#
# Define common prefixes (reusable permission sets) for access vectors.
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

common file
{
	# Shared by dir, file, lnk_file, chr_file, blk_file, sock_file and
	# fifo_file below via "inherits file"; each of those classes only
	# appends its own names to this set.
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	unlink
	link
	rename
	execute
	quotaon
	mounton
}
31
32
#
# Define a common prefix for socket access vectors.
#
36
common socket
{
	# inherited from file: this is not a literal "inherits"; the first
	# eleven names are copied from the start of "common file" (ioctl
	# through map) so sockets share the generic file operations without
	# picking up unlink/link/rename/execute/quotaon/mounton.
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind
}
63
#
# Define a common prefix for ipc access vectors.
#
67
common ipc
{
	# Shared by the ipc, sem, msgq and shm classes via "inherits ipc".
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}
80
#
# Define a common prefix for capability access vectors.
#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# NOTE(review): "order matters" is the security-relevant constraint
	# here - the position of each name is presumably what lines it up
	# with the kernel's numbering, so inserting or reordering an entry
	# would shift every later name onto the wrong capability. Append
	# new entries only, and only at the end of the matching common.
	# The names appear to be the kernel constants with the CAP_ prefix
	# dropped and lower-cased (chown <-> CAP_CHOWN) - confirm against
	# capability.h when adding one.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}
124
common cap2
{
	# Capabilities numbered 32 and above (the "common cap" block above
	# explains the split). The same ordering constraint applies: the
	# list must stay consistent with include/linux/capability.h, so
	# only append here.
	mac_override # unused by SELinux
	mac_admin # unused by SELinux
	syslog
	wake_alarm
	block_suspend
	audit_read
}
134
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
139
140
#
# Define the access vector interpretation for file-related objects.
#
144
class filesystem
{
	# Stands alone: the filesystem class inherits no common, unlike the
	# file-like classes that follow.
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
}
157
class dir
inherits file
{
	# Directory-specific additions on top of "common file".
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}
170
class file
inherits file
{
	# Additions for regular files on top of "common file"; chr_file
	# declares exactly the same five names.
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}
180
class lnk_file
inherits file
{
	# Same three additions as blk_file, sock_file and fifo_file.
	open
	audit_access
	execmod
}
188
class chr_file
inherits file
{
	# Character devices carry the same additions as the file class,
	# including the execute-related names.
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}
198
class blk_file
inherits file
{
	# Same three additions as lnk_file, sock_file and fifo_file.
	open
	audit_access
	execmod
}
206
class sock_file
inherits file
{
	# Same three additions as lnk_file, blk_file and fifo_file.
	open
	audit_access
	execmod
}
214
class fifo_file
inherits file
{
	# Same three additions as lnk_file, blk_file and sock_file.
	open
	audit_access
	execmod
}
222
class fd
{
	# File descriptor objects: a single permission, no common.
	use
}
227
228
#
# Define the access vector interpretation for network-related objects.
#
232
# Generic socket class: carries only "common socket", no additions.
class socket
inherits socket
235
class tcp_socket
inherits socket
{
	# Additions over "common socket"; dccp_socket declares the same pair.
	node_bind
	name_connect
}
242
class udp_socket
inherits socket
{
	# node_bind is the only addition, as for rawip_socket, sctp_socket
	# and icmp_socket.
	node_bind
}
248
class rawip_socket
inherits socket
{
	# node_bind is the only addition, as for udp_socket, sctp_socket
	# and icmp_socket.
	node_bind
}
254
class node
{
	# Network node objects: two permissions, no common.
	recvfrom
	sendto
}
260
class netif
{
	# Network interface objects: two permissions, no common.
	ingress
	egress
}
266
# The next three socket classes carry only "common socket".
class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket
275
class unix_stream_socket
inherits socket
{
	# connectto is the only addition over "common socket".
	connectto
}
281
# Carries only "common socket"; no datagram-specific additions.
class unix_dgram_socket
inherits socket
284
class bpf
{
	# BPF objects; no common. The map_* names presumably govern BPF
	# maps and the prog_* names BPF programs - confirm against the
	# kernel's bpf hooks.
	map_create
	map_read
	map_write
	prog_load
	prog_run
}
293
#
# Define the access vector interpretation for process-related objects.
#

class process
{
	# Process objects; no common. The signal permissions carry the
	# author's notes inline. getrlimit sits at the end rather than
	# next to setrlimit/rlimitinh because it was appended later.
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit
}
332
class process2
{
	# Overflow class for process permissions; no common.
	# NOTE(review): names suggest these control domain transitions
	# under no_new_privs and on nosuid mounts respectively - confirm
	# against the kernel before relying on that reading.
	nnp_transition
	nosuid_transition
}

#
# Define the access vector interpretation for ipc-related objects.
#

# ipc and sem carry only "common ipc"; msgq and shm below add one name each.
class ipc
inherits ipc

class sem
inherits ipc
348
class msgq
inherits ipc
{
	# enqueue is the only addition over "common ipc".
	enqueue
}
354
class msg
{
	# Individual message objects; no common, unlike msgq.
	send
	receive
}
360
class shm
inherits ipc
{
	# lock is the only addition over "common ipc".
	lock
}
366
367
#
# Define the access vector interpretation for the security server.
#
371
class security
{
	# Operations on the security server itself: policy loading, AVC
	# computations, enforcement and boolean toggles. No common.
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
	validate_trans
}
388
389
#
# Define the access vector interpretation for system operations.
#
393
class system
{
	# System-wide operations; no common. setenforce used to live here
	# as avc_toggle (see the note in the security class).
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
}
403
#
# Define the access vector interpretation for controlling capabilities.
#
407
# capability/capability2 carry "common cap"/"common cap2" unchanged.
# cap_userns/cap2_userns further down inherit the same two commons
# for the user-namespace case.
class capability
inherits cap

class capability2
inherits cap2
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500413
#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
	# nlmsg_read/nlmsg_write are added over "common socket", as for
	# netlink_tcpdiag_socket and netlink_xfrm_socket.
	nlmsg_read
	nlmsg_write
}
423
class netlink_tcpdiag_socket
inherits socket
{
	# Same two additions as netlink_route_socket and netlink_xfrm_socket.
	nlmsg_read
	nlmsg_write
}
430
# Carries only "common socket"; no nlmsg_* additions.
class netlink_nflog_socket
inherits socket
433
class netlink_xfrm_socket
inherits socket
{
	# Same two additions as netlink_route_socket and netlink_tcpdiag_socket.
	nlmsg_read
	nlmsg_write
}
440
# Carries only "common socket"; no nlmsg_* additions.
class netlink_selinux_socket
inherits socket
443
class netlink_audit_socket
inherits socket
{
	# The audit socket is the only netlink class with more than the
	# nlmsg_read/nlmsg_write pair.
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}
453
# Carries only "common socket"; no nlmsg_* additions.
class netlink_dnrt_socket
inherits socket
456
#
# Define the access vector interpretation for controlling
# access to IPSec network data by association.
#
class association
{
	# IPSec security association objects; no common.
	sendto
	recvfrom
	setcontext
	polmatch
}
467
# Updated Netlink class for the KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

# Carries only "common socket".
class appletalk_socket
inherits socket
474
class packet
{
	# Network packet objects; no common. flow_in/flow_out are still
	# declared but flagged deprecated inline - presumably retained so
	# existing policy keeps compiling.
	send
	recv
	relabelto
	flow_in # deprecated
	flow_out # deprecated
	forward_in
	forward_out
}
485
class key
{
	# Kernel key objects (distinct from key_socket); no common.
	view
	read
	write
	search
	link
	setattr
	create
}
496
class dccp_socket
inherits socket
{
	# Same two additions as tcp_socket.
	node_bind
	name_connect
}
503
class memprotect
{
	# Single permission, no common.
	mmap_zero
}
508
# Network peer labels.
class peer
{
	# Single permission, no common.
	recv
}
514
class kernel_service
{
	# Kernel-internal service objects; no common.
	use_as_override
	create_files_as
}
520
class tun_socket
inherits socket
{
	# attach_queue is the only addition over "common socket".
	attach_queue
}
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500526
class binder
{
	# Binder IPC objects; no common. This appears to be the Android
	# flavour of the file (property_service, service_manager and
	# keystore_key are declared further down).
	impersonate
	call
	set_context_mgr
	transfer
}
534
# Further netlink families; each carries only "common socket" with no
# nlmsg_* additions.
class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket
558
#
# Define the access vector interpretation for controlling capabilities
# in user namespaces.
#

# User-namespace counterparts of capability/capability2; they reuse the
# same commons, so the ordering constraint noted in "common cap" applies.
class cap_userns
inherits cap

class cap2_userns
inherits cap2
569

#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#

#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
class sctp_socket
inherits socket
{
	# Mirrors rawip_socket: node_bind is the only addition.
	node_bind
}
586
class icmp_socket
inherits socket
{
	# Mirrors rawip_socket: node_bind is the only addition.
	node_bind
}
592
#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#

# Each of the following carries only "common socket"; none declares
# class-specific permissions.
class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

class smc_socket
inherits socket

679
class property_service
{
	# Userspace object-manager class (Android property service);
	# a single permission, no common.
	set
}
Riley Spahnf90c41f2014-06-05 15:52:02 -0700684
class service_manager
{
	# Userspace object-manager class; hwservice_manager below declares
	# the same three names.
	add
	find
	list
}
Riley Spahn1196d2a2014-06-17 14:58:52 -0700691
class hwservice_manager
{
	# Same three permissions as service_manager.
	add
	find
	list
}
698
class keystore_key
{
	# Userspace object-manager class for keystore operations; no common.
	# Unlike "common cap", nothing on this page shows the order of these
	# names being significant, but keep appending at the end unless the
	# object manager is known to resolve permissions by name.
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
	gen_unique_id
}
Stephen Smalleyba992492014-07-24 15:25:43 -0400721
# Style note: this class puts the brace on the declaration line and uses
# camelCase permission names, unlike every other class in the file
# (presumably to match the service's method names).
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}
731}