Blame - private/access_vectors - android_system_sepolicy

blob: 6edcd1f57f29cf12c1db9ded79f77fd5c6401067 [file] [log] [blame]

Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	1	#
				2	# Define common prefixes for access vectors
				3	#
				4	# common common_name { permission_name ... }
				5
				6
				7	#
				8	# Define a common prefix for file access vectors.
				9	#
				10
				11	common file
				12	{
				13	ioctl
				14	read
				15	write
				16	create
				17	getattr
				18	setattr
				19	lock
				20	relabelfrom
				21	relabelto
				22	append
Stephen Smalley	4397f08	2017-07-10 09:32:10 -0400	[diff] [blame]	23	map
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	24	unlink
				25	link
				26	rename
				27	execute
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	28	quotaon
				29	mounton
Stephen Smalley	cd62a4a	2020-01-14 14:27:45 -0500	[diff] [blame]	30	audit_access
				31	open
				32	execmod
				33	watch
				34	watch_mount
				35	watch_sb
				36	watch_with_perm
				37	watch_reads
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	38	}
				39
				40
				41	#
				42	# Define a common prefix for socket access vectors.
				43	#
				44
				45	common socket
				46	{
				47	# inherited from file
				48	ioctl
				49	read
				50	write
				51	create
				52	getattr
				53	setattr
				54	lock
				55	relabelfrom
				56	relabelto
				57	append
Stephen Smalley	4397f08	2017-07-10 09:32:10 -0400	[diff] [blame]	58	map
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	59	# socket-specific
				60	bind
				61	connect
				62	listen
				63	accept
				64	getopt
				65	setopt
				66	shutdown
				67	recvfrom
				68	sendto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	69	name_bind
				70	}
				71
				72	#
				73	# Define a common prefix for ipc access vectors.
				74	#
				75
				76	common ipc
				77	{
				78	create
				79	destroy
				80	getattr
				81	setattr
				82	read
				83	write
				84	associate
				85	unix_read
				86	unix_write
				87	}
				88
				89	#
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	90	# Define a common for capability access vectors.
				91	#
				92	common cap
				93	{
				94	# The capabilities are defined in include/linux/capability.h
				95	# Capabilities >= 32 are defined in the cap2 common.
				96	# Care should be taken to ensure that these are consistent with
				97	# those definitions. (Order matters)
				98
				99	chown
				100	dac_override
				101	dac_read_search
				102	fowner
				103	fsetid
				104	kill
				105	setgid
				106	setuid
				107	setpcap
				108	linux_immutable
				109	net_bind_service
				110	net_broadcast
				111	net_admin
				112	net_raw
				113	ipc_lock
				114	ipc_owner
				115	sys_module
				116	sys_rawio
				117	sys_chroot
				118	sys_ptrace
				119	sys_pacct
				120	sys_admin
				121	sys_boot
				122	sys_nice
				123	sys_resource
				124	sys_time
				125	sys_tty_config
				126	mknod
				127	lease
				128	audit_write
				129	audit_control
				130	setfcap
				131	}
				132
				133	common cap2
				134	{
				135	mac_override # unused by SELinux
Stephen Smalley	8715460	2020-01-16 10:29:15 -0500	[diff] [blame]	136	mac_admin
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	137	syslog
				138	wake_alarm
				139	block_suspend
				140	audit_read
Alistair Delva	178f0ac	2020-06-05 10:15:30 -0700	[diff] [blame]	141	perfmon
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	142	}
				143
				144	#
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	145	# Define the access vectors.
				146	#
				147	# class class_name [ inherits common_name ] { permission_name ... }
				148
				149
				150	#
				151	# Define the access vector interpretation for file-related objects.
				152	#
				153
				154	class filesystem
				155	{
				156	mount
				157	remount
				158	unmount
				159	getattr
				160	relabelfrom
				161	relabelto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	162	associate
				163	quotamod
				164	quotaget
Nick Kralevich	dddbaaf	2019-08-27 15:29:02 -0700	[diff] [blame]	165	watch
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	166	}
				167
				168	class dir
				169	inherits file
				170	{
				171	add_name
				172	remove_name
				173	reparent
				174	search
				175	rmdir
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	176	}
				177
				178	class file
				179	inherits file
				180	{
				181	execute_no_trans
				182	entrypoint
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	183	}
				184
Lokesh Gidra	06edcd8	2021-03-11 11:32:47 -0800	[diff] [blame]	185	class anon_inode
				186	inherits file
				187
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	188	class lnk_file
				189	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	190
				191	class chr_file
				192	inherits file
				193	{
				194	execute_no_trans
				195	entrypoint
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	196	}
				197
				198	class blk_file
				199	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	200
				201	class sock_file
				202	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	203
				204	class fifo_file
				205	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	206
				207	class fd
				208	{
				209	use
				210	}
				211
				212
				213	#
				214	# Define the access vector interpretation for network-related objects.
				215	#
				216
				217	class socket
				218	inherits socket
				219
				220	class tcp_socket
				221	inherits socket
				222	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	223	node_bind
				224	name_connect
				225	}
				226
				227	class udp_socket
				228	inherits socket
				229	{
				230	node_bind
				231	}
				232
				233	class rawip_socket
				234	inherits socket
				235	{
				236	node_bind
				237	}
				238
				239	class node
				240	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	241	recvfrom
				242	sendto
				243	}
				244
				245	class netif
				246	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	247	ingress
				248	egress
				249	}
				250
				251	class netlink_socket
				252	inherits socket
				253
				254	class packet_socket
				255	inherits socket
				256
				257	class key_socket
				258	inherits socket
				259
				260	class unix_stream_socket
				261	inherits socket
				262	{
				263	connectto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	264	}
				265
				266	class unix_dgram_socket
				267	inherits socket
				268
				269	#
				270	# Define the access vector interpretation for process-related objects
				271	#
				272
				273	class process
				274	{
				275	fork
				276	transition
				277	sigchld # commonly granted from child to parent
				278	sigkill # cannot be caught or ignored
				279	sigstop # cannot be caught or ignored
				280	signull # for kill(pid, 0)
				281	signal # all other signals
				282	ptrace
				283	getsched
				284	setsched
				285	getsession
				286	getpgid
				287	setpgid
				288	getcap
				289	setcap
				290	share
				291	getattr
				292	setexec
				293	setfscreate
				294	noatsecure
				295	siginh
				296	setrlimit
				297	rlimitinh
				298	dyntransition
				299	setcurrent
				300	execmem
				301	execstack
				302	execheap
				303	setkeycreate
				304	setsockcreate
Stephen Smalley	91a3eea	2017-05-17 12:12:12 -0400	[diff] [blame]	305	getrlimit
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	306	}
				307
Nick Kralevich	1b1d133	2018-09-07 10:48:55 -0700	[diff] [blame]	308	class process2
				309	{
				310	nnp_transition
				311	nosuid_transition
				312	}
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	313
				314	#
				315	# Define the access vector interpretation for ipc-related objects
				316	#
				317
				318	class ipc
				319	inherits ipc
				320
				321	class sem
				322	inherits ipc
				323
				324	class msgq
				325	inherits ipc
				326	{
				327	enqueue
				328	}
				329
				330	class msg
				331	{
				332	send
				333	receive
				334	}
				335
				336	class shm
				337	inherits ipc
				338	{
				339	lock
				340	}
				341
				342
				343	#
				344	# Define the access vector interpretation for the security server.
				345	#
				346
				347	class security
				348	{
				349	compute_av
				350	compute_create
				351	compute_member
				352	check_context
				353	load_policy
				354	compute_relabel
				355	compute_user
				356	setenforce # was avc_toggle in system class
				357	setbool
				358	setsecparam
				359	setcheckreqprot
				360	read_policy
Stephen Smalley	5099231	2017-07-10 14:45:15 -0400	[diff] [blame]	361	validate_trans
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	362	}
				363
				364
				365	#
				366	# Define the access vector interpretation for system operations.
				367	#
				368
				369	class system
				370	{
				371	ipc_info
				372	syslog_read
				373	syslog_mod
				374	syslog_console
				375	module_request
Jeff Vander Stoep	a16b058	2016-04-07 11:06:05 -0700	[diff] [blame]	376	module_load
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	377	}
				378
				379	#
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	380	# Define the access vector interpretation for controlling capabilities
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	381	#
				382
				383	class capability
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	384	inherits cap
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	385
				386	class capability2
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	387	inherits cap2
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	388
				389	#
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	390	# Extended Netlink classes
				391	#
				392	class netlink_route_socket
				393	inherits socket
				394	{
				395	nlmsg_read
				396	nlmsg_write
Jeff Vander Stoep	fb69c8e	2019-10-16 15:19:40 +0200	[diff] [blame]	397	nlmsg_readpriv
Bram Bonné	ea5460a	2021-05-12 14:19:24 +0200	[diff] [blame]	398	nlmsg_getneigh
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	399	}
				400
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	401	class netlink_tcpdiag_socket
				402	inherits socket
				403	{
				404	nlmsg_read
				405	nlmsg_write
				406	}
				407
				408	class netlink_nflog_socket
				409	inherits socket
				410
				411	class netlink_xfrm_socket
				412	inherits socket
				413	{
				414	nlmsg_read
				415	nlmsg_write
				416	}
				417
				418	class netlink_selinux_socket
				419	inherits socket
				420
				421	class netlink_audit_socket
				422	inherits socket
				423	{
				424	nlmsg_read
				425	nlmsg_write
				426	nlmsg_relay
				427	nlmsg_readpriv
				428	nlmsg_tty_audit
				429	}
				430
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	431	class netlink_dnrt_socket
				432	inherits socket
				433
				434	# Define the access vector interpretation for controlling
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	435	# access to IPSec network data by association
				436	#
				437	class association
				438	{
				439	sendto
				440	recvfrom
				441	setcontext
				442	polmatch
				443	}
				444
				445	# Updated Netlink class for KOBJECT_UEVENT family.
				446	class netlink_kobject_uevent_socket
				447	inherits socket
				448
				449	class appletalk_socket
				450	inherits socket
				451
				452	class packet
				453	{
				454	send
				455	recv
				456	relabelto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	457	forward_in
				458	forward_out
				459	}
				460
				461	class key
				462	{
				463	view
				464	read
				465	write
				466	search
				467	link
				468	setattr
				469	create
				470	}
				471
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	472	class dccp_socket
				473	inherits socket
				474	{
				475	node_bind
				476	name_connect
				477	}
				478
				479	class memprotect
				480	{
				481	mmap_zero
				482	}
				483
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	484	# network peer labels
				485	class peer
				486	{
				487	recv
				488	}
				489
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	490	class kernel_service
				491	{
				492	use_as_override
				493	create_files_as
				494	}
				495
				496	class tun_socket
				497	inherits socket
Nick Kralevich	d7af45d	2014-06-06 16:51:11 -0700	[diff] [blame]	498	{
				499	attach_queue
				500	}
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	501
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	502	class binder
				503	{
				504	impersonate
				505	call
				506	set_context_mgr
				507	transfer
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	508	}
				509
Stephen Smalley	01d95c2	2015-05-21 16:17:26 -0400	[diff] [blame]	510	class netlink_iscsi_socket
				511	inherits socket
				512
				513	class netlink_fib_lookup_socket
				514	inherits socket
				515
				516	class netlink_connector_socket
				517	inherits socket
				518
				519	class netlink_netfilter_socket
				520	inherits socket
				521
				522	class netlink_generic_socket
				523	inherits socket
				524
				525	class netlink_scsitransport_socket
				526	inherits socket
				527
				528	class netlink_rdma_socket
				529	inherits socket
				530
				531	class netlink_crypto_socket
				532	inherits socket
				533
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	534	class infiniband_pkey
				535	{
				536	access
				537	}
				538
				539	class infiniband_endport
				540	{
				541	manage_subnet
				542	}
				543
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	544	#
				545	# Define the access vector interpretation for controlling capabilities
				546	# in user namespaces
				547	#
				548
				549	class cap_userns
				550	inherits cap
				551
				552	class cap2_userns
				553	inherits cap2
				554
Stephen Smalley	431bdd9	2016-12-08 13:35:27 -0500	[diff] [blame]	555
				556	#
				557	# Define the access vector interpretation for the new socket classes
				558	# enabled by the extended_socket_class policy capability.
				559	#
				560
				561	#
				562	# The next two classes were previously mapped to rawip_socket and therefore
				563	# have the same definition as rawip_socket (until further permissions
				564	# are defined).
				565	#
				566	class sctp_socket
				567	inherits socket
				568	{
				569	node_bind
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	570	name_connect
				571	association
Stephen Smalley	431bdd9	2016-12-08 13:35:27 -0500	[diff] [blame]	572	}
				573
				574	class icmp_socket
				575	inherits socket
				576	{
				577	node_bind
				578	}
				579
				580	#
				581	# The remaining network socket classes were previously
				582	# mapped to the socket class and therefore have the
				583	# same definition as socket.
				584	#
				585
				586	class ax25_socket
				587	inherits socket
				588
				589	class ipx_socket
				590	inherits socket
				591
				592	class netrom_socket
				593	inherits socket
				594
				595	class atmpvc_socket
				596	inherits socket
				597
				598	class x25_socket
				599	inherits socket
				600
				601	class rose_socket
				602	inherits socket
				603
				604	class decnet_socket
				605	inherits socket
				606
				607	class atmsvc_socket
				608	inherits socket
				609
				610	class rds_socket
				611	inherits socket
				612
				613	class irda_socket
				614	inherits socket
				615
				616	class pppox_socket
				617	inherits socket
				618
				619	class llc_socket
				620	inherits socket
				621
				622	class can_socket
				623	inherits socket
				624
				625	class tipc_socket
				626	inherits socket
				627
				628	class bluetooth_socket
				629	inherits socket
				630
				631	class iucv_socket
				632	inherits socket
				633
				634	class rxrpc_socket
				635	inherits socket
				636
				637	class isdn_socket
				638	inherits socket
				639
				640	class phonet_socket
				641	inherits socket
				642
				643	class ieee802154_socket
				644	inherits socket
				645
				646	class caif_socket
				647	inherits socket
				648
				649	class alg_socket
				650	inherits socket
				651
				652	class nfc_socket
				653	inherits socket
				654
				655	class vsock_socket
				656	inherits socket
				657
				658	class kcm_socket
				659	inherits socket
				660
				661	class qipcrtr_socket
				662	inherits socket
				663
Stephen Smalley	2be9799	2017-05-17 12:06:49 -0400	[diff] [blame]	664	class smc_socket
				665	inherits socket
				666
Nick Kralevich	f5a1b1b	2018-10-18 09:08:26 -0700	[diff] [blame]	667	class bpf
				668	{
				669	map_create
				670	map_read
				671	map_write
				672	prog_load
				673	prog_run
				674	}
				675
Stephen Smalley	124720a	2012-04-04 10:11:16 -0400	[diff] [blame]	676	class property_service
				677	{
				678	set
				679	}
Riley Spahn	f90c41f	2014-06-05 15:52:02 -0700	[diff] [blame]	680
				681	class service_manager
				682	{
				683	add
Riley Spahn	b8511e0	2014-07-07 13:56:27 -0700	[diff] [blame]	684	find
				685	list
Riley Spahn	f90c41f	2014-06-05 15:52:02 -0700	[diff] [blame]	686	}
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	687
Martijn Coenen	bc6d88d	2017-04-06 09:24:41 -0700	[diff] [blame]	688	class hwservice_manager
				689	{
				690	add
				691	find
				692	list
				693	}
				694
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	695	class keystore_key
				696	{
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	697	get_state
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	698	get
				699	insert
				700	delete
				701	exist
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	702	list
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	703	reset
				704	password
				705	lock
				706	unlock
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	707	is_empty
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	708	sign
				709	verify
				710	grant
				711	duplicate
				712	clear_uid
Chad Brubaker	8927772	2015-03-31 13:03:06 -0700	[diff] [blame]	713	add_auth
Chad Brubaker	520bb81	2015-05-12 12:33:40 -0700	[diff] [blame]	714	user_changed
Shawn Willden	a0c7f01	2017-04-11 09:41:25 -0600	[diff] [blame]	715	gen_unique_id
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	716	}
Stephen Smalley	ba99249	2014-07-24 15:25:43 -0400	[diff] [blame]	717
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	718	class keystore2
				719	{
				720	add_auth
Hasini Gunasinghe	685ca0c	2021-01-27 01:01:45 +0000	[diff] [blame]	721	change_password
				722	change_user
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	723	clear_ns
Hasini Gunasinghe	685ca0c	2021-01-27 01:01:45 +0000	[diff] [blame]	724	clear_uid
Satya Tangirala	5ef8686	2021-03-11 03:57:03 -0800	[diff] [blame]	725	early_boot_ended
Hasini Gunasinghe	db88d15	2020-12-03 21:40:53 +0000	[diff] [blame]	726	get_auth_token
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	727	get_state
Janis Danisevskis	144c822	2020-09-24 08:55:28 -0700	[diff] [blame]	728	list
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	729	lock
Hasini Gunasinghe	4334d35	2021-06-10 15:05:49 +0000	[diff] [blame]	730	pull_metrics
Janis Danisevskis	7ca6b48	2021-03-23 19:01:06 -0700	[diff] [blame]	731	report_off_body
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	732	reset
				733	unlock
Paul Crowley	bf29c3a	2021-08-06 15:11:53 -0700	[diff] [blame^]	734	delete_all_keys
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	735	}
				736
				737	class keystore2_key
				738	{
Satya Tangirala	0653374	2021-03-08 09:48:42 -0800	[diff] [blame]	739	convert_storage_key_to_ephemeral
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	740	delete
				741	gen_unique_id
				742	get_info
				743	grant
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	744	manage_blob
				745	rebind
				746	req_forced_op
				747	update
				748	use
				749	use_dev_id
				750	}
				751
Riley Spahn	70f75ce	2014-07-02 12:42:59 -0700	[diff] [blame]	752	class drmservice {
				753	consumeRights
				754	setPlaybackStatus
				755	openDecryptSession
				756	closeDecryptSession
				757	initializeDecryptUnit
				758	decrypt
				759	finalizeDecryptUnit
				760	pread
				761	}
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	762
				763	class xdp_socket
				764	inherits socket
Ryan Savitski	80640c5	2020-01-08 17:30:26 +0000	[diff] [blame]	765
				766	class perf_event
				767	{
				768	open
				769	cpu
				770	kernel
				771	tracepoint
				772	read
				773	write
				774	}
Nick Kralevich	e4686b4	2020-02-13 12:57:27 -0800	[diff] [blame]	775
				776	class lockdown
				777	{
				778	integrity
				779	confidentiality
				780	}