Stephen Smalley2dd4e512012-01-04 12:33:27 -05001#
2# Define common prefixes for access vectors
3#
4# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
#
# Permission prefix shared by every file-like class in this file
# (dir, file, lnk_file, chr_file, blk_file, sock_file, fifo_file all
# "inherits file"). Classes append their own permissions after these.
#
common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map		# NOTE(review): added later than the rest; presumably the mmap/mprotect check on the object -- confirm against the target kernel's hooks
	unlink
	link
	rename
	execute
	quotaon
	mounton
}
31
32
33#
34# Define a common prefix for socket access vectors.
35#
36
#
# Permission prefix shared by every socket class in this file. The
# first group repeats the non-namespace subset of "common file" (no
# unlink/link/rename/execute/quotaon/mounton); the second group is
# socket-specific. tcp/udp/sctp/dccp/rawip/icmp add node_bind and,
# where applicable, name_connect in their own class bodies.
#
common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind	# NOTE(review): presumably the bind()-time check against the port/name label -- confirm
}
63
64#
65# Define a common prefix for ipc access vectors.
66#
67
#
# Permission prefix shared by the System V IPC classes (ipc, sem, msgq,
# shm all "inherits ipc" below).
#
common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}
80
81#
# Define a common prefix for capability access vectors.
83#
#
# Capability bits 0..31. Per the order note below, each name's position
# appears to be its capability number, so this list should only ever be
# appended to, never reordered or pruned. Bits >= 32 live in "common cap2".
#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override	# NOTE(review): bypasses DAC read/write/execute checks; audit every domain granted it
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module	# NOTE(review): kernel code loading; pair with system:module_load review
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin	# NOTE(review): broadest capability in the set; grant sparingly
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}
124
#
# Capability bits >= 32, continuing the numbering of "common cap"
# (see the order note there): the same append-only rule applies.
#
common cap2
{
	mac_override # unused by SELinux
	mac_admin # unused by SELinux
	syslog
	wake_alarm
	block_suspend
	audit_read
}
134
135#
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500136# Define the access vectors.
137#
138# class class_name [ inherits common_name ] { permission_name ... }
139
140
141#
142# Define the access vector interpretation for file-related objects.
143#
144
#
# Whole-filesystem (superblock) operations. Does not inherit "common
# file"; the permission set is specific to mounting, labelling and quotas.
#
class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
	watch		# added later than the rest (see blame); the file classes below gained a larger watch* family at the same time
}
158
#
# Directories: "common file" plus the directory namespace operations
# (add_name/remove_name/reparent/search/rmdir) and the watch* family
# shared with the other file-like classes.
#
class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
	watch
	watch_mount
	watch_sb
	watch_with_perm
	watch_reads
}
176
#
# Regular files: "common file" plus the executable-related permissions.
# execute_no_trans / entrypoint / execmod are the ones that matter for
# code execution and domain-transition policy elsewhere in the policy.
#
class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod		# NOTE(review): presumably execute of a writable/modified mapping (text relocation); confirm
	open
	audit_access
	watch
	watch_mount
	watch_sb
	watch_with_perm
	watch_reads
}
191
#
# Symbolic links: "common file" plus open/audit_access/execmod and the
# watch* family. No execute_no_trans/entrypoint here, unlike class file.
#
class lnk_file
inherits file
{
	open
	audit_access
	execmod
	watch
	watch_mount
	watch_sb
	watch_with_perm
	watch_reads
}
204
#
# Character devices: same permission set as class file, including
# execute_no_trans and entrypoint.
#
class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
	watch
	watch_mount
	watch_sb
	watch_with_perm
	watch_reads
}
219
#
# Block devices: "common file" plus open/audit_access/execmod and the
# watch* family (same shape as lnk_file, sock_file and fifo_file).
#
class blk_file
inherits file
{
	open
	audit_access
	execmod
	watch
	watch_mount
	watch_sb
	watch_with_perm
	watch_reads
}
232
#
# Unix-domain socket files on the filesystem: same permission set as
# blk_file. (Socket I/O itself is governed by the *_socket classes.)
#
class sock_file
inherits file
{
	open
	audit_access
	execmod
	watch
	watch_mount
	watch_sb
	watch_with_perm
	watch_reads
}
245
#
# Named pipes: same permission set as blk_file / sock_file.
#
class fifo_file
inherits file
{
	open
	audit_access
	execmod
	watch
	watch_mount
	watch_sb
	watch_with_perm
	watch_reads
}
258
#
# File descriptors: a single permission, "use", which is what policy
# checks when a descriptor is passed or inherited across domains.
#
class fd
{
	use
}
263
264
265#
266# Define the access vector interpretation for network-related objects.
267#
268
# Generic socket class: exactly the "common socket" permissions, nothing added.
class socket
inherits socket
271
#
# TCP: "common socket" plus the two address-label checks. node_bind and
# name_connect are the permissions port/node labelling rules hang off.
#
class tcp_socket
inherits socket
{
	node_bind
	name_connect
}
278
# UDP: "common socket" plus node_bind (no name_connect, unlike tcp_socket).
class udp_socket
inherits socket
{
	node_bind
}
284
# Raw IP: same shape as udp_socket. sctp_socket/icmp_socket further down
# were split out of this class (see the comment above them).
class rawip_socket
inherits socket
{
	node_bind
}
290
# Network node (address) labels: traffic direction checks only.
class node
{
	recvfrom
	sendto
}
296
# Network interface labels: per-direction checks.
class netif
{
	ingress
	egress
}
302
#
# Socket classes that carry only the "common socket" permissions.
# The netlink families with nlmsg_* permissions are defined separately
# under "Extended Netlink classes" below.
#
class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket
311
# Unix stream sockets: "common socket" plus connectto (the peer-domain
# check on connect(), distinct from the sock_file checks).
class unix_stream_socket
inherits socket
{
	connectto
}
317
# Unix datagram sockets: "common socket" only (no connectto).
class unix_dgram_socket
inherits socket
320
321#
322# Define the access vector interpretation for process-related objects
323#
324
#
# Process-to-process and self permissions. The ones that most often
# need review in a policy are ptrace, dyntransition/setcurrent (runtime
# domain changes) and execmem/execstack/execheap (W+X memory).
#
class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace		# NOTE(review): debugger-level access to another domain; keep tightly scoped
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition	# NOTE(review): domain change without exec; weaker than an exec-based transition
	setcurrent
	execmem		# NOTE(review): anonymous writable+executable memory
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit	# added later than the rest (see blame); read-side counterpart of setrlimit
}
359
#
# Overflow class for process permissions (process is full). Both
# permissions govern transitions under no_new_privs / nosuid conditions.
#
class process2
{
	nnp_transition
	nosuid_transition
}
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500365
366#
367# Define the access vector interpretation for ipc-related objects
368#
369
# Generic IPC and semaphores: exactly the "common ipc" permissions.
class ipc
inherits ipc

class sem
inherits ipc
375
# Message queues: "common ipc" plus enqueue.
class msgq
inherits ipc
{
	enqueue
}
381
# Individual messages in a queue: not based on "common ipc".
class msg
{
	send
	receive
}
387
# Shared memory segments: "common ipc" plus lock.
class shm
inherits ipc
{
	lock
}
393
394
395#
396# Define the access vector interpretation for the security server.
397#
398
#
# Security server (selinuxfs) operations. load_policy, setenforce and
# setbool change the policy or its enforcement state at runtime, so the
# set of domains holding them is a key review item.
#
class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy	# NOTE(review): replaces the running policy
	compute_relabel
	compute_user
	setenforce # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
	validate_trans	# added later than the rest (see blame)
}
415
416
417#
418# Define the access vector interpretation for system operations.
419#
420
#
# Kernel-wide operations not tied to an object: IPC info, syslog access
# and kernel module loading.
#
class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load	# NOTE(review): added later than module_request (see blame); presumably the finit_module/init_module side -- confirm
}
430
431#
Stephen Smalley8a003602016-04-27 09:42:57 -0400432# Define the access vector interpretation for controlling capabilities
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500433#
434
# Capability classes for the initial user namespace; the permission lists
# come entirely from "common cap" / "common cap2" above.
class capability
inherits cap

class capability2
inherits cap2
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500440
441#
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500442# Extended Netlink classes
443#
# Routing netlink: "common socket" plus read/write split on the message type.
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
450
# Socket-diagnostics netlink: same shape as netlink_route_socket.
class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
457
# Netfilter log netlink: "common socket" only.
class netlink_nflog_socket
inherits socket
460
# IPsec transform netlink: same shape as netlink_route_socket.
class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}
467
# SELinux notification netlink: "common socket" only.
class netlink_selinux_socket
inherits socket
470
#
# Audit netlink: the most finely split netlink class here. nlmsg_relay
# (userspace-originated audit records) and nlmsg_readpriv are the
# permissions to watch when a domain needs more than plain read/write.
#
class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}
480
# DECnet routing netlink: "common socket" only.
class netlink_dnrt_socket
inherits socket
483
484# Define the access vector interpretation for controlling
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500485# access to IPSec network data by association
486#
#
# IPsec security association checks (see the comment above): traffic
# direction, setting the SA context, and policy matching.
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}
494
495# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

# AppleTalk: "common socket" only.
class appletalk_socket
inherits socket
501
#
# Labelled network packets (secmark). flow_in/flow_out are kept only for
# compatibility; forward_in/forward_out are the current forwarding checks.
#
class packet
{
	send
	recv
	relabelto
	flow_in # deprecated
	flow_out # deprecated
	forward_in
	forward_out
}
512
#
# Kernel keyring keys. Note this is the keyring object, not to be
# confused with key_socket above or keystore_key below.
#
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}
523
# DCCP: same shape as tcp_socket (node_bind + name_connect).
class dccp_socket
inherits socket
{
	node_bind
	name_connect
}
530
# Low-address memory mapping. mmap_zero gates mapping page zero, which
# is what turns a kernel NULL-pointer dereference into something
# exploitable; it should be denied to essentially every domain.
class memprotect
{
	mmap_zero
}
535
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500536# network peer labels
class peer
{
	recv	# the only check on a labelled network peer
}
541
#
# Checks on kernel services acting on behalf of a domain: overriding
# credentials and creating files under another label.
#
class kernel_service
{
	use_as_override
	create_files_as
}
547
# TUN/TAP devices: "common socket" plus attach_queue (added later than
# the class itself, see blame).
class tun_socket
inherits socket
{
	attach_queue
}
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500553
#
# Binder IPC. set_context_mgr should be held by a single domain (the
# context manager); impersonate and transfer are the ones that let a
# domain act as, or hand objects to, another.
#
class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}
561
#
# Remaining netlink families: "common socket" only, no nlmsg_* split.
#
class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket
585
# InfiniBand partition keys: a single access check.
class infiniband_pkey
{
	access
}
590
# InfiniBand end ports: subnet-management only.
class infiniband_endport
{
	manage_subnet
}
595
Stephen Smalley8a003602016-04-27 09:42:57 -0400596#
597# Define the access vector interpretation for controlling capabilities
598# in user namespaces
599#
600
# Capability classes for non-initial user namespaces; same permission
# lists as capability / capability2, so the same ordering rule applies.
class cap_userns
inherits cap

class cap2_userns
inherits cap2
606
Stephen Smalley431bdd92016-12-08 13:35:27 -0500607
608#
609# Define the access vector interpretation for the new socket classes
610# enabled by the extended_socket_class policy capability.
611#
612
#
# The next two classes were previously mapped to rawip_socket and therefore
# started out with the same definition as rawip_socket. sctp_socket has
# since gained name_connect and association (see blame), so it no longer
# matches rawip_socket exactly; icmp_socket still does.
#
class sctp_socket
inherits socket
{
	node_bind
	name_connect
	association
}
625
# ICMP: same shape as rawip_socket / udp_socket.
class icmp_socket
inherits socket
{
	node_bind
}
631
632#
633# The remaining network socket classes were previously
634# mapped to the socket class and therefore have the
635# same definition as socket.
636#
637
#
# Address-family socket classes enabled by extended_socket_class (see the
# comment above): each is exactly "common socket". smc_socket was added
# after the rest (see blame).
#
class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

class smc_socket
inherits socket
718
#
# eBPF: map and program operations. prog_load (loading kernel-executed
# code) is the permission to scrutinise most when granting this class.
#
class bpf
{
	map_create
	map_read
	map_write
	prog_load
	prog_run
}
727
# Userspace object-manager class (not a kernel object): setting a
# system property. Property labels are defined elsewhere in the policy.
class property_service
{
	set
}
Riley Spahnf90c41f2014-06-05 15:52:02 -0700732
# Userspace object-manager class for the binder service registry.
# add (registering a service) is the sensitive permission; find and
# list were added after it (see blame).
class service_manager
{
	add
	find
	list
}
Riley Spahn1196d2a2014-06-17 14:58:52 -0700739
# Same permission set as service_manager, for the HAL service registry.
class hwservice_manager
{
	add
	find
	list
}
746
#
# Userspace object-manager class for keystore operations. The list has
# been appended to over several changes (see blame); grant, duplicate,
# clear_uid and reset are the permissions that affect other users' keys.
#
class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
	gen_unique_id
}
Stephen Smalleyba992492014-07-24 15:25:43 -0400769
# Userspace object-manager class for the DRM service. Note the brace
# is on the class line and the names are camelCase, unlike every other
# class in this file; kept as-is since the names are part of the ABI.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}
Nick Kralevichea1775d2018-11-01 19:39:44 -0700780
# AF_XDP: "common socket" only.
class xdp_socket
inherits socket