
[9/9,v3] secilc/docs: Add deny rule to CIL documentation

Message ID 20230413193445.588395-10-jwcart2@gmail.com (mailing list archive)
State Superseded
Delegated to: Petr Lautrbach
Series: Add CIL Deny Rule

Commit Message

James Carter April 13, 2023, 7:34 p.m. UTC
Signed-off-by: James Carter <jwcart2@gmail.com>
---
v3: Remove the "*Where" section, since the notself patch series moves all of
    that to the beginning of the access vector section before talking about
    specific rules.

 secilc/docs/cil_access_vector_rules.md | 67 ++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)

Comments

Daniel Burgener July 26, 2023, 3:55 p.m. UTC | #1
On 4/13/2023 3:34 PM, James Carter wrote:
> Signed-off-by: James Carter <jwcart2@gmail.com>
> ---
> v3: Remove the "*Where" section, since the notself patch series moves all of
>      that to the beginning of the access vector section before talking about
>      specific rules.

It doesn't look to me like the patch matches this description.  I still 
see a "where" section added.

(Presumably the updated patch should also add deny to the "av_flavor" 
portion of the new common "Where" section)

-Daniel

> 
>   secilc/docs/cil_access_vector_rules.md | 67 ++++++++++++++++++++++++++
>   1 file changed, 67 insertions(+)
> 
> diff --git a/secilc/docs/cil_access_vector_rules.md b/secilc/docs/cil_access_vector_rules.md
> index 034185da..385c4f4a 100644
> --- a/secilc/docs/cil_access_vector_rules.md
> +++ b/secilc/docs/cil_access_vector_rules.md
> @@ -175,6 +175,73 @@ This example will not compile as `type_3` is not allowed to be a source type for
>           (allow type_3 self (property_service (set)))
>       )
>   ```
> +deny
> +----------
> +
> +Remove the access rights defined from any matching allow rules. These rules are processed before [`neverallow`](cil_access_vector_rules.md#neverallow) checking.
> +
> +**Rule definition:**
> +
> +```secil
> +    (deny source_id target_id|self classpermissionset_id ...)
> +```
> +
> +**Where:**
> +
> +<table>
> +<colgroup>
> +<col width="27%" />
> +<col width="72%" />
> +</colgroup>
> +<tbody>
> +<tr class="odd">
> +<td align="left"><p><code>deny</code></p></td>
> +<td align="left"><p>The <code>deny</code> keyword.</p></td>
> +</tr>
> +<tr class="even">
> +<td align="left"><p><code>source_id</code></p></td>
> +<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
> +</tr>
> +<tr class="odd">
> +<td align="left"><p><code>target_id</code></p></td>
> +<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
> +<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
> +</tr>
> +<tr class="even">
> +<td align="left"><p><code>classpermissionset_id</code></p></td>
> +<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
> +</tr>
> +</tbody>
> +</table>
> +
> +**Example:**
> +
> +```secil
> +    (class class1 (perm1 perm2))
> +
> +    (type type1)
> +    (type type2)
> +    (allow type1 type2 (class1 (perm1))) ; Allow-1
> +    (deny type1 type2 (class1 (perm1)))  ; Deny-1
> +    ; Allow-1 will be complete removed by Deny-1.
> +
> +    (type type3)
> +    (type type4)
> +    (allow type3 type4 (class1 (perm1 perm2))) ; Allow-2
> +    (deny type3 type4 (class1 (perm1)))        ; Deny-2
> +    ; Allow-2 will be removed and replaced with the following when Deny-2 is evaluated
> +    ; (allow type3 type4 (class1 (perm2)))
> +
> +    (type type5)
> +    (type type6)
> +    (typeattribute attr1)
> +    (typeattributeset attr1 (type5 type6))
> +    (allow attr1 attr1 (class1 (perm1))) ; Allow-3
> +    (deny type5 type6 (class1 (perm1)))  ; Deny-3
> +    ; Allow-3 will be removed and replaced with the following when Deny-3 is evaluated
> +    ; (allow type6 attr1 (class1 (perm1)))
> +    ; (allow type5 type5 (class1 (perm1)))
> +```
>   
>   allowx
>   ------
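Review bot: the opening sentence of the new section, "Remove the access rights defined from any matching allow rules", is ambiguous about what "defined" refers to; suggest "Remove the listed access rights from any matching allow rules", and add one sentence saying that when the matching allow rule uses a typeattribute containing the denied type (Allow-3 and Deny-3 in the example), the rule is rewritten into the remaining type/attribute combinations, which is what the comments under Deny-3 show. Also, in the first example, "Allow-1 will be complete removed by Deny-1." should read "completely removed".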

Patch

diff --git a/secilc/docs/cil_access_vector_rules.md b/secilc/docs/cil_access_vector_rules.md
index 034185da..385c4f4a 100644
--- a/secilc/docs/cil_access_vector_rules.md
+++ b/secilc/docs/cil_access_vector_rules.md
@@ -175,6 +175,73 @@  This example will not compile as `type_3` is not allowed to be a source type for
         (allow type_3 self (property_service (set)))
     )
 ```
+deny
+----------
+
+Remove the access rights defined from any matching allow rules. These rules are processed before [`neverallow`](cil_access_vector_rules.md#neverallow) checking.
+
+**Rule definition:**
+
+```secil
+    (deny source_id target_id|self classpermissionset_id ...)
+```
+
+**Where:**
+
+<table>
+<colgroup>
+<col width="27%" />
+<col width="72%" />
+</colgroup>
+<tbody>
+<tr class="odd">
+<td align="left"><p><code>deny</code></p></td>
+<td align="left"><p>The <code>deny</code> keyword.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p><code>source_id</code></p></td>
+<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p><code>target_id</code></p></td>
+<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
+<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p><code>classpermissionset_id</code></p></td>
+<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
+</tr>
+</tbody>
+</table>
+
+**Example:**
+
+```secil
+    (class class1 (perm1 perm2))
+
+    (type type1)
+    (type type2)
+    (allow type1 type2 (class1 (perm1))) ; Allow-1
+    (deny type1 type2 (class1 (perm1)))  ; Deny-1
+    ; Allow-1 will be complete removed by Deny-1.
+
+    (type type3)
+    (type type4)
+    (allow type3 type4 (class1 (perm1 perm2))) ; Allow-2
+    (deny type3 type4 (class1 (perm1)))        ; Deny-2
+    ; Allow-2 will be removed and replaced with the following when Deny-2 is evaluated
+    ; (allow type3 type4 (class1 (perm2)))
+
+    (type type5)
+    (type type6)
+    (typeattribute attr1)
+    (typeattributeset attr1 (type5 type6))
+    (allow attr1 attr1 (class1 (perm1))) ; Allow-3
+    (deny type5 type6 (class1 (perm1)))  ; Deny-3
+    ; Allow-3 will be removed and replaced with the following when Deny-3 is evaluated
+    ; (allow type6 attr1 (class1 (perm1)))
+    ; (allow type5 type5 (class1 (perm1)))
+```
 
 allowx
 ------
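Review bot: the hunk still adds a "**Where:**" heading and the four-row table after the rule definition, which contradicts the v3 changelog line "Remove the "*Where" section"; either drop that block from the patch or correct the changelog, and if it is dropped, make sure `deny` is listed under the shared section's `av_flavor` entry so the keyword is still documented. A second point in the same block: the rule definition reads `(deny source_id target_id|self classpermissionset_id ...)` with a trailing `...`, while the table row for `classpermissionset_id` says "A single named or anonymous `classpermissionset`"; state whether more than one set may be given so the definition and the table agree.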