#
# Define common prefixes for access vectors.
#
# Syntax: common common_name { permission_name ... }
#
# A common is a named permission list that classes below pull in with
# "inherits"; it is not itself a class.


#
# Define a common prefix for file access vectors.
#

common file
{
# NOTE(review): treat this list as append-only. The cap common below states
# that declaration order matters for its entries; confirm against the kernel
# classmap before inserting into or reordering this list.
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	unlink
	link
	rename
	execute
	quotaon
	mounton
	audit_access
	open
	execmod
	watch
	watch_mount
	watch_sb
	watch_with_perm
	watch_reads
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# Same leading permissions as the file common (ioctl through map), duplicated
# here rather than inherited. Keep the two lists in step when either changes.
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
# Shared by the ipc, sem, msgq and shm classes declared further down.
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common prefix for capability access vectors.
#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# This list has exactly 32 entries: chown is the first (CAP 0) and
	# setfcap the last (CAP 31). Never insert in the middle; a new
	# capability number goes at the end of the cap2 list instead.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

common cap2
{
	# Capabilities 32 and up, in numeric order (mac_override is 32,
	# audit_read is 37). The same ordering rule as the cap common applies.
	# NOTE(review): if the target kernel defines capabilities beyond
	# audit_read, they must be appended here in numeric order; an
	# out-of-order entry would misalign every later one.
	mac_override # unused by SELinux
	mac_admin
	syslog
	wake_alarm
	block_suspend
	audit_read
}

#
# Define the access vectors.
#
# Syntax: class class_name [ inherits common_name ] { permission_name ... }
#
# A class with "inherits" gets every permission of the named common plus any
# listed in its own braces; a class without braces has only the common's.


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
# Stands alone: does not inherit the file common.
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
	watch
}

class dir
inherits file
{
# Directory-only permissions on top of the file common.
	add_name
	remove_name
	reparent
	search
	rmdir
}

class file
inherits file
{
# Same two extra permissions as chr_file below; keep the pair consistent.
	execute_no_trans
	entrypoint
}

# Remaining inode types. lnk_file, blk_file, sock_file and fifo_file carry
# only the file common; chr_file additionally mirrors the file class.
class lnk_file
inherits file

class chr_file
inherits file
{
# Same two extra permissions as the file class above; keep the pair consistent.
	execute_no_trans
	entrypoint
}

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

# File descriptor objects have a single permission.
class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

# Generic socket: exactly the socket common, nothing added.
class socket
inherits socket

# tcp_socket, dccp_socket and sctp_socket all add node_bind + name_connect;
# udp_socket, rawip_socket and icmp_socket add node_bind only. Keep those
# groups consistent when extending one of them.
class tcp_socket
inherits socket
{
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

# Network nodes (addresses) and interfaces are not sockets and do not
# inherit the socket common.
class node
{
	recvfrom
	sendto
}

class netif
{
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects.
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace # NOTE(review): grants should be exceptional; treat as equivalent to full control of the target
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition # NOTE(review): presumably a setcon()-style change without exec — confirm against the kernel hook before granting
	setcurrent
	execmem # NOTE(review): execmem/execstack/execheap appear to gate writable+executable memory; confirm semantics against the kernel hooks
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit
}

# Overflow class for process permissions. NOTE(review): these presumably
# authorize domain transitions that would otherwise be blocked by
# no_new_privs / nosuid mounts — confirm against the kernel hook.
class process2
{
	nnp_transition
	nosuid_transition
}

#
# Define the access vector interpretation for ipc-related objects.
#

# All System V IPC classes except msg build on the ipc common.
class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

# Individual messages stand alone (no common).
class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#

class security
{
# NOTE(review): setenforce, load_policy, setbool and setcheckreqprot can,
# going by their names, alter the enforcement state itself; grants to them
# should be exceptional and reviewed. Confirm the exact hook for each
# against the selinuxfs handlers before relying on this note.
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
	validate_trans
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load # NOTE(review): presumably kernel module loading; keep grants minimal and confirm against the kernel hook
}

#
# Define the access vector interpretation for controlling capabilities.
#

# capability carries CAP 0..31 (cap common), capability2 carries CAP 32 and
# up (cap2 common). cap_userns / cap2_userns below reuse the same commons.
class capability
inherits cap

class capability2
inherits cap2

#
# Extended Netlink classes
#
# Netlink families get their own class so that the message-level
# permissions (nlmsg_*) can be granted per family.
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_readpriv # not present on tcpdiag/xfrm below; only this class and netlink_audit_socket define it
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_dnrt_socket
inherits socket

#
# Define the access vector interpretation for controlling
# access to IPSec network data by security association.
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Netlink class for the KOBJECT_UEVENT family (socket common only).
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

# Labeled network packets (secmark). Stands alone; no common.
class packet
{
	send
	recv
	relabelto
	forward_in
	forward_out
}

# Kernel keyring keys. Stands alone; no common.
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

# Same extra permissions as tcp_socket; keep the two in step.
class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

# NOTE(review): mmap_zero presumably gates mapping the zero page (a classic
# NULL-dereference exploitation primitive) — confirm against the kernel hook
# and keep grants exceptional.
class memprotect
{
	mmap_zero
}

# Network peer labels.
class peer
{
	recv
}

class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket
{
	attach_queue
}

# Binder IPC. NOTE(review): set_context_mgr presumably names which domain may
# become the context manager (service registry); confirm against the binder
# driver hooks and keep it to a single domain.
class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

# Further netlink families, all carrying the socket common only.
class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket

# InfiniBand objects. Stand alone; no common.
class infiniband_pkey
{
	access
}

class infiniband_endport
{
	manage_subnet
}

#
# Define the access vector interpretation for controlling capabilities
# in user namespaces.
#

# Same permission lists as capability / capability2, so the cap ordering
# rules apply here too.
class cap_userns
inherits cap

class cap2_userns
inherits cap2


#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#

#
# The next two classes were previously mapped to rawip_socket. icmp_socket
# still has the same definition as rawip_socket; sctp_socket has since grown
# name_connect and association on top of it.
#
class sctp_socket
inherits socket
{
	node_bind
	name_connect
	association # SCTP-specific; not present on the other node_bind sockets
}

# Identical to rawip_socket.
class icmp_socket
inherits socket
{
	node_bind
}

#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#

# Per-family socket classes, each exactly the socket common.
class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

class smc_socket
inherits socket

# BPF maps and programs. NOTE(review): prog_load / prog_run presumably allow
# loading and attaching arbitrary BPF programs; confirm against the kernel
# hook and keep grants to the dedicated loader domain(s).
class bpf
{
	map_create
	map_read
	map_write
	prog_load
	prog_run
}

# The classes from here to drmservice are not kernel object classes;
# presumably they are enforced by userspace object managers (init's property
# service, the service managers, keystore, drm) — confirm against each
# consumer before renaming or reordering a permission.
class property_service
{
	set
}

# service_manager and hwservice_manager share the same three permissions.
class service_manager
{
	add
	find
	list
}

class hwservice_manager
{
	add
	find
	list
}

# Userspace object-manager class (see note above property_service).
# NOTE(review): reset, clear_uid, password, unlock and grant look like
# destructive or privilege-changing operations by name; grants to them
# should be tightly scoped — confirm against keystore's permission checks.
class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
	gen_unique_id
}

# Userspace object-manager class (see note above property_service).
# Permission names use camelCase, unlike every other class in this file;
# they are kept as-is because the consumer checks them by exact string.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}

class xdp_socket
inherits socket

# perf_event objects. NOTE(review): cpu, kernel and tracepoint presumably
# gate the more privileged perf_event_open() modes; confirm against the
# kernel hook and keep grants to profiling domains only.
class perf_event
{
	open
	cpu
	kernel
	tracepoint
	read
	write
}
735}