access_vectors: re-organize common file perms
The open, audit_access, execmod, and watch* permissions
are all defined in the COMMON_FILE_PERMS in the kernel
classmap and inherited by all the file-related classes;
we can do the same in the policy by putting them into the
common file declaration.
refpolicy recently similarly reorganized its definitions and added the
watch* permissions to common file, see:
https://github.com/SELinuxProject/refpolicy/commit/e5dbe7527690d95cced0e58052746fb59d9321c7
https://github.com/SELinuxProject/refpolicy/commit/c656b97a289ce6c2da2871700384f0f9d831be18
https://github.com/SELinuxProject/refpolicy/commit/3952ecb4dd4435c8e017a0d2733ba49b02730764
Adding new permissions to the end of the existing classes was only
required for kernels that predate the dynamic class/perm mapping
support (< v2.6.33).
Test: policy still builds
Change-Id: I44a2c3a94c21ed23410b6f807af7f1179e2c1747
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/private/access_vectors b/private/access_vectors
index 8c6aa68..cd1ad12 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -27,6 +27,14 @@
execute
quotaon
mounton
+ audit_access
+ open
+ execmod
+ watch
+ watch_mount
+ watch_sb
+ watch_with_perm
+ watch_reads
}
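Review bot: moving these eight permissions into common file changes the bit position of each of them in every inheriting class (they were class-specific bits at the end of dir, file, etc. and become common bits), so a policy compiled from this cannot be loaded on a kernel without dynamic class/perm mapping; the message scopes that to < v2.6.33, but stating the minimum kernel this policy targets would make the assumption explicit. Because "Test: policy still builds" only proves compilation, it is also worth diffing the per-class permission sets before and after (for example with setools' seinfo) to confirm no class silently lost or gained a permission.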
@@ -164,14 +172,6 @@
reparent
search
rmdir
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class file
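Review bot: dropping these from class dir is required rather than optional once they live in common file, since checkpolicy rejects a class permission that conflicts with one in the class's common; the removed names here are exactly the eight added to the common block (open, audit_access, execmod, watch, watch_mount, watch_sb, watch_with_perm, watch_reads), so no dir-specific permission is lost, and the trailing `}` / `class file` context shows the class still closes correctly.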
@@ -179,82 +179,26 @@
{
execute_no_trans
entrypoint
- execmod
- open
- audit_access
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class lnk_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class chr_file
inherits file
{
execute_no_trans
entrypoint
- execmod
- open
- audit_access
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class blk_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class sock_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class fifo_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class fd
{
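Review bot: after this hunk lnk_file, blk_file, sock_file and fifo_file are left as bare `class X inherits file` declarations with no brace block, which is valid policy syntax, while file and chr_file keep only execute_no_trans and entrypoint; that matches the stated intent. The hunk header advertises 82 old / 26 new lines but the visible hunk ends at `class fd` `{` with fewer lines than that, so the tail of this hunk appears truncated in this view and should be checked against the full patch before merging.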