import("../strong/strong.slang")
// Builds the local DIFC access-policy set for a single file.
//   ?P        - the requesting principal (referenced as $P inside the set)
//   ?FileScid - scid of the target file; also keys the set label
//   ?Name     - name of the object being accessed
//   ?RootScid - scid of the root the name was resolved under
// The set holds one rule, approveAccessByMembership, which binds the file's
// root principal via rootPrincipal($FileScid) and then requires that this
// principal says accessToDir(?Tag, $FileScid) for some tag ?Tag; the query
// line evaluates that rule when the set is used, and the label line names
// the set by the file scid.
defcon difcAccessPolicyTargetingFile(?P, ?FileScid, ?Name, ?RootScid) :-
spec('Local DIFC access policies targeting a file'),
{
approveAccessByMembership($P, ?Tag, $Name, $RootScid) :-
?FileOwner := rootPrincipal($FileScid),
?FileOwner: accessToDir(?Tag, $FileScid).
approveAccessByMembership($P, ?Tag, $Name, $RootScid)?
label('DIFCAccessPolicyTargetingFile/$FileScid').
}.
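// Builds the local DIFC access-policy set for the objects under a root.
//   ?P        - the requesting principal (referenced as $P inside the set)
//   ?Name     - name of the object being accessed
//   ?RootScid - scid of the root the name was resolved under; the guard
//               accessNamedObjectUnderDIFC passes its ?RootDir here
// Fix: the set label previously interpolated $RootDir, which is neither a
// parameter of this defcon nor bound anywhere in its body; it now uses
// $RootScid, the value this defcon actually receives, so the generated set
// is labelled by the root it was built for (mirrors the file variant, which
// labels by $FileScid).
// NOTE(review): unlike the file variant, ?FileOwner appears as the speaker
// of the first body literal before it is bound, and is only tied to
// rootPrincipal(?FileScid) by the trailing equality; confirm with the slog
// evaluator that this binding order is intended.
defcon difcAccessPolicyTargetingSet(?P, ?Name, ?RootScid) :-
spec('Local DIFC access policies targeting a set'),
{
approveAccessByMembership($P, ?Tag, $Name, $RootScid) :-
?FileOwner: accessToDir(?Tag, ?FileScid),
?Froot := rootPrincipal(?FileScid),
?FileOwner = ?Froot.
approveAccessByMembership($P, ?Tag, $Name, $RootScid)?
label('DIFCAccessPolicyTargetingSet/$RootScid/$Name').
}.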
// Guard: decides whether principal ?P may access the object ?Name under
// ?RootDir. It resolves the name to ?Scid, binds the object's root principal
// ?ObjRoot := rootPrincipal(?Scid) and ?ObjSet := label(?ObjRoot, ?Scid),
// builds the local DIFC policy set for the root via
// difcAccessPolicyTargetingSet, runs inferQuerySet over it against ?ObjSet,
// and returns a set that links the object set and the three standard
// policy/evaluation sets.
// NOTE(review): ?LastCertToken (from resolve) and ?SubgoalsRef (from
// inferQuerySet) are bound but never used, so the DIFC inference result does
// not reach the returned set; and $BearerRef is linked in the result although
// it is neither a parameter nor bound in this guard. If the inference result
// was meant to be part of the proof context, the intended link may have been
// $SubgoalsRef -- confirm against the helpers in strong.slang before relying
// on this guard to enforce the DIFC policy.
defguard accessNamedObjectUnderDIFC(?P, ?Name, ?RootDir) :-
spec("Check if a principal can access a named object"),
resolve(?RootDir, ?Name, ?Scid, ?LastCertToken),
?ObjRoot := rootPrincipal(?Scid),
?ObjSet := label(?ObjRoot, ?Scid),
?DifcRulesRef := difcAccessPolicyTargetingSet(?P, ?Name, ?RootDir),
?SubgoalsRef := inferQuerySet(?DifcRulesRef, ?ObjSet),
?SRNEvalRulesRef := label("SRN-standard-evaluation"),
?MembershipPolicyRef := label("standard-membership-policy"),
?AccessPolicyRef := label("standard-access-policy"),
{
link($ObjSet).
link($SRNEvalRulesRef).
link($MembershipPolicyRef).
link($AccessPolicyRef).
link($BearerRef).
}.