#
# Define common prefixes for access vectors. A common is a named, ordered
# permission list that classes below pull in with "inherits"; permissions
# are numbered by position, so every list in this file is append-only.
#
# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
common file
{
	# Shared by every file-like class below (dir, file, lnk_file, chr_file,
	# blk_file, sock_file, fifo_file all "inherit file"). Positional
	# numbering means an entry may only ever be appended here; inserting,
	# reordering or deleting one changes the meaning of every compiled
	# policy and of every class that inherits this common.
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom	# NOTE(review): relabelfrom is checked against the old label and
	relabelto	# relabelto against the new one, so a relabel needs both; confirm
	append
	unlink
	link
	rename
	execute
	quotaon
	mounton		# NOTE(review): use of the object as a mount point; confirm against kernel hook
}
30
31
32#
33# Define a common prefix for socket access vectors.
34#
35
common socket
{
	# Shared by every *_socket class below. A common cannot inherit another
	# common, so the first ten entries deliberately repeat the first ten
	# entries of "common file" in the same order rather than inheriting
	# them. Append-only: permission numbering is positional.
	#
	# same names and order as the start of common file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind	# NOTE(review): checked against the port/name label on bind();
			# the address side is the per-class node_bind below; confirm
}
61
62#
63# Define a common prefix for ipc access vectors.
64#
65
common ipc
{
	# Shared by the IPC object classes ipc, sem, msgq and shm below
	# (class msg does not use it). Append-only.
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read	# NOTE(review): presumably mirror the classic IPC_R/IPC_W
	unix_write	# permission-bit checks; confirm against the kernel hook
}
78
79#
# Define a common prefix for capability access vectors.
81#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# The 32 entries below map positionally onto CAP_* values 0..31, so
	# inserting, removing or reordering one would shift every later
	# capability check. This common is inherited by both "capability"
	# and "cap_userns" (user namespaces) below; an edit here changes both.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}
122
common cap2
{
	# Continues "common cap": CAP_* values 32 and up, in kernel header
	# order. Inherited by both capability2 and cap2_userns below. The two
	# "unused" entries are placeholders and must stay so that syslog and
	# the entries after it keep their positions.
	mac_override	# unused by SELinux
	mac_admin	# unused by SELinux
	syslog
	wake_alarm
	block_suspend
	audit_read
}
132
133#
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500134# Define the access vectors.
135#
136# class class_name [ inherits common_name ] { permission_name ... }
137
138
139#
140# Define the access vector interpretation for file-related objects.
141#
142
class filesystem
{
	# A mounted filesystem. relabelfrom/relabelto are the two halves of a
	# filesystem relabel, as for files. NOTE(review): associate presumably
	# governs which file labels may live on this filesystem; confirm.
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
}
155
class dir
inherits file
{
	# Directory: all of "common file" plus directory-only operations.
	# NOTE(review): search is the per-component check on path lookup and
	# add_name/remove_name are checked on the parent when an entry is
	# created or removed; confirm against the kernel hooks.
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod		# present on every file-like class so the sets stay parallel
}
168
class file
inherits file
{
	# Regular file. The five class-specific entries are, in this order,
	# identical to those of chr_file.
	execute_no_trans	# NOTE(review): execute without a domain transition; confirm
	entrypoint		# NOTE(review): file may be the entry point of a domain
				# transition -- one of the most sensitive file permissions
	execmod
	open
	audit_access
}
178
class lnk_file
inherits file
{
	# Symbolic link. Same three class-specific permissions, same order,
	# as blk_file, sock_file and fifo_file.
	open
	audit_access
	execmod
}
186
class chr_file
inherits file
{
	# Character device node. Same five class-specific permissions, same
	# order, as class file (so executing a device node is policed the
	# same way as executing a regular file).
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}
196
class blk_file
inherits file
{
	# Block device node. Same additions, same order, as lnk_file,
	# sock_file and fifo_file.
	open
	audit_access
	execmod
}
204
class sock_file
inherits file
{
	# Unix-domain socket inode in the filesystem. Same additions, same
	# order, as lnk_file, blk_file and fifo_file.
	open
	audit_access
	execmod
}
212
class fifo_file
inherits file
{
	# Named pipe. Same additions, same order, as lnk_file, blk_file and
	# sock_file.
	open
	audit_access
	execmod
}
220
class fd
{
	# Open file descriptor. "use" is the only permission: NOTE(review) it
	# is checked when a descriptor created by one domain is used by
	# another (inherited or passed); confirm.
	use
}
225
226
227#
228# Define the access vector interpretation for network-related objects.
229#
230
# Generic socket class: exactly the permissions of "common socket", no
# additions. Socket families without a class of their own were mapped to
# this class before the extended_socket_class classes were introduced
# (see the comment preceding ax25_socket below).
class socket
inherits socket
233
class tcp_socket
inherits socket
{
	# NOTE(review): node_bind is checked against the address (node) label
	# on bind(), name_connect against the port label on connect(); confirm.
	# dccp_socket below repeats exactly this pair.
	node_bind
	name_connect
}
240
class udp_socket
inherits socket
{
	# Connectionless: node_bind only, no name_connect (unlike tcp_socket).
	node_bind
}
246
class rawip_socket
inherits socket
{
	# Raw IP sockets. sctp_socket and icmp_socket below were split out of
	# this class and keep the same definition.
	node_bind
}
252
class node
{
	# Network address (node) label; the target of tcp/udp/rawip node_bind
	# and of per-packet send/receive checks.
	recvfrom
	sendto
}
258
class netif
{
	# Network interface label; direction-specific traffic permissions.
	ingress
	egress
}
264
# Generic netlink, packet and key sockets carry only the "common socket"
# permissions. Protocol-specific netlink families with their own nlmsg_*
# permissions are declared further below.
class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket
273
class unix_stream_socket
inherits socket
{
	# NOTE(review): connectto is checked against the listening socket's
	# label (the peer), unlike connect in common socket which is checked
	# on the caller's own socket; confirm.
	connectto
}
279
# Unix datagram socket: "common socket" only, no connectto counterpart.
class unix_dgram_socket
inherits socket
282
283#
284# Define the access vector interpretation for process-related objects
285#
286
class process
{
	# Task (subject) object. Append-only: getrlimit is the most recently
	# added permission and sits last for that reason.
	fork
	transition		# NOTE(review): domain change on exec; pairs with file entrypoint
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace			# NOTE(review): debugger/introspection access -- grant narrowly
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec			# NOTE(review): setexec/setfscreate/setkeycreate/setsockcreate
	setfscreate		# cover a task setting its own *create/exec contexts; confirm
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition		# NOTE(review): domain change without exec; weaker than transition
	setcurrent
	execmem			# execmem/execstack/execheap gate writable+executable memory
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit
}
321
322
323#
324# Define the access vector interpretation for ipc-related objects
325#
326
# Generic IPC and semaphore classes: exactly the "common ipc" permissions.
class ipc
inherits ipc

class sem
inherits ipc
332
class msgq
inherits ipc
{
	# Message queue; enqueue is the queue-side check, the per-message
	# checks live in class msg below.
	enqueue
}
338
class msg
{
	# Individual message in a msgq. Deliberately does not inherit
	# "common ipc"; only these two permissions exist.
	send
	receive
}
344
class shm
inherits ipc
{
	# Shared memory segment; lock covers pinning the segment in memory.
	lock
}
350
351
352#
353# Define the access vector interpretation for the security server.
354#
355
class security
{
	# The security server itself. The compute_* and check_context entries
	# are read-only queries. load_policy, setenforce, setbool, setsecparam
	# and setcheckreqprot change the loaded policy or the enforcement
	# state and should be confined to the smallest possible set of
	# domains; read_policy discloses the full policy.
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}
371
372
373#
374# Define the access vector interpretation for system operations.
375#
376
class system
{
	# Kernel-wide operations not tied to another object. module_load is
	# the most recently appended entry (kernel module loading) and is
	# distinct from module_request (kernel-initiated autoload).
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
}
386
387#
Stephen Smalley8a003602016-04-27 09:42:57 -0400388# Define the access vector interpretation for controlling capabilities
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500389#
390
# Capability classes: capability carries CAP_* 0..31 ("common cap") and
# capability2 the rest ("common cap2"). cap_userns/cap2_userns below share
# the same two commons for user namespaces.
class capability
inherits cap

class capability2
inherits cap2
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500396
397#
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500398# Extended Netlink classes
399#
class netlink_route_socket
inherits socket
{
	# Routing netlink. nlmsg_read/nlmsg_write split the family's message
	# types into query and modify sets (NOTE(review): the mapping of
	# message types to read vs. write lives in the kernel; confirm).
	nlmsg_read
	nlmsg_write
}
406
class netlink_tcpdiag_socket
inherits socket
{
	# Socket diagnostics (inet_diag) netlink; same nlmsg_read/nlmsg_write
	# pair as netlink_route_socket.
	nlmsg_read
	nlmsg_write
}
413
# Netfilter log netlink: "common socket" only, no nlmsg_* split.
class netlink_nflog_socket
inherits socket
416
class netlink_xfrm_socket
inherits socket
{
	# IPsec (xfrm) configuration netlink; nlmsg_write here is the
	# ability to change security associations and policies.
	nlmsg_read
	nlmsg_write
}
423
# SELinux notification netlink (enforcing/policyload events): "common
# socket" only.
class netlink_selinux_socket
inherits socket
426
class netlink_audit_socket
inherits socket
{
	# Audit netlink. Beyond the read/write split it distinguishes relaying
	# user messages, privileged reads and tty auditing; nlmsg_write and
	# nlmsg_readpriv are the sensitive ones (audit configuration and log
	# access). Append-only, as everywhere.
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}
436
# DECnet routing netlink: "common socket" only.
class netlink_dnrt_socket
inherits socket
439
440# Define the access vector interpretation for controlling
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500441# access to IPSec network data by association
442#
class association
{
	# IPsec security association. setcontext and polmatch are checked when
	# an association/policy is created or matched (NOTE(review): confirm
	# against the xfrm hooks); sendto/recvfrom are the per-packet checks.
	sendto
	recvfrom
	setcontext
	polmatch
}
450
451# Updated Netlink class for KOBJECT_UEVENT family.
# Both carry only the "common socket" permissions.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket
457
class packet
{
	# Labeled network packet (secmark). flow_in/flow_out are deprecated but
	# must remain as placeholders: removing them would renumber forward_in
	# and forward_out in every compiled policy.
	send
	recv
	relabelto
	flow_in # deprecated
	flow_out # deprecated
	forward_in
	forward_out
}
468
class key
{
	# Kernel keyring key. NOTE(review): view/read/write/search/link/setattr
	# presumably mirror the keyring permission bits; confirm.
	view
	read
	write
	search
	link
	setattr
	create
}
479
class dccp_socket
inherits socket
{
	# Same class-specific pair, same order, as tcp_socket.
	node_bind
	name_connect
}
486
class memprotect
{
	# NOTE(review): mmap_zero is the check for mapping the lowest pages of
	# the address space; denying it is the usual mitigation for
	# NULL-dereference exploitation. Confirm against the mmap hook.
	mmap_zero
}
491
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500492# network peer labels
class peer
{
	# Network peer label (labeled networking); recv is the only check.
	recv
}
497
class kernel_service
{
	# In-kernel services acting on behalf of a task. NOTE(review): both
	# permissions let the kernel act with a different subjective
	# credential/label; confirm which callers exercise them.
	use_as_override
	create_files_as
}
503
class tun_socket
inherits socket
{
	# TUN/TAP device socket; attach_queue (appended later) covers
	# attaching an additional queue to an existing device.
	attach_queue
}
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500509
class binder
{
	# Android Binder IPC (userspace object manager is the kernel driver).
	# set_context_mgr lets a domain register as the Binder context manager
	# and should be granted to a single domain; impersonate and transfer
	# are the sensitive peer-to-peer checks (NOTE(review): confirm exact
	# semantics against the binder driver).
	impersonate
	call
	set_context_mgr
	transfer
}
517
# Per-family netlink classes added together; each carries only the
# "common socket" permissions (no nlmsg_read/nlmsg_write split). Their
# order here is significant and new families are appended after them.
class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket
541
Stephen Smalley8a003602016-04-27 09:42:57 -0400542#
543# Define the access vector interpretation for controlling capabilities
544# in user namespaces
545#
546
# Capabilities exercised inside a non-initial user namespace. They reuse
# "common cap" / "common cap2" unchanged, so the positional CAP_* mapping
# (and its append-only constraint) applies here exactly as for
# capability/capability2.
class cap_userns
inherits cap

class cap2_userns
inherits cap2
552
Stephen Smalley431bdd92016-12-08 13:35:27 -0500553
554#
555# Define the access vector interpretation for the new socket classes
556# enabled by the extended_socket_class policy capability.
557#
558
559#
560# The next two classes were previously mapped to rawip_socket and therefore
561# have the same definition as rawip_socket (until further permissions
562# are defined).
563#
class sctp_socket
inherits socket
{
	# Split out of rawip_socket; definition kept identical to it.
	node_bind
}
569
class icmp_socket
inherits socket
{
	# Split out of rawip_socket; definition kept identical to it.
	node_bind
}
575
576#
577# The remaining network socket classes were previously
578# mapped to the socket class and therefore have the
579# same definition as socket.
580#
581
# One class per address family, each carrying only the "common socket"
# permissions (previously all of these mapped to the generic socket
# class). The order is significant; smc_socket is the most recently
# appended entry, and any new family must be added after it.
class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

class smc_socket
inherits socket
662
class property_service
{
	# Android userspace object manager: the init property service checks
	# "set" against the property's label before accepting a write.
	set
}
Riley Spahnf90c41f2014-06-05 15:52:02 -0700667
class service_manager
{
	# Android userspace object manager: servicemanager checks these on the
	# service's label. "add" (registering a service name) is the sensitive
	# one; find was appended after add, list after that.
	add
	find
	list
}
Riley Spahn1196d2a2014-06-17 14:58:52 -0700674
class keystore_key
{
	# Android userspace object manager: keystore checks one permission per
	# Binder method on the caller's label. Entries were inserted in
	# several passes (get_state, list, is_empty, add_auth, user_changed
	# were later additions), so this list is NOT purely chronological;
	# from here on, append only.
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
}
Stephen Smalleyba992492014-07-24 15:25:43 -0400696
# Android DRM service userspace object manager. The camelCase permission
# names break the snake_case convention used everywhere else in this
# file; they are kept because renaming would break every existing rule
# that references them.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}
706}