Blame - private/access_vectors - android_system_sepolicy

blob: 22f2ffa1df01c7647b015b5e110ee4e09945e799 [file] [log] [blame]

Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	1	#
				2	# Define common prefixes for access vectors
				3	#
				4	# common common_name { permission_name ... }
				5
				6
				7	#
				8	# Define a common prefix for file access vectors.
				9	#
				10
				11	common file
				12	{
				13	ioctl
				14	read
				15	write
				16	create
				17	getattr
				18	setattr
				19	lock
				20	relabelfrom
				21	relabelto
				22	append
Stephen Smalley	4397f08	2017-07-10 09:32:10 -0400	[diff] [blame]	23	map
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	24	unlink
				25	link
				26	rename
				27	execute
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	28	quotaon
				29	mounton
Stephen Smalley	cd62a4a	2020-01-14 14:27:45 -0500	[diff] [blame]	30	audit_access
				31	open
				32	execmod
				33	watch
				34	watch_mount
				35	watch_sb
				36	watch_with_perm
				37	watch_reads
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	38	}
				39
				40
				41	#
				42	# Define a common prefix for socket access vectors.
				43	#
				44
				45	common socket
				46	{
				47	# inherited from file
				48	ioctl
				49	read
				50	write
				51	create
				52	getattr
				53	setattr
				54	lock
				55	relabelfrom
				56	relabelto
				57	append
Stephen Smalley	4397f08	2017-07-10 09:32:10 -0400	[diff] [blame]	58	map
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	59	# socket-specific
				60	bind
				61	connect
				62	listen
				63	accept
				64	getopt
				65	setopt
				66	shutdown
				67	recvfrom
				68	sendto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	69	name_bind
				70	}
				71
				72	#
				73	# Define a common prefix for ipc access vectors.
				74	#
				75
				76	common ipc
				77	{
				78	create
				79	destroy
				80	getattr
				81	setattr
				82	read
				83	write
				84	associate
				85	unix_read
				86	unix_write
				87	}
				88
				89	#
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	90	# Define a common for capability access vectors.
				91	#
				92	common cap
				93	{
				94	# The capabilities are defined in include/linux/capability.h
				95	# Capabilities >= 32 are defined in the cap2 common.
				96	# Care should be taken to ensure that these are consistent with
				97	# those definitions. (Order matters)
				98
				99	chown
				100	dac_override
				101	dac_read_search
				102	fowner
				103	fsetid
				104	kill
				105	setgid
				106	setuid
				107	setpcap
				108	linux_immutable
				109	net_bind_service
				110	net_broadcast
				111	net_admin
				112	net_raw
				113	ipc_lock
				114	ipc_owner
				115	sys_module
				116	sys_rawio
				117	sys_chroot
				118	sys_ptrace
				119	sys_pacct
				120	sys_admin
				121	sys_boot
				122	sys_nice
				123	sys_resource
				124	sys_time
				125	sys_tty_config
				126	mknod
				127	lease
				128	audit_write
				129	audit_control
				130	setfcap
				131	}
				132
				133	common cap2
				134	{
				135	mac_override # unused by SELinux
Stephen Smalley	8715460	2020-01-16 10:29:15 -0500	[diff] [blame]	136	mac_admin
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	137	syslog
				138	wake_alarm
				139	block_suspend
				140	audit_read
Alistair Delva	178f0ac	2020-06-05 10:15:30 -0700	[diff] [blame]	141	perfmon
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	142	}
				143
				144	#
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	145	# Define the access vectors.
				146	#
				147	# class class_name [ inherits common_name ] { permission_name ... }
				148
				149
				150	#
				151	# Define the access vector interpretation for file-related objects.
				152	#
				153
				154	class filesystem
				155	{
				156	mount
				157	remount
				158	unmount
				159	getattr
				160	relabelfrom
				161	relabelto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	162	associate
				163	quotamod
				164	quotaget
Nick Kralevich	dddbaaf	2019-08-27 15:29:02 -0700	[diff] [blame]	165	watch
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	166	}
				167
				168	class dir
				169	inherits file
				170	{
				171	add_name
				172	remove_name
				173	reparent
				174	search
				175	rmdir
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	176	}
				177
				178	class file
				179	inherits file
				180	{
				181	execute_no_trans
				182	entrypoint
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	183	}
				184
Lokesh Gidra	06edcd8	2021-03-11 11:32:47 -0800	[diff] [blame]	185	class anon_inode
				186	inherits file
				187
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	188	class lnk_file
				189	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	190
				191	class chr_file
				192	inherits file
				193	{
				194	execute_no_trans
				195	entrypoint
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	196	}
				197
				198	class blk_file
				199	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	200
				201	class sock_file
				202	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	203
				204	class fifo_file
				205	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	206
				207	class fd
				208	{
				209	use
				210	}
				211
				212
				213	#
				214	# Define the access vector interpretation for network-related objects.
				215	#
				216
				217	class socket
				218	inherits socket
				219
				220	class tcp_socket
				221	inherits socket
				222	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	223	node_bind
				224	name_connect
				225	}
				226
				227	class udp_socket
				228	inherits socket
				229	{
				230	node_bind
				231	}
				232
				233	class rawip_socket
				234	inherits socket
				235	{
				236	node_bind
				237	}
				238
				239	class node
				240	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	241	recvfrom
				242	sendto
				243	}
				244
				245	class netif
				246	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	247	ingress
				248	egress
				249	}
				250
				251	class netlink_socket
				252	inherits socket
				253
				254	class packet_socket
				255	inherits socket
				256
				257	class key_socket
				258	inherits socket
				259
				260	class unix_stream_socket
				261	inherits socket
				262	{
				263	connectto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	264	}
				265
				266	class unix_dgram_socket
				267	inherits socket
				268
				269	#
				270	# Define the access vector interpretation for process-related objects
				271	#
				272
				273	class process
				274	{
				275	fork
				276	transition
				277	sigchld # commonly granted from child to parent
				278	sigkill # cannot be caught or ignored
				279	sigstop # cannot be caught or ignored
				280	signull # for kill(pid, 0)
				281	signal # all other signals
				282	ptrace
				283	getsched
				284	setsched
				285	getsession
				286	getpgid
				287	setpgid
				288	getcap
				289	setcap
				290	share
				291	getattr
				292	setexec
				293	setfscreate
				294	noatsecure
				295	siginh
				296	setrlimit
				297	rlimitinh
				298	dyntransition
				299	setcurrent
				300	execmem
				301	execstack
				302	execheap
				303	setkeycreate
				304	setsockcreate
Stephen Smalley	91a3eea	2017-05-17 12:12:12 -0400	[diff] [blame]	305	getrlimit
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	306	}
				307
Nick Kralevich	1b1d133	2018-09-07 10:48:55 -0700	[diff] [blame]	308	class process2
				309	{
				310	nnp_transition
				311	nosuid_transition
				312	}
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	313
				314	#
				315	# Define the access vector interpretation for ipc-related objects
				316	#
				317
				318	class ipc
				319	inherits ipc
				320
				321	class sem
				322	inherits ipc
				323
				324	class msgq
				325	inherits ipc
				326	{
				327	enqueue
				328	}
				329
				330	class msg
				331	{
				332	send
				333	receive
				334	}
				335
				336	class shm
				337	inherits ipc
				338	{
				339	lock
				340	}
				341
				342
				343	#
				344	# Define the access vector interpretation for the security server.
				345	#
				346
				347	class security
				348	{
				349	compute_av
				350	compute_create
				351	compute_member
				352	check_context
				353	load_policy
				354	compute_relabel
				355	compute_user
				356	setenforce # was avc_toggle in system class
				357	setbool
				358	setsecparam
				359	setcheckreqprot
				360	read_policy
Stephen Smalley	5099231	2017-07-10 14:45:15 -0400	[diff] [blame]	361	validate_trans
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	362	}
				363
				364
				365	#
				366	# Define the access vector interpretation for system operations.
				367	#
				368
				369	class system
				370	{
				371	ipc_info
				372	syslog_read
				373	syslog_mod
				374	syslog_console
				375	module_request
Jeff Vander Stoep	a16b058	2016-04-07 11:06:05 -0700	[diff] [blame]	376	module_load
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	377	}
				378
				379	#
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	380	# Define the access vector interpretation for controlling capabilities
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	381	#
				382
				383	class capability
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	384	inherits cap
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	385
				386	class capability2
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	387	inherits cap2
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	388
				389	#
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	390	# Extended Netlink classes
				391	#
				392	class netlink_route_socket
				393	inherits socket
				394	{
				395	nlmsg_read
				396	nlmsg_write
Jeff Vander Stoep	fb69c8e	2019-10-16 15:19:40 +0200	[diff] [blame]	397	nlmsg_readpriv
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	398	}
				399
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	400	class netlink_tcpdiag_socket
				401	inherits socket
				402	{
				403	nlmsg_read
				404	nlmsg_write
				405	}
				406
				407	class netlink_nflog_socket
				408	inherits socket
				409
				410	class netlink_xfrm_socket
				411	inherits socket
				412	{
				413	nlmsg_read
				414	nlmsg_write
				415	}
				416
				417	class netlink_selinux_socket
				418	inherits socket
				419
				420	class netlink_audit_socket
				421	inherits socket
				422	{
				423	nlmsg_read
				424	nlmsg_write
				425	nlmsg_relay
				426	nlmsg_readpriv
				427	nlmsg_tty_audit
				428	}
				429
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	430	class netlink_dnrt_socket
				431	inherits socket
				432
				433	# Define the access vector interpretation for controlling
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	434	# access to IPSec network data by association
				435	#
				436	class association
				437	{
				438	sendto
				439	recvfrom
				440	setcontext
				441	polmatch
				442	}
				443
				444	# Updated Netlink class for KOBJECT_UEVENT family.
				445	class netlink_kobject_uevent_socket
				446	inherits socket
				447
				448	class appletalk_socket
				449	inherits socket
				450
				451	class packet
				452	{
				453	send
				454	recv
				455	relabelto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	456	forward_in
				457	forward_out
				458	}
				459
				460	class key
				461	{
				462	view
				463	read
				464	write
				465	search
				466	link
				467	setattr
				468	create
				469	}
				470
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	471	class dccp_socket
				472	inherits socket
				473	{
				474	node_bind
				475	name_connect
				476	}
				477
				478	class memprotect
				479	{
				480	mmap_zero
				481	}
				482
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	483	# network peer labels
				484	class peer
				485	{
				486	recv
				487	}
				488
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	489	class kernel_service
				490	{
				491	use_as_override
				492	create_files_as
				493	}
				494
				495	class tun_socket
				496	inherits socket
Nick Kralevich	d7af45d	2014-06-06 16:51:11 -0700	[diff] [blame]	497	{
				498	attach_queue
				499	}
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	500
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	501	class binder
				502	{
				503	impersonate
				504	call
				505	set_context_mgr
				506	transfer
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	507	}
				508
Stephen Smalley	01d95c2	2015-05-21 16:17:26 -0400	[diff] [blame]	509	class netlink_iscsi_socket
				510	inherits socket
				511
				512	class netlink_fib_lookup_socket
				513	inherits socket
				514
				515	class netlink_connector_socket
				516	inherits socket
				517
				518	class netlink_netfilter_socket
				519	inherits socket
				520
				521	class netlink_generic_socket
				522	inherits socket
				523
				524	class netlink_scsitransport_socket
				525	inherits socket
				526
				527	class netlink_rdma_socket
				528	inherits socket
				529
				530	class netlink_crypto_socket
				531	inherits socket
				532
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	533	class infiniband_pkey
				534	{
				535	access
				536	}
				537
				538	class infiniband_endport
				539	{
				540	manage_subnet
				541	}
				542
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	543	#
				544	# Define the access vector interpretation for controlling capabilities
				545	# in user namespaces
				546	#
				547
				548	class cap_userns
				549	inherits cap
				550
				551	class cap2_userns
				552	inherits cap2
				553
Stephen Smalley	431bdd9	2016-12-08 13:35:27 -0500	[diff] [blame]	554
				555	#
				556	# Define the access vector interpretation for the new socket classes
				557	# enabled by the extended_socket_class policy capability.
				558	#
				559
				560	#
				561	# The next two classes were previously mapped to rawip_socket and therefore
				562	# have the same definition as rawip_socket (until further permissions
				563	# are defined).
				564	#
				565	class sctp_socket
				566	inherits socket
				567	{
				568	node_bind
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	569	name_connect
				570	association
Stephen Smalley	431bdd9	2016-12-08 13:35:27 -0500	[diff] [blame]	571	}
				572
				573	class icmp_socket
				574	inherits socket
				575	{
				576	node_bind
				577	}
				578
				579	#
				580	# The remaining network socket classes were previously
				581	# mapped to the socket class and therefore have the
				582	# same definition as socket.
				583	#
				584
				585	class ax25_socket
				586	inherits socket
				587
				588	class ipx_socket
				589	inherits socket
				590
				591	class netrom_socket
				592	inherits socket
				593
				594	class atmpvc_socket
				595	inherits socket
				596
				597	class x25_socket
				598	inherits socket
				599
				600	class rose_socket
				601	inherits socket
				602
				603	class decnet_socket
				604	inherits socket
				605
				606	class atmsvc_socket
				607	inherits socket
				608
				609	class rds_socket
				610	inherits socket
				611
				612	class irda_socket
				613	inherits socket
				614
				615	class pppox_socket
				616	inherits socket
				617
				618	class llc_socket
				619	inherits socket
				620
				621	class can_socket
				622	inherits socket
				623
				624	class tipc_socket
				625	inherits socket
				626
				627	class bluetooth_socket
				628	inherits socket
				629
				630	class iucv_socket
				631	inherits socket
				632
				633	class rxrpc_socket
				634	inherits socket
				635
				636	class isdn_socket
				637	inherits socket
				638
				639	class phonet_socket
				640	inherits socket
				641
				642	class ieee802154_socket
				643	inherits socket
				644
				645	class caif_socket
				646	inherits socket
				647
				648	class alg_socket
				649	inherits socket
				650
				651	class nfc_socket
				652	inherits socket
				653
				654	class vsock_socket
				655	inherits socket
				656
				657	class kcm_socket
				658	inherits socket
				659
				660	class qipcrtr_socket
				661	inherits socket
				662
Stephen Smalley	2be9799	2017-05-17 12:06:49 -0400	[diff] [blame]	663	class smc_socket
				664	inherits socket
				665
Nick Kralevich	f5a1b1b	2018-10-18 09:08:26 -0700	[diff] [blame]	666	class bpf
				667	{
				668	map_create
				669	map_read
				670	map_write
				671	prog_load
				672	prog_run
				673	}
				674
Stephen Smalley	124720a	2012-04-04 10:11:16 -0400	[diff] [blame]	675	class property_service
				676	{
				677	set
				678	}
Riley Spahn	f90c41f	2014-06-05 15:52:02 -0700	[diff] [blame]	679
				680	class service_manager
				681	{
				682	add
Riley Spahn	b8511e0	2014-07-07 13:56:27 -0700	[diff] [blame]	683	find
				684	list
Riley Spahn	f90c41f	2014-06-05 15:52:02 -0700	[diff] [blame]	685	}
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	686
Martijn Coenen	bc6d88d	2017-04-06 09:24:41 -0700	[diff] [blame]	687	class hwservice_manager
				688	{
				689	add
				690	find
				691	list
				692	}
				693
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	694	class keystore_key
				695	{
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	696	get_state
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	697	get
				698	insert
				699	delete
				700	exist
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	701	list
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	702	reset
				703	password
				704	lock
				705	unlock
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	706	is_empty
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	707	sign
				708	verify
				709	grant
				710	duplicate
				711	clear_uid
Chad Brubaker	8927772	2015-03-31 13:03:06 -0700	[diff] [blame]	712	add_auth
Chad Brubaker	520bb81	2015-05-12 12:33:40 -0700	[diff] [blame]	713	user_changed
Shawn Willden	a0c7f01	2017-04-11 09:41:25 -0600	[diff] [blame]	714	gen_unique_id
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	715	}
Stephen Smalley	ba99249	2014-07-24 15:25:43 -0400	[diff] [blame]	716
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	717	class keystore2
				718	{
				719	add_auth
Hasini Gunasinghe	685ca0c	2021-01-27 01:01:45 +0000	[diff] [blame]	720	change_password
				721	change_user
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	722	clear_ns
Hasini Gunasinghe	685ca0c	2021-01-27 01:01:45 +0000	[diff] [blame]	723	clear_uid
Satya Tangirala	5ef8686	2021-03-11 03:57:03 -0800	[diff] [blame]	724	early_boot_ended
Hasini Gunasinghe	db88d15	2020-12-03 21:40:53 +0000	[diff] [blame]	725	get_auth_token
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	726	get_state
Janis Danisevskis	144c822	2020-09-24 08:55:28 -0700	[diff] [blame]	727	list
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	728	lock
Janis Danisevskis	7ca6b48	2021-03-23 19:01:06 -0700	[diff] [blame]	729	report_off_body
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	730	reset
				731	unlock
				732	}
				733
				734	class keystore2_key
				735	{
Satya Tangirala	0653374	2021-03-08 09:48:42 -0800	[diff] [blame]	736	convert_storage_key_to_ephemeral
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	737	delete
				738	gen_unique_id
				739	get_info
				740	grant
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	741	manage_blob
				742	rebind
				743	req_forced_op
				744	update
				745	use
				746	use_dev_id
				747	}
				748
Riley Spahn	70f75ce	2014-07-02 12:42:59 -0700	[diff] [blame]	749	class drmservice {
				750	consumeRights
				751	setPlaybackStatus
				752	openDecryptSession
				753	closeDecryptSession
				754	initializeDecryptUnit
				755	decrypt
				756	finalizeDecryptUnit
				757	pread
				758	}
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	759
				760	class xdp_socket
				761	inherits socket
Ryan Savitski	80640c5	2020-01-08 17:30:26 +0000	[diff] [blame]	762
				763	class perf_event
				764	{
				765	open
				766	cpu
				767	kernel
				768	tracepoint
				769	read
				770	write
				771	}
Nick Kralevich	e4686b4	2020-02-13 12:57:27 -0800	[diff] [blame]	772
				773	class lockdown
				774	{
				775	integrity
				776	confidentiality
				777	}