<!-- Common Interface Language (CIL) Reference Guide -->
<!-- container_statements.xml -->
<sect1 >
<title > Container Statements</title>
<sect2 id= "block" >
<title > block</title>
<para > Start a new namespace where any CIL statement is valid.</para>
<para > <emphasis role= "bold" > Statement definition:</emphasis> </para>
<programlisting><![CDATA[
(block block_id
cil_statement
...
)]]>
</programlisting>
<para > <emphasis role= "bold" > Where:</emphasis> </para>
<informaltable frame= "all" >
<tgroup cols= "2" >
<colspec colwidth= "2 *" />
<colspec colwidth= "6 *" />
<tbody >
<row >
<entry >
<para > <literal > block</literal> </para>
</entry>
<entry >
<para > The <literal > <link linkend= "block" > block</link> </literal> keyword.</para>
</entry>
</row>
<row >
<entry >
<para > <literal > block_id</literal> </para>
</entry>
<entry >
<para > The namespace identifier.</para>
</entry>
</row>
<row >
<entry >
<para > <literal > cil_statement</literal> </para>
</entry>
<entry >
<para > Zero or more valid CIL statements.</para>
</entry>
</row>
</tbody> </tgroup>
</informaltable>
<para > <emphasis role= "bold" > Example:</emphasis> </para>
<para > See the <literal > <link linkend= "blockinherit" > blockinherit</link> </literal> statement for an example.</para>
</sect2>
<sect2 id= "blockabstract" >
<title > blockabstract</title>
<para > Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a <literal > <link linkend= "blockinherit" > blockinherit</link> </literal> statement.</para>
<para > <emphasis role= "bold" > Statement definition:</emphasis> </para>
<programlisting><![CDATA[
(block block_id
(blockabstract template_id)
cil_statement
...
)]]>
</programlisting>
<para > <emphasis role= "bold" > Where:</emphasis> </para>
<informaltable frame= "all" >
<tgroup cols= "2" >
<colspec colwidth= "2 *" />
<colspec colwidth= "6 *" />
<tbody >
<row >
<entry >
<para > <literal > block</literal> </para>
</entry>
<entry >
<para > The <literal > <link linkend= "block" > block</link> </literal> keyword.</para>
</entry>
</row>
<row >
<entry >
<para > <literal > block_id</literal> </para>
</entry>
<entry >
<para > The namespace identifier.</para>
</entry>
</row>
<row >
<entry >
<para > <literal > blockabstract</literal> </para>
</entry>
<entry >
<para > The <literal > <link linkend= "blockabstract" > blockabstract</link> </literal> keyword.</para>
</entry>
</row>
<row >
<entry >
<para > <literal > template_id</literal> </para>
</entry>
<entry >
<para > The abstract namespace identifier. This must match the <literal > <link linkend= "block" > block_id</link> </literal> entry.</para>
</entry>
</row>
<row >
<entry >
<para > <literal > cil_statement</literal> </para>
</entry>
<entry >
<para > Zero or more valid CIL statements forming the abstract block.</para>
</entry>
</row>
</tbody> </tgroup>
</informaltable>
<para > <emphasis role= "bold" > Example:</emphasis> </para>
<para > See the <literal > <link linkend= "blockinherit" > blockinherit</link> </literal> statement for an example.</para>
</sect2>
<sect2 id= "blockinherit" >
<title > blockinherit</title>
<para>Used to add common policy rules to the current namespace via a template that has been defined with the <literal><link linkend="blockabstract">blockabstract</link></literal> statement. All <literal><link linkend="blockinherit">blockinherit</link></literal> statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, see the example at the end of this section.</para>
<para > <emphasis role= "bold" > Statement definition:</emphasis> </para>
<programlisting><![CDATA[
(block block_id
(blockinherit template_id)
cil_statement
...
)]]>
</programlisting>
<para > <emphasis role= "bold" > Where:</emphasis> </para>
<informaltable frame= "all" >
<tgroup cols= "2" >
<colspec colwidth= "2 *" />
<colspec colwidth= "6 *" />
<tbody >
<row >
<entry >
<para > <literal > block</literal> </para>
</entry>
<entry >
<para > The <literal > <link linkend= "block" > block</link> </literal> keyword.</para>
</entry>
</row>
<row >
<entry >
<para > <literal > block_id</literal> </para>
</entry>
<entry >
<para > The namespace identifier.</para>
</entry>
</row>
<row >
<entry >
<para > <literal > blockinherit</literal> </para>
</entry>
<entry >
<para > The <literal > <link linkend= "blockinherit" > blockinherit</link> </literal> keyword.</para>
</entry>
</row>
<row >
<entry >
<para > <literal > template_id</literal> </para>
</entry>
<entry >
<para > The inherited namespace identifier.</para>
</entry>
</row>
<row >
<entry >
<para > <literal > cil_statement</literal> </para>
</entry>
<entry >
<para > Zero or more valid CIL statements.</para>
</entry>
</row>
</tbody> </tgroup>
</informaltable>
<para > <emphasis role= "bold" > Example:</emphasis> </para>
<para > This example contains a template <literal > client_server</literal> that is instantiated in two blocks (<literal > netserver_app</literal> and <literal > netclient_app</literal> ):</para>
<programlisting><![CDATA[
; This is the template block:
(block client_server
(blockabstract client_server)
; Log file labeling
(type log_file)
(typeattributeset file_type (log_file))
(typeattributeset data_file_type (log_file))
(allow process log_file (dir (write search create setattr add_name)))
(allow process log_file (file (create open append getattr setattr)))
(roletype object_r log_file)
(context log_file_context (u object_r log_file low_low))
; Process labeling
(type process)
(typeattributeset domain (process))
(call app_domain (process))
(call net_domain (process))
)
; This is a policy block that will inherit the abstract block above:
(block netclient_app
; Add common policy rules to namespace:
(blockinherit client_server)
; Label the log files
(filecon "/data/data/com.se4android.netclient/.*" file log_file_context)
)
; This is another policy block that will inherit the abstract block above:
(block netserver_app
; Add common policy rules to namespace:
(blockinherit client_server)
; Label the log files
(filecon "/data/data/com.se4android.netserver/.*" file log_file_context)
)
; This is an example of how blockinherits resolve inherits before copying
(block a
(type one))
(block b
; Notice that block a is declared here as well
(block a
(type two)))
; This will first copy the contents of block b, which results in type b.a.two being copied.
; Next, the contents of block a will be copied which will result in type a.one.
(block ab
(blockinherit b)
(blockinherit a))]]>
</programlisting>
</sect2>
<sect2 id= "optional" >
<title > optional</title>
<para>Declare an <literal><link linkend="optional">optional</link></literal> namespace. All CIL statements in the optional block must be satisfied before it is instantiated in the binary policy. <literal><link linkend="tunableif">tunableif</link></literal> and <literal><link linkend="macro">macro</link></literal> statements are not allowed in optional containers. The same restrictions apply to CIL policy statements within an <literal><link linkend="optional">optional</link></literal> block as apply to kernel policy optional statements, i.e. only the policy statements listed in the following table are valid:</para>
<informaltable frame= "all" >
<tgroup cols= "4" >
<tbody >
<row >
<entry >
<para > <literal > <link linkend= "allow" > allow</link> </literal> </para>
</entry>
<entry >
<para > <literal > <link linkend= "allowx" > allowx</link> </literal> </para>
</entry>
<entry >
<para > <literal > <link linkend= "auditallow" > auditallow</link> </literal> </para>
</entry>
<entry >
<para > <literal > <link linkend= "auditallowx" > auditallowx</link> </literal> </para>
</entry>
</row>
<row >
<entry >
<para > <literal > <link linkend= "booleanif" > booleanif</link> </literal> </para>
</entry>
<entry >
<para > <literal > <link linkend= "dontaudit" > dontaudit</link> </literal> </para>
</entry>
<entry >
<para > <literal > <link linkend= "dontauditx" > dontauditx</link> </literal> </para>
</entry>
<entry >
<para > <literal > <link linkend= "typepermissive" > typepermissive</link> </literal> </para>
</entry>
</row>
<row >
<entry >
<para > <literal > <link linkend= "rangetransition" > rangetransition</link> </literal> </para>
</entry>
<entry >
<para > <literal > <link linkend= "role" > role</link> </literal> </para>
</entry>
<entry >
<para > <literal > <link linkend= "roleallow" > roleallow</link> </literal> </para>
</entry>
<entry >
<para > <literal > <link linkend= "roleattribute" > roleattribute</link> </literal> </para>
</entry>
</row>
<row >
<entry >
<para > <literal > <link linkend= "roletransition" > roletransition</link> </literal> </para>
</entry>
<entry >
<para > <literal > <link linkend= "type" > type</link> </literal> </para>
</entry>
<entry >
<para > <literal > <link linkend= "typealias" > typealias</link> </literal> </para>
</entry>
<entry >
<para > <literal > <link linkend= "typeattribute" > typeattribute</link> </literal> </para>
</entry>
</row>
<row >
<entry >
<para > <literal > <link linkend= "typechange" > typechange</link> </literal> </para>
</entry>
<entry >
<para > <literal > <link linkend= "typemember" > typemember</link> </literal> </para>
</entry>
<entry >
<para > <literal > <link linkend= "typetransition" > typetransition</link> </literal> </para>
</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para > <emphasis role= "bold" > Statement definition:</emphasis> </para>
<programlisting><![CDATA[
(optional optional_id
cil_statement
...
)]]>
</programlisting>
<para > <emphasis role= "bold" > Where:</emphasis> </para>
<informaltable frame= "all" >
<tgroup cols= "2" >
<colspec colwidth= "2 *" />
<colspec colwidth= "6 *" />
<tbody >
<row >
<entry >
<para > <literal > optional</literal> </para>
</entry>
<entry >
<para > The <literal > <link linkend= "optional" > optional</link> </literal> keyword.</para>
</entry>
</row>
<row >
<entry >
<para > <literal > optional_id</literal> </para>
</entry>
<entry >
<para > The <literal > <link linkend= "optional" > optional</link> </literal> namespace identifier.</para>
</entry>
</row>
<row >
<entry >
<para > <literal > cil_statement</literal> </para>
</entry>
<entry >
<para > Zero or more valid CIL statements.</para>
</entry>
</row>
</tbody> </tgroup>
</informaltable>
<para > <emphasis role= "bold" > Example:</emphasis> </para>
<para>This example will instantiate the optional block <literal>ext_gateway.move_file</literal> into the policy, provided that all CIL statements in the optional block can be resolved:</para>
<programlisting><![CDATA[
(block ext_gateway
......
(optional move_file
(typetransition process msg_filter.move_file.in_queue file msg_filter.move_file.in_file)
(allow process msg_filter.move_file.in_queue (dir (read getattr write search add_name)))
(allow process msg_filter.move_file.in_file (file (write create getattr)))
(allow msg_filter.move_file.in_file unconfined.object (filesystem (associate)))
(typetransition msg_filter.int_gateway.process msg_filter.move_file.out_queue file
msg_filter.move_file.out_file)
(allow msg_filter.int_gateway.process msg_filter.move_file.out_queue (dir (read write search)))
(allow msg_filter.int_gateway.process msg_filter.move_file.out_file (file (read getattr unlink)))
) ; End optional block
.....
) ; End block]]>
</programlisting>
</sect2>
<sect2 id= "in" >
<title > in</title>
<para > Allows the insertion of CIL statements into a named container (<literal > <link linkend= "block" > block</link> </literal> , <literal > <link linkend= "optional" > optional</link> </literal> or <literal > <link linkend= "macro" > macro</link> </literal> ). This statement is not allowed in <literal > <link linkend= "booleanif" > booleanif</link> </literal> or <literal > <link linkend= "tunableif" > tunableif</link> </literal> statements.</para>
<para > <emphasis role= "bold" > Statement definition:</emphasis> </para>
<programlisting><![CDATA[
(in container_id
cil_statement
...
)]]>
</programlisting>
<para > <emphasis role= "bold" > Where:</emphasis> </para>
<informaltable frame= "all" >
<tgroup cols= "2" >
<colspec colwidth= "2 *" />
<colspec colwidth= "6 *" />
<tbody >
<row >
<entry >
<para > <literal > in</literal> </para>
</entry>
<entry >
<para > The <literal > in</literal> keyword.</para>
</entry>
</row>
<row >
<entry >
<para > <literal > container_id</literal> </para>
</entry>
<entry >
<para > A valid <literal > <link linkend= "block" > block</link> </literal> , <literal > <link linkend= "optional" > optional</link> </literal> or <literal > <link linkend= "macro" > macro</link> </literal> namespace identifier.</para>
</entry>
</row>
<row >
<entry >
<para > <literal > cil_statement</literal> </para>
</entry>
<entry >
<para > Zero or more valid CIL statements.</para>
</entry>
</row>
</tbody> </tgroup>
</informaltable>
<para > <emphasis role= "bold" > Example:</emphasis> </para>
<para > This will add rules to the container named <literal > system_server</literal> :</para>
<programlisting><![CDATA[
(in system_server
(dontaudit process secmark_demo.dns_packet (packet (send recv)))
(allow process secmark_demo.dns_packet (packet (send recv)))
)]]>
</programlisting>
</sect2>
</sect1>