tomoyotitle.png

Chapter 10: Using conditional parameters in policy

A permission line takes syntax shown below:

Category Operations Targets Conditions

The "Category Operations Targets" arguments are "Mandatory (non-omissible) parameters" and the "Conditions" argument is "Optional (omissible) parameters". This chapter describes "Optional (omissible) parameters".

10.1. Conditional parameters

Conditions can be used to refine policy and make entries more specific. This is useful for taking into account the user ID of a process when deciding what to allow or reject. This table summarizes the possible conditional parameters:

Conditional

Meaning

task.uid

UID of the current process

task.euid

Effective UID of the current process

task.suid

Saved UID of the current process

task.fsuid

Filesystem UID of the current process

task.gid

GID of the current process

task.egid

Effective GID of the current process

task.sgid

Saved GID of the current process

task.fsgid

Filesystem GID of the current process

task.pid

PID of the current process

task.ppid

PID of the parent process

path1.type

File type of the first object

path1.uid

UID of the first object

path1.gid

GID of the first object

path1.ino

Inode number of the first object

path1.perm

Permissions of the first object

path1.major

Major device number of the device file in which the first object resides.

path1.minor

Minor device number of the device file in which the first object resides.

path1.dev_major

Major device number of the first object, assuming it is a device file.
Can be combined with path1.type=block or path1.type=char conditions.

path1.dev_minor

Device minor number of the first object, assuming it is a device file.
Can be combined with path1.type=block or path1.type=char conditions.

path1.parent.uid

UID of the parent directory of the first object

path1.parent.gid

GID of the parent directory of the first object

path1.parent.ino

Inode number of the parent directory of the first object

path1.parent.perm

Permissions of the parent directory of the first object

path2.type

File type of the second object

path2.uid

UID of the second object

path2.gid

GID of the second object

path2.ino

Inode number of the second object

path2.perm

Permissions of the second object

path2.major

Major device number of the device file in which the second object resides.

path2.minor

Minor device number of the device file in which the second object resides.

path2.dev_major

Major device number of the second object, assuming it is a device file.
Can be combined with path2.type=block or path2.type=char conditions.

path2.dev_minor

Minor device number of the second object, assuming it is a device file.
Can be combined with path2.type=block or path2.type=char conditions.

path2.parent.uid

UID of the parent directory of the second object

path2.parent.gid

GID of the parent directory of the second object

path2.parent.ino

Inode number of the parent directory of the second object

path2.parent.perm

Permissions of the parent directory of the second object

exec.argc

Number of argv[] passed for the execute request.
Only available when the file execute directive or misc env directive has been specified.

exec.envc

Number of envp[] passed for the execute request.
Only available when the file execute directive or misc env directive has been specified.

exec.argv[n]

The "n"-th argument passed to the execute request.
Only available when the file execute directive or misc env directive has been specified.

exec.envp[var]

Value of environment variable "var" for the execute request.
Only available when the file execute directive or misc env directive has been specified.

exec.realpath

Dereferenced pathname of the requested program.
Only available when the file execute directive or misc env directive has been specified.

symlink.target

Content of a symlink to be created.
Only available when the file symlink directive has been specified.

The conditional parameters containing path1 and path2 refer to the first and second pathnames specified by the directive. In this example, path1 refers to the file "/dev/sda1" and path2 refers to the directory "/mnt/sda1/":

file mount /dev/sda1 /mnt/sda1/ ext3 0 path1.uid=0 path2.uid=0

However, you cannot use conditions like path2.uid=0 in this example because the second pathname does not exist as of the permission checks:

file rename /tmp/file1 /tmp/file2 path1.uid=0 path2.parent.uid=0

Likewise, you cannot use conditions like path1.uid=0 in this example because the pathname does not exist as of the permission checks:

file create /tmp/file 0644 path1.parent.uid=0

10.2. Tests

Matches may be made using the following tests:

Operator

Meaning

Example

=

"String value" or "Single numeric value" or "Bitmask operations": Positive match
"Numeric value range": One or more values match

task.uid=0

!=

"String value" or "Single numeric value" or "Bitmask operations": Negative match
"Numeric value range": None of the values match

task.gid!=0

10.3. Values

The value to be compared with one variable may take the form of a single integer, a range of integers, or another variable:

Value

Example

Integer

task.uid=0
task.uid!=0

Range

task.uid=100-500
task.uid!=100-500

Conditional

task.uid=path1.uid
task.uid!=path1.uid

There are one exception. the "exec.argv[n]", "exec.envp[var]", "exec.realpath" and "symlink.target" variables can be compared with only string values.

10.4. Types of file

The following types of file are available:

Type of file

Meaning

path1.type=block

path1 is a block device file

path1.type=char

path1 is a character device file

path1.type=directory

path1 is a directory

path1.type=fifo

path1 is a FIFO

path1.type=file

path1 is a regular file

path1.type=socket

path1 is a socket

path1.type=symlink

path1 is a symbolic link

path1.type!=block

path1 is not a block device file

path1.type!=char

path1 is not a character device file

path1.type!=directory

path1 is not a directory

path1.type!=fifo

path1 is not a FIFO

path1.type!=file

path1 is not a regular file

path1.type!=socket

path1 is not a socket

path1.type!=symlink

path1 is not a symbolic link

You can apply for "path2" as well as "path1". But you cannot apply "path1.parent" and "path2.parent" because they are by definition always directories.

10.5. Types of permission

The following types of DAC permission comparison are available:

Condition

Meaning

path1.perm=num1-num2

Permissions are between num1 and num2

path1.perm=setuid

Setuid bit is on

path1.perm=setgid

Setgid bit is on

path1.perm=sticky

Sticky bit is on

path1.perm=owner_read

Owner read bit is on

path1.perm=owner_write

Owner write bit is on

path1.perm=owner_execute

Owner execute bit is on

path1.perm=group_read

Group read bit is on

path1.perm=group_write

Group write bit is on

path1.perm=group_execute

Group execute bit is on

path1.perm=others_read

Others read bit is on

path1.perm=others_write

Others write bit is on

path1.perm=others_execute

Others execute bit is on

path1.perm!=num1-num2

Permissions are not between num1 and num2

path1.perm!=setuid

Setuid bit is off

path1.perm!=setgid

Setgid bit is off

path1.perm!=sticky

Sticky bit is off

path1.perm!=owner_read

Owner read bit is off

path1.perm!=owner_write

Owner write bit is off

path1.perm!=owner_execute

Owner execute bit is off

path1.perm!=group_read

Group read bit is off

path1.perm!=group_write

Group write bit is off

path1.perm!=group_execute

Group execute bit is off

path1.perm!=others_read

Others read bit is off

path1.perm!=others_write

Others write bit is off

path1.perm!=others_execute

Others execute bit is off

You can apply for "path1.parent", "path2" and "path2.parent" as well as "path1".

10.6. Example usage

If you wish to deny login as the root user from a specific domain (e.g. "<kernel> /sbin/agetty /bin/login"), the following could be inserted into domain policy:

file execute /bin/bash task.uid!=0

If you wish to allow login for a range of user ID's from a specific domain (e.g. "<kernel> /sbin/agetty /bin/login"), the following could be inserted into domain policy:

file execute /bin/bash task.uid=500-1000

If you wish to allow a domain to read a temporary file only if they own it, the following could be inserted into domain policy:

file read /tmp/file001.tmp task.uid=path1.uid

If you wish to allow the execution of a program only when certain conditions are met, the following could be inserted into domain policy:

file execute /usr/bin/ssh exec.realpath="/usr/bin/ssh" exec.argv[0]="ssh"
file execute /usr/bin/firefox exec.realpath="/usr/lib/firefox-3.6/firefox" exec.argv[0]="/usr/bin/firefox" exec.envc=0