsock) | |
145 | exempted_ubac_constraint(netlink_route_socket, ubacsock) | |
146 | exempted_ubac_constraint(netlink_firewall_socket, ubacsock) | |
147 | exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock) | |
148 | exempted_ubac_constraint(netlink_nflog_socket, ubacsock) | |
149 | exempted_ubac_constraint(netlink_xfrm_socket, ubacsock) | |
150 | exempted_ubac_constraint(netlink_selinux_socket, ubacsock) | |
151 | exempted_ubac_constraint(netlink_audit_socket, ubacsock) | |
152 | exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock) | |
153 | exempted_ubac_constraint(netlink_dnrt_socket, ubacsock) | |
154 | exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock) | |
155 | exempted_ubac_constraint(appletalk_socket, ubacsock) | |
156 | exempted_ubac_constraint(dccp_socket, ubacsock) | |
9711c7bd | 157 | exempted_ubac_constraint(tun_socket, ubacsock) |
158 | |
159 | constrain socket_class_set { create relabelto relabelfrom } | |
160 | ( |
161 | u1 == u2 | |
162 | or t1 == can_change_object_identity |
163 | ); | |
164 | |
165 | ######################################## | |
166 | # | |
167 | # SysV IPC rules | |
168 | ||
169 | exempted_ubac_constraint(sem, ubacipc) | |
170 | exempted_ubac_constraint(msg, ubacipc) | |
171 | exempted_ubac_constraint(msgq, ubacipc) | |
172 | exempted_ubac_constraint(shm, ubacipc) | |
173 | exempted_ubac_constraint(ipc, ubacipc) | |
174 | ||
175 | ######################################## | |
176 | # | |
177 | # SE-X Windows rules | |
178 | # | |
179 | ||
180 | exempted_ubac_constraint(x_drawable, ubacxwin) | |
181 | exempted_ubac_constraint(x_screen, ubacxwin) | |
182 | exempted_ubac_constraint(x_gc, ubacxwin) | |
183 | exempted_ubac_constraint(x_font, ubacxwin) | |
184 | exempted_ubac_constraint(x_colormap, ubacxwin) | |
185 | exempted_ubac_constraint(x_property, ubacxwin) | |
186 | exempted_ubac_constraint(x_selection, ubacxwin) | |
187 | exempted_ubac_constraint(x_cursor, ubacxwin) | |
188 | exempted_ubac_constraint(x_client, ubacxwin) | |
189 | exempted_ubac_constraint(x_device, ubacxwin) | |
190 | exempted_ubac_constraint(x_server, ubacxwin) | |
191 | exempted_ubac_constraint(x_extension, ubacxwin) | |
192 | exempted_ubac_constraint(x_resource, ubacxwin) | |
193 | exempted_ubac_constraint(x_event, ubacxwin) | |
194 | exempted_ubac_constraint(x_synthetic_event, ubacxwin) | |
195 | exempted_ubac_constraint(x_application_data, ubacxwin) | |
196 | ||
197 | ######################################## | |
198 | # | |
199 | # D-BUS rules | |
200 | # | |
201 | ||
202 | exempted_ubac_constraint(dbus, ubacdbus) | |
203 | ||
204 | ######################################## | |
205 | # | |
206 | # Key rules | |
207 | # | |
208 | ||
209 | exempted_ubac_constraint(key, ubackey) | |
210 | ||
211 | ######################################## | |
212 | # | |
213 | # Database rules | |
214 | # | |
215 | ||
216 | exempted_ubac_constraint(db_database, ubacdb) | |
217 | exempted_ubac_constraint(db_table, ubacdb) | |
218 | exempted_ubac_constraint(db_procedure, ubacdb) | |
219 | exempted_ubac_constraint(db_column, ubacdb) | |
220 | exempted_ubac_constraint(db_tuple, ubacdb) | |
221 | exempted_ubac_constraint(db_blob, ubacdb) | |
222 | ||
223 | ||
224 | ||
225 | basic_ubac_constraint(association) | |
226 | basic_ubac_constraint(peer) | |
227 | ||
228 | ||
229 | # These classes have no UBAC restrictions: | |
230 | #class security | |
231 | #class system | |
232 | #class capability | |
233 | #class memprotect | |
234 | #class passwd # userspace | |
235 | #class node | |
236 | #class netif | |
237 | #class packet | |
238 | #class capability2 | |
239 | #class nscd # userspace | |
240 | #class context # userspace | |
241 | ||
242 | ||
243 | ||
244 | undefine(`basic_ubac_constraint') | |
245 | undefine(`basic_ubac_conditions') | |
246 | undefine(`exempted_ubac_constraint') |