Stephen Smalley2dd4e512012-01-04 12:33:27 -05001#
2# Define common prefixes for access vectors
3#
4# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
11common file
12{
13 ioctl
14 read
15 write
16 create
17 getattr
18 setattr
19 lock
20 relabelfrom
21 relabelto
22 append
23 unlink
24 link
25 rename
26 execute
27 swapon
28 quotaon
29 mounton
30}
31
32
33#
34# Define a common prefix for socket access vectors.
35#
36
37common socket
38{
39# inherited from file
40 ioctl
41 read
42 write
43 create
44 getattr
45 setattr
46 lock
47 relabelfrom
48 relabelto
49 append
50# socket-specific
51 bind
52 connect
53 listen
54 accept
55 getopt
56 setopt
57 shutdown
58 recvfrom
59 sendto
60 recv_msg
61 send_msg
62 name_bind
63}
64
65#
66# Define a common prefix for ipc access vectors.
67#
68
69common ipc
70{
71 create
72 destroy
73 getattr
74 setattr
75 read
76 write
77 associate
78 unix_read
79 unix_write
80}
81
82#
Stephen Smalley2dd4e512012-01-04 12:33:27 -050083# Define the access vectors.
84#
85# class class_name [ inherits common_name ] { permission_name ... }
86
87
88#
89# Define the access vector interpretation for file-related objects.
90#
91
92class filesystem
93{
94 mount
95 remount
96 unmount
97 getattr
98 relabelfrom
99 relabelto
100 transition
101 associate
102 quotamod
103 quotaget
104}
105
106class dir
107inherits file
108{
109 add_name
110 remove_name
111 reparent
112 search
113 rmdir
114 open
115 audit_access
116 execmod
117}
118
119class file
120inherits file
121{
122 execute_no_trans
123 entrypoint
124 execmod
125 open
126 audit_access
127}
128
129class lnk_file
130inherits file
131{
132 open
133 audit_access
134 execmod
135}
136
137class chr_file
138inherits file
139{
140 execute_no_trans
141 entrypoint
142 execmod
143 open
144 audit_access
145}
146
147class blk_file
148inherits file
149{
150 open
151 audit_access
152 execmod
153}
154
155class sock_file
156inherits file
157{
158 open
159 audit_access
160 execmod
161}
162
163class fifo_file
164inherits file
165{
166 open
167 audit_access
168 execmod
169}
170
171class fd
172{
173 use
174}
175
176
177#
178# Define the access vector interpretation for network-related objects.
179#
180
181class socket
182inherits socket
183
184class tcp_socket
185inherits socket
186{
187 connectto
188 newconn
189 acceptfrom
190 node_bind
191 name_connect
192}
193
194class udp_socket
195inherits socket
196{
197 node_bind
198}
199
200class rawip_socket
201inherits socket
202{
203 node_bind
204}
205
206class node
207{
208 tcp_recv
209 tcp_send
210 udp_recv
211 udp_send
212 rawip_recv
213 rawip_send
214 enforce_dest
215 dccp_recv
216 dccp_send
217 recvfrom
218 sendto
219}
220
221class netif
222{
223 tcp_recv
224 tcp_send
225 udp_recv
226 udp_send
227 rawip_recv
228 rawip_send
229 dccp_recv
230 dccp_send
231 ingress
232 egress
233}
234
235class netlink_socket
236inherits socket
237
238class packet_socket
239inherits socket
240
241class key_socket
242inherits socket
243
244class unix_stream_socket
245inherits socket
246{
247 connectto
248 newconn
249 acceptfrom
250}
251
252class unix_dgram_socket
253inherits socket
254
255#
256# Define the access vector interpretation for process-related objects
257#
258
259class process
260{
261 fork
262 transition
263 sigchld # commonly granted from child to parent
264 sigkill # cannot be caught or ignored
265 sigstop # cannot be caught or ignored
266 signull # for kill(pid, 0)
267 signal # all other signals
268 ptrace
269 getsched
270 setsched
271 getsession
272 getpgid
273 setpgid
274 getcap
275 setcap
276 share
277 getattr
278 setexec
279 setfscreate
280 noatsecure
281 siginh
282 setrlimit
283 rlimitinh
284 dyntransition
285 setcurrent
286 execmem
287 execstack
288 execheap
289 setkeycreate
290 setsockcreate
291}
292
293
294#
295# Define the access vector interpretation for ipc-related objects
296#
297
298class ipc
299inherits ipc
300
301class sem
302inherits ipc
303
304class msgq
305inherits ipc
306{
307 enqueue
308}
309
310class msg
311{
312 send
313 receive
314}
315
316class shm
317inherits ipc
318{
319 lock
320}
321
322
323#
324# Define the access vector interpretation for the security server.
325#
326
327class security
328{
329 compute_av
330 compute_create
331 compute_member
332 check_context
333 load_policy
334 compute_relabel
335 compute_user
336 setenforce # was avc_toggle in system class
337 setbool
338 setsecparam
339 setcheckreqprot
340 read_policy
341}
342
343
344#
345# Define the access vector interpretation for system operations.
346#
347
348class system
349{
350 ipc_info
351 syslog_read
352 syslog_mod
353 syslog_console
354 module_request
355}
356
357#
358# Define the access vector interpretation for controlling capabilities
359#
360
361class capability
362{
363 # The capabilities are defined in include/linux/capability.h
364 # Capabilities >= 32 are defined in the capability2 class.
365 # Care should be taken to ensure that these are consistent with
366 # those definitions. (Order matters)
367
368 chown
369 dac_override
370 dac_read_search
371 fowner
372 fsetid
373 kill
374 setgid
375 setuid
376 setpcap
377 linux_immutable
378 net_bind_service
379 net_broadcast
380 net_admin
381 net_raw
382 ipc_lock
383 ipc_owner
384 sys_module
385 sys_rawio
386 sys_chroot
387 sys_ptrace
388 sys_pacct
389 sys_admin
390 sys_boot
391 sys_nice
392 sys_resource
393 sys_time
394 sys_tty_config
395 mknod
396 lease
397 audit_write
398 audit_control
399 setfcap
400}
401
402class capability2
403{
404 mac_override # unused by SELinux
405 mac_admin # unused by SELinux
406 syslog
Stephen Smalleya1ce2fa2012-08-10 09:23:21 -0400407 wake_alarm
408 block_suspend
Woojung Min3198cb52015-10-01 15:49:32 +0900409 audit_read
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500410}
411
412#
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500413# Extended Netlink classes
414#
415class netlink_route_socket
416inherits socket
417{
418 nlmsg_read
419 nlmsg_write
420}
421
422class netlink_firewall_socket
423inherits socket
424{
425 nlmsg_read
426 nlmsg_write
427}
428
429class netlink_tcpdiag_socket
430inherits socket
431{
432 nlmsg_read
433 nlmsg_write
434}
435
436class netlink_nflog_socket
437inherits socket
438
439class netlink_xfrm_socket
440inherits socket
441{
442 nlmsg_read
443 nlmsg_write
444}
445
446class netlink_selinux_socket
447inherits socket
448
449class netlink_audit_socket
450inherits socket
451{
452 nlmsg_read
453 nlmsg_write
454 nlmsg_relay
455 nlmsg_readpriv
456 nlmsg_tty_audit
457}
458
459class netlink_ip6fw_socket
460inherits socket
461{
462 nlmsg_read
463 nlmsg_write
464}
465
466class netlink_dnrt_socket
467inherits socket
468
469# Define the access vector interpretation for controlling
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500470# access to IPSec network data by association
471#
472class association
473{
474 sendto
475 recvfrom
476 setcontext
477 polmatch
478}
479
480# Updated Netlink class for KOBJECT_UEVENT family.
481class netlink_kobject_uevent_socket
482inherits socket
483
484class appletalk_socket
485inherits socket
486
487class packet
488{
489 send
490 recv
491 relabelto
492 flow_in # deprecated
493 flow_out # deprecated
494 forward_in
495 forward_out
496}
497
498class key
499{
500 view
501 read
502 write
503 search
504 link
505 setattr
506 create
507}
508
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500509class dccp_socket
510inherits socket
511{
512 node_bind
513 name_connect
514}
515
516class memprotect
517{
518 mmap_zero
519}
520
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500521# network peer labels
522class peer
523{
524 recv
525}
526
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500527class kernel_service
528{
529 use_as_override
530 create_files_as
531}
532
533class tun_socket
534inherits socket
Nick Kralevichd7af45d2014-06-06 16:51:11 -0700535{
536 attach_queue
537}
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500538
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500539class binder
540{
541 impersonate
542 call
543 set_context_mgr
544 transfer
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500545}
546
Stephen Smalley01d95c22015-05-21 16:17:26 -0400547class netlink_iscsi_socket
548inherits socket
549
550class netlink_fib_lookup_socket
551inherits socket
552
553class netlink_connector_socket
554inherits socket
555
556class netlink_netfilter_socket
557inherits socket
558
559class netlink_generic_socket
560inherits socket
561
562class netlink_scsitransport_socket
563inherits socket
564
565class netlink_rdma_socket
566inherits socket
567
568class netlink_crypto_socket
569inherits socket
570
Stephen Smalley124720a2012-04-04 10:11:16 -0400571class property_service
572{
573 set
574}
Riley Spahnf90c41f2014-06-05 15:52:02 -0700575
576class service_manager
577{
578 add
Riley Spahnb8511e02014-07-07 13:56:27 -0700579 find
580 list
Riley Spahnf90c41f2014-06-05 15:52:02 -0700581}
Riley Spahn1196d2a2014-06-17 14:58:52 -0700582
583class keystore_key
584{
Chad Brubakercbc8f792015-05-13 14:39:48 -0700585 get_state
Riley Spahn1196d2a2014-06-17 14:58:52 -0700586 get
587 insert
588 delete
589 exist
Chad Brubakercbc8f792015-05-13 14:39:48 -0700590 list
Riley Spahn1196d2a2014-06-17 14:58:52 -0700591 reset
592 password
593 lock
594 unlock
Chad Brubakercbc8f792015-05-13 14:39:48 -0700595 is_empty
Riley Spahn1196d2a2014-06-17 14:58:52 -0700596 sign
597 verify
598 grant
599 duplicate
600 clear_uid
Chad Brubaker89277722015-03-31 13:03:06 -0700601 add_auth
Chad Brubaker520bb812015-05-12 12:33:40 -0700602 user_changed
Riley Spahn1196d2a2014-06-17 14:58:52 -0700603}
Stephen Smalleyba992492014-07-24 15:25:43 -0400604
605class debuggerd
606{
607 dump_tombstone
608 dump_backtrace
609}
Riley Spahn70f75ce2014-07-02 12:42:59 -0700610
611class drmservice {
612 consumeRights
613 setPlaybackStatus
614 openDecryptSession
615 closeDecryptSession
616 initializeDecryptUnit
617 decrypt
618 finalizeDecryptUnit
619 pread
620}