Home | History | Annotate | Download | only in docs 
      1 Access Vector Rules
      2 ===================
      3 
      4 allow
      5 -----
      6 
      7 Specifies the access allowed between a source and target type. Note that access may be refined by constraint rules based on the source, target and class ([`validatetrans`](cil_constraint_statements.md#validatetrans) or [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans)) or source, target class and permissions ([`constrain`](cil_constraint_statements.md#constrain) or [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain) statements).
      8 
      9 **Rule definition:**
     10 
     11     (allow source_id target_id|self classpermissionset_id ...)
     12 
     13 **Where:**
     14 
     15 <table>
     16 <colgroup>
     17 <col width="27%" />
     18 <col width="72%" />
     19 </colgroup>
     20 <tbody>
     21 <tr class="odd">
     22 <td align="left"><p><code>allow</code></p></td>
     23 <td align="left"><p>The <code>allow</code> keyword.</p></td>
     24 </tr>
     25 <tr class="even">
     26 <td align="left"><p><code>source_id</code></p></td>
     27 <td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
     28 </tr>
     29 <tr class="odd">
     30 <td align="left"><p><code>target_id</code></p></td>
     31 <td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
     32 <p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
     33 </tr>
     34 <tr class="even">
     35 <td align="left"><p><code>classpermissionset_id</code></p></td>
     36 <td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
     37 </tr>
     38 </tbody>
     39 </table>
     40 
     41 **Examples:**
     42 
     43 These examples show a selection of possible permutations of [`allow`](cil_access_vector_rules.md#allow) rules:
     44 
     45     (class binder (impersonate call set_context_mgr transfer receive))
     46     (class property_service (set))
     47     (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
     48 
     49     (classpermission cps_zygote)
     50     (classpermissionset cps_zygote (zygote (not (specifyids))))
     51 
     52     (classmap android_classes (set_1 set_2 set_3))
     53 
     54     (classmapping android_classes set_1 (binder (all)))
     55     (classmapping android_classes set_1 (property_service (set)))
     56     (classmapping android_classes set_1 (zygote (not (specifycapabilities))))
     57 
     58     (classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer)))
     59     (classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith)))
     60 
     61     (classmapping android_classes set_3 cps_zygote)
     62     (classmapping android_classes set_3 (binder (impersonate call set_context_mgr)))
     63 
     64     (block av_rules
     65         (type type_1)
     66         (type type_2)
     67         (type type_3)
     68         (type type_4)
     69         (type type_5)
     70 
     71         (typeattribute all_types)
     72         (typeattributeset all_types (all))
     73 
     74     ; These examples have named and anonymous classpermissionset's and
     75     ; classmap/classmapping statements
     76         (allow type_1 self (property_service (set)))          ; anonymous
     77         (allow type_2 self (zygote (specifyids)))             ; anonymous
     78         (allow type_3 self cps_zygote)                        ; named
     79         (allow type_4 self (android_classes (set_3)))         ; classmap/classmapping
     80         (allow all_types all_types (android_classes (set_2))) ; classmap/classmapping
     81 
     82     ;; This rule will cause the build to fail unless --disable-neverallow
     83     ;    (neverallow type_5 all_types (property_service (set)))
     84         (allow type_5 type_5 (property_service (set)))
     85         (allow type_1 all_types (property_service (set)))
     86     )
     87 
     88 auditallow
     89 ----------
     90 
     91 Audit the access rights defined if there is a valid allow rule. Note: It does NOT allow access, it only audits the event.
     92 
     93 **Rule definition:**
     94 
     95     (auditallow source_id target_id|self classpermissionset_id ...)
     96 
     97 **Where:**
     98 
     99 <table>
    100 <colgroup>
    101 <col width="29%" />
    102 <col width="70%" />
    103 </colgroup>
    104 <tbody>
    105 <tr class="odd">
    106 <td align="left"><p><code>auditallow</code></p></td>
    107 <td align="left"><p>The <code>auditallow</code> keyword.</p></td>
    108 </tr>
    109 <tr class="even">
    110 <td align="left"><p><code>source_id</code></p></td>
    111 <td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
    112 </tr>
    113 <tr class="odd">
    114 <td align="left"><p><code>target_id</code></p></td>
    115 <td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
    116 <p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
    117 </tr>
    118 <tr class="even">
    119 <td align="left"><p><code>classpermissionset_id</code></p></td>
    120 <td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
    121 </tr>
    122 </tbody>
    123 </table>
    124 
    125 **Example:**
    126 
    127 This example will log an audit event whenever the corresponding [`allow`](cil_access_vector_rules.md#allow) rule grants access to the specified permissions:
    128 
    129     (allow release_app.process secmark_demo.browser_packet (packet (send recv append bind)))
    130 
    131     (auditallow release_app.process secmark_demo.browser_packet (packet (send recv)))
    132 
    133 
    134 dontaudit
    135 ---------
    136 
    137 Do not audit the access rights defined when access denied. This stops excessive log entries for known events.
    138 
    139 Note that these rules can be omitted by the CIL compiler command line parameter `-D` or `--disable-dontaudit` flags.
    140 
    141 **Rule definition:**
    142 
    143     (dontaudit source_id target_id|self classpermissionset_id ...)
    144 
    145 **Where:**
    146 
    147 <table>
    148 <colgroup>
    149 <col width="27%" />
    150 <col width="72%" />
    151 </colgroup>
    152 <tbody>
    153 <tr class="odd">
    154 <td align="left"><p><code>dontaudit</code></p></td>
    155 <td align="left"><p>The <code>dontaudit</code> keyword.</p></td>
    156 </tr>
    157 <tr class="even">
    158 <td align="left"><p><code>source_id</code></p></td>
    159 <td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
    160 </tr>
    161 <tr class="odd">
    162 <td align="left"><p><code>target_id</code></p></td>
    163 <td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
    164 <p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
    165 </tr>
    166 <tr class="even">
    167 <td align="left"><p><code>classpermissionset_id</code></p></td>
    168 <td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
    169 </tr>
    170 </tbody>
    171 </table>
    172 
    173 **Example:**
    174 
    175 This example will not audit the denied access:
    176 
    177     (dontaudit zygote.process self (capability (fsetid)))
    178 
    179 neverallow
    180 ----------
    181 
    182 Never allow access rights defined. This is a compiler enforced action that will stop compilation until the offending rules are modified.
    183 
    184 Note that these rules can be over-ridden by the CIL compiler command line parameter `-N` or `--disable-neverallow` flags.
    185 
    186 **Rule definition:**
    187 
    188     (neverallow source_id target_id|self classpermissionset_id ...)
    189 
    190 **Where:**
    191 
    192 <table>
    193 <colgroup>
    194 <col width="27%" />
    195 <col width="72%" />
    196 </colgroup>
    197 <tbody>
    198 <tr class="odd">
    199 <td align="left"><p><code>neverallow</code></p></td>
    200 <td align="left"><p>The <code>neverallow</code> keyword.</p></td>
    201 </tr>
    202 <tr class="even">
    203 <td align="left"><p><code>source_id</code></p></td>
    204 <td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
    205 </tr>
    206 <tr class="odd">
    207 <td align="left"><p><code>target_id</code></p></td>
    208 <td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
    209 <p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
    210 </tr>
    211 <tr class="even">
    212 <td align="left"><p><code>classpermissionset_id</code></p></td>
    213 <td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
    214 </tr>
    215 </tbody>
    216 </table>
    217 
    218 **Example:**
    219 
    220 This example will not compile as `type_3` is not allowed to be a source type for the [`allow`](cil_access_vector_rules.md#allow) rule:
    221 
    222     (class property_service (set))
    223 
    224     (block av_rules
    225         (type type_1)
    226         (type type_2)
    227         (type type_3)
    228         (typeattribute all_types)
    229         (typeattributeset all_types ((all)))
    230 
    231         (neverallow type_3 all_types (property_service (set)))
    232         ; This rule will fail compilation:
    233         (allow type_3 self (property_service (set)))
    234     )
    235 
    236 allowx
    237 ------
    238 
    239 Specifies the access allowed between a source and target type using extended permissions. Unlike the [`allow`](cil_access_vector_rules.md#allow) statement, the statements [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans), [`constrain`](cil_constraint_statements.md#constrain), and [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain) do not limit accesses granted by [`allowx`](cil_access_vector_rules.md#allowx).
    240 
    241 **Rule definition:**
    242 
    243     (allowx source_id target_id|self permissionx_id)
    244 
    245 **Where:**
    246 
    247 <table>
    248 <colgroup>
    249 <col width="27%" />
    250 <col width="72%" />
    251 </colgroup>
    252 <tbody>
    253 <tr class="odd">
    254 <td align="left"><p><code>allowx</code></p></td>
    255 <td align="left"><p>The <code>allowx</code> keyword.</p></td>
    256 </tr>
    257 <tr class="even">
    258 <td align="left"><p><code>source_id</code></p></td>
    259 <td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code>, or <code>typeattribute</code> identifier.</p></td>
    260 </tr>
    261 <tr class="odd">
    262 <td align="left"><p><code>target_id</code></p></td>
    263 <td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code>, or <code>typeattribute</code> identifier.</p>
    264 <p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
    265 </tr>
    266 <tr class="even">
    267 <td align="left"><p><code>permissionx_id</code></p></td>
    268 <td align="left"><p>A single named or anonymous <code>permissionx</code>.</p></td>
    269 </tr>
    270 </tbody>
    271 </table>
    272 
    273 **Examples:**
    274 
    275 These examples show a selection of possible permutations of [`allowx`](cil_access_vector_rules.md#allowx) rules:
    276 
    277     (allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))
    278 
    279     (permissionx ioctl_nodebug (ioctl udp_socket (not (range 0x4000 0x4010))))
    280     (allowx type_3 type_4 ioctl_nodebug)
    281 
    282 
    283 
    284 auditallowx
    285 -----------
    286 
    287 Audit the access rights defined if there is a valid [`allowx`](cil_access_vector_rules.md#allowx) rule. It does NOT allow access, it only audits the event.
    288 
    289 **Rule definition:**
    290 
    291     (auditallowx source_id target_id|self permissionx_id)
    292 
    293 **Where:**
    294 
    295 <table>
    296 <colgroup>
    297 <col width="27%" />
    298 <col width="72%" />
    299 </colgroup>
    300 <tbody>
    301 <tr class="odd">
    302 <td align="left"><p><code>auditallowx</code></p></td>
    303 <td align="left"><p>The <code>auditallowx</code> keyword.</p></td>
    304 </tr>
    305 <tr class="even">
    306 <td align="left"><p><code>source_id</code></p></td>
    307 <td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
    308 </tr>
    309 <tr class="odd">
    310 <td align="left"><p><code>target_id</code></p></td>
    311 <td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
    312 <p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
    313 </tr>
    314 <tr class="even">
    315 <td align="left"><p><code>permissionx_id</code></p></td>
    316 <td align="left"><p>A single named or anonymous <code>permissionx</code>.</p></td>
    317 </tr>
    318 </tbody>
    319 </table>
    320 
    321 **Examples:**
    322 
    323 This example will log an audit event whenever the corresponding [`allowx`](cil_access_vector_rules.md#allowx) rule grants access to the specified extended permissions:
    324 
    325     (allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))
    326 
    327     (auditallowx type_1 type_2 (ioctl tcp_socket (range 0x2005 0x2010)))
    328 
    329 
    330 dontauditx
    331 ----------
    332 
    333 Do not audit the access rights defined when access denied. This stops excessive log entries for known events.
    334 
    335 Note that these rules can be omitted by the CIL compiler command line parameter `-D` or `--disable-dontaudit` flags.
    336 
    337 **Rule definition:**
    338 
    339     (dontauditx source_id target_id|self permissionx_id)
    340 
    341 **Where:**
    342 
    343 <table>
    344 <colgroup>
    345 <col width="27%" />
    346 <col width="72%" />
    347 </colgroup>
    348 <tbody>
    349 <tr class="odd">
    350 <td align="left"><p><code>dontauditx</code></p></td>
    351 <td align="left"><p>The <code>dontauditx</code> keyword.</p></td>
    352 </tr>
    353 <tr class="even">
    354 <td align="left"><p><code>source_id</code></p></td>
    355 <td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
    356 </tr>
    357 <tr class="odd">
    358 <td align="left"><p><code>target_id</code></p></td>
    359 <td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
    360 <p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
    361 </tr>
    362 <tr class="even">
    363 <td align="left"><p><code>permissionx_id</code></p></td>
    364 <td align="left"><p>A single named or anonymous <code>permissionx</code>.</p></td>
    365 </tr>
    366 </tbody>
    367 </table>
    368 
    369 **Examples:**
    370 
    371 This example will not audit the denied access:
    372 
    373     (dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF)))
    374 
    375 
    376 neverallowx
    377 ----------
    378 Never allow access rights defined for extended permissions. This is a compiler enforced action that will stop compilation until the offending rules are modified.
    379 
    380 Note that these rules can be over-ridden by the CIL compiler command line parameter `-N` or `--disable-neverallow` flags.
    381 
    382 **Rule definition:**
    383 
    384     (neverallowx source_id target_id|self permissionx_id)
    385 
    386 **Where:**
    387 
    388 <table>
    389 <colgroup>
    390 <col width="27%" />
    391 <col width="72%" />
    392 </colgroup>
    393 <tbody>
    394 <tr class="odd">
    395 <td align="left"><p><code>neverallows</code></p></td>
    396 <td align="left"><p>The <code>neverallowx</code> keyword.</p></td>
    397 </tr>
    398 <tr class="even">
    399 <td align="left"><p><code>source_id</code></p></td>
    400 <td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
    401 </tr>
    402 <tr class="odd">
    403 <td align="left"><p><code>target_id</code></p></td>
    404 <td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
    405 <p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
    406 </tr>
    407 <tr class="even">
    408 <td align="left"><p><code>permissionx_id</code></p></td>
    409 <td align="left"><p>A single named or anonymous <code>permissionx</code>.</p></td>
    410 </tr>
    411 </tbody>
    412 </table>
    413 
    414 **Examples:**
    415 
    416 This example will not compile as `type_3` is not allowed to be a source type and ioctl range for the [`allowx`](cil_access_vector_rules.md#allowx) rule:
    417 
    418 	(class property_service (ioctl))
    419 	(block av_rules
    420 		(type type_1)
    421 		(type type_2)
    422 		(type type_3)
    423 		(typeattribute all_types)
    424 		(typeattributeset all_types ((all)))
    425 		(neverallowx type_3 all_types (ioctl property_service (range 0x2000 0x20FF)))
    426 		; This rule will fail compilation:
    427 		(allowx type_3 self (ioctl property_service (0x20A0)))
    428 	)
    429