#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

#
# Permissions shared by every file-like class declared later in this file
# (dir, file, lnk_file, chr_file, blk_file, sock_file and fifo_file all
# "inherit file").
# NOTE(review): the kernel matches these by position as well as by name,
# so keep the order unchanged when editing — confirm against the kernel
# classmap before adding or moving an entry.
#
common file
{
 ioctl
 read
 write
 create
 getattr
 setattr
 lock
 relabelfrom
 relabelto
 append
 unlink
 link
 rename
 execute
 swapon
 quotaon
 mounton
}


#
# Define a common prefix for socket access vectors.
#

#
# Permissions shared by every *_socket class declared later in this file.
# The first ten names repeat the leading entries of "common file" (marked
# inline below); the remainder are socket-specific.
#
common socket
{
# inherited from file
 ioctl
 read
 write
 create
 getattr
 setattr
 lock
 relabelfrom
 relabelto
 append
# socket-specific
 bind
 connect
 listen
 accept
 getopt
 setopt
 shutdown
 recvfrom
 sendto
 recv_msg
 send_msg
 name_bind
}

#
# Define a common prefix for ipc access vectors.
#

#
# Permissions shared by the ipc, sem, msgq and shm classes, which all
# "inherit ipc". Note that read/write here come after create/destroy/
# getattr/setattr, unlike the "common file" ordering.
#
common ipc
{
 create
 destroy
 getattr
 setattr
 read
 write
 associate
 unix_read
 unix_write
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

# Filesystem objects. Standalone class: it does not inherit a common set,
# so every permission it carries is listed here.
class filesystem
{
 mount
 remount
 unmount
 getattr
 relabelfrom
 relabelto
 transition
 associate
 quotamod
 quotaget
}
105
# Directory objects: every "common file" permission plus the
# directory-specific ones below.
class dir
inherits file
{
 add_name
 remove_name
 reparent
 search
 rmdir
 open
 audit_access
 execmod
}
118
# Regular files: every "common file" permission plus the five below.
# NOTE(review): execute_no_trans and entrypoint govern how a domain may
# execute this file (standard SELinux meaning — confirm against policy docs).
class file
inherits file
{
 execute_no_trans
 entrypoint
 execmod
 open
 audit_access
}
128
# Symbolic links: "common file" plus the three permissions below.
class lnk_file
inherits file
{
 open
 audit_access
 execmod
}
136
# Character device files: "common file" plus the same five additions as
# the regular-file class above (listed in a different order).
class chr_file
inherits file
{
 execute_no_trans
 entrypoint
 execmod
 open
 audit_access
}
146
# Block device files: "common file" plus the three permissions below.
class blk_file
inherits file
{
 open
 audit_access
 execmod
}
154
# Socket files (filesystem nodes, not the socket objects themselves):
# "common file" plus the three permissions below.
class sock_file
inherits file
{
 open
 audit_access
 execmod
}
162
# Named pipes: "common file" plus the three permissions below.
class fifo_file
inherits file
{
 open
 audit_access
 execmod
}
170
# File descriptors. Standalone class with a single permission.
class fd
{
 use
}


#
# Define the access vector interpretation for network-related objects.
#

# Generic socket class: exactly the "common socket" set, no class-specific
# additions (hence no brace block).
class socket
inherits socket
183
# TCP sockets: "common socket" plus the connection/binding permissions
# below. The first three names are shared with unix_stream_socket, the
# last two with dccp_socket.
class tcp_socket
inherits socket
{
 connectto
 newconn
 acceptfrom
 node_bind
 name_connect
}
193
# UDP sockets: "common socket" plus node_bind.
class udp_socket
inherits socket
{
 node_bind
}
199
# Raw IP sockets: "common socket" plus node_bind.
class rawip_socket
inherits socket
{
 node_bind
}
205
# Network node objects. Standalone class; carries per-protocol send/recv
# permissions (tcp, udp, rawip, dccp) plus the generic recvfrom/sendto pair.
class node
{
 tcp_recv
 tcp_send
 udp_recv
 udp_send
 rawip_recv
 rawip_send
 enforce_dest
 dccp_recv
 dccp_send
 recvfrom
 sendto
}
220
# Network interface objects. Standalone class; same per-protocol send/recv
# permissions as node, plus ingress/egress.
class netif
{
 tcp_recv
 tcp_send
 udp_recv
 udp_send
 rawip_recv
 rawip_send
 dccp_recv
 dccp_send
 ingress
 egress
}
234
# Generic netlink socket: "common socket" only. Family-specific netlink
# classes (netlink_*_socket) are declared further down.
class netlink_socket
inherits socket
237
# Packet sockets: "common socket" only.
class packet_socket
inherits socket
240
# Key sockets: "common socket" only (distinct from the "key" class below).
class key_socket
inherits socket
243
# Unix stream sockets: "common socket" plus the three connection
# permissions also carried by tcp_socket.
class unix_stream_socket
inherits socket
{
 connectto
 newconn
 acceptfrom
}
251
# Unix datagram sockets: "common socket" only.
class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#

# Process objects. Standalone class. The signal permissions are annotated
# inline; the rest cover scheduling, session/group ids, capabilities,
# transitions and the per-process security attributes.
# NOTE(review): ptrace, execmem, execstack and execheap are the entries a
# hardening review usually looks at first (standard SELinux meaning —
# confirm against policy docs before relying on this comment).
class process
{
 fork
 transition
 sigchld # commonly granted from child to parent
 sigkill # cannot be caught or ignored
 sigstop # cannot be caught or ignored
 signull # for kill(pid, 0)
 signal # all other signals
 ptrace
 getsched
 setsched
 getsession
 getpgid
 setpgid
 getcap
 setcap
 share
 getattr
 setexec
 setfscreate
 noatsecure
 siginh
 setrlimit
 rlimitinh
 dyntransition
 setcurrent
 execmem
 execstack
 execheap
 setkeycreate
 setsockcreate
}


#
# Define the access vector interpretation for ipc-related objects
#

# Generic ipc class: exactly the "common ipc" set.
class ipc
inherits ipc
300
# Semaphores: "common ipc" only.
class sem
inherits ipc
303
# Message queues: "common ipc" plus enqueue.
class msgq
inherits ipc
{
 enqueue
}
309
# Individual messages. Standalone class (does not inherit "common ipc").
class msg
{
 send
 receive
}
315
# Shared memory segments: "common ipc" plus lock.
class shm
inherits ipc
{
 lock
}


#
# Define the access vector interpretation for the security server.
#

# Operations on the security server itself. Standalone class.
# NOTE(review): load_policy, setenforce, setbool, setsecparam and
# setcheckreqprot change the enforcement state of the whole system;
# expect only init-level domains to hold them — confirm against the rules
# that grant them.
class security
{
 compute_av
 compute_create
 compute_member
 check_context
 load_policy
 compute_relabel
 compute_user
 setenforce # was avc_toggle in system class
 setbool
 setsecparam
 setcheckreqprot
 read_policy
}


#
# Define the access vector interpretation for system operations.
#

# System-wide operations. Standalone class. module_load was added later
# than the rest of the class (2016, per blame); keep it last so existing
# positions are preserved.
class system
{
 ipc_info
 syslog_read
 syslog_mod
 syslog_console
 module_request
 module_load
}

#
# Define the access vector interpretation for controlling capabilities
#

# Linux capabilities 0..31, one permission per CAP_* in kernel order (see
# the note inside: the order is significant and must match the kernel's
# capability.h). Capabilities 32 and above live in capability2.
class capability
{
 # The capabilities are defined in include/linux/capability.h
 # Capabilities >= 32 are defined in the capability2 class.
 # Care should be taken to ensure that these are consistent with
 # those definitions. (Order matters)

 chown
 dac_override
 dac_read_search
 fowner
 fsetid
 kill
 setgid
 setuid
 setpcap
 linux_immutable
 net_bind_service
 net_broadcast
 net_admin
 net_raw
 ipc_lock
 ipc_owner
 sys_module
 sys_rawio
 sys_chroot
 sys_ptrace
 sys_pacct
 sys_admin
 sys_boot
 sys_nice
 sys_resource
 sys_time
 sys_tty_config
 mknod
 lease
 audit_write
 audit_control
 setfcap
}
402
# Capabilities numbered 32 and above (continuation of "capability"; the
# same ordering caveat applies — append only, never reorder). wake_alarm
# and block_suspend (2012) and audit_read (2015) were appended after the
# original three, per blame.
class capability2
{
 mac_override # unused by SELinux
 mac_admin # unused by SELinux
 syslog
 wake_alarm
 block_suspend
 audit_read
}

#
# Extended Netlink classes
#
# Netlink route sockets: "common socket" plus nlmsg_read/nlmsg_write.
class netlink_route_socket
inherits socket
{
 nlmsg_read
 nlmsg_write
}
422
# Netlink firewall sockets: "common socket" plus nlmsg_read/nlmsg_write.
class netlink_firewall_socket
inherits socket
{
 nlmsg_read
 nlmsg_write
}
429
# Netlink tcpdiag sockets: "common socket" plus nlmsg_read/nlmsg_write.
class netlink_tcpdiag_socket
inherits socket
{
 nlmsg_read
 nlmsg_write
}
436
# Netlink nflog sockets: "common socket" only.
class netlink_nflog_socket
inherits socket
439
# Netlink xfrm sockets: "common socket" plus nlmsg_read/nlmsg_write.
class netlink_xfrm_socket
inherits socket
{
 nlmsg_read
 nlmsg_write
}
446
# Netlink selinux sockets: "common socket" only.
class netlink_selinux_socket
inherits socket
449
# Netlink audit sockets: "common socket" plus the usual nlmsg_read/
# nlmsg_write and three audit-only permissions (nlmsg_relay,
# nlmsg_readpriv, nlmsg_tty_audit).
class netlink_audit_socket
inherits socket
{
 nlmsg_read
 nlmsg_write
 nlmsg_relay
 nlmsg_readpriv
 nlmsg_tty_audit
}
459
# Netlink ip6fw sockets: "common socket" plus nlmsg_read/nlmsg_write.
class netlink_ip6fw_socket
inherits socket
{
 nlmsg_read
 nlmsg_write
}
466
# Netlink dnrt sockets: "common socket" only.
class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
# IPsec security associations. Standalone class.
class association
{
 sendto
 recvfrom
 setcontext
 polmatch
}
480
# Updated Netlink class for KOBJECT_UEVENT family.
# "common socket" only.
class netlink_kobject_uevent_socket
inherits socket
484
# AppleTalk sockets: "common socket" only.
class appletalk_socket
inherits socket
487
# Network packet objects. Standalone class. flow_in/flow_out are kept
# only to preserve positions (marked deprecated inline); forward_in/
# forward_out are the current pair.
class packet
{
 send
 recv
 relabelto
 flow_in # deprecated
 flow_out # deprecated
 forward_in
 forward_out
}
498
# Key objects (distinct from key_socket above). Standalone class.
class key
{
 view
 read
 write
 search
 link
 setattr
 create
}
509
# DCCP sockets: "common socket" plus node_bind and name_connect (the same
# pair tcp_socket carries).
class dccp_socket
inherits socket
{
 node_bind
 name_connect
}
516
# Memory-protection checks. Standalone class with a single permission.
class memprotect
{
 mmap_zero
}
521
# network peer labels
# Standalone class with a single permission.
class peer
{
 recv
}
527
# In-kernel services acting on behalf of another context. Standalone
# class with two permissions.
class kernel_service
{
 use_as_override
 create_files_as
}
533
# TUN/TAP sockets: "common socket" plus attach_queue (the brace block was
# added in 2014, per blame; before that the class was inherit-only).
class tun_socket
inherits socket
{
 attach_queue
}
# Binder IPC objects (Android-specific). Standalone class.
# NOTE(review): set_context_mgr is presumably the privileged operation
# here (registering the context manager) — confirm against the binder
# driver before treating the other three as equivalent.
class binder
{
 impersonate
 call
 set_context_mgr
 transfer
}
547
# Netlink iscsi sockets: "common socket" only. This and the next seven
# netlink families were added together (2015, per blame).
class netlink_iscsi_socket
inherits socket
550
# Netlink fib_lookup sockets: "common socket" only.
class netlink_fib_lookup_socket
inherits socket
553
# Netlink connector sockets: "common socket" only.
class netlink_connector_socket
inherits socket
556
# Netlink netfilter sockets: "common socket" only.
class netlink_netfilter_socket
inherits socket
559
# Netlink generic sockets: "common socket" only.
class netlink_generic_socket
inherits socket
562
# Netlink scsitransport sockets: "common socket" only.
class netlink_scsitransport_socket
inherits socket
565
# Netlink rdma sockets: "common socket" only.
class netlink_rdma_socket
inherits socket
568
# Netlink crypto sockets: "common socket" only.
class netlink_crypto_socket
inherits socket
571
# Property service (Android-specific). Standalone class with a single
# permission. NOTE(review): presumably enforced by the userspace property
# service rather than the kernel — confirm before assuming kernel checks.
class property_service
{
 set
}
# Service manager (Android-specific). Standalone class; find was inserted
# between add and list after the class was first defined (2014, per blame).
class service_manager
{
 add
 find
 list
}
# Keystore key operations (Android-specific). Standalone class; several
# entries (get_state, list, is_empty, add_auth, user_changed) were added in
# 2015 after the original set, per blame.
# NOTE(review): presumably enforced by the keystore daemon rather than the
# kernel — confirm against the daemon's access checks.
class keystore_key
{
 get_state
 get
 insert
 delete
 exist
 list
 reset
 password
 lock
 unlock
 is_empty
 sign
 verify
 grant
 duplicate
 clear_uid
 add_auth
 user_changed
}
# debuggerd operations (Android-specific). Standalone class with two
# dump permissions.
class debuggerd
{
 dump_tombstone
 dump_backtrace
}
# DRM service operations (Android-specific). Standalone class.
# NOTE(review): this class departs from the rest of the file in two ways —
# the opening brace sits on the class line, and the permission names are
# camelCase rather than lower_snake_case. The names are referenced by
# policy rules elsewhere, so they cannot be renamed without updating every
# rule that grants them; the brace placement is cosmetic.
class drmservice {
 consumeRights
 setPlaybackStatus
 openDecryptSession
 closeDecryptSession
 initializeDecryptUnit
 decrypt
 finalizeDecryptUnit
 pread
}
621}