Stephen Smalley2dd4e512012-01-04 12:33:27 -05001#
2# Define common prefixes for access vectors
3#
4# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
11common file
12{
13 ioctl
14 read
15 write
16 create
17 getattr
18 setattr
19 lock
20 relabelfrom
21 relabelto
22 append
Stephen Smalley4397f082017-07-10 09:32:10 -040023 map
Stephen Smalley2dd4e512012-01-04 12:33:27 -050024 unlink
25 link
26 rename
27 execute
Stephen Smalley2dd4e512012-01-04 12:33:27 -050028 quotaon
29 mounton
30}
31
32
33#
34# Define a common prefix for socket access vectors.
35#
36
37common socket
38{
39# Copied from the file common above rather than inherited: the common syntax
# documented at the top of this file has no inherits clause, so a permission
# added to file (e.g. map) must be added here by hand to keep the two in sync.
40 ioctl
41 read
42 write
43 create
44 getattr
45 setattr
46 lock
47 relabelfrom
48 relabelto
49 append
Stephen Smalley4397f082017-07-10 09:32:10 -040050 map
Stephen Smalley2dd4e512012-01-04 12:33:27 -050051# socket-specific
52 bind
53 connect
54 listen
55 accept
56 getopt
57 setopt
58 shutdown
59 recvfrom
60 sendto
Stephen Smalley2dd4e512012-01-04 12:33:27 -050061 name_bind
62}
63
64#
65# Define a common prefix for ipc access vectors.
66#
67
68common ipc
69{
70 create
71 destroy
72 getattr
73 setattr
74 read
75 write
76 associate
77 unix_read
78 unix_write
79}
80
81#
82# Define a common prefix for capability access vectors.
83#
84common cap
85{
86 # The capabilities are defined in include/linux/capability.h
87 # Capabilities >= 32 are defined in the cap2 common.
88 # Care should be taken to ensure that these are consistent with
89 # those definitions. (Order matters)
90
91 chown
92 dac_override
93 dac_read_search
94 fowner
95 fsetid
96 kill
97 setgid
98 setuid
99 setpcap
100 linux_immutable
101 net_bind_service
102 net_broadcast
103 net_admin
104 net_raw
105 ipc_lock
106 ipc_owner
107 sys_module
108 sys_rawio
109 sys_chroot
110 sys_ptrace
111 sys_pacct
112 sys_admin
113 sys_boot
114 sys_nice
115 sys_resource
116 sys_time
117 sys_tty_config
118 mknod
119 lease
120 audit_write
121 audit_control
122 setfcap
123}
124
125common cap2
126{
	# Capabilities numbered 32 and above; the first 32 live in the cap common
	# above. The same caveat applies here: these must stay consistent with the
	# kernel's include/linux/capability.h, and their order matters.
127 mac_override # unused by SELinux
128 mac_admin # unused by SELinux
129 syslog
130 wake_alarm
131 block_suspend
132 audit_read
133}
134
135#
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500136# Define the access vectors.
137#
138# class class_name [ inherits common_name ] { permission_name ... }
139
140
141#
142# Define the access vector interpretation for file-related objects.
143#
144
145class filesystem
146{
147 mount
148 remount
149 unmount
150 getattr
151 relabelfrom
152 relabelto
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500153 associate
154 quotamod
155 quotaget
156}
157
158class dir
159inherits file
160{
161 add_name
162 remove_name
163 reparent
164 search
165 rmdir
166 open
167 audit_access
168 execmod
169}
170
171class file
172inherits file
173{
174 execute_no_trans
175 entrypoint
176 execmod
177 open
178 audit_access
179}
180
181class lnk_file
182inherits file
183{
184 open
185 audit_access
186 execmod
187}
188
189class chr_file
190inherits file
191{
192 execute_no_trans
193 entrypoint
194 execmod
195 open
196 audit_access
197}
198
199class blk_file
200inherits file
201{
202 open
203 audit_access
204 execmod
205}
206
207class sock_file
208inherits file
209{
210 open
211 audit_access
212 execmod
213}
214
215class fifo_file
216inherits file
217{
218 open
219 audit_access
220 execmod
221}
222
223class fd
224{
225 use
226}
227
228
229#
230# Define the access vector interpretation for network-related objects.
231#
232
233class socket
234inherits socket
235
236class tcp_socket
237inherits socket
238{
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500239 node_bind
240 name_connect
241}
242
243class udp_socket
244inherits socket
245{
246 node_bind
247}
248
249class rawip_socket
250inherits socket
251{
252 node_bind
253}
254
255class node
256{
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500257 recvfrom
258 sendto
259}
260
261class netif
262{
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500263 ingress
264 egress
265}
266
267class netlink_socket
268inherits socket
269
270class packet_socket
271inherits socket
272
273class key_socket
274inherits socket
275
276class unix_stream_socket
277inherits socket
278{
279 connectto
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500280}
281
282class unix_dgram_socket
283inherits socket
284
285#
286# Define the access vector interpretation for process-related objects
287#
288
289class process
290{
291 fork
292 transition
293 sigchld # commonly granted from child to parent
294 sigkill # cannot be caught or ignored
295 sigstop # cannot be caught or ignored
296 signull # for kill(pid, 0)
297 signal # all other signals
298 ptrace
299 getsched
300 setsched
301 getsession
302 getpgid
303 setpgid
304 getcap
305 setcap
306 share
307 getattr
308 setexec
309 setfscreate
310 noatsecure
311 siginh
312 setrlimit
313 rlimitinh
314 dyntransition
315 setcurrent
316 execmem
317 execstack
318 execheap
319 setkeycreate
320 setsockcreate
Stephen Smalley91a3eea2017-05-17 12:12:12 -0400321 getrlimit
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500322}
323
324
325#
326# Define the access vector interpretation for ipc-related objects
327#
328
329class ipc
330inherits ipc
331
332class sem
333inherits ipc
334
335class msgq
336inherits ipc
337{
338 enqueue
339}
340
341class msg
342{
343 send
344 receive
345}
346
347class shm
348inherits ipc
349{
350 lock
351}
352
353
354#
355# Define the access vector interpretation for the security server.
356#
357
358class security
359{
360 compute_av
361 compute_create
362 compute_member
363 check_context
364 load_policy
365 compute_relabel
366 compute_user
367 setenforce # was avc_toggle in system class
368 setbool
369 setsecparam
370 setcheckreqprot
371 read_policy
Stephen Smalley50992312017-07-10 14:45:15 -0400372 validate_trans
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500373}
374
375
376#
377# Define the access vector interpretation for system operations.
378#
379
380class system
381{
382 ipc_info
383 syslog_read
384 syslog_mod
385 syslog_console
386 module_request
Jeff Vander Stoepa16b0582016-04-07 11:06:05 -0700387 module_load
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500388}
389
390#
Stephen Smalley8a003602016-04-27 09:42:57 -0400391# Define the access vector interpretation for controlling capabilities
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500392#
393
394class capability
Stephen Smalley8a003602016-04-27 09:42:57 -0400395inherits cap
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500396
397class capability2
Stephen Smalley8a003602016-04-27 09:42:57 -0400398inherits cap2
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500399
400#
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500401# Extended Netlink classes
402#
403class netlink_route_socket
404inherits socket
405{
406 nlmsg_read
407 nlmsg_write
408}
409
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500410class netlink_tcpdiag_socket
411inherits socket
412{
413 nlmsg_read
414 nlmsg_write
415}
416
417class netlink_nflog_socket
418inherits socket
419
420class netlink_xfrm_socket
421inherits socket
422{
423 nlmsg_read
424 nlmsg_write
425}
426
427class netlink_selinux_socket
428inherits socket
429
430class netlink_audit_socket
431inherits socket
432{
433 nlmsg_read
434 nlmsg_write
435 nlmsg_relay
436 nlmsg_readpriv
437 nlmsg_tty_audit
438}
439
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500440class netlink_dnrt_socket
441inherits socket
442
443#
# Define the access vector interpretation for controlling
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500444# access to IPSec network data by association
445#
446class association
447{
448 sendto
449 recvfrom
450 setcontext
451 polmatch
452}
453
454# Updated Netlink class for KOBJECT_UEVENT family.
455class netlink_kobject_uevent_socket
456inherits socket
457
458class appletalk_socket
459inherits socket
460
461class packet
462{
463 send
464 recv
465 relabelto
466 flow_in # deprecated
467 flow_out # deprecated
468 forward_in
469 forward_out
470}
471
472class key
473{
474 view
475 read
476 write
477 search
478 link
479 setattr
480 create
481}
482
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500483class dccp_socket
484inherits socket
485{
486 node_bind
487 name_connect
488}
489
490class memprotect
491{
492 mmap_zero
493}
494
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500495# network peer labels
496class peer
497{
498 recv
499}
500
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500501class kernel_service
502{
503 use_as_override
504 create_files_as
505}
506
507class tun_socket
508inherits socket
Nick Kralevichd7af45d2014-06-06 16:51:11 -0700509{
510 attach_queue
511}
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500512
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500513class binder
514{
515 impersonate
516 call
517 set_context_mgr
518 transfer
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500519}
520
Stephen Smalley01d95c22015-05-21 16:17:26 -0400521class netlink_iscsi_socket
522inherits socket
523
524class netlink_fib_lookup_socket
525inherits socket
526
527class netlink_connector_socket
528inherits socket
529
530class netlink_netfilter_socket
531inherits socket
532
533class netlink_generic_socket
534inherits socket
535
536class netlink_scsitransport_socket
537inherits socket
538
539class netlink_rdma_socket
540inherits socket
541
542class netlink_crypto_socket
543inherits socket
544
Stephen Smalley8a003602016-04-27 09:42:57 -0400545#
546# Define the access vector interpretation for controlling capabilities
547# in user namespaces
548#
549
550class cap_userns
551inherits cap
552
553class cap2_userns
554inherits cap2
555
Stephen Smalley431bdd92016-12-08 13:35:27 -0500556
557#
558# Define the access vector interpretation for the new socket classes
559# enabled by the extended_socket_class policy capability.
560#
561
562#
563# The next two classes were previously mapped to rawip_socket and therefore
564# have the same definition as rawip_socket (until further permissions
565# are defined).
566#
567class sctp_socket
568inherits socket
569{
570 node_bind
571}
572
573class icmp_socket
574inherits socket
575{
576 node_bind
577}
578
579#
580# The remaining network socket classes were previously
581# mapped to the socket class and therefore have the
582# same definition as socket.
583#
584
585class ax25_socket
586inherits socket
587
588class ipx_socket
589inherits socket
590
591class netrom_socket
592inherits socket
593
594class atmpvc_socket
595inherits socket
596
597class x25_socket
598inherits socket
599
600class rose_socket
601inherits socket
602
603class decnet_socket
604inherits socket
605
606class atmsvc_socket
607inherits socket
608
609class rds_socket
610inherits socket
611
612class irda_socket
613inherits socket
614
615class pppox_socket
616inherits socket
617
618class llc_socket
619inherits socket
620
621class can_socket
622inherits socket
623
624class tipc_socket
625inherits socket
626
627class bluetooth_socket
628inherits socket
629
630class iucv_socket
631inherits socket
632
633class rxrpc_socket
634inherits socket
635
636class isdn_socket
637inherits socket
638
639class phonet_socket
640inherits socket
641
642class ieee802154_socket
643inherits socket
644
645class caif_socket
646inherits socket
647
648class alg_socket
649inherits socket
650
651class nfc_socket
652inherits socket
653
654class vsock_socket
655inherits socket
656
657class kcm_socket
658inherits socket
659
660class qipcrtr_socket
661inherits socket
662
Stephen Smalley2be97992017-05-17 12:06:49 -0400663class smc_socket
664inherits socket
665
Stephen Smalley124720a2012-04-04 10:11:16 -0400666class property_service
667{
668 set
669}
Riley Spahnf90c41f2014-06-05 15:52:02 -0700670
671class service_manager
672{
673 add
Riley Spahnb8511e02014-07-07 13:56:27 -0700674 find
675 list
Riley Spahnf90c41f2014-06-05 15:52:02 -0700676}
Riley Spahn1196d2a2014-06-17 14:58:52 -0700677
Martijn Coenenbc6d88d2017-04-06 09:24:41 -0700678class hwservice_manager
679{
680 add
681 find
682 list
683}
684
Riley Spahn1196d2a2014-06-17 14:58:52 -0700685class keystore_key
686{
Chad Brubakercbc8f792015-05-13 14:39:48 -0700687 get_state
Riley Spahn1196d2a2014-06-17 14:58:52 -0700688 get
689 insert
690 delete
691 exist
Chad Brubakercbc8f792015-05-13 14:39:48 -0700692 list
Riley Spahn1196d2a2014-06-17 14:58:52 -0700693 reset
694 password
695 lock
696 unlock
Chad Brubakercbc8f792015-05-13 14:39:48 -0700697 is_empty
Riley Spahn1196d2a2014-06-17 14:58:52 -0700698 sign
699 verify
700 grant
701 duplicate
702 clear_uid
Chad Brubaker89277722015-03-31 13:03:06 -0700703 add_auth
Chad Brubaker520bb812015-05-12 12:33:40 -0700704 user_changed
Shawn Willdena0c7f012017-04-11 09:41:25 -0600705 gen_unique_id
Riley Spahn1196d2a2014-06-17 14:58:52 -0700706}
Stephen Smalleyba992492014-07-24 15:25:43 -0400707
# NOTE(review): these permission names are camelCase and the opening brace sits
# on the class line, unlike every other class in this file. Renaming them would
# break any existing policy rules that reference these names, so the
# inconsistency is recorded here rather than changed.
Riley Spahn70f75ce2014-07-02 12:42:59 -0700708class drmservice {
709 consumeRights
710 setPlaybackStatus
711 openDecryptSession
712 closeDecryptSession
713 initializeDecryptUnit
714 decrypt
715 finalizeDecryptUnit
716 pread
717}