| <!-- Common Interface Language (CIL) Reference Guide --> |
| <!-- access_vector_rules.xml --> |
| |
| <sect1 id="av_rules"> |
| <title>Access Vector Rules</title> |
| <sect2 id="allow"> |
| <title>allow</title> |
| <para>Specifies the access allowed between a source and target type. Note that access may be refined by constraint rules based on the source, target and class (<literal><link linkend="validatetrans">validatetrans</link></literal> or <literal><link linkend="mlsvalidatetrans">mlsvalidatetrans</link></literal>) or source, target class and permissions (<literal><link linkend="constrain">constrain</link></literal> or <literal><link linkend="mlsconstrain">mlsconstrain</link></literal> statements).</para> |
| <para><emphasis role="bold">Rule definition:</emphasis></para> |
| <programlisting><![CDATA[(allow source_id target_id|self classpermissionset_id ...)]]></programlisting> |
| <para><emphasis role="bold">Where:</emphasis></para> |
| <informaltable frame="all"> |
| <tgroup cols="2"> |
| <colspec colwidth="2.25 *"/> |
| <colspec colwidth="6 *"/> |
| <tbody> |
| <row> |
| <entry> |
| <para><literal><link linkend="allow">allow</link></literal></para> |
| </entry> |
| <entry> |
| <para>The <literal><link linkend="allow">allow</link></literal> keyword.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>source_id</literal></para> |
| </entry> |
| <entry> |
| <para>A single previously defined source <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>target_id</literal></para> |
| </entry> |
| <entry> |
| <para>A single previously defined target <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para> |
| <para>The <literal>self</literal> keyword may be used instead to signify that source and target are the same.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>classpermissionset_id</literal></para> |
| </entry> |
| <entry> |
| <para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para> |
| </entry> |
| </row> |
| </tbody></tgroup> |
| </informaltable> |
| |
| <para><emphasis role="bold">Examples:</emphasis></para> |
| <para>These examples show a selection of possible permutations of <literal><link linkend="allow">allow</link></literal> rules:</para> |
| <programlisting><![CDATA[ |
| (class binder (impersonate call set_context_mgr transfer receive)) |
| (class property_service (set)) |
| (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo)) |
| |
| (classpermission cps_zygote) |
| (classpermissionset cps_zygote (zygote (not (specifyids)))) |
| |
| (classmap android_classes (set_1 set_2 set_3)) |
| |
| (classmapping android_classes set_1 (binder (all))) |
| (classmapping android_classes set_1 (property_service (set))) |
| (classmapping android_classes set_1 (zygote (not (specifycapabilities)))) |
| |
| (classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer))) |
| (classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith))) |
| |
| (classmapping android_classes set_3 cps_zygote) |
| (classmapping android_classes set_3 (binder (impersonate call set_context_mgr))) |
| |
| (block av_rules |
| (type type_1) |
| (type type_2) |
| (type type_3) |
| (type type_4) |
| (type type_5) |
| |
| (typeattribute all_types) |
| (typeattributeset all_types (all)) |
| |
| ; These examples have named and anonymous classpermissionset's and |
| ; classmap/classmapping statements |
| (allow type_1 self (property_service (set))) ; anonymous |
| (allow type_2 self (zygote (specifyids))) ; anonymous |
| (allow type_3 self cps_zygote) ; named |
| (allow type_4 self (android_classes (set_3))) ; classmap/classmapping |
| (allow all_types all_types (android_classes (set_2))) ; classmap/classmapping |
| |
| ;; This rule will cause the build to fail unless --disable-neverallow |
| ; (neverallow type_5 all_types (property_service (set))) |
| (allow type_5 type_5 (property_service (set))) |
| (allow type_1 all_types (property_service (set))) |
| )]]> |
| </programlisting> |
| </sect2> |
| |
| <sect2 id="auditallow"> |
| <title>auditallow</title> |
| <para>Audit the access rights defined if there is a valid allow rule. Note: It does NOT allow access, it only audits the event.</para> |
| <para><emphasis role="bold">Rule definition:</emphasis></para> |
| <programlisting><![CDATA[(auditallow source_id target_id|self classpermissionset_id ...)]]></programlisting> |
| <para><emphasis role="bold">Where:</emphasis></para> |
| <informaltable frame="all"> |
| <tgroup cols="2"> |
| <colspec colwidth="2.5 *"/> |
| <colspec colwidth="6 *"/> |
| <tbody> |
| <row> |
| <entry> |
| <para><literal>auditallow</literal></para> |
| </entry> |
| <entry> |
| <para>The <literal>auditallow</literal> keyword.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>source_id</literal></para> |
| </entry> |
| <entry> |
| <para>A single previously defined source <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>target_id</literal></para> |
| </entry> |
| <entry> |
| <para>A single previously defined target <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para> |
| <para>The <literal>self</literal> keyword may be used instead to signify that source and target are the same.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>classpermissionset_id</literal></para> |
| </entry> |
| <entry> |
| <para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para> |
| </entry> |
| </row> |
| </tbody></tgroup> |
| </informaltable> |
| |
| <para><emphasis role="bold">Example:</emphasis></para> |
| <para>This example will log an audit event whenever the corresponding <literal><link linkend="allow">allow</link></literal> rule grants access to the specified permissions:</para> |
| <programlisting><![CDATA[ |
| (allow release_app.process secmark_demo.browser_packet (packet (send recv append bind))) |
| |
| (auditallow release_app.process secmark_demo.browser_packet (packet (send recv))) |
| ]]> |
| </programlisting> |
| </sect2> |
| |
| <sect2 id="dontaudit"> |
| <title>dontaudit</title> |
| <para>Do not audit the access rights defined when access denied. This stops excessive log entries for known events.</para> |
| <para>Note that these rules can be omitted by the CIL compiler command line parameter <literal>-D</literal> or <literal>--disable-dontaudit</literal> flags.</para> |
| <para><emphasis role="bold">Rule definition:</emphasis></para> |
| <programlisting><![CDATA[(dontaudit source_id target_id|self classpermissionset_id ...)]]></programlisting> |
| <para><emphasis role="bold">Where:</emphasis></para> |
| <informaltable frame="all"> |
| <tgroup cols="2"> |
| <colspec colwidth="2.25 *"/> |
| <colspec colwidth="6 *"/> |
| <tbody> |
| <row> |
| <entry> |
| <para><literal>dontaudit</literal></para> |
| </entry> |
| <entry> |
| <para>The <literal>dontaudit</literal> keyword.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>source_id</literal></para> |
| </entry> |
| <entry> |
| <para>A single previously defined source <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>target_id</literal></para> |
| </entry> |
| <entry> |
| <para>A single previously defined target <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para> |
| <para>The <literal>self</literal> keyword may be used instead to signify that source and target are the same.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>classpermissionset_id</literal></para> |
| </entry> |
| <entry> |
| <para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para> |
| </entry> |
| </row> |
| </tbody></tgroup> |
| </informaltable> |
| |
| <para><emphasis role="bold">Example:</emphasis></para> |
| <para>This example will not audit the denied access:</para> |
| <programlisting><![CDATA[(dontaudit zygote.process self (capability (fsetid)))]]> |
| </programlisting> |
| </sect2> |
| |
| <sect2 id="neverallow"> |
| <title>neverallow</title> |
| <para>Never allow access rights defined. This is a compiler enforced action that will stop compilation until the offending rules are modified.</para> |
| <para>Note that these rules can be over-ridden by the CIL compiler command line parameter <literal>-N</literal> or <literal>--disable-neverallow</literal> flags.</para> |
| <para><emphasis role="bold">Rule definition:</emphasis></para> |
| <programlisting><![CDATA[(neverallow source_id target_id|self classpermissionset_id ...)]]></programlisting> |
| <para><emphasis role="bold">Where:</emphasis></para> |
| <informaltable frame="all"> |
| <tgroup cols="2"> |
| <colspec colwidth="2.25 *"/> |
| <colspec colwidth="6 *"/> |
| <tbody> |
| <row> |
| <entry> |
| <para><literal>neverallow</literal></para> |
| </entry> |
| <entry> |
| <para>The <literal>neverallow</literal> keyword.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>source_id</literal></para> |
| </entry> |
| <entry> |
| <para>A single previously defined source <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>target_id</literal></para> |
| </entry> |
| <entry> |
| <para>A single previously defined target <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para> |
| <para>The <literal>self</literal> keyword may be used instead to signify that source and target are the same.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>classpermissionset_id</literal></para> |
| </entry> |
| <entry> |
| <para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para> |
| </entry> |
| </row> |
| </tbody></tgroup> |
| </informaltable> |
| |
| <para><emphasis role="bold">Example:</emphasis></para> |
| <para>This example will not compile as <literal>type_3</literal> is not allowed to be a source type for the <literal><link linkend="allow">allow</link></literal> rule:</para> |
| <programlisting><![CDATA[ |
| (class property_service (set)) |
| |
| (block av_rules |
| (type type_1) |
| (type type_2) |
| (type type_3) |
| (typeattribute all_types) |
| (typeattributeset all_types ((all))) |
| |
| (neverallow type_3 all_types (property_service (set))) |
| ; This rule will fail compilation: |
| (allow type_3 self (property_service (set))) |
| )]]> |
| </programlisting> |
| </sect2> |
| |
| </sect1> |