diff options
| author | Stephen Smalley <sds@tycho.nsa.gov> | 2012-01-04 12:33:27 -0500 |
|---|---|---|
| committer | Stephen Smalley <sds@tycho.nsa.gov> | 2012-01-04 12:33:27 -0500 |
| commit | 2dd4e51d5c2a2dfc0bfdee9303269f5a665f6e35 (patch) | |
| tree | 70cf7ff792b5f782a2963f87c873b7a7ae926af4 /mls | |
| download | android_external_sepolicy-2dd4e51d5c2a2dfc0bfdee9303269f5a665f6e35.tar.gz android_external_sepolicy-2dd4e51d5c2a2dfc0bfdee9303269f5a665f6e35.tar.bz2 android_external_sepolicy-2dd4e51d5c2a2dfc0bfdee9303269f5a665f6e35.zip | |
SE Android policy.
Diffstat (limited to 'mls')
| -rw-r--r-- | mls | 112 |
1 files changed, 112 insertions, 0 deletions
@@ -0,0 +1,112 @@ +######################################### +# MLS declarations +# + +# Generate the desired number of sensitivities and categories. +gen_sens(mls_num_sens) +gen_cats(mls_num_cats) + +# Generate level definitions for each sensitivity and category. +gen_levels(mls_num_sens,mls_num_cats) + + +################################################# +# MLS policy constraints +# + +# +# Process constraints +# + +# Process transition: Require equivalence unless the subject is trusted. +mlsconstrain process { transition dyntransition } + ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); + +# Process read operations: No read up unless trusted. +mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } + (l1 dom l2 or t1 == mlstrustedsubject); + +# Process write operations: No write down unless trusted. +mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share } + (l1 domby l2 or t1 == mlstrustedsubject); + +# +# Socket constraints +# + +# These permissions are between the process and its local socket, +# not between a process/socket and its peer. +# Equivalence is the normal situation; anything else requires trust. +mlsconstrain socket_class_set { read write create getattr setattr relabelfrom relabelto bind connect listen accept getopt setopt shutdown } + ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject or t2 == mlstrustedsubject); + +# Datagram send: Sender must be dominated by receiver unless one of them is +# trusted. +mlsconstrain unix_dgram_socket { sendto } + (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); + +# Stream connect: Client must be equivalent to server unless one of them +# is trusted. +mlsconstrain unix_stream_socket { connectto } + (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); + +# +# Directory/file constraints +# + +# Create/relabel operations: Subject must be equivalent to object unless +# the subject is trusted. Also, files should always be single-level. +# Do NOT exempt mlstrustedobject types from this constraint. +mlsconstrain dir_file_class_set { create relabelfrom relabelto } + (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); + +# Read operations: Subject must dominate object unless the subject +# or the object is trusted. +mlsconstrain dir { read getattr search } + (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + +mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute } + (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + +# Write operations: Subject must be dominated by the object unless the +# subject or the object is trusted. +mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir } + (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + +mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename } + (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + +# Special case for FIFOs. +# These can be unnamed pipes, in which case they will be labeled with the +# creating process' label. Thus we also have an exemption when the "object" +# is a MLS trusted subject and can receive data at any level. +mlsconstrain fifo_file { read getattr } + (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject); + +mlsconstrain fifo_file { write setattr append unlink link rename } + (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject); + +# +# IPC constraints +# + +# Create/destroy: equivalence or trusted. +mlsconstrain ipc_class_set { create destroy } + (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); + +# Read ops: No read up unless trusted. +mlsconstrain ipc_class_set r_ipc_perms + (l1 dom l2 or t1 == mlstrustedsubject); + +# Write ops: No write down unless trusted. +mlsconstrain ipc_class_set w_ipc_perms + (l1 domby l2 or t1 == mlstrustedsubject); + +# +# Binder IPC constraints +# +# Presently commented out, as apps are expected to call one another. +# This would only make sense if apps were assigned categories +# based on allowable communications rather than per-app categories. +#mlsconstrain binder call +# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); |