Chapter 10: Using conditional parameters in policy
A permission line takes the syntax shown below:
Category Operations Targets Conditions
The "Category Operations Targets" arguments are mandatory (non-omissible) parameters, and the "Conditions" argument is an optional (omissible) parameter. This chapter describes the optional parameters.
10.1. Conditional parameters
Conditions can be used to refine policy and make entries more specific. This is useful for taking into account the user ID of a process when deciding what to allow or reject. This table summarizes the possible conditional parameters:
Conditional | Meaning
---|---
task.type | Task type of the current process
task.uid | UID of the current process
task.euid | Effective UID of the current process
task.suid | Saved UID of the current process
task.fsuid | Filesystem UID of the current process
task.gid | GID of the current process
task.egid | Effective GID of the current process
task.sgid | Saved GID of the current process
task.fsgid | Filesystem GID of the current process
task.pid | PID of the current process
task.ppid | PID of the parent process
path1.type | File type of the first object
path1.uid | UID of the first object
path1.gid | GID of the first object
path1.ino | Inode number of the first object
path1.perm | Permissions of the first object
path1.major | Major device number of the device on which the first object resides
path1.minor | Minor device number of the device on which the first object resides
path1.dev_major | Major device number of the first object, assuming it is a device file
path1.dev_minor | Minor device number of the first object, assuming it is a device file
path1.parent.uid | UID of the parent directory of the first object
path1.parent.gid | GID of the parent directory of the first object
path1.parent.ino | Inode number of the parent directory of the first object
path1.parent.perm | Permissions of the parent directory of the first object
path2.type | File type of the second object
path2.uid | UID of the second object
path2.gid | GID of the second object
path2.ino | Inode number of the second object
path2.perm | Permissions of the second object
path2.major | Major device number of the device on which the second object resides
path2.minor | Minor device number of the device on which the second object resides
path2.dev_major | Major device number of the second object, assuming it is a device file
path2.dev_minor | Minor device number of the second object, assuming it is a device file
path2.parent.uid | UID of the parent directory of the second object
path2.parent.gid | GID of the parent directory of the second object
path2.parent.ino | Inode number of the parent directory of the second object
path2.parent.perm | Permissions of the parent directory of the second object
exec.argc | Number of argv[] entries passed to the execute request
exec.envc | Number of envp[] entries passed to the execute request
exec.argv[n] | The "n"-th argument passed to the execute request
exec.envp[var] | Value of environment variable "var" for the execute request
exec.realpath | Dereferenced pathname of the requested program
symlink.target | Content of the symlink to be created
The conditional parameters containing path1 and path2 refer to the first and second pathnames specified by the directive. In the following example, path1 refers to the file "/dev/sda1" and path2 refers to the directory "/mnt/sda1/":
file mount /dev/sda1 /mnt/sda1/ ext3 0 path1.uid=0 path2.uid=0
However, you cannot use conditions such as path2.uid=0 in the following example, because the second pathname does not yet exist at the time of the permission check (only its parent directory does):
file rename /tmp/file1 /tmp/file2 path1.uid=0 path2.parent.uid=0
Likewise, you cannot use conditions such as path1.uid=0 in the following example, because the pathname does not yet exist at the time of the permission check:
file create /tmp/file 0644 path1.parent.uid=0
10.2. Tests
Matches may be made using the following tests:
Operator | Meaning | Example
---|---|---
= | "String value", "Single numeric value" or "Bitmask operation": positive match | task.uid=0
!= | "String value", "Single numeric value" or "Bitmask operation": negative match | task.gid!=0
10.3. Values
The value to be compared with one variable may take the form of a single integer, a range of integers, or another variable:
Value | Example
---|---
Integer | task.uid=0
Range | task.uid=100-500
Conditional | task.uid=path1.uid
There are two exceptions: the "exec.argv[n]", "exec.envp[var]", "exec.realpath" and "symlink.target" variables can only be compared with string values, and the "task.type" variable can only be compared with execute_handler.
10.4. Types of task
The following types of task are available:
Type of task | Meaning
---|---
task.type=execute_handler | The current process is a program specified by either a task auto_execute_handler or a task denied_execute_handler directive
task.type!=execute_handler | The current process is a program specified by neither a task auto_execute_handler nor a task denied_execute_handler directive
10.5. Types of file
The following types of file are available:
Type of file | Meaning
---|---
path1.type=block | path1 is a block device file
path1.type=char | path1 is a character device file
path1.type=directory | path1 is a directory
path1.type=fifo | path1 is a FIFO
path1.type=file | path1 is a regular file
path1.type=socket | path1 is a socket
path1.type=symlink | path1 is a symbolic link
path1.type!=block | path1 is not a block device file
path1.type!=char | path1 is not a character device file
path1.type!=directory | path1 is not a directory
path1.type!=fifo | path1 is not a FIFO
path1.type!=file | path1 is not a regular file
path1.type!=socket | path1 is not a socket
path1.type!=symlink | path1 is not a symbolic link
The same tests can be applied to "path2" as well as "path1", but not to "path1.parent" or "path2.parent", because those are by definition always directories.
10.6. Types of permission
The following types of DAC permission comparison are available:
Condition | Meaning
---|---
path1.perm=num1-num2 | Permissions are between num1 and num2
path1.perm=setuid | Setuid bit is on
path1.perm=setgid | Setgid bit is on
path1.perm=sticky | Sticky bit is on
path1.perm=owner_read | Owner read bit is on
path1.perm=owner_write | Owner write bit is on
path1.perm=owner_execute | Owner execute bit is on
path1.perm=group_read | Group read bit is on
path1.perm=group_write | Group write bit is on
path1.perm=group_execute | Group execute bit is on
path1.perm=others_read | Others read bit is on
path1.perm=others_write | Others write bit is on
path1.perm=others_execute | Others execute bit is on
path1.perm!=num1-num2 | Permissions are not between num1 and num2
path1.perm!=setuid | Setuid bit is off
path1.perm!=setgid | Setgid bit is off
path1.perm!=sticky | Sticky bit is off
path1.perm!=owner_read | Owner read bit is off
path1.perm!=owner_write | Owner write bit is off
path1.perm!=owner_execute | Owner execute bit is off
path1.perm!=group_read | Group read bit is off
path1.perm!=group_write | Group write bit is off
path1.perm!=group_execute | Group execute bit is off
path1.perm!=others_read | Others read bit is off
path1.perm!=others_write | Others write bit is off
path1.perm!=others_execute | Others execute bit is off
The same comparisons can be applied to "path1.parent", "path2" and "path2.parent" as well as "path1".
10.7. Example usage
If you wish to deny login as the root user from a specific domain (e.g. "<kernel> /sbin/agetty /bin/login"), the following could be inserted into domain policy:
file execute /bin/bash task.uid!=0
If you wish to allow login for a range of user IDs from a specific domain (e.g. "<kernel> /sbin/agetty /bin/login"), the following could be inserted into domain policy:
file execute /bin/bash task.uid=500-1000
If you wish to allow a domain to read a temporary file only when the process owns it, the following could be inserted into domain policy:
file read /tmp/file001.tmp task.uid=path1.uid
If you wish to allow the execution of a program only when certain conditions are met (here: the program resolves to the expected real path, is invoked under the expected argv[0], and, for firefox, receives an empty environment), the following could be inserted into domain policy:
file execute /usr/bin/ssh exec.realpath="/usr/bin/ssh" exec.argv[0]="ssh"
file execute /usr/bin/firefox exec.realpath="/usr/lib/firefox-3.6/firefox" exec.argv[0]="/usr/bin/firefox" exec.envc=0
If you wish to perform more complicated checks, you can use the execute_handler feature described in Chapter 13: Judging execute requests outside of the kernel.
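To make the matching rules of sections 10.1 to 10.3 and 10.6 concrete, here is a small Python evaluator added to this chapter (it is not TOMOYO's own code): it parses permission lines such as the ones in 10.7 above and checks their conditions against a constructed process/object context. Treating a variable that is unavailable at check time (such as path2.uid on a rename) as never matching is this illustration's assumption, not a statement about the kernel's behaviour.

```python
import re
import stat
PERM_BITS = {  # bit names from section 10.6 mapped to the stat module's mode constants
    "setuid": stat.S_ISUID, "setgid": stat.S_ISGID, "sticky": stat.S_ISVTX,
    "owner_read": stat.S_IRUSR, "owner_write": stat.S_IWUSR, "owner_execute": stat.S_IXUSR,
    "group_read": stat.S_IRGRP, "group_write": stat.S_IWGRP, "group_execute": stat.S_IXGRP,
    "others_read": stat.S_IROTH, "others_write": stat.S_IWOTH, "others_execute": stat.S_IXOTH,
}
# One condition token: variable, "=" or "!=", value (quoted string, number, range or variable).
COND_RE = re.compile(r"^((?:task|path[12]|exec|symlink)\.[\w.\[\]]+)(!=|=)(.+)$")

def num(text):
    return int(text, 8) if len(text) > 1 and text[0] == "0" else int(text)  # 0644 is octal

def parse_line(line):
    """Split a permission line into its mandatory tokens and a list of (var, op, value)."""
    head, conds = [], []
    for tok in line.split():
        m = COND_RE.match(tok)
        (conds if m else head).append(m.groups() if m else tok)
    return head, conds

def cond_matches(var, op, value, ctx):
    """Evaluate one condition against ctx, a dict of the values known at check time."""
    if var not in ctx:   # e.g. path2.uid on a rename: the target does not exist yet.
        return False     # Assumption of this illustration: an unavailable variable never matches.
    actual = ctx[var]
    if value.startswith('"') and value.endswith('"'):     # string value
        hit = actual == value[1:-1]
    elif var.endswith(".perm") and value in PERM_BITS:    # bitmask test on DAC permissions
        hit = bool(actual & PERM_BITS[value])
    elif re.fullmatch(r"\d+-\d+", value):                 # inclusive range num1-num2
        lo, hi = (num(v) for v in value.split("-"))
        hit = lo <= actual <= hi
    elif value.isdigit():                                 # single integer
        hit = actual == num(value)
    elif value in ctx:                                    # another variable, e.g. task.uid=path1.uid
        hit = actual == ctx[value]
    else:                                                 # keyword: file, block, execute_handler, ...
        hit = actual == value
    return hit if op == "=" else not hit

def line_matches(line, ctx):
    """True when every condition on the line holds; a line without conditions always matches."""
    return all(cond_matches(*c, ctx) for c in parse_line(line)[1])
# Constructed sample context: uid 500 in the login domain, executing /usr/bin/ssh with an empty envp.
SAMPLE_CTX = {
    "task.uid": 500, "task.type": "execute_handler", "path1.uid": 500, "path1.type": "file",
    "path1.perm": 0o4755, "exec.realpath": "/usr/bin/ssh", "exec.argv[0]": "ssh", "exec.envc": 0,
}
```

With SAMPLE_CTX, the 10.7 lines for /bin/bash (task.uid!=0 and task.uid=500-1000), the /tmp/file001.tmp line and the ssh line all match, while the firefox line does not because exec.realpath differs.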