Stephen Smalley2dd4e512012-01-04 12:33:27 -05001#
2# Define common prefixes for access vectors
3#
4# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
# Inherited by dir, file, lnk_file, chr_file, blk_file, sock_file and
# fifo_file below ("inherits file"); class-specific permissions such as
# open, execmod and entrypoint are added in each class body, not here.
common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom	# relabelfrom/relabelto are checked as a pair on the old and new type
	relabelto
	append
	unlink
	link
	rename
	execute		# NOTE(review): execute and relabel* are the high-impact entries here; review grants carefully
	quotaon
	mounton
}
30
31
32#
33# Define a common prefix for socket access vectors.
34#
35
# Inherited by the generic "socket" class and by every *_socket class below.
common socket
{
# same names as the first ten permissions of the "file" common; the common
# grammar above has no "inherits" clause, so they are duplicated here by hand
# and must be kept in sync with "common file"
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind	# the per-protocol node_bind / name_connect live in tcp_socket, udp_socket, etc. below
}
61
62#
63# Define a common prefix for ipc access vectors.
64#
65
# Inherited by the ipc, sem, msgq and shm classes below.
common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read	# NOTE(review): unix_read/unix_write presumably mirror the DAC
	unix_write	# mode-bit checks on the SysV IPC object — confirm against the kernel hooks
}
78
79#
# Define a common prefix for capability access vectors.
81#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# Concretely: a name's position in this list IS its capability number
	# (chown = CAP_CHOWN = 0 ... setfcap = CAP_SETFCAP = 31, exactly 32 entries).
	# Inserting, removing or reordering an entry silently changes which
	# capability every later permission refers to, with no compile-time
	# error, so only ever append — and never exceed 32 entries here.
	#
	# NOTE(review): sys_admin, sys_module, sys_rawio, sys_ptrace,
	# dac_override, dac_read_search, setuid/setgid and setpcap are generally
	# treated as root-equivalent; grants of them should be backed by
	# neverallow rules elsewhere in the policy.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}
122
# Capabilities 32 and up: index 0 here is capability 32 (mac_override).
# Same ordering rule as "cap" — positions are capability numbers, so append
# only and never reorder.
common cap2
{
	mac_override # unused by SELinux
	mac_admin # unused by SELinux
	syslog
	wake_alarm
	block_suspend
	audit_read
}
132
133#
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500134# Define the access vectors.
135#
136# class class_name [ inherits common_name ] { permission_name ... }
137
138
139#
140# Define the access vector interpretation for file-related objects.
141#
142
# Permissions checked on a mounted filesystem as a whole rather than on the
# individual files in it.
class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate	# presumably: which file types may exist on this filesystem type — confirm
	quotamod
	quotaget
}
155
# Directories: the shared file permissions plus directory-entry operations.
class dir
inherits file
{
	add_name	# creating an entry in the directory (distinct from write)
	remove_name	# removing an entry from the directory
	reparent
	search		# required to traverse the directory as a path component
	rmdir
	open
	audit_access
	execmod
}
168
# Regular files. The first three permissions are what matter most for code
# execution policy.
class file
inherits file
{
	execute_no_trans	# per the name: execute the file without a domain transition
	entrypoint		# per the name: the file may serve as the entry point of a domain transition
	execmod			# NOTE(review): execmod weakens W^X (executable mapping modified in place); grant narrowly
	open
	audit_access
}
178
# Symbolic links: shared file permissions plus the same trio that every
# other non-executable file class carries.
class lnk_file
inherits file
{
	open
	audit_access
	execmod
}
186
# Character device nodes. Note this class carries the same execute-related
# extras as "class file" (execute_no_trans, entrypoint).
# NOTE(review): an entrypoint or execute_no_trans grant on a chr_file type is
# unusual and deserves scrutiny in any policy built on this file.
class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}
196
# Block device nodes: shared file permissions plus the common trio.
class blk_file
inherits file
{
	open
	audit_access
	execmod
}
204
# UNIX-domain socket files on the filesystem (the socket object itself is
# covered by the unix_*_socket classes below).
class sock_file
inherits file
{
	open
	audit_access
	execmod
}
212
# Named pipes: shared file permissions plus the common trio.
class fifo_file
inherits file
{
	open
	audit_access
	execmod
}
220
# File descriptors passed or inherited across domains; "use" is the only
# permission, checked against the descriptor's owning domain.
class fd
{
	use
}
225
226
227#
228# Define the access vector interpretation for network-related objects.
229#
230
# Generic socket class; families without a class of their own fall back to it
# (see the extended_socket_class section further down).
class socket
inherits socket
233
# TCP sockets: the shared socket permissions plus port-level checks.
class tcp_socket
inherits socket
{
	node_bind	# bind to a labeled node (address)
	name_connect	# connect to a labeled port; only the connection-oriented classes have this
}
240
# UDP sockets: shared socket permissions plus node_bind (no name_connect,
# unlike tcp_socket/dccp_socket).
class udp_socket
inherits socket
{
	node_bind
}
246
# Raw IP sockets. Also the legacy fallback for sctp_socket/icmp_socket when
# the extended_socket_class capability is not enabled (see below).
class rawip_socket
inherits socket
{
	node_bind
}
252
# Labeled network nodes (addresses): may a socket send to / receive from them.
class node
{
	recvfrom
	sendto
}
258
# Labeled network interfaces: traffic direction through the interface.
class netif
{
	ingress
	egress
}
264
# Netlink (generic), packet and key sockets: shared socket permissions only.
# NOTE(review): packet_socket gives raw link-layer access; grants of it should
# be as rare as grants of the net_raw capability it is normally paired with.
class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket
273
# UNIX stream sockets: shared socket permissions plus connectto, which is
# checked against the listening socket's domain rather than the sock_file.
class unix_stream_socket
inherits socket
{
	connectto
}
279
# UNIX datagram sockets: shared socket permissions only (sendto covers delivery).
class unix_dgram_socket
inherits socket
282
283#
284# Define the access vector interpretation for process-related objects
285#
286
#
# Permissions checked between a source domain and a target process, and for
# a process acting on itself (setexec, setcurrent, the exec* permissions).
#
class process
{
	fork
	transition	# change domain across exec (presumably paired with a file entrypoint grant)
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace		# NOTE(review): full control of the target process; keep out of untrusted domains
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec		# set the context used for the next exec (per the name)
	setfscreate	# set the context of files this process creates (per the name)
	noatsecure	# per the name: skip the secure-exec (AT_SECURE) hardening on transition
	siginh		# per the name: inherit pending signals across a transition
	setrlimit
	rlimitinh	# per the name: inherit rlimits across a transition
	dyntransition	# NOTE(review): change domain without an exec, so no entrypoint
	setcurrent	# check applies; both should be rare and covered by neverallow
	execmem		# NOTE(review): execmem/execstack/execheap allow writable+executable
	execstack	# memory (W^X bypass); grant only to domains that genuinely JIT
	execheap
	setkeycreate
	setsockcreate
}
320
321
322#
323# Define the access vector interpretation for ipc-related objects
324#
325
# Generic SysV IPC and semaphores: the shared ipc permissions only.
class ipc
inherits ipc

class sem
inherits ipc
331
# SysV message queues: shared ipc permissions plus enqueue (individual
# messages are covered by "class msg" below).
class msgq
inherits ipc
{
	enqueue
}
337
# Individual SysV messages; does not inherit the ipc common.
class msg
{
	send
	receive
}
343
# SysV shared memory: shared ipc permissions plus lock.
class shm
inherits ipc
{
	lock
}
349
350
351#
352# Define the access vector interpretation for the security server.
353#
354
#
# Permissions on the security server itself. load_policy and the set*
# permissions alter how the MAC is enforced at runtime, so a domain holding
# them can effectively neutralise SELinux; they should be confined to a
# trusted init-like domain and backed by neverallow rules.
#
class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy	# NOTE(review): replaces the running policy — root of trust for everything else here
	compute_relabel
	compute_user
	setenforce # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}
370
371
372#
373# Define the access vector interpretation for system operations.
374#
375
#
# Kernel-wide operations not tied to a specific object. module_load was added
# separately from module_request; per the names, module_request is the kernel
# asking for a module and module_load is a process loading one — confirm
# against the LSM hooks.
#
class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load	# NOTE(review): loading kernel code; should be limited to a vetted loader domain
}
385
386#
# Define the access vector interpretation for controlling capabilities.
# (Capabilities exercised inside a user namespace are covered by the
# cap_userns/cap2_userns classes defined further down, not by these.)
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500388#
389
# Capability classes for the non-namespaced case; they take the bit-ordered
# permission lists from the cap/cap2 commons above (cap_userns/cap2_userns
# below reuse the same commons for user namespaces).
class capability
inherits cap

class capability2
inherits cap2
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500395
396#
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500397# Extended Netlink classes
398#
# NETLINK_ROUTE: shared socket permissions plus message-level read/write
# (nlmsg_write covers the state-changing messages).
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
405
# NETLINK_INET_DIAG: socket permissions plus nlmsg_read/nlmsg_write.
class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
412
# NETLINK_NFLOG: shared socket permissions only (no nlmsg_* split).
class netlink_nflog_socket
inherits socket
415
# NETLINK_XFRM (IPsec SA/policy management): nlmsg_write here changes the
# IPsec configuration; see also "class association" below.
class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
422
# NETLINK_SELINUX (policy-change notifications): shared socket permissions only.
class netlink_selinux_socket
inherits socket
425
# NETLINK_AUDIT: message-level permissions beyond the usual read/write pair.
# NOTE(review): nlmsg_write and nlmsg_relay can alter or inject audit records,
# so audit integrity depends on keeping them to the audit daemon's domain.
class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}
435
# NETLINK_DNRTMSG (DECnet routing): shared socket permissions only.
class netlink_dnrt_socket
inherits socket
438
439# Define the access vector interpretation for controlling
# access to IPsec network data by security association (see also the
# netlink_xfrm_socket class above, which governs IPsec configuration).
441#
class association
{
	sendto
	recvfrom
	setcontext	# set the label on an IPsec SA (per the name)
	polmatch	# match against a labeled IPsec policy (per the name)
}
449
450# Updated Netlink class for KOBJECT_UEVENT family.
# NETLINK_KOBJECT_UEVENT (device events): shared socket permissions only.
class netlink_kobject_uevent_socket
inherits socket
453
# AppleTalk sockets: shared socket permissions only.
class appletalk_socket
inherits socket
456
# Labeled network packets (secmark). The flow_* pair is kept only so existing
# policies still compile; new rules should use forward_in/forward_out.
class packet
{
	send
	recv
	relabelto
	flow_in # deprecated
	flow_out # deprecated
	forward_in
	forward_out
}
467
# Kernel keyring keys (keyctl). "read" here exposes key material; "link" and
# "search" govern keyring traversal.
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}
478
# DCCP sockets: same port-level extras as tcp_socket.
class dccp_socket
inherits socket
{
	node_bind
	name_connect
}
485
# NOTE(review): mmap_zero allows mapping the lowest pages of the address
# space, a classic aid to exploiting kernel NULL-pointer dereferences; it
# should stay unreachable from any untrusted domain.
class memprotect
{
	mmap_zero
}
490
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500491# network peer labels
# Labeled network peers (labeled networking): may this domain receive from
# a peer carrying the given label.
class peer
{
	recv
}
496
# Kernel-internal services acting on behalf of a process.
# NOTE(review): per the names, both permissions let the kernel act or create
# files under another context; any grant to a non-kernel domain is suspect.
class kernel_service
{
	use_as_override
	create_files_as
}
502
# TUN/TAP device sockets: shared socket permissions plus attach_queue
# (attaching to an existing multi-queue device, per the name).
class tun_socket
inherits socket
{
	attach_queue
}
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500508
#
# Android binder IPC. NOTE(review): set_context_mgr should be held by the
# service manager domain only, and impersonate lets a process transact under
# another's identity; both deserve explicit neverallow coverage.
#
class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}
516
# Further netlink families, all with the shared socket permissions only
# (no nlmsg_read/nlmsg_write split, unlike route/xfrm/audit above).
class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket
540
Stephen Smalley8a003602016-04-27 09:42:57 -0400541#
542# Define the access vector interpretation for controlling capabilities
543# in user namespaces
544#
545
# Same bit-ordered permission lists as capability/capability2, checked when
# the capability is exercised inside a user namespace.
class cap_userns
inherits cap

class cap2_userns
inherits cap2
551
Stephen Smalley431bdd92016-12-08 13:35:27 -0500552
553#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
# NOTE(review): these classes only take effect when the policy declares that
# capability; otherwise the kernel presumably keeps the legacy mappings noted
# below (rawip_socket / socket), and rules written against these class names
# are not what gets enforced — confirm the policy enables it.
556#
557
558#
559# The next two classes were previously mapped to rawip_socket and therefore
560# have the same definition as rawip_socket (until further permissions
561# are defined).
562#
# SCTP: identical to rawip_socket, which is where it maps without the
# extended_socket_class capability.
class sctp_socket
inherits socket
{
	node_bind
}
568
# ICMP (ping) sockets: identical to rawip_socket, which is where they map
# without the extended_socket_class capability.
class icmp_socket
inherits socket
{
	node_bind
}
574
575#
576# The remaining network socket classes were previously
577# mapped to the socket class and therefore have the
578# same definition as socket.
579#
580
# Each of these is definition-identical to the generic "socket" class; the
# point of giving them their own class is so policy can deny a family
# (e.g. can_socket, bluetooth_socket, vsock_socket) without denying all
# sockets. NOTE(review): rules on these names are only meaningful once the
# extended_socket_class capability is declared — confirm it is.
class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket
658
# Android userspace object manager: system properties. Not enforced by the
# kernel — the property service must query SELinux itself before honouring
# a set, so a missing check in that daemon silently bypasses this class.
class property_service
{
	set
}
Riley Spahnf90c41f2014-06-05 15:52:02 -0700663
# Android userspace object manager: binder service registry. Enforced by
# servicemanager, not the kernel; "add" controls who may register (and thus
# impersonate) a named service.
class service_manager
{
	add
	find
	list
}
Riley Spahn1196d2a2014-06-17 14:58:52 -0700670
# Android userspace object manager: keystore. Enforced by the keystore
# daemon, not the kernel. NOTE(review): reset, password, clear_uid, grant and
# user_changed affect other users' keys and should be limited to the
# system-server-style domains that own user lifecycle.
class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
}
Stephen Smalleyba992492014-07-24 15:25:43 -0400692
# Android userspace object manager: DRM service (enforced by the daemon,
# not the kernel).
# NOTE(review): camelCase permission names and the brace on the class line
# differ from every other definition in this file; harmless to the compiler,
# but worth normalising in a follow-up since permission names are part of
# the policy's public surface.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}
702}