| ################################################# |
| # MLS policy constraints |
| # |
| |
| # |
| # Process constraints |
| # |
| |
| # Process transition: Require equivalence unless the subject is trusted. |
| mlsconstrain process { transition dyntransition } |
| ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); |
| |
| # Process read operations: No read up unless trusted. |
| mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } |
| (l1 dom l2 or t1 == mlstrustedsubject); |
| |
| # Process write operations: Require equivalence unless trusted. |
| mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share } |
| (l1 eq l2 or t1 == mlstrustedsubject); |
| |
| # |
| # Socket constraints |
| # |
| |
| # Create/relabel operations: Subject must be equivalent to object unless |
| # the subject is trusted. Sockets inherit the range of their creator. |
| mlsconstrain socket_class_set { create relabelfrom relabelto } |
| ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); |
| |
| # Datagram send: Sender must be equivalent to the receiver unless one of them |
| # is trusted. |
| mlsconstrain unix_dgram_socket { sendto } |
| (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); |
| |
| # Stream connect: Client must be equivalent to server unless one of them |
| # is trusted. |
| mlsconstrain unix_stream_socket { connectto } |
| (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); |
| |
| # |
| # Directory/file constraints |
| # |
| |
| # Create/relabel operations: Subject must be equivalent to object unless |
| # the subject is trusted. Also, files should always be single-level. |
| # Do NOT exempt mlstrustedobject types from this constraint. |
| mlsconstrain dir_file_class_set { create relabelfrom relabelto } |
| (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); |
| |
| # |
| # Userfaultfd constraints |
| # |
| # To enforce that anonymous inodes are self contained in the application's process. |
| mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod } |
| (l1 eq l2); |
| |
| # |
| # Constraints for app data files only. |
| # |
| |
| # Only constrain open, not read/write, so already open fds can be used. |
| # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc. |
| # Subject must dominate object unless the subject is trusted. |
| mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir } |
| (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject); |
| mlsconstrain { file sock_file } { open setattr unlink link rename } |
| ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject); |
| |
| # For symlinks in app data files, require equivalence in order to manipulate or follow (read). |
| mlsconstrain { lnk_file } { open setattr unlink link rename read } |
| ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject); |
| # But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this. |
| # TODO: Migrate to equivalence when it's no longer needed. |
| mlsconstrain { lnk_file } { open setattr unlink link rename read } |
| ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject); |
| |
| # |
| # Constraints for file types other than app data files. |
| # |
| |
| # Read operations: Subject must dominate object unless the subject |
| # or the object is trusted. |
| mlsconstrain dir { read getattr search } |
| (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject |
| or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) ); |
| |
| mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute } |
| (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); |
| |
| # Write operations: Subject must be equivalent to the object unless the |
| # subject or the object is trusted. |
| mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir } |
| (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); |
| |
| mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename } |
| (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); |
| |
| # Special case for FIFOs. |
| # These can be unnamed pipes, in which case they will be labeled with the |
| # creating process' label. Thus we also have an exemption when the "object" |
| # is a domain type, so that processes can communicate via unnamed pipes |
| # passed by binder or local socket IPC. |
| mlsconstrain fifo_file { read getattr } |
| (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain); |
| |
| mlsconstrain fifo_file { write setattr append unlink link rename } |
| (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain); |
| |
| # |
| # Binder IPC constraints |
| # |
| # Presently commented out, as apps are expected to call one another. |
| # This would only make sense if apps were assigned categories |
| # based on allowable communications rather than per-app categories. |
| #mlsconstrain binder call |
| # (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); |