Blame - private/access_vectors - android_system_sepolicy

blob: cd1ad12fab9f92f2d2d08f62a7d169c914e2245a [file] [log] [blame]

Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	1	#
				2	# Define common prefixes for access vectors
				3	#
				4	# common common_name { permission_name ... }
				5
				6
				7	#
				8	# Define a common prefix for file access vectors.
				9	#
				10
				11	common file
				12	{
				13	ioctl
				14	read
				15	write
				16	create
				17	getattr
				18	setattr
				19	lock
				20	relabelfrom
				21	relabelto
				22	append
Stephen Smalley	4397f08	2017-07-10 09:32:10 -0400	[diff] [blame]	23	map
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	24	unlink
				25	link
				26	rename
				27	execute
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	28	quotaon
				29	mounton
Stephen Smalley	cd62a4a	2020-01-14 14:27:45 -0500	[diff] [blame^]	30	audit_access
				31	open
				32	execmod
				33	watch
				34	watch_mount
				35	watch_sb
				36	watch_with_perm
				37	watch_reads
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	38	}
				39
				40
				41	#
				42	# Define a common prefix for socket access vectors.
				43	#
				44
				45	common socket
				46	{
				47	# inherited from file
				48	ioctl
				49	read
				50	write
				51	create
				52	getattr
				53	setattr
				54	lock
				55	relabelfrom
				56	relabelto
				57	append
Stephen Smalley	4397f08	2017-07-10 09:32:10 -0400	[diff] [blame]	58	map
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	59	# socket-specific
				60	bind
				61	connect
				62	listen
				63	accept
				64	getopt
				65	setopt
				66	shutdown
				67	recvfrom
				68	sendto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	69	name_bind
				70	}
				71
				72	#
				73	# Define a common prefix for ipc access vectors.
				74	#
				75
				76	common ipc
				77	{
				78	create
				79	destroy
				80	getattr
				81	setattr
				82	read
				83	write
				84	associate
				85	unix_read
				86	unix_write
				87	}
				88
				89	#
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	90	# Define a common for capability access vectors.
				91	#
				92	common cap
				93	{
				94	# The capabilities are defined in include/linux/capability.h
				95	# Capabilities >= 32 are defined in the cap2 common.
				96	# Care should be taken to ensure that these are consistent with
				97	# those definitions. (Order matters)
				98
				99	chown
				100	dac_override
				101	dac_read_search
				102	fowner
				103	fsetid
				104	kill
				105	setgid
				106	setuid
				107	setpcap
				108	linux_immutable
				109	net_bind_service
				110	net_broadcast
				111	net_admin
				112	net_raw
				113	ipc_lock
				114	ipc_owner
				115	sys_module
				116	sys_rawio
				117	sys_chroot
				118	sys_ptrace
				119	sys_pacct
				120	sys_admin
				121	sys_boot
				122	sys_nice
				123	sys_resource
				124	sys_time
				125	sys_tty_config
				126	mknod
				127	lease
				128	audit_write
				129	audit_control
				130	setfcap
				131	}
				132
				133	common cap2
				134	{
				135	mac_override # unused by SELinux
				136	mac_admin # unused by SELinux
				137	syslog
				138	wake_alarm
				139	block_suspend
				140	audit_read
				141	}
				142
				143	#
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	144	# Define the access vectors.
				145	#
				146	# class class_name [ inherits common_name ] { permission_name ... }
				147
				148
				149	#
				150	# Define the access vector interpretation for file-related objects.
				151	#
				152
				153	class filesystem
				154	{
				155	mount
				156	remount
				157	unmount
				158	getattr
				159	relabelfrom
				160	relabelto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	161	associate
				162	quotamod
				163	quotaget
Nick Kralevich	dddbaaf	2019-08-27 15:29:02 -0700	[diff] [blame]	164	watch
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	165	}
				166
				167	class dir
				168	inherits file
				169	{
				170	add_name
				171	remove_name
				172	reparent
				173	search
				174	rmdir
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	175	}
				176
				177	class file
				178	inherits file
				179	{
				180	execute_no_trans
				181	entrypoint
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	182	}
				183
				184	class lnk_file
				185	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	186
				187	class chr_file
				188	inherits file
				189	{
				190	execute_no_trans
				191	entrypoint
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	192	}
				193
				194	class blk_file
				195	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	196
				197	class sock_file
				198	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	199
				200	class fifo_file
				201	inherits file
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	202
				203	class fd
				204	{
				205	use
				206	}
				207
				208
				209	#
				210	# Define the access vector interpretation for network-related objects.
				211	#
				212
				213	class socket
				214	inherits socket
				215
				216	class tcp_socket
				217	inherits socket
				218	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	219	node_bind
				220	name_connect
				221	}
				222
				223	class udp_socket
				224	inherits socket
				225	{
				226	node_bind
				227	}
				228
				229	class rawip_socket
				230	inherits socket
				231	{
				232	node_bind
				233	}
				234
				235	class node
				236	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	237	recvfrom
				238	sendto
				239	}
				240
				241	class netif
				242	{
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	243	ingress
				244	egress
				245	}
				246
				247	class netlink_socket
				248	inherits socket
				249
				250	class packet_socket
				251	inherits socket
				252
				253	class key_socket
				254	inherits socket
				255
				256	class unix_stream_socket
				257	inherits socket
				258	{
				259	connectto
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	260	}
				261
				262	class unix_dgram_socket
				263	inherits socket
				264
				265	#
				266	# Define the access vector interpretation for process-related objects
				267	#
				268
				269	class process
				270	{
				271	fork
				272	transition
				273	sigchld # commonly granted from child to parent
				274	sigkill # cannot be caught or ignored
				275	sigstop # cannot be caught or ignored
				276	signull # for kill(pid, 0)
				277	signal # all other signals
				278	ptrace
				279	getsched
				280	setsched
				281	getsession
				282	getpgid
				283	setpgid
				284	getcap
				285	setcap
				286	share
				287	getattr
				288	setexec
				289	setfscreate
				290	noatsecure
				291	siginh
				292	setrlimit
				293	rlimitinh
				294	dyntransition
				295	setcurrent
				296	execmem
				297	execstack
				298	execheap
				299	setkeycreate
				300	setsockcreate
Stephen Smalley	91a3eea	2017-05-17 12:12:12 -0400	[diff] [blame]	301	getrlimit
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	302	}
				303
Nick Kralevich	1b1d133	2018-09-07 10:48:55 -0700	[diff] [blame]	304	class process2
				305	{
				306	nnp_transition
				307	nosuid_transition
				308	}
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	309
				310	#
				311	# Define the access vector interpretation for ipc-related objects
				312	#
				313
				314	class ipc
				315	inherits ipc
				316
				317	class sem
				318	inherits ipc
				319
				320	class msgq
				321	inherits ipc
				322	{
				323	enqueue
				324	}
				325
				326	class msg
				327	{
				328	send
				329	receive
				330	}
				331
				332	class shm
				333	inherits ipc
				334	{
				335	lock
				336	}
				337
				338
				339	#
				340	# Define the access vector interpretation for the security server.
				341	#
				342
				343	class security
				344	{
				345	compute_av
				346	compute_create
				347	compute_member
				348	check_context
				349	load_policy
				350	compute_relabel
				351	compute_user
				352	setenforce # was avc_toggle in system class
				353	setbool
				354	setsecparam
				355	setcheckreqprot
				356	read_policy
Stephen Smalley	5099231	2017-07-10 14:45:15 -0400	[diff] [blame]	357	validate_trans
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	358	}
				359
				360
				361	#
				362	# Define the access vector interpretation for system operations.
				363	#
				364
				365	class system
				366	{
				367	ipc_info
				368	syslog_read
				369	syslog_mod
				370	syslog_console
				371	module_request
Jeff Vander Stoep	a16b058	2016-04-07 11:06:05 -0700	[diff] [blame]	372	module_load
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	373	}
				374
				375	#
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	376	# Define the access vector interpretation for controlling capabilities
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	377	#
				378
				379	class capability
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	380	inherits cap
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	381
				382	class capability2
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	383	inherits cap2
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	384
				385	#
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	386	# Extended Netlink classes
				387	#
				388	class netlink_route_socket
				389	inherits socket
				390	{
				391	nlmsg_read
				392	nlmsg_write
Jeff Vander Stoep	fb69c8e	2019-10-16 15:19:40 +0200	[diff] [blame]	393	nlmsg_readpriv
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	394	}
				395
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	396	class netlink_tcpdiag_socket
				397	inherits socket
				398	{
				399	nlmsg_read
				400	nlmsg_write
				401	}
				402
				403	class netlink_nflog_socket
				404	inherits socket
				405
				406	class netlink_xfrm_socket
				407	inherits socket
				408	{
				409	nlmsg_read
				410	nlmsg_write
				411	}
				412
				413	class netlink_selinux_socket
				414	inherits socket
				415
				416	class netlink_audit_socket
				417	inherits socket
				418	{
				419	nlmsg_read
				420	nlmsg_write
				421	nlmsg_relay
				422	nlmsg_readpriv
				423	nlmsg_tty_audit
				424	}
				425
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	426	class netlink_dnrt_socket
				427	inherits socket
				428
				429	# Define the access vector interpretation for controlling
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	430	# access to IPSec network data by association
				431	#
				432	class association
				433	{
				434	sendto
				435	recvfrom
				436	setcontext
				437	polmatch
				438	}
				439
				440	# Updated Netlink class for KOBJECT_UEVENT family.
				441	class netlink_kobject_uevent_socket
				442	inherits socket
				443
				444	class appletalk_socket
				445	inherits socket
				446
				447	class packet
				448	{
				449	send
				450	recv
				451	relabelto
				452	flow_in # deprecated
				453	flow_out # deprecated
				454	forward_in
				455	forward_out
				456	}
				457
				458	class key
				459	{
				460	view
				461	read
				462	write
				463	search
				464	link
				465	setattr
				466	create
				467	}
				468
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	469	class dccp_socket
				470	inherits socket
				471	{
				472	node_bind
				473	name_connect
				474	}
				475
				476	class memprotect
				477	{
				478	mmap_zero
				479	}
				480
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	481	# network peer labels
				482	class peer
				483	{
				484	recv
				485	}
				486
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	487	class kernel_service
				488	{
				489	use_as_override
				490	create_files_as
				491	}
				492
				493	class tun_socket
				494	inherits socket
Nick Kralevich	d7af45d	2014-06-06 16:51:11 -0700	[diff] [blame]	495	{
				496	attach_queue
				497	}
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	498
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	499	class binder
				500	{
				501	impersonate
				502	call
				503	set_context_mgr
				504	transfer
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	505	}
				506
Stephen Smalley	01d95c2	2015-05-21 16:17:26 -0400	[diff] [blame]	507	class netlink_iscsi_socket
				508	inherits socket
				509
				510	class netlink_fib_lookup_socket
				511	inherits socket
				512
				513	class netlink_connector_socket
				514	inherits socket
				515
				516	class netlink_netfilter_socket
				517	inherits socket
				518
				519	class netlink_generic_socket
				520	inherits socket
				521
				522	class netlink_scsitransport_socket
				523	inherits socket
				524
				525	class netlink_rdma_socket
				526	inherits socket
				527
				528	class netlink_crypto_socket
				529	inherits socket
				530
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	531	class infiniband_pkey
				532	{
				533	access
				534	}
				535
				536	class infiniband_endport
				537	{
				538	manage_subnet
				539	}
				540
Stephen Smalley	8a00360	2016-04-27 09:42:57 -0400	[diff] [blame]	541	#
				542	# Define the access vector interpretation for controlling capabilities
				543	# in user namespaces
				544	#
				545
				546	class cap_userns
				547	inherits cap
				548
				549	class cap2_userns
				550	inherits cap2
				551
Stephen Smalley	431bdd9	2016-12-08 13:35:27 -0500	[diff] [blame]	552
				553	#
				554	# Define the access vector interpretation for the new socket classes
				555	# enabled by the extended_socket_class policy capability.
				556	#
				557
				558	#
				559	# The next two classes were previously mapped to rawip_socket and therefore
				560	# have the same definition as rawip_socket (until further permissions
				561	# are defined).
				562	#
				563	class sctp_socket
				564	inherits socket
				565	{
				566	node_bind
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	567	name_connect
				568	association
Stephen Smalley	431bdd9	2016-12-08 13:35:27 -0500	[diff] [blame]	569	}
				570
				571	class icmp_socket
				572	inherits socket
				573	{
				574	node_bind
				575	}
				576
				577	#
				578	# The remaining network socket classes were previously
				579	# mapped to the socket class and therefore have the
				580	# same definition as socket.
				581	#
				582
				583	class ax25_socket
				584	inherits socket
				585
				586	class ipx_socket
				587	inherits socket
				588
				589	class netrom_socket
				590	inherits socket
				591
				592	class atmpvc_socket
				593	inherits socket
				594
				595	class x25_socket
				596	inherits socket
				597
				598	class rose_socket
				599	inherits socket
				600
				601	class decnet_socket
				602	inherits socket
				603
				604	class atmsvc_socket
				605	inherits socket
				606
				607	class rds_socket
				608	inherits socket
				609
				610	class irda_socket
				611	inherits socket
				612
				613	class pppox_socket
				614	inherits socket
				615
				616	class llc_socket
				617	inherits socket
				618
				619	class can_socket
				620	inherits socket
				621
				622	class tipc_socket
				623	inherits socket
				624
				625	class bluetooth_socket
				626	inherits socket
				627
				628	class iucv_socket
				629	inherits socket
				630
				631	class rxrpc_socket
				632	inherits socket
				633
				634	class isdn_socket
				635	inherits socket
				636
				637	class phonet_socket
				638	inherits socket
				639
				640	class ieee802154_socket
				641	inherits socket
				642
				643	class caif_socket
				644	inherits socket
				645
				646	class alg_socket
				647	inherits socket
				648
				649	class nfc_socket
				650	inherits socket
				651
				652	class vsock_socket
				653	inherits socket
				654
				655	class kcm_socket
				656	inherits socket
				657
				658	class qipcrtr_socket
				659	inherits socket
				660
Stephen Smalley	2be9799	2017-05-17 12:06:49 -0400	[diff] [blame]	661	class smc_socket
				662	inherits socket
				663
Nick Kralevich	f5a1b1b	2018-10-18 09:08:26 -0700	[diff] [blame]	664	class bpf
				665	{
				666	map_create
				667	map_read
				668	map_write
				669	prog_load
				670	prog_run
				671	}
				672
Stephen Smalley	124720a	2012-04-04 10:11:16 -0400	[diff] [blame]	673	class property_service
				674	{
				675	set
				676	}
Riley Spahn	f90c41f	2014-06-05 15:52:02 -0700	[diff] [blame]	677
				678	class service_manager
				679	{
				680	add
Riley Spahn	b8511e0	2014-07-07 13:56:27 -0700	[diff] [blame]	681	find
				682	list
Riley Spahn	f90c41f	2014-06-05 15:52:02 -0700	[diff] [blame]	683	}
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	684
Martijn Coenen	bc6d88d	2017-04-06 09:24:41 -0700	[diff] [blame]	685	class hwservice_manager
				686	{
				687	add
				688	find
				689	list
				690	}
				691
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	692	class keystore_key
				693	{
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	694	get_state
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	695	get
				696	insert
				697	delete
				698	exist
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	699	list
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	700	reset
				701	password
				702	lock
				703	unlock
Chad Brubaker	cbc8f79	2015-05-13 14:39:48 -0700	[diff] [blame]	704	is_empty
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	705	sign
				706	verify
				707	grant
				708	duplicate
				709	clear_uid
Chad Brubaker	8927772	2015-03-31 13:03:06 -0700	[diff] [blame]	710	add_auth
Chad Brubaker	520bb81	2015-05-12 12:33:40 -0700	[diff] [blame]	711	user_changed
Shawn Willden	a0c7f01	2017-04-11 09:41:25 -0600	[diff] [blame]	712	gen_unique_id
Riley Spahn	1196d2a	2014-06-17 14:58:52 -0700	[diff] [blame]	713	}
Stephen Smalley	ba99249	2014-07-24 15:25:43 -0400	[diff] [blame]	714
Riley Spahn	70f75ce	2014-07-02 12:42:59 -0700	[diff] [blame]	715	class drmservice {
				716	consumeRights
				717	setPlaybackStatus
				718	openDecryptSession
				719	closeDecryptSession
				720	initializeDecryptUnit
				721	decrypt
				722	finalizeDecryptUnit
				723	pread
				724	}
Nick Kralevich	ea1775d	2018-11-01 19:39:44 -0700	[diff] [blame]	725
				726	class xdp_socket
				727	inherits socket
Ryan Savitski	80640c5	2020-01-08 17:30:26 +0000	[diff] [blame]	728
				729	class perf_event
				730	{
				731	open
				732	cpu
				733	kernel
				734	tracepoint
				735	read
				736	write
				737	}