#
# Define common prefixes for access vectors.  A "common" is a named set of
# permissions that several object classes share; a class pulls it in with
# "inherits common_name" and then appends its own class-specific permissions.
#
# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
#
# Permissions shared by every file-like object class.  Each "class ... inherits
# file" below (dir, file, lnk_file, chr_file, blk_file, sock_file, fifo_file)
# receives all of these before its own class-specific permissions.
#
# NOTE(review): the position of a permission in a class appears to fix its bit
# in the access vector (compare the "Order matters" note on the capability
# class).  Add new permissions at the end; do not reorder or insert.
#
common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom	# relabel away from this type (checked on the old label)
	relabelto	# relabel to this type (checked on the new label)
	append		# open for append-only write, distinct from write
	unlink
	link
	rename
	execute
	swapon		# object used as a swap area
	quotaon		# object used as a quota file
	mounton		# object used as a mount point
}
31
32
33#
34# Define a common prefix for socket access vectors.
35#
36
#
# Permissions shared by every socket class ("class ... inherits socket").
# The first ten mirror the head of "common file" so that the file-style
# operations keep the same names across file and socket objects; the rest are
# socket-specific operations.
#
common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind	# bind to a named/port object; tcp/udp/rawip/dccp add node_bind for the address side
}
64
65#
66# Define a common prefix for ipc access vectors.
67#
68
#
# Permissions shared by the System V IPC classes (ipc, sem, msgq, shm).
# unix_read / unix_write sit alongside read / write so that the classic
# Unix permission-bit checks on IPC objects remain separately controllable.
#
common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}
81
82#
# Define the access vectors (object classes).
#
# class class_name [ inherits common_name ] { permission_name ... }
86
87
88#
89# Define the access vector interpretation for file-related objects.
90#
91
#
# A mounted filesystem as a whole (as opposed to the files on it).
# transition / associate govern which file labels may live on the filesystem;
# quotamod / quotaget split quota administration from quota inspection.
#
class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}
105
#
# Directory objects: "common file" plus directory-entry operations.
# add_name / remove_name are checked on the parent directory when an entry is
# created or removed, in addition to the create / unlink check on the entry.
# search is needed to traverse the directory; open and audit_access are the
# same additions the other file classes carry.
#
class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}
118
#
# Regular files: "common file" plus executable-related permissions.
# execute_no_trans: run the file without a domain transition.
# entrypoint: the file may serve as the entry point into a domain on exec.
# execmod: make a modified (e.g. text-relocated) private mapping executable;
# typically denied so that code cannot be patched in memory and then run.
#
class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}
128
#
# Symbolic links: "common file" plus the common open / audit_access / execmod
# trio carried by every non-regular file class here.
#
class lnk_file
inherits file
{
	open
	audit_access
	execmod
}
136
#
# Character device nodes.  Deliberately carries the same execute-related
# permissions as "class file" (execute_no_trans, entrypoint, execmod), since a
# character device can be mapped or executed like a regular file.
#
class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}
146
#
# Block device nodes: "common file" plus open / audit_access / execmod.
#
class blk_file
inherits file
{
	open
	audit_access
	execmod
}
154
#
# Unix-domain socket files in the filesystem (the inode, not the socket
# endpoint; the endpoint is covered by unix_stream_socket / unix_dgram_socket).
#
class sock_file
inherits file
{
	open
	audit_access
	execmod
}
162
#
# Named pipes (FIFOs): "common file" plus open / audit_access / execmod.
#
class fifo_file
inherits file
{
	open
	audit_access
	execmod
}
170
#
# File descriptors as objects in their own right.  "use" controls whether a
# domain may make use of a descriptor that was created (and labeled) by another
# domain, e.g. one inherited across exec or passed over a socket.
#
class fd
{
	use
}
175
176
177#
178# Define the access vector interpretation for network-related objects.
179#
180
#
# Generic socket class: exactly the "common socket" permissions, used for
# socket families that have no class of their own in this file.
#
class socket
inherits socket
183
#
# TCP sockets.  Beyond "common socket":
# connectto / newconn / acceptfrom: connection-level checks between peers.
# node_bind: bind to a labeled node (address), complementing name_bind (port).
# name_connect: connect to a labeled port; this is the usual control point for
# restricting which outbound ports a domain may reach.
#
class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
	node_bind
	name_connect
}
193
#
# UDP sockets: "common socket" plus node_bind (bind to a labeled address).
# Note there is no name_connect here; only tcp_socket and dccp_socket have it.
#
class udp_socket
inherits socket
{
	node_bind
}
199
#
# Raw IP sockets: "common socket" plus node_bind.  Creating these normally also
# requires the net_raw capability (see "class capability").
#
class rawip_socket
inherits socket
{
	node_bind
}
205
#
# Network nodes (IP addresses / subnets).  The per-protocol *_recv / *_send
# pairs and enforce_dest are the older labeled-networking controls; recvfrom /
# sendto are the generic replacements that newer policy uses.
#
class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
	dccp_recv
	dccp_send
	recvfrom
	sendto
}
220
#
# Network interfaces.  Like "class node", the per-protocol *_recv / *_send
# permissions are the older controls; ingress / egress are the generic
# per-interface packet controls.
#
class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	dccp_recv
	dccp_send
	ingress
	egress
}
234
#
# Socket classes that carry no permissions beyond "common socket".
# netlink_socket is the generic netlink class; the netlink families that need
# finer control (nlmsg_read / nlmsg_write etc.) get dedicated classes under
# "Extended Netlink classes" below.
#
class netlink_socket
inherits socket

# AF_PACKET sockets (raw link-layer access; normally also needs net_raw).
class packet_socket
inherits socket

# AF_KEY sockets (IPsec key management).
class key_socket
inherits socket
243
#
# Unix-domain stream sockets: "common socket" plus connection-level checks.
# connectto is checked on the listening socket's label when a client connects,
# which is the primary way policy restricts which domains may talk to a local
# server; newconn / acceptfrom cover the server side.
#
class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}
251
#
# Unix-domain datagram sockets: exactly "common socket".  Since there is no
# connection, sendto on the destination socket label is the relevant control.
#
class unix_dgram_socket
inherits socket
254
255#
256# Define the access vector interpretation for process-related objects
257#
258
#
# Process objects (the target is the process/domain being acted upon).
#
# Security-relevant groupings, from the permission names:
#  - transition / dyntransition / setcurrent: change the domain, on exec or
#    (for the latter two) without an exec.  These are the domain-transition
#    controls and should be granted only along intended transitions.
#  - ptrace: trace/inspect another process; effectively full control of it.
#  - execmem / execstack / execheap: anonymous executable memory, executable
#    stack, executable heap.  Denying these enforces a W^X-style discipline.
#  - setexec / setfscreate / setkeycreate / setsockcreate: set the contexts
#    applied to the next exec / created files / keys / sockets.
#  - noatsecure / siginh / rlimitinh: control what is passed across a domain
#    transition (secure-exec handling, pending signals, rlimits).
#
class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share	# NOTE(review): presumably sharing state (e.g. via clone flags) with another domain -- confirm
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
}
292
293
294#
295# Define the access vector interpretation for ipc-related objects
296#
297
#
# Generic System V IPC object: exactly "common ipc".
#
class ipc
inherits ipc

# Semaphore sets: exactly "common ipc".
class sem
inherits ipc
303
#
# Message queues: "common ipc" plus enqueue (placing a message on the queue;
# the message itself is checked through "class msg").
#
class msgq
inherits ipc
{
	enqueue
}
309
#
# Individual messages on a message queue.  Unlike the other IPC classes this
# does not inherit "common ipc": a message is only ever sent or received.
#
class msg
{
	send
	receive
}
315
#
# Shared memory segments: "common ipc" plus lock (pinning the segment in
# memory, which normally also needs the ipc_lock capability).
#
class shm
inherits ipc
{
	lock
}
321
322
323#
324# Define the access vector interpretation for the security server.
325#
326
#
# Operations on the security server itself (the in-kernel policy engine).
#
# The compute_* and check_context permissions are queries; the remaining ones
# are administrative and are the most privileged permissions in this file:
# load_policy replaces the running policy, setenforce switches enforcing mode,
# setbool / setsecparam / setcheckreqprot alter how it is evaluated.  Granting
# any of these to a domain effectively lets that domain disable the MAC
# system, so they should be confined to the policy-loading init domain.
# read_policy allows reading the loaded policy back out of the kernel.
#
class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}
342
343
344#
345# Define the access vector interpretation for system operations.
346#
347
#
# System-wide operations with no more specific object.
# syslog_read / syslog_mod / syslog_console split reading the kernel log from
# clearing it and from changing console logging.  module_request is checked
# when the kernel would auto-load a module on behalf of a process.
#
class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
}
356
357#
358# Define the access vector interpretation for controling capabilies
359#
360
#
# Linux capabilities 0..31, one permission per capability.  SELinux checks
# the permission here in addition to the normal capability check, so a domain
# needs both the capability and this permission to use it.
#
class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the capability2 class.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# The list position is the capability number: chown is CAP_CHOWN (0),
	# dac_override is 1, ..., setfcap is the last of the first 32.  A new
	# capability must be appended in numeric order; inserting one anywhere
	# else would silently shift every later permission onto the wrong
	# capability without any policy-compile error.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}
401
#
# Linux capabilities 32 and up (see the note on "class capability").  The
# first entry here corresponds to capability number 32, so the same ordering
# rule applies: append in numeric order, never insert.  mac_override and
# mac_admin keep their slots even though SELinux does not use them, so that
# the later entries stay aligned with include/linux/capability.h.
#
class capability2
{
	mac_override # unused by SELinux
	mac_admin # unused by SELinux
	syslog
	wake_alarm
	block_suspend
}
410
411#
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500412# Extended Netlink classes
413#
#
# NETLINK_ROUTE sockets (interface, address and routing configuration).
# nlmsg_read / nlmsg_write distinguish querying from modifying the tables.
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
420
#
# NETLINK_FIREWALL sockets (legacy ipchains-era firewall family).
#
class netlink_firewall_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
427
#
# NETLINK_INET_DIAG / tcpdiag sockets (socket-state inspection, e.g. what
# "ss" uses).  nlmsg_read exposes every socket on the system to the reader.
#
class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
434
#
# NETLINK_NFLOG sockets: no extra permissions beyond "common socket".
#
class netlink_nflog_socket
inherits socket
437
#
# NETLINK_XFRM sockets (IPsec SA/SP configuration).  nlmsg_write here means
# installing or altering IPsec state, so it should be tightly confined.
#
class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
444
#
# NETLINK_SELINUX sockets (kernel -> userspace SELinux notifications, e.g.
# enforcing-mode and policy-load events): exactly "common socket".
#
class netlink_selinux_socket
inherits socket
447
#
# NETLINK_AUDIT sockets.  Beyond read/write of audit configuration:
# nlmsg_relay: submit userspace audit records through the kernel.
# nlmsg_readpriv: read privileged audit data.
# nlmsg_tty_audit: control TTY auditing.
# Write access here lets a domain reconfigure or silence the audit trail,
# so it belongs only to the audit daemon / its equivalent.
#
class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}
457
#
# NETLINK_IP6_FW sockets (legacy IPv6 firewall family).
#
class netlink_ip6fw_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
464
#
# NETLINK_DNRTMSG sockets (DECnet routing): exactly "common socket".
#
class netlink_dnrt_socket
inherits socket
467
# Define the access vector interpretation for controlling
# access to IPsec network data by security association.
#
#
# IPsec security associations.  sendto / recvfrom gate traffic through an
# association; setcontext allows labeling an SA; polmatch controls whether a
# domain's traffic may match a labeled IPsec policy.
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}
478
# Updated Netlink class for the NETLINK_KOBJECT_UEVENT family (device
# hotplug events, as consumed by ueventd): exactly "common socket".
class netlink_kobject_uevent_socket
inherits socket

# AF_APPLETALK sockets: exactly "common socket".
class appletalk_socket
inherits socket
485
#
# Labeled network packets (secmark).  send / recv are the primary controls;
# relabelto allows assigning a packet label; forward_in / forward_out cover
# forwarded traffic.  flow_in / flow_out are retained only so that existing
# bit positions stay stable -- do not use them in new policy.
#
class packet
{
	send
	recv
	relabelto
	flow_in # deprecated
	flow_out # deprecated
	forward_in
	forward_out
}
496
#
# Kernel keyring keys (the keyctl/keyring facility, not keystore).
# view / read / search / link / setattr / create map to the corresponding
# keyring operations; write allows updating or instantiating the key.
#
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}
507
#
# DCCP sockets: "common socket" plus node_bind and name_connect, mirroring
# the connection-oriented controls of tcp_socket.
#
class dccp_socket
inherits socket
{
	node_bind
	name_connect
}
514
#
# Memory protection policy.  mmap_zero: permission to map the low end of the
# address space (the zero page).  NOTE(review): presumably checked when a
# mapping would fall below the kernel's mmap_min_addr -- confirm.  Mapping
# page zero is the classic primitive for exploiting kernel NULL-pointer
# dereferences, so this should stay unallowed except for known-needy domains.
#
class memprotect
{
	mmap_zero
}
519
# Network peer labels (labeled networking: NetLabel / labeled IPsec).
#
# The label of the remote peer a packet came from.  recv: the receiving
# domain may accept traffic from a peer with this label.
#
class peer
{
	recv
}
525
#
# In-kernel services acting on behalf of a userspace process.
# use_as_override: the kernel service may act with this domain's credentials.
# create_files_as: files created by the service get this domain's label.
#
class kernel_service
{
	use_as_override
	create_files_as
}
531
#
# TUN/TAP device sockets: "common socket" plus attach_queue, which controls
# attaching to an existing multi-queue TUN device's queue.
#
class tun_socket
inherits socket
{
	attach_queue
}
#
# Android Binder IPC (not part of upstream SELinux; this class is
# Android-specific).
# call: make a binder call into the target domain.
# transfer: pass a binder reference to the target domain.
# set_context_mgr: register as the context manager (servicemanager); only
#   one process may hold this role, so the permission should be granted to
#   exactly one domain.
# impersonate: perform binder work on behalf of another domain; this bypasses
#   the normal caller-identity check and must be granted very sparingly.
#
class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}
545
#
# Android system properties (Android-specific class).  set: the domain may
# write properties of the target property label.  Since many properties
# (ro.*, ctl.*, persist.*) drive init and security behaviour, property labels
# should be split finely enough that set is not granted broadly.
#
class property_service
{
	set
}
#
# Android servicemanager (Android-specific class).
# add: register a service under a name of the target label.  A domain allowed
#   to add a given service name can stand in for that service to every
#   client, so add should be granted only to the legitimate implementor.
# find: look up a service by name.
# list: enumerate registered services.
#
class service_manager
{
	add
	find
	list
}
#
# Android keystore operations (Android-specific class; one permission per
# keystore binder method).  Operations that affect every key or the store's
# own state -- reset, password, lock, unlock, clear_uid, user_changed -- are
# administrative and should be limited to system_server-like domains; the
# per-key operations (get, insert, delete, sign, verify, ...) are what normal
# clients need.  grant and duplicate let a caller extend access to a key and
# so widen the key's effective audience.
#
class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
}
#
# Android debuggerd requests (Android-specific class).  The target is the
# process being dumped: dump_tombstone writes a full crash dump, dump_backtrace
# only a stack trace.  Both expose the target's memory/state, so the requester
# should not be granted them on arbitrary domains.
#
class debuggerd
{
	dump_tombstone
	dump_backtrace
}
#
# Android DRM service operations (Android-specific class; one permission per
# drmserver binder method).  Brace placement normalised to match the rest of
# this file.  Permission order is unchanged.
#
class drmservice
{
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}
595}