#
# Define common prefixes for access vectors.
#
# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
#
# Permissions shared by every file-like class: dir, file, lnk_file,
# chr_file, blk_file, sock_file and fifo_file below each 'inherits file'.
# Keep the entries in this order; the cap common further down states that
# order matters there, and nothing in this file makes any other list safe
# to reorder.
#
common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom	# checked against the object's current label during a relabel
	relabelto	# checked against the label the object is being changed to
	append
	map		# added 2017-07 (per blame), later than the surrounding entries;
			# NOTE(review): presumably a distinct right to mmap the object -
			# confirm the kernel in use enforces it before relying on it
	unlink
	link
	rename
	execute		# class file refines execution with execute_no_trans and entrypoint (below)
	quotaon
	mounton
}
31
32
33#
34# Define a common prefix for socket access vectors.
35#
36
#
# Permissions shared by every socket class. The first group deliberately
# mirrors the file common (a socket is also a file descriptor target);
# the second group is socket-specific.
#
common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map		# added 2017-07 (per blame), in step with file:map
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind	# NOTE(review): presumably checked against a port/name type rather
			# than the socket's own label (compare node_bind / name_connect on
			# tcp_socket below) - confirm
}
63
64#
65# Define a common prefix for ipc access vectors.
66#
67
#
# Permissions shared by the System V IPC classes (ipc, sem, msgq and shm
# below all 'inherits ipc').
#
common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read	# NOTE(review): presumably mirror the classic Unix IPC mode-bit checks - confirm
	unix_write
}
80
81#
# Define a common prefix for capability access vectors.
#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# The 32 entries below occupy positions 0..31 in kernel order; the
	# number after each entry is its position. Inserting, removing or
	# reordering any entry shifts every capability after it.
	#
	# Review note: dac_override, dac_read_search, setuid, setgid, setpcap,
	# setfcap, sys_admin, sys_module, sys_rawio, sys_ptrace and net_admin
	# each tend to be equivalent to full privilege; grants of these should
	# be rare and individually justified wherever this common is used.

	chown			# 0
	dac_override		# 1
	dac_read_search		# 2
	fowner			# 3
	fsetid			# 4
	kill			# 5
	setgid			# 6
	setuid			# 7
	setpcap			# 8
	linux_immutable		# 9
	net_bind_service	# 10
	net_broadcast		# 11
	net_admin		# 12
	net_raw			# 13
	ipc_lock		# 14
	ipc_owner		# 15
	sys_module		# 16
	sys_rawio		# 17
	sys_chroot		# 18
	sys_ptrace		# 19
	sys_pacct		# 20
	sys_admin		# 21
	sys_boot		# 22
	sys_nice		# 23
	sys_resource		# 24
	sys_time		# 25
	sys_tty_config		# 26
	mknod			# 27
	lease			# 28
	audit_write		# 29
	audit_control		# 30
	setfcap			# 31
}
124
# Capabilities 32 and up, continuing the kernel order from the cap common
# (the number after each entry is its kernel position).
common cap2
{
	mac_override	# 32, unused by SELinux
	mac_admin	# 33, unused by SELinux
	syslog		# 34
	wake_alarm	# 35
	block_suspend	# 36
	audit_read	# 37
	# NOTE(review): a kernel that defines capabilities beyond audit_read has
	# no entry for them here; if so, extend this list in kernel order.
}
134
135#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
139
140
141#
142# Define the access vector interpretation for file-related objects.
143#
144
# Permissions on a filesystem as a whole (mount, quota and relabel
# operations), as opposed to the per-file classes that follow.
class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate	# NOTE(review): presumably whether a given file label may reside on this filesystem - confirm
	quotamod
	quotaget
}
157
# Directories: the full file common plus directory-entry operations.
class dir
inherits file
{
	add_name	# placing a new entry (create/link/rename target) in this directory
	remove_name	# removing an entry (unlink/rmdir/rename source) from this directory
	reparent	# moving a subdirectory so that its parent changes
	search
	rmdir
	open
	audit_access
	execmod
}
170
# Regular files. The three execution-related permissions decide what
# happens when a file is exec'd or mapped executable; grant them sparingly.
class file
inherits file
{
	execute_no_trans	# execute the file in the caller's own domain, with no
				# domain transition; effectively lets the caller run
				# this file's code as itself
	entrypoint		# the file may serve as the entry point of a domain
				# transition (pairs with process:transition)
	execmod			# modify then execute a mapping; NOTE(review): presumably
				# text relocations / writable-then-executable maps - confirm
	open
	audit_access
}
180
# Symbolic links. No execution permissions beyond the file common.
class lnk_file
inherits file
{
	open
	audit_access
	execmod
}
188
# Character device nodes. Defined with the same execution permissions as
# class file (execute_no_trans, entrypoint, execmod); NOTE(review): a
# char device that is executable or usable as an entrypoint is unusual -
# any rule granting these here deserves scrutiny.
class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}
198
# Block device nodes. read/write here (from the file common) means raw
# access to the underlying device.
class blk_file
inherits file
{
	open
	audit_access
	execmod
}
206
# Unix-domain socket nodes in the filesystem (the socket endpoint itself is
# covered by unix_stream_socket / unix_dgram_socket below).
class sock_file
inherits file
{
	open
	audit_access
	execmod
}
214
# Named pipes.
class fifo_file
inherits file
{
	open
	audit_access
	execmod
}
222
# File descriptors that cross a process boundary (inheritance across a
# transition or passing over a socket). NOTE(review): presumably 'use' is
# checked against the label of the process that created the descriptor -
# confirm before relying on it to stop descriptor leaks.
class fd
{
	use
}
227
228
229#
230# Define the access vector interpretation for network-related objects.
231#
232
# Generic socket class: the socket common and nothing else. The comment
# above the ax25_socket group below notes which families used to map here.
class socket
inherits socket
235
# TCP sockets: socket common plus the address-level checks.
class tcp_socket
inherits socket
{
	node_bind	# bind to a labelled node (address)
	name_connect	# connect to a labelled port; the outbound counterpart of name_bind
}
242
# UDP sockets. No name_connect: this class only adds the node-level bind check.
class udp_socket
inherits socket
{
	node_bind
}
248
# Raw IP sockets. sctp_socket and icmp_socket below are defined identically
# because they were previously mapped to this class.
class rawip_socket
inherits socket
{
	node_bind
}
254
# Network nodes (addresses). Traffic to or from a labelled node is checked
# with these two permissions.
class node
{
	recvfrom
	sendto
}
260
# Network interfaces; ingress/egress are checked per packet direction.
class netif
{
	ingress
	egress
}
266
# Generic netlink socket; the per-family netlink classes further down
# (netlink_route_socket etc.) add nlmsg_* permissions where the family
# carries privileged messages.
class netlink_socket
inherits socket

# AF_PACKET sockets (raw link-layer access); NOTE(review): normally also
# needs capability:net_raw - confirm the pairing in the rules that use it.
class packet_socket
inherits socket

# PF_KEY sockets (IPsec key management).
class key_socket
inherits socket
275
# Unix-domain stream sockets. connectto is checked against the label of the
# listening socket's owner, distinct from the sock_file:write check on the
# filesystem node.
class unix_stream_socket
inherits socket
{
	connectto
}
281
# Unix-domain datagram sockets; the socket common's sendto covers delivery
# (there is no connectto on datagram sockets).
class unix_dgram_socket
inherits socket
284
285#
286# Define the access vector interpretation for process-related objects
287#
288
# Process-level controls. Several entries decide whether a domain can
# change its own label or weaken memory-execution restrictions; treat any
# grant of ptrace, dyntransition, setcurrent, execmem, execstack or
# execheap as review-worthy.
class process
{
	fork
	transition	# domain transition on exec (pairs with file:entrypoint)
	sigchld		# commonly granted from child to parent
	sigkill		# cannot be caught or ignored
	sigstop		# cannot be caught or ignored
	signull		# for kill(pid, 0)
	signal		# all other signals
	ptrace		# debugger/tracer access to the target process
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share		# NOTE(review): presumably sharing state (e.g. memory) across a transition - confirm
	getattr
	setexec		# choose the label for the next exec (setexeccon-style)
	setfscreate	# choose the label for files this process creates
	noatsecure	# skip secure-exec handling across a transition; NOTE(review): confirm scope
	siginh		# inherit pending signal state across a transition
	setrlimit
	rlimitinh	# inherit resource limits across a transition
	dyntransition	# change domain without an exec
	setcurrent	# write the process's own current label
	execmem		# anonymous writable+executable memory
	execstack	# executable stack
	execheap	# executable heap
	setkeycreate
	setsockcreate
	getrlimit	# added 2017-05 (per blame)
}
323
# Overflow class for process permissions added later (2018-09 per blame),
# kept separate so the existing process class is not reshaped.
class process2
{
	nnp_transition		# domain transition while no_new_privs is set
	nosuid_transition	# domain transition from a file on a nosuid mount
	# NOTE(review): these are normally gated by a policy capability; confirm
	# the matching policy_capabilities entry exists in this tree or the
	# permissions will not take effect.
}
330#
331# Define the access vector interpretation for ipc-related objects
332#
333
# Generic System V IPC object: the ipc common only.
class ipc
inherits ipc

# System V semaphores: the ipc common only.
class sem
inherits ipc
339
# System V message queues; enqueue is checked when a message is added.
class msgq
inherits ipc
{
	enqueue
}
345
# Individual messages in a queue (labelled separately from the queue).
class msg
{
	send
	receive
}
351
# System V shared memory; lock covers pinning the segment in memory.
class shm
inherits ipc
{
	lock
}
357
358
359#
360# Define the access vector interpretation for the security server.
361#
362
# Operations on the SELinux security server itself. A domain holding
# load_policy, setenforce, setbool or setcheckreqprot can weaken or
# replace the policy that confines it; these should be confined to the
# single policy-management domain.
class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy	# replace the loaded policy
	compute_relabel
	compute_user
	setenforce	# was avc_toggle in system class
	setbool		# flip policy booleans at runtime
	setsecparam
	setcheckreqprot
	read_policy	# read back the loaded policy
	validate_trans	# added 2017-07 (per blame)
}
379
380
381#
382# Define the access vector interpretation for system operations.
383#
384
# Kernel-wide operations that are not tied to a particular object.
class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request	# NOTE(review): presumably a kernel-initiated module autoload on behalf of the domain - confirm
	module_load	# added 2016-04 (per blame); explicit module loading by a process
}
394
#
# Define the access vector interpretation for controlling capabilities
# (see cap_userns / cap2_userns below for the user-namespace variants).
#
398
# Capabilities 0..31 (see the cap common for the ordering and the
# high-risk entries).
class capability
inherits cap

# Capabilities 32 and up (see the cap2 common).
class capability2
inherits cap2
#
# Extended Netlink classes: one class per netlink family, so that rules can
# distinguish families instead of granting the generic netlink_socket.
#
# NETLINK_ROUTE: nlmsg_write allows changing routes/interfaces/addresses,
# nlmsg_read only querying them; keep the two separate in rules.
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
414
# NETLINK_INET_DIAG socket diagnostics; nlmsg_read exposes other processes'
# socket state.
class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
421
# NETLINK_NFLOG; only the socket common, no nlmsg_* split.
class netlink_nflog_socket
inherits socket
424
# NETLINK_XFRM (IPsec policy/SA management); nlmsg_write alters IPsec state.
class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
431
# NETLINK_SELINUX (kernel-to-userspace SELinux notifications).
class netlink_selinux_socket
inherits socket
434
# NETLINK_AUDIT. nlmsg_write (configure auditing) and nlmsg_readpriv
# (privileged reads) can disable or exfiltrate the audit trail; nlmsg_relay
# is the unprivileged path for sending audit records.
class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}
444
# NETLINK_DNRTMSG (DECnet routing); socket common only.
class netlink_dnrt_socket
inherits socket
447
#
# Define the access vector interpretation for controlling
# access to IPsec network data by security association.
#
# IPsec security associations: sendto/recvfrom gate traffic through a
# labelled SA, setcontext labels a new SA, polmatch matches a labelled
# IPsec policy.
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}
458
459# Updated Netlink class for KOBJECT_UEVENT family.
# NETLINK_KOBJECT_UEVENT (device hotplug events); socket common only.
class netlink_kobject_uevent_socket
inherits socket

# AppleTalk sockets; socket common only.
class appletalk_socket
inherits socket
465
# Labelled network packets (labels assigned by the netfilter SECMARK path);
# send/recv are checked per direction, forward_* for forwarded traffic.
class packet
{
	send
	recv
	relabelto
	flow_in		# deprecated
	flow_out	# deprecated
	forward_in
	forward_out
}
476
# Kernel keyrings (the keys(7) facility); read exposes key material.
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}
487
# DCCP sockets, defined like tcp_socket (node_bind and name_connect).
class dccp_socket
inherits socket
{
	node_bind
	name_connect
}
494
# Low-address memory protection; mmap_zero is the right to map memory at
# or near address zero (classic null-dereference exploitation aid), so it
# should essentially never be granted.
class memprotect
{
	mmap_zero
}
499
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500500# network peer labels
class peer
{
	recv	# receive traffic from a peer carrying this label
}
505
# In-kernel services acting on behalf of a process; both permissions let
# a domain have work performed or files created under a different label.
class kernel_service
{
	use_as_override
	create_files_as
}
511
# TUN/TAP device sockets; attach_queue (added 2014-06 per blame) covers
# attaching to a multi-queue TUN device.
class tun_socket
inherits socket
{
	attach_queue
}
# Android binder IPC (kernel-side checks).
class binder
{
	impersonate	# NOTE(review): presumably perform a transaction under another process's identity - confirm
	call		# make a transaction to the target domain
	set_context_mgr	# become the binder context manager; NOTE(review): should be
			# held by exactly one domain (the service manager) per binder device
	transfer	# pass a binder reference to the target domain
}
525
# Additional per-family netlink classes (added 2015-05 per blame). All use
# the socket common only; none has the nlmsg_read/nlmsg_write split, so a
# rule granting write on one of these permits every message in the family.
class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket
549
#
# Define the access vector interpretation for controlling capabilities
# in user namespaces (checked instead of capability/capability2 when the
# process is in a non-initial user namespace).
#
554
# Same layout as capability, but for capabilities exercised inside a user
# namespace; a grant here does not imply the root-namespace capability.
class cap_userns
inherits cap

# Same layout as capability2, user-namespace variant.
class cap2_userns
inherits cap2
560
562#
563# Define the access vector interpretation for the new socket classes
564# enabled by the extended_socket_class policy capability.
565#
566
567#
568# The next two classes were previously mapped to rawip_socket and therefore
569# have the same definition as rawip_socket (until further permissions
570# are defined).
571#
# SCTP sockets; same definition as rawip_socket (see comment above).
class sctp_socket
inherits socket
{
	node_bind
}
577
# ICMP (ping) sockets; same definition as rawip_socket (see comment above).
class icmp_socket
inherits socket
{
	node_bind
}
583
584#
585# The remaining network socket classes were previously
586# mapped to the socket class and therefore have the
587# same definition as socket.
588#
589
# One class per remaining address family, each with the socket common only
# (see the comment above: these used to map to the generic socket class).
# NOTE(review): the class name is assumed to be the lowercased AF_* name;
# verify against the kernel's class map before adding a new one, and keep
# the list in this order.
class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

# added 2017-05 (per blame), later than the rest of the group
class smc_socket
inherits socket
670
# eBPF objects (added 2018-10 per blame). prog_load lets a domain load
# code into the kernel; map_write lets it alter state other programs read.
class bpf
{
	map_create
	map_read
	map_write
	prog_load
	prog_run
}
679
# Android property service (userspace object manager): set is checked
# against the label of the property being written.
class property_service
{
	set
}
# Android servicemanager (userspace object manager). add registers a
# service under a label; find (added 2014-07 per blame) and list are the
# lookup side. Granting add lets a domain impersonate a named service.
class service_manager
{
	add
	find
	list
}
# Android hwservicemanager (HIDL services, added 2017-04 per blame); same
# add/find/list shape as service_manager above, same caution about add.
class hwservice_manager
{
	add
	find
	list
}
698
# Android keystore (userspace object manager). Per blame, several entries
# (get_state, list, is_empty, add_auth, user_changed, gen_unique_id) were
# inserted after the original list rather than appended at the end.
# NOTE(review): that is only safe because keystore matches permissions by
# name; for kernel-enforced classes, always append.
class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset		# wipes keys; should be limited to the user-management path
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant		# delegate access to a key to another caller
	duplicate
	clear_uid
	add_auth
	user_changed
	gen_unique_id
}
# Android DRM service (userspace object manager). Style note: these are the
# only camelCase permission names in the file; they are left as-is because
# existing rules and the service itself reference them by exact name.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}
731}