1 ##################################### 2 # domain_trans(olddomain, type, newdomain) 3 # Allow a transition from olddomain to newdomain 4 # upon executing a file labeled with type. 5 # This only allows the transition; it does not 6 # cause it to occur automatically - use domain_auto_trans 7 # if that is what you want. 8 # 9 define(`domain_trans', ` 10 # Old domain may exec the file and transition to the new domain. 11 allow $1 $2:file { getattr open read execute }; 12 allow $1 $3:process transition; 13 # New domain is entered by executing the file. 14 allow $3 $2:file { entrypoint read execute }; 15 # New domain can send SIGCHLD to its caller. 16 allow $3 $1:process sigchld; 17 # Enable AT_SECURE, i.e. libc secure mode. 18 dontaudit $1 $3:process noatsecure; 19 # XXX dontaudit candidate but requires further study. 20 allow $1 $3:process { siginh rlimitinh }; 21 ') 22 23 ##################################### 24 # domain_auto_trans(olddomain, type, newdomain) 25 # Automatically transition from olddomain to newdomain 26 # upon executing a file labeled with type. 27 # 28 define(`domain_auto_trans', ` 29 # Allow the necessary permissions. 30 domain_trans($1,$2,$3) 31 # Make the transition occur by default. 32 type_transition $1 $2:process $3; 33 ') 34 35 ##################################### 36 # file_type_trans(domain, dir_type, file_type) 37 # Allow domain to create a file labeled file_type in a 38 # directory labeled dir_type. 39 # This only allows the transition; it does not 40 # cause it to occur automatically - use file_type_auto_trans 41 # if that is what you want. 42 # 43 define(`file_type_trans', ` 44 # Allow the domain to add entries to the directory. 45 allow $1 $2:dir ra_dir_perms; 46 # Allow the domain to create the file. 47 allow $1 $3:notdevfile_class_set create_file_perms; 48 allow $1 $3:dir create_dir_perms; 49 ') 50 51 ##################################### 52 # file_type_auto_trans(domain, dir_type, file_type) 53 # Automatically label new files with file_type when 54 # they are created by domain in directories labeled dir_type. 55 # 56 define(`file_type_auto_trans', ` 57 # Allow the necessary permissions. 58 file_type_trans($1, $2, $3) 59 # Make the transition occur by default. 60 type_transition $1 $2:dir $3; 61 type_transition $1 $2:notdevfile_class_set $3; 62 ') 63 64 ##################################### 65 # r_dir_file(domain, type) 66 # Allow the specified domain to read directories, files 67 # and symbolic links of the specified type. 68 define(`r_dir_file', ` 69 allow $1 $2:dir r_dir_perms; 70 allow $1 $2:{ file lnk_file } r_file_perms; 71 ') 72 73 ##################################### 74 # unconfined_domain(domain) 75 # Allow the specified domain to do anything. 76 # 77 define(`unconfined_domain', ` 78 typeattribute $1 mlstrustedsubject; 79 typeattribute $1 unconfineddomain; 80 ') 81 82 ##################################### 83 # tmpfs_domain(domain) 84 # Define and allow access to a unique type for 85 # this domain when creating tmpfs / shmem / ashmem files. 86 define(`tmpfs_domain', ` 87 type $1_tmpfs, file_type; 88 type_transition $1 tmpfs:file $1_tmpfs; 89 # Map with PROT_EXEC. 90 allow $1 $1_tmpfs:file { read execute execmod }; 91 ') 92 93 ##################################### 94 # init_daemon_domain(domain) 95 # Set up a transition from init to the daemon domain 96 # upon executing its binary. 97 define(`init_daemon_domain', ` 98 domain_auto_trans(init, $1_exec, $1) 99 tmpfs_domain($1) 100 ') 101 102 ##################################### 103 # app_domain(domain) 104 # Allow a base set of permissions required for all apps. 105 define(`app_domain', ` 106 typeattribute $1 appdomain; 107 # Label ashmem objects with our own unique type. 108 tmpfs_domain($1) 109 ') 110 111 ##################################### 112 # platform_app_domain(domain) 113 # Allow permissions specific to platform apps. 114 define(`platform_app_domain', ` 115 typeattribute $1 platformappdomain; 116 typeattribute $1 mlstrustedsubject; 117 ') 118 119 ##################################### 120 # net_domain(domain) 121 # Allow a base set of permissions required for network access. 122 define(`net_domain', ` 123 typeattribute $1 netdomain; 124 ') 125 126 ##################################### 127 # bluetooth_domain(domain) 128 # Allow a base set of permissions required for bluetooth access. 129 define(`bluetooth_domain', ` 130 typeattribute $1 bluetoothdomain; 131 ') 132 133 ##################################### 134 # unix_socket_connect(clientdomain, socket, serverdomain) 135 # Allow a local socket connection from clientdomain via 136 # socket to serverdomain. 137 define(`unix_socket_connect', ` 138 allow $1 $2_socket:sock_file write; 139 allow $1 $3:unix_stream_socket connectto; 140 ') 141 142 ##################################### 143 # unix_socket_send(clientdomain, socket, serverdomain) 144 # Allow a local socket send from clientdomain via 145 # socket to serverdomain. 146 define(`unix_socket_send', ` 147 allow $1 $2_socket:sock_file write; 148 allow $1 $3:unix_dgram_socket sendto; 149 ') 150 151 ##################################### 152 # binder_use(domain) 153 # Allow domain to use Binder IPC. 154 define(`binder_use', ` 155 # Get Binder references from the servicemanager. 156 allow $1 servicemanager:binder call; 157 # Transfer and receive own Binder references. 158 allow $1 self:binder { transfer receive }; 159 # Map /dev/ashmem with PROT_EXEC. 160 allow $1 ashmem_device:chr_file execute; 161 # rw access to /dev/binder and /dev/ashmem is presently granted to 162 # all domains in domain.te. 163 ') 164 165 ##################################### 166 # binder_call(clientdomain, serverdomain) 167 # Allow clientdomain to perform binder IPC to serverdomain. 168 define(`binder_call', ` 169 # First we receive a Binder ref to the server, then we call it. 170 allow $1 $2:binder { receive call }; 171 # Receive and use open files from the server. 172 allow $1 $2:fd use; 173 ') 174 175 ##################################### 176 # binder_transfer(clientdomain, serverdomain) 177 # Allow clientdomain to transfer Binder references created by serverdomain. 178 define(`binder_transfer', ` 179 allow $1 $2:binder transfer; 180 ') 181 182 ##################################### 183 # binder_service(domain) 184 # Mark a domain as being a Binder service domain. 185 # Used to allow binder IPC to the various system services. 186 define(`binder_service', ` 187 typeattribute $1 binderservicedomain; 188 ') 189 190 ##################################### 191 # selinux_check_access(domain) 192 # Allow domain to check SELinux permissions via selinuxfs. 193 define(`selinux_check_access', ` 194 allow $1 selinuxfs:dir r_dir_perms; 195 allow $1 selinuxfs:file rw_file_perms; 196 allow $1 kernel:security compute_av; 197 allow $1 self:netlink_selinux_socket *; 198 ') 199 200 ##################################### 201 # selinux_check_context(domain) 202 # Allow domain to check SELinux contexts via selinuxfs. 203 define(`selinux_check_context', ` 204 allow $1 selinuxfs:dir r_dir_perms; 205 allow $1 selinuxfs:file rw_file_perms; 206 allow $1 kernel:security check_context; 207 ') 208 209 ##################################### 210 # selinux_getenforce(domain) 211 # Allow domain to check whether SELinux is enforcing. 212 define(`selinux_getenforce', ` 213 allow $1 selinuxfs:dir r_dir_perms; 214 allow $1 selinuxfs:file r_file_perms; 215 ') 216 217 ##################################### 218 # selinux_setenforce(domain) 219 # Allow domain to set SELinux to enforcing. 220 define(`selinux_setenforce', ` 221 allow $1 selinuxfs:dir r_dir_perms; 222 allow $1 selinuxfs:file rw_file_perms; 223 allow $1 kernel:security setenforce; 224 ') 225 226 ##################################### 227 # selinux_setbool(domain) 228 # Allow domain to set SELinux booleans. 229 define(`selinux_setbool', ` 230 allow $1 selinuxfs:dir r_dir_perms; 231 allow $1 selinuxfs:file rw_file_perms; 232 allow $1 kernel:security setbool; 233 ') 234
