Stephen Smalley2dd4e512012-01-04 12:33:27 -05001#
2# Define common prefixes for access vectors
3#
4# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
11common file
12{
13 ioctl
14 read
15 write
16 create
17 getattr
18 setattr
19 lock
20 relabelfrom
21 relabelto
22 append
Stephen Smalley4397f082017-07-10 09:32:10 -040023 map
Stephen Smalley2dd4e512012-01-04 12:33:27 -050024 unlink
25 link
26 rename
27 execute
Stephen Smalley2dd4e512012-01-04 12:33:27 -050028 quotaon
29 mounton
30}
31
32
33#
34# Define a common prefix for socket access vectors.
35#
36
37common socket
38{
39# inherited from file
40 ioctl
41 read
42 write
43 create
44 getattr
45 setattr
46 lock
47 relabelfrom
48 relabelto
49 append
Stephen Smalley4397f082017-07-10 09:32:10 -040050 map
Stephen Smalley2dd4e512012-01-04 12:33:27 -050051# socket-specific
52 bind
53 connect
54 listen
55 accept
56 getopt
57 setopt
58 shutdown
59 recvfrom
60 sendto
Stephen Smalley2dd4e512012-01-04 12:33:27 -050061 name_bind
62}
63
64#
65# Define a common prefix for ipc access vectors.
66#
67
68common ipc
69{
70 create
71 destroy
72 getattr
73 setattr
74 read
75 write
76 associate
77 unix_read
78 unix_write
79}
80
81#
Stephen Smalley8a003602016-04-27 09:42:57 -040082# Define a common prefix for capability access vectors.
83#
84common cap
85{
86 # The capabilities are defined in include/linux/capability.h
87 # Capabilities >= 32 are defined in the cap2 common.
88# Care should be taken to ensure that these are consistent with those
89# definitions. (Order matters: a permission's position in this list selects the kernel capability bit it grants, so reordering silently changes what a rule allows.)
90
91 chown
92 dac_override
93 dac_read_search
94 fowner
95 fsetid
96 kill
97 setgid
98 setuid
99 setpcap
100 linux_immutable
101 net_bind_service
102 net_broadcast
103 net_admin
104 net_raw
105 ipc_lock
106 ipc_owner
107 sys_module
108 sys_rawio
109 sys_chroot
110 sys_ptrace
111 sys_pacct
112 sys_admin
113 sys_boot
114 sys_nice
115 sys_resource
116 sys_time
117 sys_tty_config
118 mknod
119 lease
120 audit_write
121 audit_control
122 setfcap
123}
124
125common cap2
126{
127 mac_override # unused by SELinux
128 mac_admin # unused by SELinux
129 syslog
130 wake_alarm
131 block_suspend
132 audit_read
133}
134
135#
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500136# Define the access vectors.
137#
138# class class_name [ inherits common_name ] { permission_name ... }
139
140
141#
142# Define the access vector interpretation for file-related objects.
143#
144
145class filesystem
146{
147 mount
148 remount
149 unmount
150 getattr
151 relabelfrom
152 relabelto
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500153 associate
154 quotamod
155 quotaget
156}
157
158class dir
159inherits file
160{
161 add_name
162 remove_name
163 reparent
164 search
165 rmdir
166 open
167 audit_access
168 execmod
169}
170
171class file
172inherits file
173{
174 execute_no_trans
175 entrypoint
176 execmod
177 open
178 audit_access
179}
180
181class lnk_file
182inherits file
183{
184 open
185 audit_access
186 execmod
187}
188
189class chr_file
190inherits file
191{
192 execute_no_trans
193 entrypoint
194 execmod
195 open
196 audit_access
197}
198
199class blk_file
200inherits file
201{
202 open
203 audit_access
204 execmod
205}
206
207class sock_file
208inherits file
209{
210 open
211 audit_access
212 execmod
213}
214
215class fifo_file
216inherits file
217{
218 open
219 audit_access
220 execmod
221}
222
223class fd
224{
225 use
226}
227
228
229#
230# Define the access vector interpretation for network-related objects.
231#
232
233class socket
234inherits socket
235
236class tcp_socket
237inherits socket
238{
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500239 node_bind
240 name_connect
241}
242
243class udp_socket
244inherits socket
245{
246 node_bind
247}
248
249class rawip_socket
250inherits socket
251{
252 node_bind
253}
254
255class node
256{
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500257 recvfrom
258 sendto
259}
260
261class netif
262{
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500263 ingress
264 egress
265}
266
267class netlink_socket
268inherits socket
269
270class packet_socket
271inherits socket
272
273class key_socket
274inherits socket
275
276class unix_stream_socket
277inherits socket
278{
279 connectto
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500280}
281
282class unix_dgram_socket
283inherits socket
284
Chenbo Feng08f92f92017-08-22 18:33:46 -0700285class bpf
286{
287 map_create
288 map_read
289 map_write
290 prog_load
291 prog_run
292}
293
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500294#
295# Define the access vector interpretation for process-related objects
296#
297
298class process
299{
300 fork
301 transition
302 sigchld # commonly granted from child to parent
303 sigkill # cannot be caught or ignored
304 sigstop # cannot be caught or ignored
305 signull # for kill(pid, 0)
306 signal # all other signals
307 ptrace
308 getsched
309 setsched
310 getsession
311 getpgid
312 setpgid
313 getcap
314 setcap
315 share
316 getattr
317 setexec
318 setfscreate
319 noatsecure
320 siginh
321 setrlimit
322 rlimitinh
323 dyntransition
324 setcurrent
325 execmem
326 execstack
327 execheap
328 setkeycreate
329 setsockcreate
Stephen Smalley91a3eea2017-05-17 12:12:12 -0400330 getrlimit
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500331}
332
333
334#
335# Define the access vector interpretation for ipc-related objects
336#
337
338class ipc
339inherits ipc
340
341class sem
342inherits ipc
343
344class msgq
345inherits ipc
346{
347 enqueue
348}
349
350class msg
351{
352 send
353 receive
354}
355
356class shm
357inherits ipc
358{
359 lock
360}
361
362
363#
364# Define the access vector interpretation for the security server.
365#
366
367class security
368{
369 compute_av
370 compute_create
371 compute_member
372 check_context
373 load_policy
374 compute_relabel
375 compute_user
376 setenforce # was avc_toggle in system class
377 setbool
378 setsecparam
379 setcheckreqprot
380 read_policy
Stephen Smalley50992312017-07-10 14:45:15 -0400381 validate_trans
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500382}
383
384
385#
386# Define the access vector interpretation for system operations.
387#
388
389class system
390{
391 ipc_info
392 syslog_read
393 syslog_mod
394 syslog_console
395 module_request
Jeff Vander Stoepa16b0582016-04-07 11:06:05 -0700396 module_load
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500397}
398
399#
Stephen Smalley8a003602016-04-27 09:42:57 -0400400# Define the access vector interpretation for controlling capabilities
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500401#
402
403class capability
Stephen Smalley8a003602016-04-27 09:42:57 -0400404inherits cap
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500405
406class capability2
Stephen Smalley8a003602016-04-27 09:42:57 -0400407inherits cap2
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500408
409#
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500410# Extended Netlink classes
411#
412class netlink_route_socket
413inherits socket
414{
415 nlmsg_read
416 nlmsg_write
417}
418
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500419class netlink_tcpdiag_socket
420inherits socket
421{
422 nlmsg_read
423 nlmsg_write
424}
425
426class netlink_nflog_socket
427inherits socket
428
429class netlink_xfrm_socket
430inherits socket
431{
432 nlmsg_read
433 nlmsg_write
434}
435
436class netlink_selinux_socket
437inherits socket
438
439class netlink_audit_socket
440inherits socket
441{
442 nlmsg_read
443 nlmsg_write
444 nlmsg_relay
445 nlmsg_readpriv
446 nlmsg_tty_audit
447}
448
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500449class netlink_dnrt_socket
450inherits socket
451
452# Define the access vector interpretation for controlling
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500453# access to IPSec network data by association
454#
455class association
456{
457 sendto
458 recvfrom
459 setcontext
460 polmatch
461}
462
463# Updated Netlink class for KOBJECT_UEVENT family.
464class netlink_kobject_uevent_socket
465inherits socket
466
467class appletalk_socket
468inherits socket
469
470class packet
471{
472 send
473 recv
474 relabelto
475 flow_in # deprecated
476 flow_out # deprecated
477 forward_in
478 forward_out
479}
480
481class key
482{
483 view
484 read
485 write
486 search
487 link
488 setattr
489 create
490}
491
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500492class dccp_socket
493inherits socket
494{
495 node_bind
496 name_connect
497}
498
499class memprotect
500{
501 mmap_zero
502}
503
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500504# network peer labels
505class peer
506{
507 recv
508}
509
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500510class kernel_service
511{
512 use_as_override
513 create_files_as
514}
515
516class tun_socket
517inherits socket
Nick Kralevichd7af45d2014-06-06 16:51:11 -0700518{
519 attach_queue
520}
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500521
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500522class binder
523{
524 impersonate
525 call
526 set_context_mgr
527 transfer
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500528}
529
Stephen Smalley01d95c22015-05-21 16:17:26 -0400530class netlink_iscsi_socket
531inherits socket
532
533class netlink_fib_lookup_socket
534inherits socket
535
536class netlink_connector_socket
537inherits socket
538
539class netlink_netfilter_socket
540inherits socket
541
542class netlink_generic_socket
543inherits socket
544
545class netlink_scsitransport_socket
546inherits socket
547
548class netlink_rdma_socket
549inherits socket
550
551class netlink_crypto_socket
552inherits socket
553
Stephen Smalley8a003602016-04-27 09:42:57 -0400554#
555# Define the access vector interpretation for controlling capabilities
556# in user namespaces
557#
558
559class cap_userns
560inherits cap
561
562class cap2_userns
563inherits cap2
564
Stephen Smalley431bdd92016-12-08 13:35:27 -0500565
566#
567# Define the access vector interpretation for the new socket classes
568# enabled by the extended_socket_class policy capability.
569#
570
571#
572# The next two classes were previously mapped to rawip_socket and therefore
573# have the same definition as rawip_socket (until further permissions
574# are defined).
575#
576class sctp_socket
577inherits socket
578{
579 node_bind
580}
581
582class icmp_socket
583inherits socket
584{
585 node_bind
586}
587
588#
589# The remaining network socket classes were previously
590# mapped to the socket class and therefore have the
591# same definition as socket.
592#
593
594class ax25_socket
595inherits socket
596
597class ipx_socket
598inherits socket
599
600class netrom_socket
601inherits socket
602
603class atmpvc_socket
604inherits socket
605
606class x25_socket
607inherits socket
608
609class rose_socket
610inherits socket
611
612class decnet_socket
613inherits socket
614
615class atmsvc_socket
616inherits socket
617
618class rds_socket
619inherits socket
620
621class irda_socket
622inherits socket
623
624class pppox_socket
625inherits socket
626
627class llc_socket
628inherits socket
629
630class can_socket
631inherits socket
632
633class tipc_socket
634inherits socket
635
636class bluetooth_socket
637inherits socket
638
639class iucv_socket
640inherits socket
641
642class rxrpc_socket
643inherits socket
644
645class isdn_socket
646inherits socket
647
648class phonet_socket
649inherits socket
650
651class ieee802154_socket
652inherits socket
653
654class caif_socket
655inherits socket
656
657class alg_socket
658inherits socket
659
660class nfc_socket
661inherits socket
662
663class vsock_socket
664inherits socket
665
666class kcm_socket
667inherits socket
668
669class qipcrtr_socket
670inherits socket
671
Stephen Smalley2be97992017-05-17 12:06:49 -0400672class smc_socket
673inherits socket
674
Stephen Smalley124720a2012-04-04 10:11:16 -0400675class property_service
676{
677 set
678}
Riley Spahnf90c41f2014-06-05 15:52:02 -0700679
680class service_manager
681{
682 add
Riley Spahnb8511e02014-07-07 13:56:27 -0700683 find
684 list
Riley Spahnf90c41f2014-06-05 15:52:02 -0700685}
Riley Spahn1196d2a2014-06-17 14:58:52 -0700686
Martijn Coenenbc6d88d2017-04-06 09:24:41 -0700687class hwservice_manager
688{
689 add
690 find
691 list
692}
693
Riley Spahn1196d2a2014-06-17 14:58:52 -0700694class keystore_key
695{
Chad Brubakercbc8f792015-05-13 14:39:48 -0700696 get_state
Riley Spahn1196d2a2014-06-17 14:58:52 -0700697 get
698 insert
699 delete
700 exist
Chad Brubakercbc8f792015-05-13 14:39:48 -0700701 list
Riley Spahn1196d2a2014-06-17 14:58:52 -0700702 reset
703 password
704 lock
705 unlock
Chad Brubakercbc8f792015-05-13 14:39:48 -0700706 is_empty
Riley Spahn1196d2a2014-06-17 14:58:52 -0700707 sign
708 verify
709 grant
710 duplicate
711 clear_uid
Chad Brubaker89277722015-03-31 13:03:06 -0700712 add_auth
Chad Brubaker520bb812015-05-12 12:33:40 -0700713 user_changed
Shawn Willdena0c7f012017-04-11 09:41:25 -0600714 gen_unique_id
Riley Spahn1196d2a2014-06-17 14:58:52 -0700715}
Stephen Smalleyba992492014-07-24 15:25:43 -0400716
Riley Spahn70f75ce2014-07-02 12:42:59 -0700717class drmservice {
718 consumeRights
719 setPlaybackStatus
720 openDecryptSession
721 closeDecryptSession
722 initializeDecryptUnit
723 decrypt
724 finalizeDecryptUnit
725 pread
726}