#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# A common is a named permission list that classes pull in with
# "class class_name inherits common_name".  Permissions are identified
# by their position in the list as well as by name (policy tooling
# assigns access-vector bits positionally), so new permissions belong at
# the end of a list; see the "Order matters" note in the cap common below.


#
# Define a common prefix for file access vectors.
#
# Inherited by dir, file, lnk_file, chr_file, blk_file, sock_file and
# fifo_file further down; each of those classes lists its own additional
# permissions (open, audit_access, execmod, ...) after these.

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	unlink
	link
	rename
	execute
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#
# Inherited by every *_socket class in this file.  The first group
# repeats the leading entries of the file common in the same order (the
# policy language has no inheritance between commons, so the list is
# duplicated rather than shared); the socket-specific permissions follow.

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#
# Inherited by the ipc, sem, msgq and shm classes below; msg is a
# standalone class and does not use it.

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common for capability access vectors.
#
# Inherited by the capability and cap_userns classes below.  The 32
# entries here stand for capability numbers 0-31 in list order; never
# reorder or insert into this list -- capabilities numbered 32 and up
# go in the cap2 common that follows.
#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

common cap2
{
	# Capability numbers 32 and up, continuing the cap common above; the
	# same ordering rule applies (append only, never insert).
	# Inherited by the capability2 and cap2_userns classes.
	mac_override	# unused by SELinux
	mac_admin	# unused by SELinux
	syslog
	wake_alarm
	block_suspend
	audit_read
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# A class that inherits a common gets the common's permissions first and
# its own, listed in braces, after them.  A class with no brace block
# (e.g. "class socket inherits socket") has exactly the common's
# permissions and nothing else.


#
# Define the access vector interpretation for file-related objects.
#
# filesystem and fd stand alone; the seven object classes in between all
# inherit the file common.  Of those, only file and chr_file carry the
# execution-related execute_no_trans and entrypoint permissions.

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}

class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class lnk_file
inherits file
{
	open
	audit_access
	execmod
}

class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class blk_file
inherits file
{
	open
	audit_access
	execmod
}

class sock_file
inherits file
{
	open
	audit_access
	execmod
}

class fifo_file
inherits file
{
	open
	audit_access
	execmod
}

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#
# node and netif are not sockets and do not use the socket common.
# node_bind / name_connect are the extra, address-level permissions of
# the IP socket classes; connectto on unix_stream_socket is the only
# addition for the Unix-domain classes.

class socket
inherits socket

class tcp_socket
inherits socket
{
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

class node
{
	recvfrom
	sendto
}

class netif
{
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#
# The inline comments on the signal permissions are the original
# author's.  The remaining entries are, going by their names, process
# control (ptrace, scheduling, sessions, rlimits), credential and
# security-context changes (setexec, setfscreate, dyntransition,
# setcurrent, setkeycreate, setsockcreate) and executable-memory
# mappings (execmem, execstack, execheap).  getrlimit is the most
# recent addition and sits last, as new entries should.

class process
{
	fork
	transition
	sigchld	# commonly granted from child to parent
	sigkill	# cannot be caught or ignored
	sigstop	# cannot be caught or ignored
	signull	# for kill(pid, 0)
	signal	# all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit
}


#
# Define the access vector interpretation for ipc-related objects
#
# ipc and sem use the ipc common unchanged; msgq adds enqueue and shm
# adds lock.  msg (an individual message) has its own two permissions
# and no common.

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#
# Permissions checked on the security server itself: policy queries
# (compute_*, check_context, read_policy) and the control operations
# that change enforcement state (load_policy, setenforce, setbool,
# setsecparam, setcheckreqprot).  The latter group is what a policy
# reviewer should expect to see granted to very few domains.

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce	# was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}


#
# Define the access vector interpretation for system operations.
#
# module_request and module_load are separate permissions; by name the
# former covers a kernel-initiated module request and the latter an
# explicit module load.  NOTE(review): confirm which kernel hook checks
# each before relying on that reading.

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
}

#
# Define the access vector interpretation for controlling capabilities
#
# Both classes take their permissions entirely from the cap / cap2
# commons and add nothing of their own; the user-namespace variants
# cap_userns / cap2_userns further down are defined the same way.

class capability
inherits cap

class capability2
inherits cap2

#
# Extended Netlink classes
#
# Every class here inherits the socket common.  route, tcpdiag and xfrm
# add nlmsg_read / nlmsg_write; audit adds nlmsg_relay, nlmsg_readpriv
# and nlmsg_tty_audit on top of those; nflog, selinux and dnrt add
# nothing.
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
# association is not a socket class and does not use the socket common.
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

# packet is a standalone class (not a socket).  flow_in / flow_out are
# marked deprecated rather than removed, presumably so that forward_in /
# forward_out keep their positions in the list.
class packet
{
	send
	recv
	relabelto
	flow_in	# deprecated
	flow_out	# deprecated
	forward_in
	forward_out
}

# Kernel keyring objects.  NOTE(review): the permission names look like
# the keyctl operations; confirm the mapping against the kernel.
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

# memprotect: a single permission, presumably controlling mappings at
# address zero (verify against the kernel's mmap hook).
class memprotect
{
	mmap_zero
}

# network peer labels
class peer
{
	recv
}

class kernel_service
{
	use_as_override
	create_files_as
}

# tun_socket: socket common plus one extra permission.
class tun_socket
inherits socket
{
	attach_queue
}

# Android binder IPC.  set_context_mgr is presumably the right to
# register as the binder context manager; impersonate, call and
# transfer cover the transaction-level operations.
class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

# Further netlink families; all take the socket common unchanged.
class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket

#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#
# Same permission lists as capability / capability2 (via the cap / cap2
# commons), so capability numbers line up across the two pairs of
# classes.

class cap_userns
inherits cap

class cap2_userns
inherits cap2


#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#
# The two notes below explain why each group copies an existing class's
# permission list; keep the lists identical to rawip_socket / socket
# respectively unless the mapping they describe changes.

#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
class sctp_socket
inherits socket
{
	node_bind
}

class icmp_socket
inherits socket
{
	node_bind
}

#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#

class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

class smc_socket
inherits socket

#
# Android userspace object managers.
#
# NOTE(review): property_service, service_manager, keystore_key and
# drmservice are presumably checked by the corresponding daemons rather
# than by the kernel; confirm against each daemon's SELinux integration.
# The same positional rule applies: append new permissions at the end.
class property_service
{
	set
}

class service_manager
{
	add
	find
	list
}

class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
}

# drmservice uses camelCase permission names and an opening brace on the
# class line, unlike the snake_case / separate-brace style used everywhere
# else in this file.  Renaming the permissions would change policy
# identifiers, so they are left as-is.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}