Changeset 2677
- Timestamp:
- 05/07/08 09:54:32
(7 months ago)
- Author:
- pebenito
- Message:
rbacsep: more constraint work
-
Files:
-
| r2676 |
r2677 |
|
| 1 | | define(`basic_rbac_exemptions',` |
|---|
| | 1 | # |
|---|
| | 2 | # Define the RBAC constraints |
|---|
| | 3 | # |
|---|
| | 4 | # constrain class_set perm_set expression ; |
|---|
| | 5 | # |
|---|
| | 6 | # expression : ( expression ) |
|---|
| | 7 | # | not expression |
|---|
| | 8 | # | expression and expression |
|---|
| | 9 | # | expression or expression |
|---|
| | 10 | # | u1 op u2 |
|---|
| | 11 | # | r1 role_op r2 |
|---|
| | 12 | # | t1 op t2 |
|---|
| | 13 | # | u1 op names |
|---|
| | 14 | # | u2 op names |
|---|
| | 15 | # | r1 op names |
|---|
| | 16 | # | r2 op names |
|---|
| | 17 | # | t1 op names |
|---|
| | 18 | # | t2 op names |
|---|
| | 19 | # |
|---|
| | 20 | # op : == | != |
|---|
| | 21 | # role_op : == | != | eq | dom | domby | incomp |
|---|
| | 22 | # |
|---|
| | 23 | # names : name | { name_list } |
|---|
| | 24 | # name_list : name | name_list name |
|---|
| | 25 | # |
|---|
| | 26 | |
|---|
| | 27 | |
|---|
| | 28 | define(`basic_rbac_conditions',` |
|---|
| 2 | 29 | r1 == r2 |
|---|
| 3 | 30 | or r1 == system_r |
|---|
| … | … | |
| 9 | 36 | constrain $1 all_$1_perms |
|---|
| 10 | 37 | ( |
|---|
| 11 | | basic_rbac_exemptions() |
|---|
| | 38 | basic_rbac_conditions |
|---|
| | 39 | ); |
|---|
| | 40 | ') |
|---|
| | 41 | |
|---|
| | 42 | define(`exempted_rbac_constraint',` |
|---|
| | 43 | constrain $1 all_$1_perms |
|---|
| | 44 | ( |
|---|
| | 45 | basic_rbac_conditions |
|---|
| | 46 | or r1 domby $2 |
|---|
| | 47 | or t1 == $3 |
|---|
| | 48 | or t2 == $4 |
|---|
| 12 | 49 | ); |
|---|
| 13 | 50 | ') |
|---|
| … | … | |
| 33 | 70 | constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit } |
|---|
| 34 | 71 | ( |
|---|
| 35 | | basic_rbac_exemptions() |
|---|
| 36 | | ); |
|---|
| 37 | | |
|---|
| 38 | | #cjp: not sure what to do with these |
|---|
| 39 | | # noatsecure |
|---|
| 40 | | # siginh |
|---|
| 41 | | # rlimitinh |
|---|
| 42 | | |
|---|
| 43 | | constrain process transition |
|---|
| | 72 | basic_rbac_conditions |
|---|
| | 73 | ); |
|---|
| | 74 | |
|---|
| | 75 | constrain process { transition noatsecure siginh rlimitinh } |
|---|
| 44 | 76 | ( |
|---|
| 45 | 77 | r1 == r2 |
|---|
| … | … | |
| 65 | 97 | # setkeycreate |
|---|
| 66 | 98 | # setsockcreate |
|---|
| | 99 | |
|---|
| | 100 | ######################################## |
|---|
| | 101 | # |
|---|
| | 102 | # File descriptor rules |
|---|
| | 103 | # |
|---|
| | 104 | |
|---|
| | 105 | basic_rbac_constraint(fd) |
|---|
| 67 | 106 | |
|---|
| 68 | 107 | ######################################## |
|---|
| … | … | |
| 159 | 198 | |
|---|
| 160 | 199 | # these classes have no RBAC restrictions |
|---|
| 161 | | #class fd |
|---|
| 162 | 200 | #class security |
|---|
| 163 | 201 | #class system |
|---|
| … | … | |
| 173 | 211 | |
|---|
| 174 | 212 | undefine(`basic_rbac_constraint') |
|---|
| 175 | | undefine(`basic_rbac_exemptions') |
|---|
| 176 | | |
|---|
| | 213 | undefine(`basic_rbac_conditions') |
|---|
| | 214 | undefine(`exempted_rbac_constraint') |
|---|
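Review bot: The new `exempted_rbac_constraint` macro (new lines 42–50) takes three positional exemptions, `$2` for `r1 domby`, `$3` for `t1` and `$4` for `t2`, but nothing documents them, and because they are joined with `or`, each one on its own bypasses the role check for the whole class. I would add a header comment such as `# exempted_rbac_constraint(class, exempt_role, exempt_source_type, exempt_target_type)` and state that every argument is required, since an empty one leaves a dangling `or r1 domby` in the expansion, which I would expect to fail at policy compile time. Separately, `basic_rbac_constraint(fd)` at new line 105 takes `fd` out of the "no RBAC restrictions" list. The conditions at new lines 31–35 are elided here, so it is worth confirming that descriptors inherited across a role change (login, newrole-style tools) remain usable.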