Skip to content
Snippets Groups Projects
Select Git revision
  • c46ef41cfe801749753b964b75975170f6c2d597
  • master default protected
  • android-7.1.2_r28_klist
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
41 results

mls

Blame
    • Stephen Smalley's avatar
      025b7df2
      sepolicy: Clean up mls constraints. · 025b7df2
      Stephen Smalley authored
      
      Require equivalence for all write operations.  We were already
      doing this for app_data_file as a result of restricting open
      rather than read/write, so this makes the model consistent across
      all objects and operations.  It also addresses the scenario where
      we have mixed usage of levelFrom=all and levelFrom=user for
      different apps on the same device where the dominated-by (domby)
      relation may not be sufficiently restrictive.
      
      Drop the System V IPC constraints since System V IPC is never allowed
      by TE and thus these constraints are dead policy.
      
      Change-Id: Ic06a35030c086e3978c02d501c380889af8d21e0
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      025b7df2
      History
      sepolicy: Clean up mls constraints.
      Stephen Smalley authored
      
      Require equivalence for all write operations.  We were already
      doing this for app_data_file as a result of restricting open
      rather than read/write, so this makes the model consistent across
      all objects and operations.  It also addresses the scenario where
      we have mixed usage of levelFrom=all and levelFrom=user for
      different apps on the same device where the dominated-by (domby)
      relation may not be sufficiently restrictive.
      
      Drop the System V IPC constraints since System V IPC is never allowed
      by TE and thus these constraints are dead policy.
      
      Change-Id: Ic06a35030c086e3978c02d501c380889af8d21e0
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
    mls 4.31 KiB
    #########################################
    # MLS declarations
    #
    
    # Generate the desired number of sensitivities and categories.
    gen_sens(mls_num_sens)
    gen_cats(mls_num_cats)
    
    # Generate level definitions for each sensitivity and category.
    gen_levels(mls_num_sens,mls_num_cats)
    
    
    #################################################
    # MLS policy constraints
    #
    
    #
    # Process constraints
    #
    
    # Process transition:  Require equivalence unless the subject is trusted.
    mlsconstrain process { transition dyntransition }
    	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
    
    # Process read operations: No read up unless trusted.
    mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
    	     (l1 dom l2 or t1 == mlstrustedsubject);
    
    # Process write operations:  Require equivalence unless trusted.
    mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
    	     (l1 eq l2 or t1 == mlstrustedsubject);
    
    #
    # Socket constraints
    #
    
    # Create/relabel operations:  Subject must be equivalent to object unless
    # the subject is trusted.  Sockets inherit the range of their creator.
    mlsconstrain socket_class_set { create relabelfrom relabelto }
    	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
    
    # Datagram send: Sender must be equivalent to the receiver unless one of them
    # is trusted.
    mlsconstrain unix_dgram_socket { sendto }
    	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
    
    # Stream connect:  Client must be equivalent to server unless one of them
    # is trusted.
    mlsconstrain unix_stream_socket { connectto }
    	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
    
    #
    # Directory/file constraints
    #
    
    # Create/relabel operations:  Subject must be equivalent to object unless
    # the subject is trusted. Also, files should always be single-level.
    # Do NOT exempt mlstrustedobject types from this constraint.
    mlsconstrain dir_file_class_set { create relabelfrom relabelto }
    	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
    
    #
    # Constraints for app data files only.
    #
    
    # Only constrain open, not read/write.
    # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
    # Subject must be equivalent to object unless the subject is trusted.
    mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
    	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
    mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
    	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
    
    #
    # Constraints for file types other than app data files.
    #
    
    # Read operations: Subject must dominate object unless the subject
    # or the object is trusted.
    mlsconstrain dir { read getattr search }
    	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
    
    mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
    	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
    
    # Write operations: Subject must be equivalent to the object unless the
    # subject or the object is trusted.
    mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
    	     (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
    
    mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
    	     (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
    
    # Special case for FIFOs.
    # These can be unnamed pipes, in which case they will be labeled with the
    # creating process' label. Thus we also have an exemption when the "object"
    # is a domain type, so that processes can communicate via unnamed pipes
    # passed by binder or local socket IPC.
    mlsconstrain fifo_file { read getattr }
    	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
    
    mlsconstrain fifo_file { write setattr append unlink link rename }
    	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
    
    #
    # Binder IPC constraints
    #
    # Presently commented out, as apps are expected to call one another.
    # This would only make sense if apps were assigned categories
    # based on allowable communications rather than per-app categories.
    #mlsconstrain binder call
    #	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);