#
# Define common prefixes for access vectors.
#
# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
# Permission set shared by every file-like class below: dir, file, lnk_file,
# chr_file, blk_file, sock_file and fifo_file each declare "inherits file".
# NOTE(review): treat the order as part of the binary ABI. This file only
# states "order matters" for class capability, but the safe rule for every
# common/class here is append-only: add new names at the end, never insert.
common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom	# NOTE(review): relabelfrom/relabelto are the label-change pair; a relabel presumably needs both sides granted - confirm
	relabelto
	append
	unlink
	link
	rename
	execute
	quotaon
	mounton
}
30
31
32#
33# Define a common prefix for socket access vectors.
34#
35
# Permission set shared by every socket class ("inherits socket").
# The first ten names duplicate the first ten of common file above, in the
# same order; they are copied, not inherited.
common socket
{
# copied from common file (same names, same order)
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind	# node_bind / name_connect are added per class (tcp_socket, udp_socket, rawip_socket, dccp_socket below)
}
61
62#
63# Define a common prefix for ipc access vectors.
64#
65
# Permission set shared by the SysV IPC classes ipc, sem, msgq and shm
# (class msg below does NOT inherit it).
common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read	# NOTE(review): presumably the DAC-style (mode bit) read/write checks, distinct from read/write above - confirm against the hooks
	unix_write
}
78
79#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
83
84
85#
86# Define the access vector interpretation for file-related objects.
87#
88
# Whole-filesystem operations (mount, remount, unmount, quota). Stand-alone
# class: it does not inherit common file.
class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate	# NOTE(review): presumably the file-type-to-filesystem association check - confirm
	quotamod
	quotaget
}
101
# Directories: common file plus the name-space operations.
# Note the trailing order open/audit_access/execmod, shared with lnk_file,
# blk_file, sock_file and fifo_file; class file and chr_file instead list
# execmod before open, so the bit positions differ between classes.
class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}
114
# Regular files: common file plus the execution-related names. The same
# five names appear in the same order in class chr_file.
# NOTE(review): execute_no_trans, entrypoint and execmod are the usual
# targets of execution-hardening rules; keep their positions stable.
class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}
124
# Symbolic links: common file plus the open/audit_access/execmod trio (same
# list as blk_file, sock_file and fifo_file).
class lnk_file
inherits file
{
	open
	audit_access
	execmod
}
132
# Character devices: identical permission list to class file, including
# execute_no_trans and entrypoint.
class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}
142
# Block devices: common file plus open/audit_access/execmod (same trio as
# lnk_file, sock_file and fifo_file).
class blk_file
inherits file
{
	open
	audit_access
	execmod
}
150
# Unix-domain socket files: common file plus open/audit_access/execmod.
class sock_file
inherits file
{
	open
	audit_access
	execmod
}
158
# Named pipes: common file plus open/audit_access/execmod.
class fifo_file
inherits file
{
	open
	audit_access
	execmod
}
166
# File descriptors: a single permission, use.
class fd
{
	use
}
171
172
173#
174# Define the access vector interpretation for network-related objects.
175#
176
# Generic socket: body-less, so exactly the permissions of common socket.
class socket
inherits socket
179
# TCP sockets: common socket plus node_bind and name_connect (the same pair
# as dccp_socket below).
class tcp_socket
inherits socket
{
	node_bind
	name_connect
}
186
# UDP sockets: common socket plus node_bind (no name_connect, unlike tcp_socket).
class udp_socket
inherits socket
{
	node_bind
}
192
# Raw IP sockets: common socket plus node_bind.
class rawip_socket
inherits socket
{
	node_bind
}
198
# Network node (address) objects: recvfrom / sendto only.
class node
{
	recvfrom
	sendto
}
204
# Network interface objects: ingress / egress only.
class netif
{
	ingress
	egress
}
210
# Body-less socket classes: each carries exactly the permissions of common
# socket and nothing else. The generic netlink_socket here has no
# nlmsg_read/nlmsg_write, unlike the per-family netlink classes further down.
class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket
219
# Unix stream sockets: common socket plus connectto.
class unix_stream_socket
inherits socket
{
	connectto
}
225
# Unix datagram sockets: body-less, exactly common socket.
class unix_dgram_socket
inherits socket
228
229#
230# Define the access vector interpretation for process-related objects
231#
232
# Process objects. Existing signal comments are kept as-is.
# NOTE(review): ptrace, dyntransition/setcurrent and the execmem/execstack/
# execheap trio are the high-value grants of this class; confirm the policy
# using this file restricts them tightly rather than granting them broadly.
class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition	# NOTE(review): dyntransition/setcurrent change the caller's own label without an exec - confirm usage
	setcurrent
	execmem		# NOTE(review): execmem/execstack/execheap presumably gate writable+executable memory mappings - confirm
	execstack
	execheap
	setkeycreate
	setsockcreate
}
266
267
268#
269# Define the access vector interpretation for ipc-related objects
270#
271
# Generic IPC and semaphores: body-less, exactly common ipc.
class ipc
inherits ipc

class sem
inherits ipc
277
# Message queues: common ipc plus enqueue.
class msgq
inherits ipc
{
	enqueue
}
283
# Individual messages: send / receive only. Unlike the other IPC classes
# this one does not inherit common ipc.
class msg
{
	send
	receive
}
289
# Shared memory segments: common ipc plus lock.
class shm
inherits ipc
{
	lock
}
295
296
297#
298# Define the access vector interpretation for the security server.
299#
300
# Security-server (policy management) operations.
# NOTE(review): load_policy, setenforce, setbool, setsecparam and
# setcheckreqprot change the enforcement state itself; a domain holding any
# of them can weaken the MAC policy, so they belong only to the policy
# loader. read_policy exposes the policy contents; compute_* are query-only.
class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}
316
317
318#
319# Define the access vector interpretation for system operations.
320#
321
# System-wide operations with no per-object target. module_load was appended
# after module_request, so the earlier positions are unchanged.
class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
}
331
332#
# Define the access vector interpretation for controlling capabilities.
334#
335
# Capability bits 0-31, one name per bit, in include/linux/capability.h
# order. This list has exactly 32 entries: chown is bit 0, setfcap is bit
# 31; bits 32 and up continue in class capability2. Because position is the
# bit number, this list is append-only and must never be reordered.
class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the capability2 class.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown			# 0
	dac_override		# 1
	dac_read_search		# 2
	fowner			# 3
	fsetid			# 4
	kill			# 5
	setgid			# 6
	setuid			# 7
	setpcap			# 8
	linux_immutable		# 9
	net_bind_service	# 10
	net_broadcast		# 11
	net_admin		# 12
	net_raw			# 13
	ipc_lock		# 14
	ipc_owner		# 15
	sys_module		# 16
	sys_rawio		# 17
	sys_chroot		# 18
	sys_ptrace		# 19
	sys_pacct		# 20
	sys_admin		# 21
	sys_boot		# 22
	sys_nice		# 23
	sys_resource		# 24
	sys_time		# 25
	sys_tty_config		# 26
	mknod			# 27
	lease			# 28
	audit_write		# 29
	audit_control		# 30
	setfcap			# 31
}
376
# Capability bits 32 and up, continuing the capability.h order from class
# capability above: position 0 here is bit 32. Six entries, bits 32-37.
# Append-only for the same reason as class capability.
class capability2
{
	mac_override # 32, unused by SELinux
	mac_admin # 33, unused by SELinux
	syslog # 34
	wake_alarm # 35
	block_suspend # 36
	audit_read # 37
}
386
#
# Extended Netlink classes (one class per Netlink family).
#
# NETLINK_ROUTE sockets: common socket plus message-direction permissions.
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
396
# NETLINK_FIREWALL sockets: common socket plus nlmsg_read / nlmsg_write.
class netlink_firewall_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
403
# NETLINK_TCPDIAG (socket diagnostics) sockets: common socket plus
# nlmsg_read / nlmsg_write.
class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
410
# NETLINK_NFLOG sockets: body-less, exactly common socket (no nlmsg_* split).
class netlink_nflog_socket
inherits socket
413
# NETLINK_XFRM (IPsec policy/SA) sockets: common socket plus
# nlmsg_read / nlmsg_write.
class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
420
# NETLINK_SELINUX sockets: body-less, exactly common socket.
class netlink_selinux_socket
inherits socket
423
# NETLINK_AUDIT sockets: the only netlink class with more than the
# read/write pair. NOTE(review): nlmsg_write and nlmsg_relay are what let a
# domain reconfigure or inject into the audit trail - confirm they are held
# only by the audit daemon/init equivalents.
class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}
433
# NETLINK_IP6_FW sockets: common socket plus nlmsg_read / nlmsg_write.
class netlink_ip6fw_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
440
# NETLINK_DNRTMSG (DECnet routing) sockets: body-less, exactly common socket.
class netlink_dnrt_socket
inherits socket
443
#
# Define the access vector interpretation for controlling
# access to IPsec network data by association.
#
# IPsec security associations: traffic permissions plus setcontext and
# polmatch (policy matching).
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}
454
455# Updated Netlink class for KOBJECT_UEVENT family.
# KOBJECT_UEVENT netlink and AppleTalk sockets: body-less, exactly common socket.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket
461
# Network packet objects. flow_in/flow_out are kept only to preserve bit
# positions for older policies; forward_in/forward_out supersede them.
class packet
{
	send
	recv
	relabelto
	flow_in # deprecated
	flow_out # deprecated
	forward_in
	forward_out
}
472
# Kernel keyring keys: view / read / write / search / link / setattr / create.
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}
483
# DCCP sockets: common socket plus node_bind and name_connect (same pair as
# tcp_socket).
class dccp_socket
inherits socket
{
	node_bind
	name_connect
}
490
# Memory protection: single permission mmap_zero.
# NOTE(review): presumably gates mapping the lowest pages of the address
# space (the classic NULL-dereference exploitation primitive) - confirm
# against the hook and keep it denied by default.
class memprotect
{
	mmap_zero
}
495
# Network peer labels.
# Labeled network peers: single permission recv.
class peer
{
	recv
}
501
# In-kernel services acting on behalf of a caller.
# NOTE(review): use_as_override and create_files_as let a kernel service act
# under a caller-supplied label; presumably these should be narrowly granted - confirm.
class kernel_service
{
	use_as_override
	create_files_as
}
507
# TUN/TAP sockets: common socket plus attach_queue.
class tun_socket
inherits socket
{
	attach_queue
}
# Android Binder IPC (not an upstream SELinux class).
# NOTE(review): set_context_mgr presumably gates registering as the Binder
# context manager (the service registry) and should be held by exactly one
# domain; impersonate and transfer are the other privileged names here - confirm.
class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}
521
# Additional Netlink families. All body-less: exactly common socket, with no
# nlmsg_read/nlmsg_write split, so read-vs-write filtering is not expressible
# on these families in this file. NOTE(review): netlink_generic_socket and
# netlink_netfilter_socket are broad families; confirm the policy limits
# which domains may create them.
class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket
545
# Android property service (not upstream): single permission set.
class property_service
{
	set
}
# Android servicemanager operations (not upstream): add / find / list.
# NOTE(review): add registers a named service; a domain that can add
# presumably can shadow a service others find - keep add narrowly granted.
class service_manager
{
	add
	find
	list
}
# Android keystore operations (not upstream). Several names were added after
# the original list and sit in the middle (get_state, list, is_empty,
# add_auth, user_changed), so this class is not in append order; the current
# order is now the ABI and must not be rearranged.
# NOTE(review): reset, password, clear_uid, grant, duplicate and
# user_changed act across keys or users rather than on one key - confirm
# they are limited to the keystore/system callers.
class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
}
# Android DRM service operations (not upstream). Uses camelCase names and
# an opening brace on the class line, unlike every other class in this
# file; renaming would change the policy, so the names are left as-is.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}
589}