#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

# Permissions shared by the file-like classes declared further down: dir,
# file, lnk_file, chr_file, blk_file, sock_file and fifo_file all
# "inherits file" and then add their own class-specific permissions.
common file
{
 ioctl
 read
 write
 create
 getattr
 setattr
 lock
 relabelfrom
 relabelto
 append
 unlink
 link
 rename
 execute
 quotaon
 mounton
}
30
31
#
# Define a common prefix for socket access vectors.
#

# Permissions shared by every class below that "inherits socket". The first
# ten names repeat the head of the file common (see the inline comment); the
# remainder are socket-specific operations.
common socket
{
# inherited from file
 ioctl
 read
 write
 create
 getattr
 setattr
 lock
 relabelfrom
 relabelto
 append
# socket-specific
 bind
 connect
 listen
 accept
 getopt
 setopt
 shutdown
 recvfrom
 sendto
 name_bind
}
61
#
# Define a common prefix for ipc access vectors.
#

# Permissions shared by the ipc, sem, msgq and shm classes below, which all
# "inherits ipc".
common ipc
{
 create
 destroy
 getattr
 setattr
 read
 write
 associate
 unix_read
 unix_write
}
78
#
# Define a common prefix for capability access vectors.
#
# Shared by the capability and cap_userns classes below. Each name's position
# in this list is its capability number, so the list must stay in lockstep
# with include/linux/capability.h: 32 names here, positions 0 through 31;
# inserting, removing or reordering an entry would shift every later one.
common cap
{
 # The capabilities are defined in include/linux/capability.h
 # Capabilities >= 32 are defined in the cap2 common.
 # Care should be taken to ensure that these are consistent with
 # those definitions. (Order matters)

 chown
 dac_override
 dac_read_search
 fowner
 fsetid
 kill
 setgid
 setuid
 setpcap
 linux_immutable
 net_bind_service
 net_broadcast
 net_admin
 net_raw
 ipc_lock
 ipc_owner
 sys_module
 sys_rawio
 sys_chroot
 sys_ptrace
 sys_pacct
 sys_admin
 sys_boot
 sys_nice
 sys_resource
 sys_time
 sys_tty_config
 mknod
 lease
 audit_write
 audit_control
 setfcap
}
122
# Continuation of the cap common for capabilities numbered 32 and up; shared
# by the capability2 and cap2_userns classes below. The same ordering
# constraint applies: the position here (presumably offset by 32) must match
# include/linux/capability.h. The two "unused" entries are kept so the later
# positions stay stable.
common cap2
{
 mac_override # unused by SELinux
 mac_admin # unused by SELinux
 syslog
 wake_alarm
 block_suspend
 audit_read
}
132
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

# No common is inherited here; the full permission set is listed explicitly.
class filesystem
{
 mount
 remount
 unmount
 getattr
 relabelfrom
 relabelto
 associate
 quotamod
 quotaget
}
155
# Inherits every permission of the file common and adds the directory-specific
# ones below. Unlike class file and chr_file it has no execute_no_trans or
# entrypoint.
class dir
inherits file
{
 add_name
 remove_name
 reparent
 search
 rmdir
 open
 audit_access
 execmod
}
168
# Inherits the file common. execute_no_trans and entrypoint are the additions
# that distinguish this class (and chr_file) from the other file-like classes.
class file
inherits file
{
 execute_no_trans
 entrypoint
 execmod
 open
 audit_access
}
178
# Inherits the file common; adds only open, audit_access and execmod.
class lnk_file
inherits file
{
 open
 audit_access
 execmod
}
186
# Inherits the file common; carries the same additions as class file
# (execute_no_trans, entrypoint, execmod, open, audit_access).
class chr_file
inherits file
{
 execute_no_trans
 entrypoint
 execmod
 open
 audit_access
}
196
# Inherits the file common; adds only open, audit_access and execmod.
class blk_file
inherits file
{
 open
 audit_access
 execmod
}
204
# Inherits the file common; adds only open, audit_access and execmod.
class sock_file
inherits file
{
 open
 audit_access
 execmod
}
212
# Inherits the file common; adds only open, audit_access and execmod.
class fifo_file
inherits file
{
 open
 audit_access
 execmod
}
220
# File descriptor class: no common, a single permission.
class fd
{
 use
}
225
226
#
# Define the access vector interpretation for network-related objects.
#

# Generic socket class; no permissions beyond the socket common.
class socket
inherits socket
233
# Inherits the socket common; node_bind and name_connect are the additions
# (the same pair dccp_socket declares further down).
class tcp_socket
inherits socket
{
 node_bind
 name_connect
}
240
# Inherits the socket common; node_bind is the only addition.
class udp_socket
inherits socket
{
 node_bind
}
246
# Inherits the socket common; node_bind is the only addition.
class rawip_socket
inherits socket
{
 node_bind
}
252
# Network node class: no common, two permissions.
class node
{
 recvfrom
 sendto
}
258
# Network interface class: no common, two permissions.
class netif
{
 ingress
 egress
}
264
# Three socket classes with no permissions beyond the socket common.
class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket
273
# Inherits the socket common; connectto is the only addition.
class unix_stream_socket
inherits socket
{
 connectto
}
279
# No permissions beyond the socket common.
class unix_dgram_socket
inherits socket
282
#
# Define the access vector interpretation for process-related objects
#

# Process class: no common is inherited. The signal permissions carry their
# own inline notes.
# NOTE(review): ptrace, execmem/execstack/execheap, dyntransition and
# setcurrent presumably govern debugging, executable memory and in-place
# domain changes, which is why hardening policies tend to restrict them;
# confirm against the policy documentation before relying on that reading.
class process
{
 fork
 transition
 sigchld # commonly granted from child to parent
 sigkill # cannot be caught or ignored
 sigstop # cannot be caught or ignored
 signull # for kill(pid, 0)
 signal # all other signals
 ptrace
 getsched
 setsched
 getsession
 getpgid
 setpgid
 getcap
 setcap
 share
 getattr
 setexec
 setfscreate
 noatsecure
 siginh
 setrlimit
 rlimitinh
 dyntransition
 setcurrent
 execmem
 execstack
 execheap
 setkeycreate
 setsockcreate
}
320
321
#
# Define the access vector interpretation for ipc-related objects
#

# ipc and sem: no permissions beyond the ipc common.
class ipc
inherits ipc

class sem
inherits ipc
331
# Inherits the ipc common; enqueue is the only addition.
class msgq
inherits ipc
{
 enqueue
}
337
# Message class: no common, two permissions.
class msg
{
 send
 receive
}
343
# Inherits the ipc common; lock is the only addition.
class shm
inherits ipc
{
 lock
}
349
350
#
# Define the access vector interpretation for the security server.
#

# Security server class: no common is inherited.
# NOTE(review): load_policy, setenforce (formerly avc_toggle, per the inline
# comment), setbool and setcheckreqprot presumably govern changes to the
# policy and enforcement state itself, so any domain granted them deserves
# close review; confirm against the security server's checks.
class security
{
 compute_av
 compute_create
 compute_member
 check_context
 load_policy
 compute_relabel
 compute_user
 setenforce # was avc_toggle in system class
 setbool
 setsecparam
 setcheckreqprot
 read_policy
}
370
371
#
# Define the access vector interpretation for system operations.
#

# System operations class: no common is inherited.
class system
{
 ipc_info
 syslog_read
 syslog_mod
 syslog_console
 module_request
 module_load
}
385
#
# Define the access vector interpretation for controlling capabilities
#

# The capability classes take their permission lists from the cap and cap2
# commons above, which cap_userns and cap2_userns (below) share.
class capability
inherits cap

class capability2
inherits cap2

Stephen Smalley2dd4e512012-01-04 12:33:27 -0500395
#
# Extended Netlink classes
#
# Inherits the socket common; adds nlmsg_read and nlmsg_write.
class netlink_route_socket
inherits socket
{
 nlmsg_read
 nlmsg_write
}
405
# Inherits the socket common; adds nlmsg_read and nlmsg_write.
class netlink_firewall_socket
inherits socket
{
 nlmsg_read
 nlmsg_write
}
412
# Inherits the socket common; adds nlmsg_read and nlmsg_write.
class netlink_tcpdiag_socket
inherits socket
{
 nlmsg_read
 nlmsg_write
}
419
# No permissions beyond the socket common.
class netlink_nflog_socket
inherits socket
422
# Inherits the socket common; adds nlmsg_read and nlmsg_write.
class netlink_xfrm_socket
inherits socket
{
 nlmsg_read
 nlmsg_write
}
429
# No permissions beyond the socket common.
class netlink_selinux_socket
inherits socket
432
# Inherits the socket common; carries the largest netlink-specific set in
# this file (five nlmsg_* permissions).
class netlink_audit_socket
inherits socket
{
 nlmsg_read
 nlmsg_write
 nlmsg_relay
 nlmsg_readpriv
 nlmsg_tty_audit
}
442
# Inherits the socket common; adds nlmsg_read and nlmsg_write.
class netlink_ip6fw_socket
inherits socket
{
 nlmsg_read
 nlmsg_write
}
449
# No permissions beyond the socket common.
class netlink_dnrt_socket
inherits socket
452
#
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
# IPSec association class (see the section comment above): no common, four
# permissions.
class association
{
 sendto
 recvfrom
 setcontext
 polmatch
}
463
# Updated Netlink class for KOBJECT_UEVENT family.
# Two socket classes with no permissions beyond the socket common.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket
470
# Packet class: no common is inherited. flow_in and flow_out remain listed
# despite being marked deprecated, presumably so the later permissions keep
# their positions.
class packet
{
 send
 recv
 relabelto
 flow_in # deprecated
 flow_out # deprecated
 forward_in
 forward_out
}
481
# Key class: no common, seven permissions.
class key
{
 view
 read
 write
 search
 link
 setattr
 create
}
492
# Inherits the socket common; same additions as tcp_socket (node_bind,
# name_connect).
class dccp_socket
inherits socket
{
 node_bind
 name_connect
}
499
# No common; a single permission.
class memprotect
{
 mmap_zero
}
504
# network peer labels
# Network peer class: no common, a single permission.
class peer
{
 recv
}
510
# Kernel service class: no common, two permissions.
class kernel_service
{
 use_as_override
 create_files_as
}
516
# Inherits the socket common; attach_queue is the only addition.
class tun_socket
inherits socket
{
 attach_queue
}
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500522
# Binder class: no common is inherited.
# NOTE(review): set_context_mgr presumably gates who may register as the
# binder context manager, a single privileged role; confirm against the
# binder driver's check before treating it that way in policy review.
class binder
{
 impersonate
 call
 set_context_mgr
 transfer
}
530
# Additional netlink families, all with no permissions beyond the socket
# common.
class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket
554
#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#

# Reuse the cap and cap2 commons so the user-namespace capability classes
# mirror capability and capability2 exactly, entry for entry.
class cap_userns
inherits cap

class cap2_userns
inherits cap2

565
# Property service class: no common, a single permission.
# NOTE(review): presumably checked by a userspace object manager rather than
# the kernel; confirm which daemon performs the check.
class property_service
{
 set
}
Riley Spahnf90c41f2014-06-05 15:52:02 -0700570
# Service manager class: no common, three permissions.
# NOTE(review): presumably checked by a userspace object manager rather than
# the kernel; confirm which daemon performs the check.
class service_manager
{
 add
 find
 list
}
Riley Spahn1196d2a2014-06-17 14:58:52 -0700577
# Keystore key class: no common is inherited.
# NOTE(review): presumably checked by a userspace object manager rather than
# the kernel; confirm which daemon performs the check.
class keystore_key
{
 get_state
 get
 insert
 delete
 exist
 list
 reset
 password
 lock
 unlock
 is_empty
 sign
 verify
 grant
 duplicate
 clear_uid
 add_auth
 user_changed
}
Stephen Smalleyba992492014-07-24 15:25:43 -0400599
# DRM service class: no common is inherited.
# NOTE(review): presumably checked by a userspace object manager rather than
# the kernel; confirm which daemon performs the check. Style: the opening
# brace sits on the class line and the permission names are camelCase,
# unlike every other class in this file (separate-line brace, snake_case).
class drmservice {
 consumeRights
 setPlaybackStatus
 openDecryptSession
 closeDecryptSession
 initializeDecryptUnit
 decrypt
 finalizeDecryptUnit
 pread
}