Blame - private/access_vectors - android_system_sepolicy

blob: a02a2a80d51b75cefc3a1238fa13135808b04587 [file] [log] [blame]

Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	1	#
				2	# Define common prefixes for access vectors
				3	#
				4	# common common_name { permission_name ... }
				5
				6
				7	#
				8	# Define a common prefix for file access vectors.
				9	#
				10
				11	common file
				12	{
				13	ioctl
				14	read
				15	write
				16	create
				17	getattr
				18	setattr
				19	lock
				20	relabelfrom
				21	relabelto
				22	append
Stephen Smalley	4397f08	2017-07-10 09:32:10 -0400	[diff] [blame]	23	map
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	24	unlink
				25	link
				26	rename
				27	execute
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	28	quotaon
				29	mounton
Stephen Smalley	cd62a4a	2020-01-14 14:27:45 -0500	[diff] [blame]	30	audit_access
				31	open
				32	execmod
				33	watch
				34	watch_mount
				35	watch_sb
				36	watch_with_perm
				37	watch_reads
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	38	}
				39
				40
				41	#
				42	# Define a common prefix for socket access vectors.
				43	#
				44
				45	common socket
				46	{
				47	# inherited from file
				48	ioctl
				49	read
				50	write
				51	create
				52	getattr
				53	setattr
				54	lock
				55	relabelfrom
				56	relabelto
				57	append
Stephen Smalley	4397f08	2017-07-10 09:32:10 -0400	[diff] [blame]	58	map
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	59	# socket-specific
				60	bind
				61	connect
				62	listen
				63	accept
				64	getopt
				65	setopt
				66	shutdown
				67	recvfrom
				68	sendto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	69	name_bind
				70	}
				71
				72	#
				73	# Define a common prefix for ipc access vectors.
				74	#
				75
				76	common ipc
				77	{
				78	create
				79	destroy
				80	getattr
				81	setattr
				82	read
				83	write
				84	associate
				85	unix_read
				86	unix_write
				87	}
				88
				89	#
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	90	# Define a common for capability access vectors.
				91	#
				92	common cap
				93	{
				94	# The capabilities are defined in include/linux/capability.h
				95	# Capabilities >= 32 are defined in the cap2 common.
				96	# Care should be taken to ensure that these are consistent with
				97	# those definitions. (Order matters)
				98
				99	chown
				100	dac_override
				101	dac_read_search
				102	fowner
				103	fsetid
				104	kill
				105	setgid
				106	setuid
				107	setpcap
				108	linux_immutable
				109	net_bind_service
				110	net_broadcast
				111	net_admin
				112	net_raw
				113	ipc_lock
				114	ipc_owner
				115	sys_module
				116	sys_rawio
				117	sys_chroot
				118	sys_ptrace
				119	sys_pacct
				120	sys_admin
				121	sys_boot
				122	sys_nice
				123	sys_resource
				124	sys_time
				125	sys_tty_config
				126	mknod
				127	lease
				128	audit_write
				129	audit_control
				130	setfcap
				131	}
				132
				133	common cap2
				134	{
				135	mac_override # unused by SELinux
Stephen Smalley	8715460	2020-01-16 10:29:15 -0500	[diff] [blame]	136	mac_admin
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	137	syslog
				138	wake_alarm
				139	block_suspend
				140	audit_read
Alistair Delva	178f0ac	2020-06-05 10:15:30 -0700	[diff] [blame]	141	perfmon
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	142	}
				143
				144	#
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	145	# Define the access vectors.
				146	#
				147	# class class_name [ inherits common_name ] { permission_name ... }
				148
				149
				150	#
				151	# Define the access vector interpretation for file-related objects.
				152	#
				153
				154	class filesystem
				155	{
				156	mount
				157	remount
				158	unmount
				159	getattr
				160	relabelfrom
				161	relabelto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	162	associate
				163	quotamod
				164	quotaget
Nick Kralevich	dddbaaf	2019-08-27 15:29:02 -0700	[diff] [blame]	165	watch
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	166	}
				167
				168	class dir
				169	inherits file
				170	{
				171	add_name
				172	remove_name
				173	reparent
				174	search
				175	rmdir
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	176	}
				177
				178	class file
				179	inherits file
				180	{
				181	execute_no_trans
				182	entrypoint
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	183	}
				184
				185	class lnk_file
				186	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	187
				188	class chr_file
				189	inherits file
				190	{
				191	execute_no_trans
				192	entrypoint
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	193	}
				194
				195	class blk_file
				196	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	197
				198	class sock_file
				199	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	200
				201	class fifo_file
				202	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	203
				204	class fd
				205	{
				206	use
				207	}
				208
				209
				210	#
				211	# Define the access vector interpretation for network-related objects.
				212	#
				213
				214	class socket
				215	inherits socket
				216
				217	class tcp_socket
				218	inherits socket
				219	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	220	node_bind
				221	name_connect
				222	}
				223
				224	class udp_socket
				225	inherits socket
				226	{
				227	node_bind
				228	}
				229
				230	class rawip_socket
				231	inherits socket
				232	{
				233	node_bind
				234	}
				235
				236	class node
				237	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	238	recvfrom
				239	sendto
				240	}
				241
				242	class netif
				243	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	244	ingress
				245	egress
				246	}
				247
				248	class netlink_socket
				249	inherits socket
				250
				251	class packet_socket
				252	inherits socket
				253
				254	class key_socket
				255	inherits socket
				256
				257	class unix_stream_socket
				258	inherits socket
				259	{
				260	connectto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	261	}
				262
				263	class unix_dgram_socket
				264	inherits socket
				265
				266	#
				267	# Define the access vector interpretation for process-related objects
				268	#
				269
				270	class process
				271	{
				272	fork
				273	transition
				274	sigchld # commonly granted from child to parent
				275	sigkill # cannot be caught or ignored
				276	sigstop # cannot be caught or ignored
				277	signull # for kill(pid, 0)
				278	signal # all other signals
				279	ptrace
				280	getsched
				281	setsched
				282	getsession
				283	getpgid
				284	setpgid
				285	getcap
				286	setcap
				287	share
				288	getattr
				289	setexec
				290	setfscreate
				291	noatsecure
				292	siginh
				293	setrlimit
				294	rlimitinh
				295	dyntransition
				296	setcurrent
				297	execmem
				298	execstack
				299	execheap
				300	setkeycreate
				301	setsockcreate
Stephen Smalley	91a3eea	2017-05-17 12:12:12 -0400	[diff] [blame]	302	getrlimit
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	303	}
				304
Nick Kralevich	1b1d133	2018-09-07 10:48:55 -0700	[diff] [blame]	305	class process2
				306	{
				307	nnp_transition
				308	nosuid_transition
				309	}
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	310
				311	#
				312	# Define the access vector interpretation for ipc-related objects
				313	#
				314
				315	class ipc
				316	inherits ipc
				317
				318	class sem
				319	inherits ipc
				320
				321	class msgq
				322	inherits ipc
				323	{
				324	enqueue
				325	}
				326
				327	class msg
				328	{
				329	send
				330	receive
				331	}
				332
				333	class shm
				334	inherits ipc
				335	{
				336	lock
				337	}
				338
				339
				340	#
				341	# Define the access vector interpretation for the security server.
				342	#
				343
				344	class security
				345	{
				346	compute_av
				347	compute_create
				348	compute_member
				349	check_context
				350	load_policy
				351	compute_relabel
				352	compute_user
				353	setenforce # was avc_toggle in system class
				354	setbool
				355	setsecparam
				356	setcheckreqprot
				357	read_policy
Stephen Smalley	5099231	2017-07-10 14:45:15 -0400	[diff] [blame]	358	validate_trans
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	359	}
				360
				361
				362	#
				363	# Define the access vector interpretation for system operations.
				364	#
				365
				366	class system
				367	{
				368	ipc_info
				369	syslog_read
				370	syslog_mod
				371	syslog_console
				372	module_request
Jeff Vander Stoep	a16b058	2016-04-07 11:06:05 -0700	[diff] [blame]	373	module_load
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	374	}
				375
				376	#
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	377	# Define the access vector interpretation for controlling capabilities
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	378	#
				379
				380	class capability
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	381	inherits cap
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	382
				383	class capability2
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	384	inherits cap2
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	385
				386	#
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	387	# Extended Netlink classes
				388	#
				389	class netlink_route_socket
				390	inherits socket
				391	{
				392	nlmsg_read
				393	nlmsg_write
Jeff Vander Stoep	fb69c8e	2019-10-16 15:19:40 +0200	[diff] [blame]	394	nlmsg_readpriv
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	395	}
				396
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	397	class netlink_tcpdiag_socket
				398	inherits socket
				399	{
				400	nlmsg_read
				401	nlmsg_write
				402	}
				403
				404	class netlink_nflog_socket
				405	inherits socket
				406
				407	class netlink_xfrm_socket
				408	inherits socket
				409	{
				410	nlmsg_read
				411	nlmsg_write
				412	}
				413
				414	class netlink_selinux_socket
				415	inherits socket
				416
				417	class netlink_audit_socket
				418	inherits socket
				419	{
				420	nlmsg_read
				421	nlmsg_write
				422	nlmsg_relay
				423	nlmsg_readpriv
				424	nlmsg_tty_audit
				425	}
				426
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	427	class netlink_dnrt_socket
				428	inherits socket
				429
				430	# Define the access vector interpretation for controlling
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	431	# access to IPSec network data by association
				432	#
				433	class association
				434	{
				435	sendto
				436	recvfrom
				437	setcontext
				438	polmatch
				439	}
				440
				441	# Updated Netlink class for KOBJECT_UEVENT family.
				442	class netlink_kobject_uevent_socket
				443	inherits socket
				444
				445	class appletalk_socket
				446	inherits socket
				447
				448	class packet
				449	{
				450	send
				451	recv
				452	relabelto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	453	forward_in
				454	forward_out
				455	}
				456
				457	class key
				458	{
				459	view
				460	read
				461	write
				462	search
				463	link
				464	setattr
				465	create
				466	}
				467
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	468	class dccp_socket
				469	inherits socket
				470	{
				471	node_bind
				472	name_connect
				473	}
				474
				475	class memprotect
				476	{
				477	mmap_zero
				478	}
				479
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	480	# network peer labels
				481	class peer
				482	{
				483	recv
				484	}
				485
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	486	class kernel_service
				487	{
				488	use_as_override
				489	create_files_as
				490	}
				491
				492	class tun_socket
				493	inherits socket
Nick Kralevich	d7af45d	2014-06-06 16:51:11 -0700	[diff] [blame]	494	{
				495	attach_queue
				496	}
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	497
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	498	class binder
				499	{
				500	impersonate
				501	call
				502	set_context_mgr
				503	transfer
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	504	}
				505
Stephen Smalley	01d95c2	2015-05-21 16:17:26 -0400	[diff] [blame]	506	class netlink_iscsi_socket
				507	inherits socket
				508
				509	class netlink_fib_lookup_socket
				510	inherits socket
				511
				512	class netlink_connector_socket
				513	inherits socket
				514
				515	class netlink_netfilter_socket
				516	inherits socket
				517
				518	class netlink_generic_socket
				519	inherits socket
				520
				521	class netlink_scsitransport_socket
				522	inherits socket
				523
				524	class netlink_rdma_socket
				525	inherits socket
				526
				527	class netlink_crypto_socket
				528	inherits socket
				529
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	530	class infiniband_pkey
				531	{
				532	access
				533	}
				534
				535	class infiniband_endport
				536	{
				537	manage_subnet
				538	}
				539
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	540	#
				541	# Define the access vector interpretation for controlling capabilities
				542	# in user namespaces
				543	#
				544
				545	class cap_userns
				546	inherits cap
				547
				548	class cap2_userns
				549	inherits cap2
				550
Stephen Smalley	431bdd9	2016-12-08 13:35:27 -0500	[diff] [blame]	551
				552	#
				553	# Define the access vector interpretation for the new socket classes
				554	# enabled by the extended_socket_class policy capability.
				555	#
				556
				557	#
				558	# The next two classes were previously mapped to rawip_socket and therefore
				559	# have the same definition as rawip_socket (until further permissions
				560	# are defined).
				561	#
				562	class sctp_socket
				563	inherits socket
				564	{
				565	node_bind
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	566	name_connect
				567	association
Stephen Smalley	431bdd9	2016-12-08 13:35:27 -0500	[diff] [blame]	568	}
				569
				570	class icmp_socket
				571	inherits socket
				572	{
				573	node_bind
				574	}
				575
				576	#
				577	# The remaining network socket classes were previously
				578	# mapped to the socket class and therefore have the
				579	# same definition as socket.
				580	#
				581
				582	class ax25_socket
				583	inherits socket
				584
				585	class ipx_socket
				586	inherits socket
				587
				588	class netrom_socket
				589	inherits socket
				590
				591	class atmpvc_socket
				592	inherits socket
				593
				594	class x25_socket
				595	inherits socket
				596
				597	class rose_socket
				598	inherits socket
				599
				600	class decnet_socket
				601	inherits socket
				602
				603	class atmsvc_socket
				604	inherits socket
				605
				606	class rds_socket
				607	inherits socket
				608
				609	class irda_socket
				610	inherits socket
				611
				612	class pppox_socket
				613	inherits socket
				614
				615	class llc_socket
				616	inherits socket
				617
				618	class can_socket
				619	inherits socket
				620
				621	class tipc_socket
				622	inherits socket
				623
				624	class bluetooth_socket
				625	inherits socket
				626
				627	class iucv_socket
				628	inherits socket
				629
				630	class rxrpc_socket
				631	inherits socket
				632
				633	class isdn_socket
				634	inherits socket
				635
				636	class phonet_socket
				637	inherits socket
				638
				639	class ieee802154_socket
				640	inherits socket
				641
				642	class caif_socket
				643	inherits socket
				644
				645	class alg_socket
				646	inherits socket
				647
				648	class nfc_socket
				649	inherits socket
				650
				651	class vsock_socket
				652	inherits socket
				653
				654	class kcm_socket
				655	inherits socket
				656
				657	class qipcrtr_socket
				658	inherits socket
				659
Stephen Smalley	2be9799	2017-05-17 12:06:49 -0400	[diff] [blame]	660	class smc_socket
				661	inherits socket
				662
Nick Kralevich	f5a1b1b	2018-10-18 09:08:26 -0700	[diff] [blame]	663	class bpf
				664	{
				665	map_create
				666	map_read
				667	map_write
				668	prog_load
				669	prog_run
				670	}
				671
Stephen Smalley	124720a	2012-04-04 10:11:16 -0400	[diff] [blame]	672	class property_service
				673	{
				674	set
				675	}
Riley Spahn	f90c41f	2014-06-05 15:52:02 -0700	[diff] [blame]	676
				677	class service_manager
				678	{
				679	add
Riley Spahn	b8511e0	2014-07-07 13:56:27 -0700	[diff] [blame]	680	find
				681	list
Riley Spahn	f90c41f	2014-06-05 15:52:02 -0700	[diff] [blame]	682	}
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	683
Martijn Coenen	bc6d88d	2017-04-06 09:24:41 -0700	[diff] [blame]	684	class hwservice_manager
				685	{
				686	add
				687	find
				688	list
				689	}
				690
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	691	class keystore_key
				692	{
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	693	get_state
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	694	get
				695	insert
				696	delete
				697	exist
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	698	list
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	699	reset
				700	password
				701	lock
				702	unlock
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	703	is_empty
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	704	sign
				705	verify
				706	grant
				707	duplicate
				708	clear_uid
Chad Brubaker	8927772	2015-03-31 13:03:06 -0700	[diff] [blame]	709	add_auth
Chad Brubaker	520bb81	2015-05-12 12:33:40 -0700	[diff] [blame]	710	user_changed
Shawn Willden	a0c7f01	2017-04-11 09:41:25 -0600	[diff] [blame]	711	gen_unique_id
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	712	}
Stephen Smalley	ba99249	2014-07-24 15:25:43 -0400	[diff] [blame]	713
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	714	class keystore2
				715	{
				716	add_auth
Hasini Gunasinghe	685ca0c	2021-01-27 01:01:45 +0000	[diff] [blame]	717	change_password
				718	change_user
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	719	clear_ns
Hasini Gunasinghe	685ca0c	2021-01-27 01:01:45 +0000	[diff] [blame]	720	clear_uid
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	721	get_state
Janis Danisevskis	144c822	2020-09-24 08:55:28 -0700	[diff] [blame]	722	list
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	723	lock
				724	reset
				725	unlock
				726	}
				727
				728	class keystore2_key
				729	{
				730	delete
				731	gen_unique_id
				732	get_info
				733	grant
Janis Danisevskis	24f3dce	2020-07-25 13:08:15 -0700	[diff] [blame]	734	manage_blob
				735	rebind
				736	req_forced_op
				737	update
				738	use
				739	use_dev_id
				740	}
				741
Riley Spahn	70f75ce	2014-07-02 12:42:59 -0700	[diff] [blame]	742	class drmservice {
				743	consumeRights
				744	setPlaybackStatus
				745	openDecryptSession
				746	closeDecryptSession
				747	initializeDecryptUnit
				748	decrypt
				749	finalizeDecryptUnit
				750	pread
				751	}
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	752
				753	class xdp_socket
				754	inherits socket
Ryan Savitski	80640c5	2020-01-08 17:30:26 +0000	[diff] [blame]	755
				756	class perf_event
				757	{
				758	open
				759	cpu
				760	kernel
				761	tracepoint
				762	read
				763	write
				764	}
Nick Kralevich	e4686b4	2020-02-13 12:57:27 -0800	[diff] [blame]	765
				766	class lockdown
				767	{
				768	integrity
				769	confidentiality
				770	}