Blame - private/access_vectors - android_system_sepolicy

blob: 8c6aa68b67bce3b2ad786a16fa0903bd619ddbc5 [file] [log] [blame]

Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	1	#
				2	# Define common prefixes for access vectors
				3	#
				4	# common common_name { permission_name ... }
				5
				6
				7	#
				8	# Define a common prefix for file access vectors.
				9	#
				10
				11	common file
				12	{
				13	ioctl
				14	read
				15	write
				16	create
				17	getattr
				18	setattr
				19	lock
				20	relabelfrom
				21	relabelto
				22	append
Stephen Smalley	4397f08	2017-07-10 09:32:10 -0400	[diff] [blame]	23	map
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	24	unlink
				25	link
				26	rename
				27	execute
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	28	quotaon
				29	mounton
				30	}
				31
				32
				33	#
				34	# Define a common prefix for socket access vectors.
				35	#
				36
				37	common socket
				38	{
				39	# inherited from file
				40	ioctl
				41	read
				42	write
				43	create
				44	getattr
				45	setattr
				46	lock
				47	relabelfrom
				48	relabelto
				49	append
Stephen Smalley	4397f08	2017-07-10 09:32:10 -0400	[diff] [blame]	50	map
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	51	# socket-specific
				52	bind
				53	connect
				54	listen
				55	accept
				56	getopt
				57	setopt
				58	shutdown
				59	recvfrom
				60	sendto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	61	name_bind
				62	}
				63
				64	#
				65	# Define a common prefix for ipc access vectors.
				66	#
				67
				68	common ipc
				69	{
				70	create
				71	destroy
				72	getattr
				73	setattr
				74	read
				75	write
				76	associate
				77	unix_read
				78	unix_write
				79	}
				80
				81	#
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	82	# Define a common for capability access vectors.
				83	#
				84	common cap
				85	{
				86	# The capabilities are defined in include/linux/capability.h
				87	# Capabilities >= 32 are defined in the cap2 common.
				88	# Care should be taken to ensure that these are consistent with
				89	# those definitions. (Order matters)
				90
				91	chown
				92	dac_override
				93	dac_read_search
				94	fowner
				95	fsetid
				96	kill
				97	setgid
				98	setuid
				99	setpcap
				100	linux_immutable
				101	net_bind_service
				102	net_broadcast
				103	net_admin
				104	net_raw
				105	ipc_lock
				106	ipc_owner
				107	sys_module
				108	sys_rawio
				109	sys_chroot
				110	sys_ptrace
				111	sys_pacct
				112	sys_admin
				113	sys_boot
				114	sys_nice
				115	sys_resource
				116	sys_time
				117	sys_tty_config
				118	mknod
				119	lease
				120	audit_write
				121	audit_control
				122	setfcap
				123	}
				124
				125	common cap2
				126	{
				127	mac_override # unused by SELinux
				128	mac_admin # unused by SELinux
				129	syslog
				130	wake_alarm
				131	block_suspend
				132	audit_read
				133	}
				134
				135	#
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	136	# Define the access vectors.
				137	#
				138	# class class_name [ inherits common_name ] { permission_name ... }
				139
				140
				141	#
				142	# Define the access vector interpretation for file-related objects.
				143	#
				144
				145	class filesystem
				146	{
				147	mount
				148	remount
				149	unmount
				150	getattr
				151	relabelfrom
				152	relabelto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	153	associate
				154	quotamod
				155	quotaget
Nick Kralevich	dddbaaf	2019-08-27 15:29:02 -0700	[diff] [blame]	156	watch
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	157	}
				158
				159	class dir
				160	inherits file
				161	{
				162	add_name
				163	remove_name
				164	reparent
				165	search
				166	rmdir
				167	open
				168	audit_access
				169	execmod
Nick Kralevich	dddbaaf	2019-08-27 15:29:02 -0700	[diff] [blame]	170	watch
				171	watch_mount
				172	watch_sb
				173	watch_with_perm
				174	watch_reads
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	175	}
				176
				177	class file
				178	inherits file
				179	{
				180	execute_no_trans
				181	entrypoint
				182	execmod
				183	open
				184	audit_access
Nick Kralevich	dddbaaf	2019-08-27 15:29:02 -0700	[diff] [blame]	185	watch
				186	watch_mount
				187	watch_sb
				188	watch_with_perm
				189	watch_reads
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	190	}
				191
				192	class lnk_file
				193	inherits file
				194	{
				195	open
				196	audit_access
				197	execmod
Nick Kralevich	dddbaaf	2019-08-27 15:29:02 -0700	[diff] [blame]	198	watch
				199	watch_mount
				200	watch_sb
				201	watch_with_perm
				202	watch_reads
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	203	}
				204
				205	class chr_file
				206	inherits file
				207	{
				208	execute_no_trans
				209	entrypoint
				210	execmod
				211	open
				212	audit_access
Nick Kralevich	dddbaaf	2019-08-27 15:29:02 -0700	[diff] [blame]	213	watch
				214	watch_mount
				215	watch_sb
				216	watch_with_perm
				217	watch_reads
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	218	}
				219
				220	class blk_file
				221	inherits file
				222	{
				223	open
				224	audit_access
				225	execmod
Nick Kralevich	dddbaaf	2019-08-27 15:29:02 -0700	[diff] [blame]	226	watch
				227	watch_mount
				228	watch_sb
				229	watch_with_perm
				230	watch_reads
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	231	}
				232
				233	class sock_file
				234	inherits file
				235	{
				236	open
				237	audit_access
				238	execmod
Nick Kralevich	dddbaaf	2019-08-27 15:29:02 -0700	[diff] [blame]	239	watch
				240	watch_mount
				241	watch_sb
				242	watch_with_perm
				243	watch_reads
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	244	}
				245
				246	class fifo_file
				247	inherits file
				248	{
				249	open
				250	audit_access
				251	execmod
Nick Kralevich	dddbaaf	2019-08-27 15:29:02 -0700	[diff] [blame]	252	watch
				253	watch_mount
				254	watch_sb
				255	watch_with_perm
				256	watch_reads
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	257	}
				258
				259	class fd
				260	{
				261	use
				262	}
				263
				264
				265	#
				266	# Define the access vector interpretation for network-related objects.
				267	#
				268
				269	class socket
				270	inherits socket
				271
				272	class tcp_socket
				273	inherits socket
				274	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	275	node_bind
				276	name_connect
				277	}
				278
				279	class udp_socket
				280	inherits socket
				281	{
				282	node_bind
				283	}
				284
				285	class rawip_socket
				286	inherits socket
				287	{
				288	node_bind
				289	}
				290
				291	class node
				292	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	293	recvfrom
				294	sendto
				295	}
				296
				297	class netif
				298	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	299	ingress
				300	egress
				301	}
				302
				303	class netlink_socket
				304	inherits socket
				305
				306	class packet_socket
				307	inherits socket
				308
				309	class key_socket
				310	inherits socket
				311
				312	class unix_stream_socket
				313	inherits socket
				314	{
				315	connectto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	316	}
				317
				318	class unix_dgram_socket
				319	inherits socket
				320
				321	#
				322	# Define the access vector interpretation for process-related objects
				323	#
				324
				325	class process
				326	{
				327	fork
				328	transition
				329	sigchld # commonly granted from child to parent
				330	sigkill # cannot be caught or ignored
				331	sigstop # cannot be caught or ignored
				332	signull # for kill(pid, 0)
				333	signal # all other signals
				334	ptrace
				335	getsched
				336	setsched
				337	getsession
				338	getpgid
				339	setpgid
				340	getcap
				341	setcap
				342	share
				343	getattr
				344	setexec
				345	setfscreate
				346	noatsecure
				347	siginh
				348	setrlimit
				349	rlimitinh
				350	dyntransition
				351	setcurrent
				352	execmem
				353	execstack
				354	execheap
				355	setkeycreate
				356	setsockcreate
Stephen Smalley	91a3eea	2017-05-17 12:12:12 -0400	[diff] [blame]	357	getrlimit
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	358	}
				359
Nick Kralevich	1b1d133	2018-09-07 10:48:55 -0700	[diff] [blame]	360	class process2
				361	{
				362	nnp_transition
				363	nosuid_transition
				364	}
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	365
				366	#
				367	# Define the access vector interpretation for ipc-related objects
				368	#
				369
				370	class ipc
				371	inherits ipc
				372
				373	class sem
				374	inherits ipc
				375
				376	class msgq
				377	inherits ipc
				378	{
				379	enqueue
				380	}
				381
				382	class msg
				383	{
				384	send
				385	receive
				386	}
				387
				388	class shm
				389	inherits ipc
				390	{
				391	lock
				392	}
				393
				394
				395	#
				396	# Define the access vector interpretation for the security server.
				397	#
				398
				399	class security
				400	{
				401	compute_av
				402	compute_create
				403	compute_member
				404	check_context
				405	load_policy
				406	compute_relabel
				407	compute_user
				408	setenforce # was avc_toggle in system class
				409	setbool
				410	setsecparam
				411	setcheckreqprot
				412	read_policy
Stephen Smalley	5099231	2017-07-10 14:45:15 -0400	[diff] [blame]	413	validate_trans
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	414	}
				415
				416
				417	#
				418	# Define the access vector interpretation for system operations.
				419	#
				420
				421	class system
				422	{
				423	ipc_info
				424	syslog_read
				425	syslog_mod
				426	syslog_console
				427	module_request
Jeff Vander Stoep	a16b058	2016-04-07 11:06:05 -0700	[diff] [blame]	428	module_load
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	429	}
				430
				431	#
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	432	# Define the access vector interpretation for controlling capabilities
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	433	#
				434
				435	class capability
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	436	inherits cap
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	437
				438	class capability2
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	439	inherits cap2
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	440
				441	#
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	442	# Extended Netlink classes
				443	#
				444	class netlink_route_socket
				445	inherits socket
				446	{
				447	nlmsg_read
				448	nlmsg_write
Jeff Vander Stoep	fb69c8e	2019-10-16 15:19:40 +0200	[diff] [blame]	449	nlmsg_readpriv
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	450	}
				451
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	452	class netlink_tcpdiag_socket
				453	inherits socket
				454	{
				455	nlmsg_read
				456	nlmsg_write
				457	}
				458
				459	class netlink_nflog_socket
				460	inherits socket
				461
				462	class netlink_xfrm_socket
				463	inherits socket
				464	{
				465	nlmsg_read
				466	nlmsg_write
				467	}
				468
				469	class netlink_selinux_socket
				470	inherits socket
				471
				472	class netlink_audit_socket
				473	inherits socket
				474	{
				475	nlmsg_read
				476	nlmsg_write
				477	nlmsg_relay
				478	nlmsg_readpriv
				479	nlmsg_tty_audit
				480	}
				481
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	482	class netlink_dnrt_socket
				483	inherits socket
				484
				485	# Define the access vector interpretation for controlling
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	486	# access to IPSec network data by association
				487	#
				488	class association
				489	{
				490	sendto
				491	recvfrom
				492	setcontext
				493	polmatch
				494	}
				495
				496	# Updated Netlink class for KOBJECT_UEVENT family.
				497	class netlink_kobject_uevent_socket
				498	inherits socket
				499
				500	class appletalk_socket
				501	inherits socket
				502
				503	class packet
				504	{
				505	send
				506	recv
				507	relabelto
				508	flow_in # deprecated
				509	flow_out # deprecated
				510	forward_in
				511	forward_out
				512	}
				513
				514	class key
				515	{
				516	view
				517	read
				518	write
				519	search
				520	link
				521	setattr
				522	create
				523	}
				524
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	525	class dccp_socket
				526	inherits socket
				527	{
				528	node_bind
				529	name_connect
				530	}
				531
				532	class memprotect
				533	{
				534	mmap_zero
				535	}
				536
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	537	# network peer labels
				538	class peer
				539	{
				540	recv
				541	}
				542
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	543	class kernel_service
				544	{
				545	use_as_override
				546	create_files_as
				547	}
				548
				549	class tun_socket
				550	inherits socket
Nick Kralevich	d7af45d	2014-06-06 16:51:11 -0700	[diff] [blame]	551	{
				552	attach_queue
				553	}
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	554
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	555	class binder
				556	{
				557	impersonate
				558	call
				559	set_context_mgr
				560	transfer
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	561	}
				562
Stephen Smalley	01d95c2	2015-05-21 16:17:26 -0400	[diff] [blame]	563	class netlink_iscsi_socket
				564	inherits socket
				565
				566	class netlink_fib_lookup_socket
				567	inherits socket
				568
				569	class netlink_connector_socket
				570	inherits socket
				571
				572	class netlink_netfilter_socket
				573	inherits socket
				574
				575	class netlink_generic_socket
				576	inherits socket
				577
				578	class netlink_scsitransport_socket
				579	inherits socket
				580
				581	class netlink_rdma_socket
				582	inherits socket
				583
				584	class netlink_crypto_socket
				585	inherits socket
				586
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	587	class infiniband_pkey
				588	{
				589	access
				590	}
				591
				592	class infiniband_endport
				593	{
				594	manage_subnet
				595	}
				596
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	597	#
				598	# Define the access vector interpretation for controlling capabilities
				599	# in user namespaces
				600	#
				601
				602	class cap_userns
				603	inherits cap
				604
				605	class cap2_userns
				606	inherits cap2
				607
Stephen Smalley	431bdd9	2016-12-08 13:35:27 -0500	[diff] [blame]	608
				609	#
				610	# Define the access vector interpretation for the new socket classes
				611	# enabled by the extended_socket_class policy capability.
				612	#
				613
				614	#
				615	# The next two classes were previously mapped to rawip_socket and therefore
				616	# have the same definition as rawip_socket (until further permissions
				617	# are defined).
				618	#
				619	class sctp_socket
				620	inherits socket
				621	{
				622	node_bind
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	623	name_connect
				624	association
Stephen Smalley	431bdd9	2016-12-08 13:35:27 -0500	[diff] [blame]	625	}
				626
				627	class icmp_socket
				628	inherits socket
				629	{
				630	node_bind
				631	}
				632
				633	#
				634	# The remaining network socket classes were previously
				635	# mapped to the socket class and therefore have the
				636	# same definition as socket.
				637	#
				638
				639	class ax25_socket
				640	inherits socket
				641
				642	class ipx_socket
				643	inherits socket
				644
				645	class netrom_socket
				646	inherits socket
				647
				648	class atmpvc_socket
				649	inherits socket
				650
				651	class x25_socket
				652	inherits socket
				653
				654	class rose_socket
				655	inherits socket
				656
				657	class decnet_socket
				658	inherits socket
				659
				660	class atmsvc_socket
				661	inherits socket
				662
				663	class rds_socket
				664	inherits socket
				665
				666	class irda_socket
				667	inherits socket
				668
				669	class pppox_socket
				670	inherits socket
				671
				672	class llc_socket
				673	inherits socket
				674
				675	class can_socket
				676	inherits socket
				677
				678	class tipc_socket
				679	inherits socket
				680
				681	class bluetooth_socket
				682	inherits socket
				683
				684	class iucv_socket
				685	inherits socket
				686
				687	class rxrpc_socket
				688	inherits socket
				689
				690	class isdn_socket
				691	inherits socket
				692
				693	class phonet_socket
				694	inherits socket
				695
				696	class ieee802154_socket
				697	inherits socket
				698
				699	class caif_socket
				700	inherits socket
				701
				702	class alg_socket
				703	inherits socket
				704
				705	class nfc_socket
				706	inherits socket
				707
				708	class vsock_socket
				709	inherits socket
				710
				711	class kcm_socket
				712	inherits socket
				713
				714	class qipcrtr_socket
				715	inherits socket
				716
Stephen Smalley	2be9799	2017-05-17 12:06:49 -0400	[diff] [blame]	717	class smc_socket
				718	inherits socket
				719
Nick Kralevich	f5a1b1b	2018-10-18 09:08:26 -0700	[diff] [blame]	720	class bpf
				721	{
				722	map_create
				723	map_read
				724	map_write
				725	prog_load
				726	prog_run
				727	}
				728
Stephen Smalley	124720a	2012-04-04 10:11:16 -0400	[diff] [blame]	729	class property_service
				730	{
				731	set
				732	}
Riley Spahn	f90c41f	2014-06-05 15:52:02 -0700	[diff] [blame]	733
				734	class service_manager
				735	{
				736	add
Riley Spahn	b8511e0	2014-07-07 13:56:27 -0700	[diff] [blame]	737	find
				738	list
Riley Spahn	f90c41f	2014-06-05 15:52:02 -0700	[diff] [blame]	739	}
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	740
Martijn Coenen	bc6d88d	2017-04-06 09:24:41 -0700	[diff] [blame]	741	class hwservice_manager
				742	{
				743	add
				744	find
				745	list
				746	}
				747
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	748	class keystore_key
				749	{
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	750	get_state
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	751	get
				752	insert
				753	delete
				754	exist
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	755	list
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	756	reset
				757	password
				758	lock
				759	unlock
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	760	is_empty
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	761	sign
				762	verify
				763	grant
				764	duplicate
				765	clear_uid
Chad Brubaker	8927772	2015-03-31 13:03:06 -0700	[diff] [blame]	766	add_auth
Chad Brubaker	520bb81	2015-05-12 12:33:40 -0700	[diff] [blame]	767	user_changed
Shawn Willden	a0c7f01	2017-04-11 09:41:25 -0600	[diff] [blame]	768	gen_unique_id
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	769	}
Stephen Smalley	ba99249	2014-07-24 15:25:43 -0400	[diff] [blame]	770
Riley Spahn	70f75ce	2014-07-02 12:42:59 -0700	[diff] [blame]	771	class drmservice {
				772	consumeRights
				773	setPlaybackStatus
				774	openDecryptSession
				775	closeDecryptSession
				776	initializeDecryptUnit
				777	decrypt
				778	finalizeDecryptUnit
				779	pread
				780	}
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	781
				782	class xdp_socket
				783	inherits socket
Ryan Savitski	80640c5	2020-01-08 17:30:26 +0000	[diff] [blame]	784
				785	class perf_event
				786	{
				787	open
				788	cpu
				789	kernel
				790	tracepoint
				791	read
				792	write
				793	}