From d923d54c08e7c211e8cac90c12cfed871c15a7c9 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 6 May 2008 14:37:05 +0000
Subject: [PATCH] trunk: X application data class from Eamon Walsh and Ted Toth.
---
 Changelog | 1 +
 policy/flask/access_vectors | 7 +++++++
 policy/flask/security_classes | 1 +
 policy/mls | 12 ++++++++++++
 4 files changed, 21 insertions(+)
diff --git a/Changelog b/Changelog
index 17d4d04c2..0bf0f0dd1 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- X application data class from Eamon Walsh and Ted Toth.
 - Move user roles into individual modules.
 - Make hald_log_t a log file.
 - Cryptsetup runs shell scripts. Patch from Martin Orr.
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index b5631e934..2ba6fa57a 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -775,3 +775,10 @@ class peer
 {
 recv
 }
+
+class x_application_data
+{
+ paste
+ paste_after_confirm
+ copy
+}
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 5b758d9d7..2a03e6590 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -114,5 +114,6 @@ class capability2
 class x_resource # userspace
 class x_event # userspace
 class x_synthetic_event # userspace
+class x_application_data # userspace
 # FLASK
diff --git a/policy/mls b/policy/mls
index beed2f8e8..665c1c69b 100644
--- a/policy/mls
+++ b/policy/mls
@@ -568,6 +568,18 @@ mlsconstrain x_event { send }
 ( t1 == mlsxwinwrite ));
+#
+# MLS policy for the x_application_data class
+#
+
+# the x_application_data "paste" ops (explicit single level)
+mlsconstrain x_application_data { paste }
+ ( l1 eq l2 );
+
+# the x_application_data "paste_after_confirm" ops (downgrade permitted)
+mlsconstrain x_application_data { paste_after_confirm }
+ ( l1 domby l2 );
+
 #
 # MLS policy for the pax class
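Review bot: `copy` is declared in the new `x_application_data` class in policy/flask/access_vectors, but the policy/mls hunk of this patch adds `mlsconstrain` rules only for `paste` and `paste_after_confirm`, so as far as this patch shows a copy is not restricted by level at all. If that is intended because the levels are compared when the data is pasted, say so next to the class, e.g. `# copy is not MLS-constrained; levels are compared when the data is pasted`; otherwise `copy` needs its own constraint in policy/mls. The class is also marked `# userspace` in security_classes, so relaxing `l1 eq l2` to `l1 domby l2` for `paste_after_confirm` presumably relies on the userspace object manager having really obtained the user's confirmation, which the policy itself cannot check. A comment above the class should name the component that is trusted to do that and state which side of the check (`l1` or `l2`) is the data being pasted.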