Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 747f58949b8dc4d048858089c9365ca8a18a6fd4 / . / private / access_vectors
blob: 9d82ac8ef7f0bf36a12af2dddccdd1b9d2b7685b [file] [log] [blame]
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]1#
2# Define common prefixes for access vectors
3#
4# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
11common file
12{
13 ioctl
14 read
15 write
16 create
17 getattr
18 setattr
19 lock
20 relabelfrom
21 relabelto
22 append
Stephen Smalley4397f082017-07-10 09:32:10 -0400[diff] [blame]23 map
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]24 unlink
25 link
26 rename
27 execute
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]28 quotaon
29 mounton
Stephen Smalleycd62a4a2020-01-14 14:27:45 -0500[diff] [blame]30 audit_access
31 open
32 execmod
33 watch
34 watch_mount
35 watch_sb
36 watch_with_perm
37 watch_reads
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]38}
39
40
41#
42# Define a common prefix for socket access vectors.
43#
44
45common socket
46{
47# inherited from file
48 ioctl
49 read
50 write
51 create
52 getattr
53 setattr
54 lock
55 relabelfrom
56 relabelto
57 append
Stephen Smalley4397f082017-07-10 09:32:10 -0400[diff] [blame]58 map
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]59# socket-specific
60 bind
61 connect
62 listen
63 accept
64 getopt
65 setopt
66 shutdown
67 recvfrom
68 sendto
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]69 name_bind
70}
71
72#
73# Define a common prefix for ipc access vectors.
74#
75
76common ipc
77{
78 create
79 destroy
80 getattr
81 setattr
82 read
83 write
84 associate
85 unix_read
86 unix_write
87}
88
89#
Stephen Smalley8a003602016-04-27 09:42:57 -0400[diff] [blame]90# Define a common for capability access vectors.
91#
92common cap
93{
94 # The capabilities are defined in include/linux/capability.h
95 # Capabilities >= 32 are defined in the cap2 common.
96 # Care should be taken to ensure that these are consistent with
97 # those definitions. (Order matters)
98
99 chown
100 dac_override
101 dac_read_search
102 fowner
103 fsetid
104 kill
105 setgid
106 setuid
107 setpcap
108 linux_immutable
109 net_bind_service
110 net_broadcast
111 net_admin
112 net_raw
113 ipc_lock
114 ipc_owner
115 sys_module
116 sys_rawio
117 sys_chroot
118 sys_ptrace
119 sys_pacct
120 sys_admin
121 sys_boot
122 sys_nice
123 sys_resource
124 sys_time
125 sys_tty_config
126 mknod
127 lease
128 audit_write
129 audit_control
130 setfcap
131}
132
133common cap2
134{
135 mac_override # unused by SELinux
Stephen Smalley87154602020-01-16 10:29:15 -0500[diff] [blame]136 mac_admin
Stephen Smalley8a003602016-04-27 09:42:57 -0400[diff] [blame]137 syslog
138 wake_alarm
139 block_suspend
140 audit_read
Alistair Delva178f0ac2020-06-05 10:15:30 -0700[diff] [blame]141 perfmon
Thiébaud Weksteen747f5892024-07-16 17:33:26 +1000[diff] [blame^]142 starting_at_board_api(202504, `checkpoint_restore')
143 starting_at_board_api(202504, `bpf')
Stephen Smalley8a003602016-04-27 09:42:57 -0400[diff] [blame]144}
145
146#
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]147# Define the access vectors.
148#
149# class class_name [ inherits common_name ] { permission_name ... }
150
151
152#
153# Define the access vector interpretation for file-related objects.
154#
155
156class filesystem
157{
158 mount
159 remount
160 unmount
161 getattr
162 relabelfrom
163 relabelto
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]164 associate
165 quotamod
166 quotaget
Nick Kralevichdddbaaf2019-08-27 15:29:02 -0700[diff] [blame]167 watch
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]168}
169
170class dir
171inherits file
172{
173 add_name
174 remove_name
175 reparent
176 search
177 rmdir
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]178}
179
180class file
181inherits file
182{
183 execute_no_trans
184 entrypoint
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]185}
186
Lokesh Gidra06edcd82021-03-11 11:32:47 -0800[diff] [blame]187class anon_inode
188inherits file
189
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]190class lnk_file
191inherits file
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]192
193class chr_file
194inherits file
195{
196 execute_no_trans
197 entrypoint
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]198}
199
200class blk_file
201inherits file
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]202
203class sock_file
204inherits file
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]205
206class fifo_file
207inherits file
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]208
209class fd
210{
211 use
212}
213
214
215#
216# Define the access vector interpretation for network-related objects.
217#
218
219class socket
220inherits socket
221
222class tcp_socket
223inherits socket
224{
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]225 node_bind
226 name_connect
227}
228
229class udp_socket
230inherits socket
231{
232 node_bind
233}
234
235class rawip_socket
236inherits socket
237{
238 node_bind
239}
240
241class node
242{
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]243 recvfrom
244 sendto
245}
246
247class netif
248{
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]249 ingress
250 egress
251}
252
253class netlink_socket
254inherits socket
255
256class packet_socket
257inherits socket
258
259class key_socket
260inherits socket
261
262class unix_stream_socket
263inherits socket
264{
265 connectto
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]266}
267
268class unix_dgram_socket
269inherits socket
270
271#
272# Define the access vector interpretation for process-related objects
273#
274
275class process
276{
277 fork
278 transition
279 sigchld # commonly granted from child to parent
280 sigkill # cannot be caught or ignored
281 sigstop # cannot be caught or ignored
282 signull # for kill(pid, 0)
283 signal # all other signals
284 ptrace
285 getsched
286 setsched
287 getsession
288 getpgid
289 setpgid
290 getcap
291 setcap
292 share
293 getattr
294 setexec
295 setfscreate
296 noatsecure
297 siginh
298 setrlimit
299 rlimitinh
300 dyntransition
301 setcurrent
302 execmem
303 execstack
304 execheap
305 setkeycreate
306 setsockcreate
Stephen Smalley91a3eea2017-05-17 12:12:12 -0400[diff] [blame]307 getrlimit
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]308}
309
Nick Kralevich1b1d1332018-09-07 10:48:55 -0700[diff] [blame]310class process2
311{
312 nnp_transition
313 nosuid_transition
314}
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]315
316#
317# Define the access vector interpretation for ipc-related objects
318#
319
320class ipc
321inherits ipc
322
323class sem
324inherits ipc
325
326class msgq
327inherits ipc
328{
329 enqueue
330}
331
332class msg
333{
334 send
335 receive
336}
337
338class shm
339inherits ipc
340{
341 lock
342}
343
344
345#
346# Define the access vector interpretation for the security server.
347#
348
349class security
350{
351 compute_av
352 compute_create
353 compute_member
354 check_context
355 load_policy
356 compute_relabel
357 compute_user
358 setenforce # was avc_toggle in system class
359 setbool
360 setsecparam
361 setcheckreqprot
362 read_policy
Stephen Smalley50992312017-07-10 14:45:15 -0400[diff] [blame]363 validate_trans
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]364}
365
366
367#
368# Define the access vector interpretation for system operations.
369#
370
371class system
372{
373 ipc_info
374 syslog_read
375 syslog_mod
376 syslog_console
377 module_request
Jeff Vander Stoepa16b0582016-04-07 11:06:05 -0700[diff] [blame]378 module_load
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]379}
380
381#
Stephen Smalley8a003602016-04-27 09:42:57 -0400[diff] [blame]382# Define the access vector interpretation for controlling capabilities
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]383#
384
385class capability
Stephen Smalley8a003602016-04-27 09:42:57 -0400[diff] [blame]386inherits cap
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]387
388class capability2
Stephen Smalley8a003602016-04-27 09:42:57 -0400[diff] [blame]389inherits cap2
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]390
391#
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]392# Extended Netlink classes
393#
394class netlink_route_socket
395inherits socket
396{
397 nlmsg_read
398 nlmsg_write
Jeff Vander Stoepfb69c8e2019-10-16 15:19:40 +0200[diff] [blame]399 nlmsg_readpriv
Bram Bonnéea5460a2021-05-12 14:19:24 +0200[diff] [blame]400 nlmsg_getneigh
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]401}
402
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]403class netlink_tcpdiag_socket
404inherits socket
405{
406 nlmsg_read
407 nlmsg_write
408}
409
410class netlink_nflog_socket
411inherits socket
412
413class netlink_xfrm_socket
414inherits socket
415{
416 nlmsg_read
417 nlmsg_write
418}
419
420class netlink_selinux_socket
421inherits socket
422
423class netlink_audit_socket
424inherits socket
425{
426 nlmsg_read
427 nlmsg_write
428 nlmsg_relay
429 nlmsg_readpriv
430 nlmsg_tty_audit
431}
432
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]433class netlink_dnrt_socket
434inherits socket
435
436# Define the access vector interpretation for controlling
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]437# access to IPSec network data by association
438#
439class association
440{
441 sendto
442 recvfrom
443 setcontext
444 polmatch
445}
446
447# Updated Netlink class for KOBJECT_UEVENT family.
448class netlink_kobject_uevent_socket
449inherits socket
450
451class appletalk_socket
452inherits socket
453
454class packet
455{
456 send
457 recv
458 relabelto
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]459 forward_in
460 forward_out
461}
462
463class key
464{
465 view
466 read
467 write
468 search
469 link
470 setattr
471 create
472}
473
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]474class dccp_socket
475inherits socket
476{
477 node_bind
478 name_connect
479}
480
481class memprotect
482{
483 mmap_zero
484}
485
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]486# network peer labels
487class peer
488{
489 recv
490}
491
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]492class kernel_service
493{
494 use_as_override
495 create_files_as
496}
497
498class tun_socket
499inherits socket
Nick Kralevichd7af45d2014-06-06 16:51:11 -0700[diff] [blame]500{
501 attach_queue
502}
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]503
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]504class binder
505{
506 impersonate
507 call
508 set_context_mgr
509 transfer
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]510}
511
Stephen Smalley01d95c22015-05-21 16:17:26 -0400[diff] [blame]512class netlink_iscsi_socket
513inherits socket
514
515class netlink_fib_lookup_socket
516inherits socket
517
518class netlink_connector_socket
519inherits socket
520
521class netlink_netfilter_socket
522inherits socket
523
524class netlink_generic_socket
525inherits socket
526
527class netlink_scsitransport_socket
528inherits socket
529
530class netlink_rdma_socket
531inherits socket
532
533class netlink_crypto_socket
534inherits socket
535
Nick Kralevichea1775d2018-11-01 19:39:44 -0700[diff] [blame]536class infiniband_pkey
537{
538 access
539}
540
541class infiniband_endport
542{
543 manage_subnet
544}
545
Stephen Smalley8a003602016-04-27 09:42:57 -0400[diff] [blame]546#
547# Define the access vector interpretation for controlling capabilities
548# in user namespaces
549#
550
551class cap_userns
552inherits cap
553
554class cap2_userns
555inherits cap2
556
Stephen Smalley431bdd92016-12-08 13:35:27 -0500[diff] [blame]557
558#
559# Define the access vector interpretation for the new socket classes
560# enabled by the extended_socket_class policy capability.
561#
562
563#
564# The next two classes were previously mapped to rawip_socket and therefore
565# have the same definition as rawip_socket (until further permissions
566# are defined).
567#
568class sctp_socket
569inherits socket
570{
571 node_bind
Nick Kralevichea1775d2018-11-01 19:39:44 -0700[diff] [blame]572 name_connect
573 association
Stephen Smalley431bdd92016-12-08 13:35:27 -0500[diff] [blame]574}
575
576class icmp_socket
577inherits socket
578{
579 node_bind
580}
581
582#
583# The remaining network socket classes were previously
584# mapped to the socket class and therefore have the
585# same definition as socket.
586#
587
588class ax25_socket
589inherits socket
590
591class ipx_socket
592inherits socket
593
594class netrom_socket
595inherits socket
596
597class atmpvc_socket
598inherits socket
599
600class x25_socket
601inherits socket
602
603class rose_socket
604inherits socket
605
606class decnet_socket
607inherits socket
608
609class atmsvc_socket
610inherits socket
611
612class rds_socket
613inherits socket
614
615class irda_socket
616inherits socket
617
618class pppox_socket
619inherits socket
620
621class llc_socket
622inherits socket
623
624class can_socket
625inherits socket
626
627class tipc_socket
628inherits socket
629
630class bluetooth_socket
631inherits socket
632
633class iucv_socket
634inherits socket
635
636class rxrpc_socket
637inherits socket
638
639class isdn_socket
640inherits socket
641
642class phonet_socket
643inherits socket
644
645class ieee802154_socket
646inherits socket
647
648class caif_socket
649inherits socket
650
651class alg_socket
652inherits socket
653
654class nfc_socket
655inherits socket
656
657class vsock_socket
658inherits socket
659
660class kcm_socket
661inherits socket
662
663class qipcrtr_socket
664inherits socket
665
Stephen Smalley2be97992017-05-17 12:06:49 -0400[diff] [blame]666class smc_socket
667inherits socket
668
Thiébaud Weksteen6772c502024-05-15 13:12:40 +1000[diff] [blame]669class xdp_socket
670inherits socket
671
672class mctp_socket
673inherits socket
674
Nick Kralevichf5a1b1b2018-10-18 09:08:26 -0700[diff] [blame]675class bpf
676{
677 map_create
678 map_read
679 map_write
680 prog_load
681 prog_run
682}
683
Stephen Smalley124720a2012-04-04 10:11:16 -0400[diff] [blame]684class property_service
685{
686 set
687}
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]688
689class service_manager
690{
691 add
Riley Spahnb8511e02014-07-07 13:56:27 -0700[diff] [blame]692 find
693 list
Riley Spahnf90c41f2014-06-05 15:52:02 -0700[diff] [blame]694}
Riley Spahn1196d2a2014-06-17 14:58:52 -0700[diff] [blame]695
Martijn Coenenbc6d88d2017-04-06 09:24:41 -0700[diff] [blame]696class hwservice_manager
697{
698 add
699 find
700 list
701}
702
Eric Biggers92ca7b72024-03-14 21:53:21 +0000[diff] [blame]703class keystore_key # No longer used
Riley Spahn1196d2a2014-06-17 14:58:52 -0700[diff] [blame]704{
Chad Brubakercbc8f792015-05-13 14:39:48 -0700[diff] [blame]705 get_state
Riley Spahn1196d2a2014-06-17 14:58:52 -0700[diff] [blame]706 get
707 insert
708 delete
709 exist
Chad Brubakercbc8f792015-05-13 14:39:48 -0700[diff] [blame]710 list
Riley Spahn1196d2a2014-06-17 14:58:52 -0700[diff] [blame]711 reset
712 password
713 lock
714 unlock
Chad Brubakercbc8f792015-05-13 14:39:48 -0700[diff] [blame]715 is_empty
Riley Spahn1196d2a2014-06-17 14:58:52 -0700[diff] [blame]716 sign
717 verify
718 grant
719 duplicate
720 clear_uid
Chad Brubaker89277722015-03-31 13:03:06 -0700[diff] [blame]721 add_auth
Chad Brubaker520bb812015-05-12 12:33:40 -0700[diff] [blame]722 user_changed
Shawn Willdena0c7f012017-04-11 09:41:25 -0600[diff] [blame]723 gen_unique_id
Riley Spahn1196d2a2014-06-17 14:58:52 -0700[diff] [blame]724}
Stephen Smalleyba992492014-07-24 15:25:43 -0400[diff] [blame]725
Janis Danisevskis24f3dce2020-07-25 13:08:15 -0700[diff] [blame]726class keystore2
727{
728 add_auth
Hasini Gunasinghe685ca0c2021-01-27 01:01:45 +0000[diff] [blame]729 change_password
730 change_user
Janis Danisevskis24f3dce2020-07-25 13:08:15 -0700[diff] [blame]731 clear_ns
Hasini Gunasinghe685ca0c2021-01-27 01:01:45 +0000[diff] [blame]732 clear_uid
Seth Moore7e95d222021-12-14 07:57:07 -0800[diff] [blame]733 delete_all_keys
Satya Tangirala5ef86862021-03-11 03:57:03 -0800[diff] [blame]734 early_boot_ended
Seth Moore7e95d222021-12-14 07:57:07 -0800[diff] [blame]735 get_attestation_key
Hasini Gunasinghedb88d152020-12-03 21:40:53 +0000[diff] [blame]736 get_auth_token
James Willcox038f8592023-10-03 21:24:20 +0000[diff] [blame]737 get_last_auth_time
Eric Biggers92ca7b72024-03-14 21:53:21 +0000[diff] [blame]738 get_state # No longer used
Janis Danisevskis144c8222020-09-24 08:55:28 -0700[diff] [blame]739 list
Janis Danisevskis24f3dce2020-07-25 13:08:15 -0700[diff] [blame]740 lock
Hasini Gunasinghe4334d352021-06-10 15:05:49 +0000[diff] [blame]741 pull_metrics
Eric Biggers92ca7b72024-03-14 21:53:21 +0000[diff] [blame]742 report_off_body # No longer used
Janis Danisevskis24f3dce2020-07-25 13:08:15 -0700[diff] [blame]743 reset
744 unlock
745}
746
747class keystore2_key
748{
Satya Tangirala06533742021-03-08 09:48:42 -0800[diff] [blame]749 convert_storage_key_to_ephemeral
Janis Danisevskis24f3dce2020-07-25 13:08:15 -0700[diff] [blame]750 delete
751 gen_unique_id
752 get_info
753 grant
Janis Danisevskis24f3dce2020-07-25 13:08:15 -0700[diff] [blame]754 manage_blob
755 rebind
756 req_forced_op
757 update
758 use
759 use_dev_id
760}
761
Janis Danisevskis2b6c6062021-11-09 17:49:02 -0800[diff] [blame]762class diced
763{
764 demote
765 demote_self
766 derive
767 get_attestation_chain
768 use_seal
769 use_sign
770}
771
Riley Spahn70f75ce2014-07-02 12:42:59 -0700[diff] [blame]772class drmservice {
773 consumeRights
774 setPlaybackStatus
775 openDecryptSession
776 closeDecryptSession
777 initializeDecryptUnit
778 decrypt
779 finalizeDecryptUnit
780 pread
781}
Nick Kralevichea1775d2018-11-01 19:39:44 -0700[diff] [blame]782
Ryan Savitski80640c52020-01-08 17:30:26 +0000[diff] [blame]783class perf_event
784{
785 open
786 cpu
787 kernel
788 tracepoint
789 read
790 write
791}
Nick Kraleviche4686b42020-02-13 12:57:27 -0800[diff] [blame]792
793class lockdown
794{
795 integrity
796 confidentiality
797}
Gil Cukierman214294c2022-11-14 17:06:36 -0500[diff] [blame]798
799class io_uring
800{
801 override_creds
802 sqpoll
803 cmd
804}
Thiébaud Weksteen6772c502024-05-15 13:12:40 +1000[diff] [blame]805
806class user_namespace
807{
808 create
809}