/*-
 * Copyright (c) 2001 Networks Associates Technologies, Inc.
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by NAI Labs, the
 * Security Research Division of Network Associates, Inc. under
 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
 * CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Id$
 * $FreeBSD$
 */

#ifndef	LOMAC_PLM_H
#define	LOMAC_PLM_H

/*
 * LOMAC integrity level that a PLM rule assigns to a filesystem node.
 * The numbering is written out explicitly because
 * plm_levelflags_to_node_flags[] is indexed by this enum and expects
 * LOW, SUBJ and HIGH to be 0, 1 and 2 in that order; do not reorder
 * or insert enumerators without updating that table.
 */
enum plm_level {
	LOW  = 0,	/* lowest integrity level */
	SUBJ = 1,	/* level taken from the accessing subject (presumably; see LN_SUBJ_LEVEL) */
	HIGH = 2	/* highest integrity level */
};
/*
 * Scope of a PLM rule.  Values are explicit because
 * plm_levelflags_to_node_flags[] uses this enum as its second index:
 * column PLM_NOFLAGS selects the node's own level flag, column
 * PLM_CHILDOF the flag describing what the node's children inherit.
 */
enum plm_flags {
	PLM_NOFLAGS = 0,	/* rule applies to this node and its children */
	PLM_CHILDOF = 1		/* rule applies to the node's children only, not the node */
};
/*
 * Per-rule attribute bits.  These are short aliases for the LN_ATTR_*
 * node attribute flags defined elsewhere in the LOMAC sources; a rule
 * ORs them into plm_rule.attr (see the "LN_ATTR_MASK of flags" field
 * below).
 *
 * NOTE(review): the meaning of each bit is inferred from its name and
 * should be confirmed against the code that tests LN_ATTR_*:
 *   LOWWRITE    -- presumably lets a low-level subject write the object
 *                  without the usual integrity denial/demotion.
 *   LOWNOOPEN   -- presumably refuses open(2) to low-level subjects
 *                  outright (used below on raw memory/I/O devices).
 *   NONETDEMOTE -- presumably exempts a subject from demotion on
 *                  network input.
 *   NODEMOTE    -- presumably exempts a subject from demotion entirely;
 *                  a rule carrying it is a deliberate policy bypass.
 */
#define	LOWWRITE	LN_ATTR_LOWWRITE
#define	LOWNOOPEN	LN_ATTR_LOWNOOPEN
#define	NONETDEMOTE	LN_ATTR_NONETDEMOTE
#define	NODEMOTE	LN_ATTR_NODEMOTE

/*
 * Translate a rule's (level, flags) pair into the LN_* node flag it
 * installs: plm_levelflags_to_node_flags[level][flags].
 *
 * The row index relies on enum plm_level enumerating LOW, SUBJ, HIGH as
 * 0, 1, 2 and the column index on enum plm_flags enumerating
 * PLM_NOFLAGS, PLM_CHILDOF as 0, 1 -- declaration order is the contract.
 * Column 0 (PLM_NOFLAGS) is the level of the node itself, column 1
 * (PLM_CHILDOF) the level the node's children inherit.  The LN_*
 * constants come from elsewhere in the LOMAC sources.
 */
static u_int plm_levelflags_to_node_flags[3][2] = {
	{ LN_LOWEST_LEVEL,	LN_INHERIT_LOW },	/* [LOW]  */
	{ LN_SUBJ_LEVEL,	LN_INHERIT_SUBJ },	/* [SUBJ] */
	{ LN_HIGHEST_LEVEL,	LN_INHERIT_HIGH }	/* [HIGH] */
};

/*
 * One PLM rule: the level and attribute bits applied to a single
 * absolute path.  Member order is significant -- the plm[] table below
 * initialises entries positionally, so adding or reordering members
 * here silently changes every rule.
 */
typedef struct plm_rule {
	enum plm_level level;		/* LOMAC level this rule assigns */
	enum plm_flags flags;		/* flags for PLM evaluation: node itself, or children only */
	unsigned int attr;		/* LN_ATTR_MASK of flags (OR of LOWWRITE etc.), 0 for none */
	const char *path;		/* absolute path for this PLM rule; the terminating
					 * entry of plm[] leaves it NULL */
} plm_rule_t;

/* The `plm' array maps levels onto all of the files in the filesystem */
/*
 * The `plm' array maps levels onto all of the files in the filesystem.
 *
 * Reading the table:
 *  - A PLM_NOFLAGS entry sets the named node itself; a PLM_CHILDOF entry
 *    sets only what the node's children inherit.  A path therefore often
 *    appears twice, once for each scope (e.g. "/", "/tmp", "/var/mail").
 *  - Entries are ordered general-to-specific: "/" is HIGH, "/home"'s
 *    children are LOW, and "/home/ftp" is HIGH again.  This only works
 *    if later, more specific matches take precedence, which is assumed
 *    here -- NOTE(review): confirm against the PLM evaluator before
 *    inserting or moving entries.
 *  - The table ends with an all-zero entry.  Because LOW and PLM_NOFLAGS
 *    are both 0, only the NULL path distinguishes the terminator from a
 *    real rule; a rule must never have a NULL path.
 *
 * Security-relevant entries (flag semantics inferred from the LN_ATTR_*
 * names; see the #defines above):
 *  - /dev/mdctl, /dev/pci, /dev/kmem, /dev/mem and /dev/io carry
 *    LOWNOOPEN, presumably so that low-integrity subjects cannot open
 *    the raw memory, I/O-port and memory-disk control devices at all.
 *  - /usr/bin/env-nodemote carries NODEMOTE and /usr/bin/env-nonetdemote
 *    and /sbin/dhclient carry NONETDEMOTE.  Anything run through the
 *    NODEMOTE binary is presumably never demoted, making that path an
 *    unconditional bypass of the policy: it inherits HIGH from "/" and
 *    must stay unwritable by low subjects.
 *  - The LOWWRITE entries on /dev, /tmp, /var/tmp, /usr/tmp and the
 *    login accounting files (utmp, lastlog, wtmp) are the places where
 *    low subjects may presumably write HIGH objects; each is a potential
 *    integrity channel and should be kept to the minimum.
 *  - NOTE(review): this table is a writable static in every translation
 *    unit that includes it; declaring it const would be preferable if no
 *    caller needs a mutable pointer into it.
 */
static plm_rule_t plm[] = {
  { HIGH, PLM_NOFLAGS, 0, "/" },  /* everything initially inherits high level */
  { HIGH, PLM_CHILDOF, 0, "/" },
  { HIGH, PLM_NOFLAGS, NONETDEMOTE, "/sbin/dhclient" },  /* DHCP client reads the network by design */
  { HIGH, PLM_CHILDOF, 0, "/var" },
  { HIGH, PLM_CHILDOF, LOWWRITE, "/dev" },  /* device nodes stay high but are writable from low */
  { HIGH, PLM_NOFLAGS, LOWNOOPEN, "/dev/mdctl" },  /* memory-disk control */
  { HIGH, PLM_NOFLAGS, LOWNOOPEN, "/dev/pci" },    /* raw PCI access */
  { HIGH, PLM_NOFLAGS, LOWNOOPEN, "/dev/kmem" },   /* kernel memory */
  { HIGH, PLM_NOFLAGS, LOWNOOPEN, "/dev/mem" },    /* physical memory */
  { HIGH, PLM_NOFLAGS, LOWNOOPEN, "/dev/io" },     /* I/O port access */
  { HIGH, PLM_CHILDOF, 0, "/etc" },
  { HIGH, PLM_NOFLAGS, LOWWRITE, "/tmp" },  /* the directory itself: high, low may write */
  { SUBJ, PLM_CHILDOF, 0, "/tmp" },         /* files created in it take the creator's level */
  { HIGH, PLM_NOFLAGS, 0, "/tmp/.X11-unix" },  /* X sockets: carve-out from the SUBJ rule above */
  { HIGH, PLM_CHILDOF, LOWWRITE, "/tmp/.X11-unix" },
  { SUBJ, PLM_CHILDOF, 0, "/proc" },
  { LOW,  PLM_CHILDOF, 0, "/mnt" },  /* all nfs mounts are low */
  { LOW,  PLM_CHILDOF, 0, "/home" }, /* user home directories are low */
  { HIGH, PLM_NOFLAGS, NONETDEMOTE, "/usr/bin/env-nonetdemote" },
  { HIGH, PLM_NOFLAGS, NODEMOTE, "/usr/bin/env-nodemote" },  /* policy bypass; see header comment */
  { LOW,  PLM_CHILDOF, 0, "/usr/home" }, /* alternate home location, same as /home */
  { LOW,  PLM_CHILDOF, 0, "/var/lib" },
  { HIGH, PLM_NOFLAGS, LOWWRITE, "/var/tmp" },  /* same scheme as /tmp */
  { SUBJ, PLM_CHILDOF, 0, "/var/tmp" },
  { LOW,  PLM_NOFLAGS, 0, "/var/tmp/vi.recover" },  /* editor recovery files */
  { SUBJ, PLM_CHILDOF, 0, "/var/tmp/vi.recover" },
  { HIGH, PLM_NOFLAGS, LOWWRITE, "/usr/tmp" },  /* same scheme as /tmp */
  { SUBJ, PLM_CHILDOF, 0, "/usr/tmp" },
  { HIGH, PLM_NOFLAGS, 0, "/usr/tmp/.X11-unix" },
  { HIGH, PLM_CHILDOF, LOWWRITE, "/usr/tmp/.X11-unix" },
  { LOW,  PLM_NOFLAGS, 0, "/var/mail" },  /* mail arrives from the network: low */
  { LOW,  PLM_CHILDOF, 0, "/var/mail" },
  { LOW,  PLM_NOFLAGS, 0, "/var/spool/mqueue" },  /* sendmail queue: low */
  { LOW,  PLM_CHILDOF, 0, "/var/spool/mqueue" },
  { LOW,  PLM_NOFLAGS, 0, "/dev/log" },  /* syslog socket: low so low subjects can log */
  { HIGH, PLM_NOFLAGS, 0, "/home/ftp" },  /* anonymous ftp tree is high despite /home being low */
  { HIGH, PLM_NOFLAGS, 0, "/usr/home/ftp" },
  { HIGH, PLM_NOFLAGS, 0, "/mnt/cdrom" },  /* cdrom is high */
  { HIGH, PLM_NOFLAGS, 0, "/home/samba" },  /* samba shares are high despite /home being low */
  { HIGH, PLM_NOFLAGS, 0, "/usr/home/samba" },
  { LOW,  PLM_NOFLAGS, 0, "/dev/printer" },  /* lpd socket */
  { HIGH, PLM_CHILDOF, 0, "/var/log" },  /* logs are high ... */
  { LOW,  PLM_NOFLAGS, 0, "/var/log/sendmail.st" },  /* ... except sendmail statistics */
  { HIGH, PLM_NOFLAGS, LOWWRITE, "/var/run/utmp" },  /* login accounting: high, low may write */
  { HIGH, PLM_NOFLAGS, LOWWRITE, "/var/log/lastlog" },
  { HIGH, PLM_NOFLAGS, LOWWRITE, "/var/log/wtmp" },
  { 0, 0, 0 }  /* terminator: path is NULL; level/flags fields are meaningless here */
};

#endif /* LOMAC_PLM_H */