Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results

mls

Blame
    • mls 4.03 KiB 
    #########################################
# MLS declarations
#

# Generate the desired number of sensitivities and categories.
gen_sens(mls_num_sens)
gen_cats(mls_num_cats)

# Generate level definitions for each sensitivity and category.
gen_levels(mls_num_sens,mls_num_cats)


#################################################
# MLS policy constraints
#

#
# Process constraints
#

# Process transition:  Require equivalence unless the subject is trusted.
mlsconstrain process { transition dyntransition }
	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Process read operations: No read up unless trusted.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
	     (l1 dom l2 or t1 == mlstrustedsubject);

# Process write operations:  No write down unless trusted.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
	     (l1 domby l2 or t1 == mlstrustedsubject);

#
# Socket constraints
#

# Create/relabel operations:  Subject must be equivalent to object unless
# the subject is trusted.  Sockets inherit the range of their creator.
mlsconstrain socket_class_set { create relabelfrom relabelto }
	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Datagram send: Sender must be dominated by receiver unless one of them is
# trusted.
mlsconstrain unix_dgram_socket { sendto }
	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

# Stream connect:  Client must be equivalent to server unless one of them
# is trusted.
mlsconstrain unix_stream_socket { connectto }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

#
# Directory/file constraints
#

# Create/relabel operations:  Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level.
# Do NOT exempt mlstrustedobject types from this constraint.
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Write operations: Subject must be dominated by the object unless the
    # subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a MLS trusted subject and can receive data at any level.
mlsconstrain fifo_file { read getattr }
	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);

mlsconstrain fifo_file { write setattr append unlink link rename }
	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);

#
# IPC constraints
#

# Create/destroy: equivalence or trusted.
mlsconstrain ipc_class_set { create destroy }
	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

# Read ops: No read up unless trusted.
mlsconstrain ipc_class_set r_ipc_perms
	     (l1 dom l2 or t1 == mlstrustedsubject);

# Write ops: No write down unless trusted.
mlsconstrain ipc_class_set w_ipc_perms
	     (l1 domby l2 or t1 == mlstrustedsubject);

#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
#mlsconstrain binder call
#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);