-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathschemaTemplate.yaml
151 lines (122 loc) · 5.54 KB
/
schemaTemplate.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
# Pipeline is a sequence of entry, zero or more filters, and exit,
# but yamale - and YAML - lacks a method of forcing sequence order.
# Therefore,
# - have three required elements in the map, entry, filters, exit
# - inclusion of filters is optional; if included, their order is
# defined by an 'order' number
# - have code know about the sequence and "do the right thing",
# mapping from n-1's types to n's, etc.
#
pipeline:
entry: include('entry')
filters: list(include('filter'), required=False)
exit: include('exit')
entry: any(include('receiver'), include('getter'))
# Probably only ever a sender, but maybe folders? TBD...
exit: any(include('sender'))
#type: any(include('sender'), include('folder'))
receiver:
type: regex('receiver') # regex forces specific string; str() does not
# this should be common between all entry types, but I cannot think of
# how to generalize without having an arbitrary placeholder in each one
folder: include('folder')
common: include('networkAgentCommon')
# I'd rather do this, but it is messier than I thought
# protocol: include('protocol')
protocol: enum('udp')
port: include('port')
sender:
type: regex('sender') # regex forces specific string; str() does not
common: include('networkAgentCommon')
# I'd rather do this, but it is messier than I thought
# protocol: include('protocol')
protocol: enum('udp','ssh')
getter:
type: regex('getter') # regex forces specific string; str() does not
# this should be common between all entry types, but I cannot think of
# how to generalize without having an arbitrary placeholder in each one
folder: include('folder')
common: include('networkAgentCommon')
# I'd rather do this, but it is messier than I thought
# protocol: include('protocol')
protocol: enum('ssh')
networkAgentCommon:
interfaceType: include('interfaceType')
processInfo: include('processInfo')
# Move this to entry types - only needed there; N+1 gets it from N
# # read or write, depending whether entry or exit
# folder: include('folder')
# I'd rather do this, but it is messier than I thought
# protocol: enum('tcp', 'udp', 'ssh') # protocol varies by agent
filter:
order: int() # specify this manually - use this in the generation code....
processInfo: include('processInfo')
in: include('in', required=False) # get from entry or N-1
# the folders are necessary, for their paths (*fc); types can be generated
out: include('out')
# error folder is optional - some models use, some do not not
err: include('err', required=False)
canExecs: include('canExecs', required=False)
canExecs: list(include('canExec'))
canExec:
processInfo: include('processInfo')
# easiest way to define this, but we will ignore path, e.g., et al,
# if defining a canExec - we care mostly/only about processType
# maybe canExec is just a list of processTypes this can execute?
# or is it better to specify paths and derive processTypes? Hmm...
# is in really necessary? Or is n-1's out?
in: include('folder')
out: include('folder')
err: include('folder')
admin: include('processInfo')
auth: include('processInfo')
folder:
path: include('path')
folderType: include('folderType', required=False) # autogenerate from elements N and N+1
fileTransition: include('fileTransition', required=False)
processInfo:
name: str()
path: include('path') # executable path, for *fc, for transitions
description: str(required=False)
processType: include('processType', required=False) # auto-generate for now
startedBy: include('startedBy')
# processes often need to log....
logging: list(include('logging'), required=False)
logging: any( include('logFolder'), include('logNetwork') )
logFolder:
# will need basic dir perms on the folder
folder: include('folder')
# if included, is a specific file to write to
file: include('path', required=False)
logNetwork:
# if included, will need basic access to this interface
interfaceType: include('interfaceType', required=False)
# depending on the port or protocol, additional perms may be required
port: include('port', required=False)
protocol: include('loggingProtocol', required=False)
# really a placeholder for now, need to figure this out
loggingProtocol: enum('udp','tcp','syslog','ssh')
startedBy: any(include('user'), include('system'), include('process'))
user:
userRole: include('role')
processTransition: include('processTransition', required=False)
# pretty sure this is going to be a placeholder - we will derive the
# init transition - provided that the string exists, we go this way
system:
systemTransition: include('initTransition')
# included but not currently supported - for later, when we use this more generally
process: any( include('receiver'), include('sender'), include('getter'), include('pipeline'), include('filter'), include('admin'), include('auth'))
# this is for later, when we use this scheme more generally
processes: list(include('process'), min=1)
# many of these should be replaced by regex, e.g.
# primitives/terminals to be validated
fileTransition: str() # for now # regex
initTransition: str() # for now # regex # only used in system; cf comments thereupon
processTransition: str() # for now # regex
# fairly well understood primitives/terminals
port: int()
interfaceType: str() # the SELinux type for the interface # regex
path: str() # for now; likely # regex
role: str() # an SELinux role # regex
processType: str() # the actual SELinux type for the process # regex
folderType: str() # the actual SELinux type for the folder # regex