| Message ID | 1448984310-17097-2-git-send-email-slawrence@tresys.com (mailing list archive) |
|---|---|
| State | Accepted |
On 12/01/2015 10:38 AM, Steve Lawrence wrote:
> Signed-off-by: Steve Lawrence <slawrence@tresys.com>

Applied.

Thanks,
Jim

> ---
>  secilc/docs/cil_access_vector_rules.xml | 67 ++++++++++++++++++++++
>  .../docs/cil_class_and_permission_statements.xml | 2 +-
>  2 files changed, 68 insertions(+), 1 deletion(-)
>
> diff --git a/secilc/docs/cil_access_vector_rules.xml b/secilc/docs/cil_access_vector_rules.xml
> index 985fc3d..e768558 100644
> --- a/secilc/docs/cil_access_vector_rules.xml
> +++ b/secilc/docs/cil_access_vector_rules.xml
> @@ -448,4 +448,71 @@ > </programlisting> > </sect2> > > + <sect2 id="neverallowx"> > + <title>neverallowx</title> > + <para>Never allow access rights defined for extended permissions. This is a compiler enforced action that will stop compilation until the offending rules are modified.</para> > + <para>Note that these rules can be over-ridden by the CIL compiler command line parameter <literal>-N</literal> or <literal>--disable-neverallow</literal> flags.</para> > + <para><emphasis role="bold">Rule definition:</emphasis></para> > + <programlisting><![CDATA[(neverallowx source_id target_id|self permissionx_id)]]></programlisting> > + <para><emphasis role="bold">Where:</emphasis></para> > + <informaltable frame="all"> > + <tgroup cols="2"> > + <colspec colwidth="2.25 *"/> > + <colspec colwidth="6 *"/> > + <tbody> > + <row> > + <entry> > + <para><literal>neverallowx</literal></para> > + </entry> > + <entry> > + <para>The <literal>neverallowx</literal> keyword.</para> > + </entry> > + </row> > + <row> > + <entry> > + <para><literal>source_id</literal></para> > + </entry> > + <entry> > + <para>A single previously defined source <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para> > + </entry> > + </row> > + <row> > + <entry> > + <para><literal>target_id</literal></para> > + </entry> > + <entry> > + <para>A single previously defined target <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para> > + <para>The <literal>self</literal> keyword may be used instead to signify that source and target are the same.</para> > + </entry> > + </row> > + <row> > + <entry> > + <para><literal>permissionx_id</literal></para> > + </entry> > + <entry> > + <para>A single named or anonymous 
<literal><link linkend="permissionx">permissionx</link></literal>.</para> > + </entry> > + </row> > + </tbody></tgroup> > + </informaltable> > + > + <para><emphasis role="bold">Example:</emphasis></para> > + <para>This example will not compile as <literal>type_3</literal> is not allowed to be a source type and ioctl range for the <literal><link linkend="allowx">allowx</link></literal> rule:</para> > + <programlisting><![CDATA[ > +(class property_service (ioctl)) > + > +(block av_rules > + (type type_1) > + (type type_2) > + (type type_3) > + (typeattribute all_types) > + (typeattributeset all_types ((all))) > + > + (neverallowx type_3 all_types (ioctl property_service (range 0x2000 0x20FF))) > + ; This rule will fail compilation: > + (allowx type_3 self (ioctl property_service (0x20A0))) > +)]]> > + </programlisting> > + </sect2> > + > </sect1> > diff --git a/secilc/docs/cil_class_and_permission_statements.xml b/secilc/docs/cil_class_and_permission_statements.xml > index 20c3eb7..f4982e0 100644 > --- a/secilc/docs/cil_class_and_permission_statements.xml > +++ b/secilc/docs/cil_class_and_permission_statements.xml 
> @@ -508,7 +508,7 @@ > > <sect2 id="permissionx"> > <title>permissionx</title> > - <para>Defines a named extended permission, which can be used in the <literal><link linkend="allowx">allowx</link></literal>, <literal><link linkend="auditallowx">auditallowx</link></literal>, and <literal><link linkend="dontauditx">dontauditx</link></literal> statements.</para> > + <para>Defines a named extended permission, which can be used in the <literal><link linkend="allowx">allowx</link></literal>, <literal><link linkend="auditallowx">auditallowx</link></literal>, <literal><link linkend="dontauditx">dontauditx</link></literal>, and <literal><link linkend="neverallowx">neverallowx</link></literal> statements.</para> > <para><emphasis role="bold">Statement definition:</emphasis></para> > <programlisting><![CDATA[(permissionx permissionx_id (kind class_id (permission ... | expr ...)))]]></programlisting> > <para><emphasis role="bold">Where:</emphasis></para> >
diff --git a/secilc/docs/cil_access_vector_rules.xml b/secilc/docs/cil_access_vector_rules.xml
index 985fc3d..e768558 100644
--- a/secilc/docs/cil_access_vector_rules.xml
+++ b/secilc/docs/cil_access_vector_rules.xml
@@ -448,4 +448,71 @@ </programlisting> </sect2> + <sect2 id="neverallowx"> + <title>neverallowx</title> + <para>Never allow access rights defined for extended permissions. This is a compiler enforced action that will stop compilation until the offending rules are modified.</para> + <para>Note that these rules can be over-ridden by the CIL compiler command line parameter <literal>-N</literal> or <literal>--disable-neverallow</literal> flags.</para> + <para><emphasis role="bold">Rule definition:</emphasis></para> + <programlisting><![CDATA[(neverallowx source_id target_id|self permissionx_id)]]></programlisting> + <para><emphasis role="bold">Where:</emphasis></para> + <informaltable frame="all"> + <tgroup cols="2"> + <colspec colwidth="2.25 *"/> + <colspec colwidth="6 *"/> + <tbody> + <row> + <entry> + <para><literal>neverallowx</literal></para> + </entry> + <entry> + <para>The <literal>neverallowx</literal> keyword.</para> + </entry> + </row> + <row> + <entry> + <para><literal>source_id</literal></para> + </entry> + <entry> + <para>A single previously defined source <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para> + </entry> + </row> + <row> + <entry> + <para><literal>target_id</literal></para> + </entry> + <entry> + <para>A single previously defined target <literal><link linkend="type">type</link></literal>, <literal><link linkend="typealias">typealias</link></literal> or <literal><link linkend="typeattribute">typeattribute</link></literal> identifier.</para> + <para>The <literal>self</literal> keyword may be used instead to signify that source and target are the same.</para> + </entry> + </row> + <row> + <entry> + <para><literal>permissionx_id</literal></para> + </entry> + <entry> + <para>A single named or anonymous <literal><link linkend="permissionx">permissionx</link></literal>.</para> + </entry> + </row> 
+ </tbody></tgroup> + </informaltable> + + <para><emphasis role="bold">Example:</emphasis></para> + <para>This example will not compile as <literal>type_3</literal> is not allowed to be a source type and ioctl range for the <literal><link linkend="allowx">allowx</link></literal> rule:</para> + <programlisting><![CDATA[ +(class property_service (ioctl)) + +(block av_rules + (type type_1) + (type type_2) + (type type_3) + (typeattribute all_types) + (typeattributeset all_types ((all))) + + (neverallowx type_3 all_types (ioctl property_service (range 0x2000 0x20FF))) + ; This rule will fail compilation: + (allowx type_3 self (ioctl property_service (0x20A0))) +)]]> + </programlisting> + </sect2> + </sect1> diff --git a/secilc/docs/cil_class_and_permission_statements.xml b/secilc/docs/cil_class_and_permission_statements.xml index 20c3eb7..f4982e0 100644 --- a/secilc/docs/cil_class_and_permission_statements.xml +++ b/secilc/docs/cil_class_and_permission_statements.xml @@ -508,7 +508,7 @@ <sect2 id="permissionx"> <title>permissionx</title> - <para>Defines a named extended permission, which can be used in the <literal><link linkend="allowx">allowx</link></literal>, <literal><link linkend="auditallowx">auditallowx</link></literal>, and <literal><link linkend="dontauditx">dontauditx</link></literal> statements.</para> + <para>Defines a named extended permission, which can be used in the <literal><link linkend="allowx">allowx</link></literal>, <literal><link linkend="auditallowx">auditallowx</link></literal>, <literal><link linkend="dontauditx">dontauditx</link></literal>, and <literal><link linkend="neverallowx">neverallowx</link></literal> statements.</para> <para><emphasis role="bold">Statement definition:</emphasis></para> <programlisting><![CDATA[(permissionx permissionx_id (kind class_id (permission ... | expr ...)))]]></programlisting> <para><emphasis role="bold">Where:</emphasis></para>
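Review bot: In the neverallowx hunk, the sentence introducing the example ("This example will not compile as type_3 is not allowed to be a source type and ioctl range for the allowx rule") does not state what the conflict actually is; say it explicitly, e.g. "This example will not compile because the neverallowx rule forbids type_3 as the source of any property_service ioctl in the range 0x2000 to 0x20FF on every type (all_types includes type_3 itself, so self is covered), and the allowx rule grants 0x20A0, which falls inside that range." Since the example triggers on a single value inside a range rather than an exact match, the text would also benefit from saying that a neverallowx rule is violated whenever an allowx rule's ioctl set overlaps the forbidden set. Minor: "over-ridden" should be "overridden".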
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
---
 secilc/docs/cil_access_vector_rules.xml          | 67 ++++++++++++++++++++++
 .../docs/cil_class_and_permission_statements.xml |  2 +-
 2 files changed, 68 insertions(+), 1 deletion(-)