From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] x_keyboard/x_pointer MLS constraints
Date: Tue, 16 Jul 2013 09:16:00 -0400
Message-ID: <51E54790.40700@tresys.com>
I was reviewing the policy, when I noticed that there were no MLS constraints for the x_keyboard and x_pointer classes. Is there any reason not to add these constraints (which are copied from x_device):
diff --git a/policy/mls b/policy/mls
index d218387..f11e5e2 100644
--- a/policy/mls
+++ b/policy/mls
@@ -666,6 +666,42 @@ mlsconstrain x_application_data { paste_after_confirm }
( l1 dom l2 );
+#
+# MLS policy for the x_pointer class
+#
+
+# the x_pointer "read" ops
+mlsconstrain x_pointer { getattr use read getfocus grab }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinread ));
+
+# the x_pointer "write" ops (implicit single level)
+mlsconstrain x_pointer { setattr write setfocus bell force_cursor freeze manage }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwritexinput ) or
+ ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the x_keyboard class
+#
+
+# the x_keyboard "read" ops
+mlsconstrain x_keyboard { getattr use read getfocus grab }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinread ));
+
+# the x_keyboard "write" ops (implicit single level)
+mlsconstrain x_keyboard { setattr write setfocus bell force_cursor freeze manage }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwritexinput ) or
+ ( t1 == mlsxwinwrite ));
+
+
#
# MLS policy for the dbus class
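Review bot: in both "read" constraints, `grab` sits alongside getattr/use/read/getfocus and so needs only `l1 dom l2`, which lets a subject actively grab a pointer or keyboard labelled at a lower level. A grab redirects input delivery for other clients rather than just observing the device, so if this grouping is intentional (it is copied from x_device), please add a comment next to the read sets saying why grab is treated as a read, or move it to the write set. Separately, the x_pointer and x_keyboard blocks differ only in the class name, so a single constraint over a class set, for example `mlsconstrain { x_pointer x_keyboard } { getattr use read getfocus grab }`, would keep the two from drifting apart.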
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com