mirror of https://github.com/dzavalishin/oskit/
318 lines
4.2 KiB
Plaintext
Executable File
318 lines
4.2 KiB
Plaintext
Executable File
# Copyright (c) 1999, 2000 The University of Utah and the Flux Group.
|
|
# All rights reserved.
|
|
#
|
|
# Contributed by the Computer Security Research division,
|
|
# INFOSEC Research and Technology Office, NSA.
|
|
#
|
|
# This file is part of the Flux OSKit. The OSKit is free software, also known
|
|
# as "open source;" you can redistribute it and/or modify it under the terms
|
|
# of the GNU General Public License (GPL), version 2, as published by the Free
|
|
# Software Foundation (FSF). To explore alternate licensing terms, contact
|
|
# the University of Utah at csl-dist@cs.utah.edu or +1-801-585-3271.
|
|
#
|
|
# The OSKit is distributed in the hope that it will be useful, but WITHOUT ANY
|
|
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
# FOR A PARTICULAR PURPOSE. See the GPL for more details. You should have
|
|
# received a copy of the GPL along with the OSKit; see the file COPYING. If
|
|
# not, write to the FSF, 59 Temple Place #330, Boston, MA 02111-1307, USA.
|
|
|
|
#
|
|
# Define common prefixes for access vectors
|
|
#
|
|
# common common_name { permission_name ... }
|
|
|
|
|
|
#
|
|
# Define a common prefix for file access vectors.
|
|
#
|
|
|
|
common file
|
|
{
|
|
read
|
|
write
|
|
create
|
|
getattr
|
|
setattr
|
|
lock
|
|
relabelfrom
|
|
relabelto
|
|
transition
|
|
append
|
|
access
|
|
unlink
|
|
link
|
|
rename
|
|
execute
|
|
pathconf
|
|
}
|
|
|
|
|
|
#
|
|
# Define a common prefix for socket access vectors.
|
|
#
|
|
|
|
common socket
|
|
{
|
|
read
|
|
write
|
|
create
|
|
getattr
|
|
setattr
|
|
lock
|
|
relabelfrom
|
|
relabelto
|
|
transition
|
|
bind
|
|
connect
|
|
getopt
|
|
setopt
|
|
shutdown
|
|
recvfrom
|
|
sendto
|
|
recv_msg
|
|
send_msg
|
|
name_bind
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vectors.
|
|
#
|
|
# class class_name [ inherits common_name ] { permission_name ... }
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for file-related objects.
|
|
#
|
|
|
|
class filesystem
|
|
{
|
|
mount
|
|
remount
|
|
unmount
|
|
getattr
|
|
relabelfrom
|
|
relabelto
|
|
transition
|
|
associate
|
|
lookupi
|
|
}
|
|
|
|
class dir
|
|
inherits file
|
|
{
|
|
add_name
|
|
remove_name
|
|
reparent
|
|
search
|
|
rmdir
|
|
mounton
|
|
mountassociate
|
|
}
|
|
|
|
class file
|
|
inherits file
|
|
|
|
class lnk_file
|
|
inherits file
|
|
|
|
class chr_file
|
|
inherits file
|
|
|
|
class blk_file
|
|
inherits file
|
|
|
|
class sock_file
|
|
inherits file
|
|
|
|
class fifo_file
|
|
inherits file
|
|
|
|
class pipe
|
|
inherits file
|
|
|
|
|
|
class fd
|
|
{
|
|
create
|
|
getattr
|
|
setattr
|
|
inherit
|
|
receive
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for network-related objects.
|
|
#
|
|
|
|
class socket
|
|
inherits socket
|
|
|
|
class tcp_socket
|
|
inherits socket
|
|
{
|
|
connectto
|
|
listen
|
|
accept
|
|
newconn
|
|
acceptfrom
|
|
}
|
|
|
|
class udp_socket
|
|
inherits socket
|
|
|
|
class rawip_socket
|
|
inherits socket
|
|
|
|
class node
|
|
{
|
|
tcp_recv
|
|
tcp_send
|
|
udp_recv
|
|
udp_send
|
|
rawip_recv
|
|
rawip_send
|
|
enforce_dest
|
|
}
|
|
|
|
class netif
|
|
{
|
|
getattr
|
|
setattr
|
|
tcp_recv
|
|
tcp_send
|
|
udp_recv
|
|
udp_send
|
|
rawip_recv
|
|
rawip_send
|
|
}
|
|
|
|
class netlink_socket
|
|
inherits socket
|
|
|
|
class packet_socket
|
|
inherits socket
|
|
|
|
class unix_stream_socket
|
|
inherits socket
|
|
{
|
|
connectto
|
|
listen
|
|
accept
|
|
newconn
|
|
acceptfrom
|
|
}
|
|
|
|
class unix_dgram_socket
|
|
inherits socket
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for process-related objects
|
|
#
|
|
|
|
class process
|
|
{
|
|
execute
|
|
fork
|
|
transition
|
|
sigkill
|
|
sigstop
|
|
signal
|
|
chroot
|
|
setid
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for the security server.
|
|
#
|
|
|
|
class security
|
|
{
|
|
compute_av
|
|
notify_perm
|
|
transition_sid
|
|
member_sid
|
|
sid_to_context
|
|
context_to_sid
|
|
load_policy
|
|
get_sids
|
|
register_avc
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for system operations.
|
|
#
|
|
|
|
class system
|
|
{
|
|
reboot
|
|
net_io_control
|
|
route_control
|
|
arp_control
|
|
rarp_control
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for subjects.
|
|
#
|
|
|
|
class subject
|
|
{
|
|
read
|
|
write
|
|
execute
|
|
create_object
|
|
specify_client
|
|
specify_server
|
|
connect
|
|
call
|
|
send
|
|
thread_scheduler
|
|
task_keeper
|
|
map
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for the AVC.
|
|
#
|
|
|
|
class avc
|
|
{
|
|
grant
|
|
try_revoke
|
|
revoke
|
|
reset
|
|
set_auditallow
|
|
set_auditdeny
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for mempools and segments.
|
|
#
|
|
|
|
class memory
|
|
{
|
|
segment_create
|
|
segment_destroy
|
|
segment_map
|
|
segment_getsize
|
|
segment_setsize
|
|
segment_createcopy
|
|
mempool_create
|
|
mempool_destroy
|
|
mempool_addsubpool
|
|
mempool_addsegment
|
|
mempool_gettickets
|
|
mempool_settickets
|
|
segment_associate
|
|
subpool_associate
|
|
}
|
|
|