1 ##################################### 2 # domain_trans(olddomain, type, newdomain) 3 # Allow a transition from olddomain to newdomain 4 # upon executing a file labeled with type. 5 # This only allows the transition; it does not 6 # cause it to occur automatically - use domain_auto_trans 7 # if that is what you want. 8 # 9 define(`domain_trans', ` 10 # Old domain may exec the file and transition to the new domain. 11 allow $1 $2:file { getattr open read execute }; 12 allow $1 $3:process transition; 13 # New domain is entered by executing the file. 14 allow $3 $2:file { entrypoint read execute }; 15 # New domain can send SIGCHLD to its caller. 16 allow $3 $1:process sigchld; 17 # Enable AT_SECURE, i.e. libc secure mode. 18 dontaudit $1 $3:process noatsecure; 19 # XXX dontaudit candidate but requires further study. 20 allow $1 $3:process { siginh rlimitinh }; 21 ') 22 23 ##################################### 24 # domain_auto_trans(olddomain, type, newdomain) 25 # Automatically transition from olddomain to newdomain 26 # upon executing a file labeled with type. 27 # 28 define(`domain_auto_trans', ` 29 # Allow the necessary permissions. 30 domain_trans($1,$2,$3) 31 # Make the transition occur by default. 32 type_transition $1 $2:process $3; 33 ') 34 35 ##################################### 36 # file_type_trans(domain, dir_type, file_type) 37 # Allow domain to create a file labeled file_type in a 38 # directory labeled dir_type. 39 # This only allows the transition; it does not 40 # cause it to occur automatically - use file_type_auto_trans 41 # if that is what you want. 42 # 43 define(`file_type_trans', ` 44 # Allow the domain to add entries to the directory. 45 allow $1 $2:dir ra_dir_perms; 46 # Allow the domain to create the file. 47 allow $1 $3:notdevfile_class_set create_file_perms; 48 allow $1 $3:dir create_dir_perms; 49 ') 50 51 ##################################### 52 # file_type_auto_trans(domain, dir_type, file_type) 53 # Automatically label new files with file_type when 54 # they are created by domain in directories labeled dir_type. 55 # 56 define(`file_type_auto_trans', ` 57 # Allow the necessary permissions. 58 file_type_trans($1, $2, $3) 59 # Make the transition occur by default. 60 type_transition $1 $2:dir $3; 61 type_transition $1 $2:notdevfile_class_set $3; 62 ') 63 64 ##################################### 65 # r_dir_file(domain, type) 66 # Allow the specified domain to read directories, files 67 # and symbolic links of the specified type. 68 define(`r_dir_file', ` 69 allow $1 $2:dir r_dir_perms; 70 allow $1 $2:{ file lnk_file } r_file_perms; 71 ') 72 73 ##################################### 74 # unconfined_domain(domain) 75 # Allow the specified domain to do anything. 76 # 77 define(`unconfined_domain', ` 78 typeattribute $1 mlstrustedsubject; 79 typeattribute $1 unconfineddomain; 80 ') 81 82 ##################################### 83 # tmpfs_domain(domain) 84 # Define and allow access to a unique type for 85 # this domain when creating tmpfs / shmem / ashmem files. 86 define(`tmpfs_domain', ` 87 type $1_tmpfs, file_type; 88 type_transition $1 tmpfs:file $1_tmpfs; 89 # Map with PROT_EXEC. 90 allow $1 $1_tmpfs:file { read execute execmod }; 91 ') 92 93 ##################################### 94 # init_daemon_domain(domain) 95 # Set up a transition from init to the daemon domain 96 # upon executing its binary. 97 define(`init_daemon_domain', ` 98 domain_auto_trans(init, $1_exec, $1) 99 tmpfs_domain($1) 100 ') 101 102 ##################################### 103 # app_domain(domain) 104 # Allow a base set of permissions required for all apps. 105 define(`app_domain', ` 106 typeattribute $1 appdomain; 107 # Label ashmem objects with our own unique type. 108 tmpfs_domain($1) 109 ') 110 111 ##################################### 112 # net_domain(domain) 113 # Allow a base set of permissions required for network access. 114 define(`net_domain', ` 115 typeattribute $1 netdomain; 116 ') 117 118 ##################################### 119 # bluetooth_domain(domain) 120 # Allow a base set of permissions required for bluetooth access. 121 define(`bluetooth_domain', ` 122 typeattribute $1 bluetoothdomain; 123 ') 124 125 ##################################### 126 # unix_socket_connect(clientdomain, socket, serverdomain) 127 # Allow a local socket connection from clientdomain via 128 # socket to serverdomain. 129 define(`unix_socket_connect', ` 130 allow $1 $2_socket:sock_file write; 131 allow $1 $3:unix_stream_socket connectto; 132 ') 133 134 ##################################### 135 # unix_socket_send(clientdomain, socket, serverdomain) 136 # Allow a local socket send from clientdomain via 137 # socket to serverdomain. 138 define(`unix_socket_send', ` 139 allow $1 $2_socket:sock_file write; 140 allow $1 $3:unix_dgram_socket sendto; 141 ') 142 143 ##################################### 144 # binder_use(domain) 145 # Allow domain to use Binder IPC. 146 define(`binder_use', ` 147 # Get Binder references from the servicemanager. 148 allow $1 servicemanager:binder call; 149 # Transfer and receive own Binder references. 150 allow $1 self:binder { transfer receive }; 151 # Map /dev/ashmem with PROT_EXEC. 152 allow $1 ashmem_device:chr_file execute; 153 # rw access to /dev/binder and /dev/ashmem is presently granted to 154 # all domains in domain.te. 155 ') 156 157 ##################################### 158 # binder_call(clientdomain, serverdomain) 159 # Allow clientdomain to perform binder IPC to serverdomain. 160 define(`binder_call', ` 161 # First we receive a Binder ref to the server, then we call it. 162 allow $1 $2:binder { receive call }; 163 # Receive and use open files from the server. 164 allow $1 $2:fd use; 165 ') 166 167 ##################################### 168 # binder_transfer(clientdomain, serverdomain) 169 # Allow clientdomain to transfer Binder references created by serverdomain. 170 define(`binder_transfer', ` 171 allow $1 $2:binder transfer; 172 ') 173 174 ##################################### 175 # binder_service(domain) 176 # Mark a domain as being a Binder service domain. 177 # Used to allow binder IPC to the various system services. 178 define(`binder_service', ` 179 typeattribute $1 binderservicedomain; 180 ') 181 182 ##################################### 183 # selinux_check_access(domain) 184 # Allow domain to check SELinux permissions via selinuxfs. 185 define(`selinux_check_access', ` 186 allow $1 selinuxfs:dir r_dir_perms; 187 allow $1 selinuxfs:file rw_file_perms; 188 allow $1 kernel:security compute_av; 189 allow $1 self:netlink_selinux_socket *; 190 ') 191 192 ##################################### 193 # selinux_check_context(domain) 194 # Allow domain to check SELinux contexts via selinuxfs. 195 define(`selinux_check_context', ` 196 allow $1 selinuxfs:dir r_dir_perms; 197 allow $1 selinuxfs:file rw_file_perms; 198 allow $1 kernel:security check_context; 199 ') 200 201 ##################################### 202 # selinux_getenforce(domain) 203 # Allow domain to check whether SELinux is enforcing. 204 define(`selinux_getenforce', ` 205 allow $1 selinuxfs:dir r_dir_perms; 206 allow $1 selinuxfs:file r_file_perms; 207 ') 208 209 ##################################### 210 # selinux_setenforce(domain) 211 # Allow domain to set SELinux to enforcing. 212 define(`selinux_setenforce', ` 213 allow $1 selinuxfs:dir r_dir_perms; 214 allow $1 selinuxfs:file rw_file_perms; 215 allow $1 kernel:security setenforce; 216 ') 217 218 ##################################### 219 # selinux_setbool(domain) 220 # Allow domain to set SELinux booleans. 221 define(`selinux_setbool', ` 222 allow $1 selinuxfs:dir r_dir_perms; 223 allow $1 selinuxfs:file rw_file_perms; 224 allow $1 kernel:security setbool; 225 ') 226
