Default Object Statements
=========================

These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.

defaultuser
-----------

Allows the default user to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.

**Statement definition:**

    (defaultuser class_id default)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultuser</code></p></td>
<td align="left"><p>The <code>defaultuser</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating new `binder`, `property_service`, `zygote` or `memprotect` objects the [`user`](cil_user_statements.md#user) component of the new security context will be taken from the `source` context:

    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
    (class memprotect (mmap_zero))

    (classmap android_classes (android))
    (classmapping android_classes android (binder (all)))
    (classmapping android_classes android (property_service (set)))
    (classmapping android_classes android (zygote (not (specifycapabilities))))

    (defaultuser (android_classes memprotect) source)

    ; Will produce the following in the binary policy file:
    ;; default_user binder source;
    ;; default_user zygote source;
    ;; default_user property_service source;
    ;; default_user memprotect source;

defaultrole
-----------

Allows the default role to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.

**Statement definition:**

    (defaultrole class_id default)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultrole</code></p></td>
<td align="left"><p>The <code>defaultrole</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating new `binder`, `property_service` or `zygote` objects the [`role`](cil_role_statements.md#role) component of the new security context will be taken from the `target` context:

    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

    (defaultrole (binder property_service zygote) target)

    ; Will produce the following in the binary policy file:
    ;; default_role binder target;
    ;; default_role zygote target;
    ;; default_role property_service target;

defaulttype
-----------

Allows the default type to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 28.

**Statement definition:**

    (defaulttype class_id default)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaulttype</code></p></td>
<td align="left"><p>The <code>defaulttype</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating a new `socket` object, the [`type`](cil_type_statements.md#type) component of the new security context will be taken from the `source` context:

    (defaulttype socket source)

defaultrange
------------

Allows the default level or range to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.

**Statement definition:**

    (defaultrange class_id default range)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultrange</code></p></td>
<td align="left"><p>The <code>defaultrange</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>range</code></p></td>
<td align="left"><p>A keyword of either <code>low</code>, <code>high</code> or <code>low-high</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating a new `file` object, the appropriate `range` component of the new security context will be taken from the `target` context (the CIL keyword is spelled `low-high`, matching the table above):

    (defaultrange file target low-high)
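To make the effect of the four statements concrete, here is a small Python model of how a policy compiler resolves them. It is an added example, not code from the SELinux CIL or secilc projects: it expands classmap identifiers to their member classes (as the `defaultuser` example's binary output shows), validates the `source`/`target` and `low`/`high`/`low-high` keywords, and then, for a given class, picks each component of a new object's context from the chosen side. The interpretation of the range keywords (`low` and `high` yielding a single level, `low-high` copying the whole range) is my reading of the kernel behaviour, not something the page states, and components no statement covers are returned as `None` rather than modelling the kernel's built-in fallbacks. The `DefaultObjectPolicy` class and the sample contexts are constructed for this example.

```python
"""Toy resolver for CIL default object statements (added example, not secilc code).

Models only what the statements say: a classmap expands to its member classes,
and each statement picks the source or target context as the origin of one
component of a newly created object's context.  Uncovered components are None.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

COMPONENTS = ("user", "role", "type", "range")
SIDES = ("source", "target")
RANGE_KEYWORDS = ("low", "high", "low-high")  # CIL spelling, as in the table above


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: str
    high: str

    @classmethod
    def parse(cls, text: str) -> "Context":
        # user:role:type:low[-high]; a single level means low == high.
        # Levels may contain ':' themselves (e.g. s0:c0.c1023), hence maxsplit=3.
        user, role, typ, rng = text.split(":", 3)
        low, _, high = rng.partition("-")
        return cls(user, role, typ, low, high or low)

    def range_str(self) -> str:
        return self.low if self.low == self.high else f"{self.low}-{self.high}"


class DefaultObjectPolicy:
    def __init__(self) -> None:
        self.classmaps: Dict[str, Set[str]] = {}
        # class -> component -> (side, range keyword or None)
        self.rules: Dict[str, Dict[str, Tuple[str, Optional[str]]]] = {}

    def classmapping(self, classmap: str, class_id: str) -> None:
        # Only class membership matters here; the mapped permissions are irrelevant.
        self.classmaps.setdefault(classmap, set()).add(class_id)

    def _expand(self, class_ids: Iterable[str]) -> Iterable[str]:
        # A classmap identifier stands for every class mapped into it.
        for cid in class_ids:
            yield from sorted(self.classmaps.get(cid, {cid}))

    def default(self, component: str, class_ids: Iterable[str], side: str,
                range_kw: Optional[str] = None) -> None:
        """(default<component> (class_ids...) side [range_kw]) with keyword checks."""
        if component not in COMPONENTS:
            raise ValueError(f"unknown component {component!r}")
        if side not in SIDES:
            raise ValueError(f"default must be source or target, got {side!r}")
        if component == "range" and range_kw not in RANGE_KEYWORDS:
            raise ValueError(f"range keyword must be one of {RANGE_KEYWORDS}, got {range_kw!r}")
        for cls in self._expand(class_ids):
            self.rules.setdefault(cls, {})[component] = (side, range_kw)

    def binary_policy_lines(self) -> List[str]:
        """Per-class statements in the form the page shows for the binary policy."""
        lines = []
        for cls, comps in sorted(self.rules.items()):
            for comp, (side, kw) in sorted(comps.items()):
                # The kernel policy language spells the range keyword low_high.
                suffix = f" {kw.replace('-', '_')}" if kw else ""
                lines.append(f"default_{comp} {cls} {side}{suffix};")
        return lines

    def compute(self, obj_class: str, source: Context,
                target: Context) -> Dict[str, Optional[str]]:
        """Pick each component of a new obj_class object's context from the defaults."""
        chosen: Dict[str, Optional[str]] = {c: None for c in COMPONENTS}
        for comp, (side, kw) in self.rules.get(obj_class, {}).items():
            ctx = source if side == "source" else target
            if comp != "range":
                chosen[comp] = getattr(ctx, comp)
            elif kw == "low":      # single level equal to the chosen context's low
                chosen["range"] = ctx.low
            elif kw == "high":     # single level equal to the chosen context's high
                chosen["range"] = ctx.high
            else:                  # low-high: copy the whole range
                chosen["range"] = ctx.range_str()
        return chosen


def page_policy() -> DefaultObjectPolicy:
    """The statements from this page's four examples, expressed with the toy API."""
    p = DefaultObjectPolicy()
    for c in ("binder", "property_service", "zygote"):
        p.classmapping("android_classes", c)
    p.default("user", ["android_classes", "memprotect"], "source")
    p.default("role", ["binder", "property_service", "zygote"], "target")
    p.default("type", ["socket"], "source")
    p.default("range", ["file"], "target", "low-high")
    return p
```

Running `page_policy().binary_policy_lines()` reproduces the `default_user`/`default_role` lines the page lists (classmap members expanded), and `compute("file", src, tgt)` with two `Context.parse`d contexts shows the new file's range coming whole from the target while user, role and type stay `None` because no statement covers them for `file`. Passing `low_high` instead of `low-high` to `default` raises, which is the same mistake a CIL compiler would reject.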