      1 #
      2 # Define common prefixes for access vectors
      3 #
      4 # common common_name { permission_name ... }
      5 
      6 
      7 #
      8 # Define a common prefix for file access vectors.
      9 #
     10 
     11 common file	# prefix inherited by dir, file, lnk_file, chr_file, blk_file, sock_file and fifo_file below
     12 {
        	# NOTE(review): treat declaration order as significant, as the capability
        	# class below states for itself; append new permissions at the end.
     13 	ioctl
     14 	read
     15 	write
     16 	create
     17 	getattr
     18 	setattr
     19 	lock
     20 	relabelfrom
     21 	relabelto
     22 	append
     23 	unlink
     24 	link
     25 	rename
     26 	execute
     27 	swapon
     28 	quotaon
     29 	mounton
     30 }
     31 
     32 
     33 #
     34 # Define a common prefix for socket access vectors.
     35 #
     36 
     37 common socket	# prefix inherited by every *_socket class below
     38 {
     39 # inherited from file
        # (copied by hand: the "common" grammar at the top of this file has no
        #  "inherits" clause, so the first ten entries of "common file" are
        #  repeated here and an edit there does not propagate to sockets)
     40 	ioctl
     41 	read
     42 	write
     43 	create
     44 	getattr
     45 	setattr
     46 	lock
     47 	relabelfrom
     48 	relabelto
     49 	append
     50 # socket-specific
     51 	bind
     52 	connect
     53 	listen
     54 	accept
     55 	getopt
     56 	setopt
     57 	shutdown
     58 	recvfrom
     59 	sendto
     60 	recv_msg
     61 	send_msg
     62 	name_bind
     63 }
     64 
     65 #
     66 # Define a common prefix for ipc access vectors.
     67 #
     68 
     69 common ipc	# prefix inherited by ipc, sem, msgq and shm (class msg is standalone)
     70 {
     71 	create
     72 	destroy
     73 	getattr
     74 	setattr
     75 	read
     76 	write
     77 	associate
     78 	unix_read
     79 	unix_write
     80 }
     81 
     82 #
     83 # Define the access vectors.
     84 #
     85 # class class_name [ inherits common_name ] { permission_name ... }
     86 
     87 
     88 #
     89 # Define the access vector interpretation for file-related objects.
     90 #
     91 
     92 class filesystem	# standalone: does not inherit "common file"
     93 {
     94 	mount
     95 	remount
     96 	unmount
     97 	getattr
     98 	relabelfrom
     99 	relabelto
    100 	transition
    101 	associate
    102 	quotamod
    103 	quotaget
    104 }
    105 
    106 class dir
    107 inherits file	# the 17 "common file" permissions, plus:
    108 {
    109 	add_name
    110 	remove_name
    111 	reparent
    112 	search
    113 	rmdir
        	# open, audit_access and execmod are added by all seven file-like classes
    114 	open
    115 	audit_access
    116 	execmod
    117 }
    118 
    119 class file
    120 inherits file	# "common file" plus the five below; execute_no_trans/entrypoint are shared only with chr_file
    121 {
    122 	execute_no_trans
    123 	entrypoint
    124 	execmod
    125 	open
    126 	audit_access
    127 }
    128 
    129 class lnk_file
    130 inherits file	# "common file" plus open/audit_access/execmod (same additions as blk_file, sock_file, fifo_file)
    131 {
    132 	open
    133 	audit_access
    134 	execmod
    135 }
    136 
    137 class chr_file
    138 inherits file	# "common file" plus the same five additions as class file
    139 {
    140 	execute_no_trans
    141 	entrypoint
    142 	execmod
    143 	open
    144 	audit_access
    145 }
    146 
    147 class blk_file
    148 inherits file	# "common file" plus open/audit_access/execmod (same additions as lnk_file, sock_file, fifo_file)
    149 {
    150 	open
    151 	audit_access
    152 	execmod
    153 }
    154 
    155 class sock_file
    156 inherits file	# "common file" plus open/audit_access/execmod (same additions as lnk_file, blk_file, fifo_file)
    157 {
    158 	open
    159 	audit_access
    160 	execmod
    161 }
    162 
    163 class fifo_file
    164 inherits file	# "common file" plus open/audit_access/execmod (same additions as lnk_file, blk_file, sock_file)
    165 {
    166 	open
    167 	audit_access
    168 	execmod
    169 }
    170 
    171 class fd	# single-permission class, no common prefix
    172 {
    173 	use
    174 }
    175 
    176 
    177 #
    178 # Define the access vector interpretation for network-related objects.
    179 #
    180 
    181 class socket
    182 inherits socket	# exactly the "common socket" prefix, no class-specific additions
    183 
    184 class tcp_socket
    185 inherits socket	# "common socket" plus:
    186 {
    187 	connectto	# connectto/newconn/acceptfrom also appear on unix_stream_socket
    188 	newconn
    189 	acceptfrom
    190 	node_bind	# also on udp_socket, rawip_socket and dccp_socket
    191 	name_connect	# also on dccp_socket
    192 }
    193 
    194 class udp_socket
    195 inherits socket	# "common socket" plus node_bind (same as rawip_socket)
    196 {
    197 	node_bind
    198 }
    199 
    200 class rawip_socket
    201 inherits socket	# "common socket" plus node_bind (same as udp_socket)
    202 {
    203 	node_bind
    204 }
    205 
    206 class node	# no common prefix; per-protocol recv/send pairs for tcp, udp, rawip and dccp
    207 {
    208 	tcp_recv
    209 	tcp_send
    210 	udp_recv
    211 	udp_send
    212 	rawip_recv
    213 	rawip_send
    214 	enforce_dest	# enforce_dest, recvfrom and sendto are node-only (class netif has ingress/egress instead)
    215 	dccp_recv
    216 	dccp_send
    217 	recvfrom
    218 	sendto
    219 }
    220 
    221 class netif	# no common prefix; same per-protocol recv/send pairs as class node
    222 {
    223 	tcp_recv
    224 	tcp_send
    225 	udp_recv
    226 	udp_send
    227 	rawip_recv
    228 	rawip_send
    229 	dccp_recv
    230 	dccp_send
    231 	ingress	# ingress/egress are netif-only
    232 	egress
    233 }
    234 
    235 class netlink_socket
    236 inherits socket	# exactly the "common socket" prefix
    237 
    238 class packet_socket
    239 inherits socket	# exactly the "common socket" prefix
    240 
    241 class key_socket
    242 inherits socket	# exactly the "common socket" prefix
    243 
    244 class unix_stream_socket
    245 inherits socket	# "common socket" plus the same connectto/newconn/acceptfrom trio as tcp_socket
    246 {
    247 	connectto
    248 	newconn
    249 	acceptfrom
    250 }
    251 
    252 class unix_dgram_socket
    253 inherits socket	# exactly the "common socket" prefix
    254 
    255 #
    256 # Define the access vector interpretation for process-related objects
    257 #
    258 
    259 class process	# no common prefix
    260 {
        	# NOTE(review): ptrace, execmem/execstack/execheap, dyntransition and
        	# setcurrent are the entries most policies keep on a short allow list;
        	# any rule granting them to a broad domain deserves a second look.
    261 	fork
    262 	transition
    263 	sigchld # commonly granted from child to parent
    264 	sigkill # cannot be caught or ignored
    265 	sigstop # cannot be caught or ignored
    266 	signull # for kill(pid, 0)
    267 	signal  # all other signals
    268 	ptrace
    269 	getsched
    270 	setsched
    271 	getsession
    272 	getpgid
    273 	setpgid
    274 	getcap
    275 	setcap
    276 	share
    277 	getattr
    278 	setexec
    279 	setfscreate
    280 	noatsecure
    281 	siginh
    282 	setrlimit
    283 	rlimitinh
    284 	dyntransition
    285 	setcurrent
    286 	execmem
    287 	execstack
    288 	execheap
    289 	setkeycreate
    290 	setsockcreate
    291 }
    292 
    293 
    294 #
    295 # Define the access vector interpretation for ipc-related objects
    296 #
    297 
    298 class ipc
    299 inherits ipc	# exactly the "common ipc" prefix
    300 
    301 class sem
    302 inherits ipc	# exactly the "common ipc" prefix
    303 
    304 class msgq
    305 inherits ipc	# "common ipc" plus enqueue
    306 {
    307 	enqueue
    308 }
    309 
    310 class msg	# standalone: does not inherit "common ipc"
    311 {
    312 	send
    313 	receive
    314 }
    315 
    316 class shm
    317 inherits ipc	# "common ipc" plus lock
    318 {
    319 	lock
    320 }
    321 
    322 
    323 #
    324 # Define the access vector interpretation for the security server.
    325 #
    326 
    327 class security	# operations on the security server itself; no common prefix
    328 {
        	# NOTE(review): load_policy, setenforce, setbool, setsecparam and
        	# setcheckreqprot presumably alter policy or enforcement state rather
        	# than query it (the set*/load_* names); rules granting them warrant
        	# the same scrutiny as rules for class capability.
    329 	compute_av
    330 	compute_create
    331 	compute_member
    332 	check_context
    333 	load_policy
    334 	compute_relabel
    335 	compute_user
    336 	setenforce     # was avc_toggle in system class
    337 	setbool
    338 	setsecparam
    339 	setcheckreqprot
    340 	read_policy
    341 }
    342 
    343 
    344 #
    345 # Define the access vector interpretation for system operations.
    346 #
    347 
    348 class system	# no common prefix
    349 {
    350 	ipc_info
    351 	syslog_read
    352 	syslog_mod
    353 	syslog_console
    354 	module_request
    355 	module_load
    356 }
    357 
    358 #
    359 # Define the access vector interpretation for controlling capabilities
    360 #
    361 
    362 class capability	# 32 entries, positions 0-31; see the ordering note inside
    363 {
    364 	# The capabilities are defined in include/linux/capability.h
    365 	# Capabilities >= 32 are defined in the capability2 class.
    366 	# Care should be taken to ensure that these are consistent with
    367 	# those definitions. (Order matters)
    368 
    369 	chown	# position 0
    370 	dac_override
    371 	dac_read_search
    372 	fowner
    373 	fsetid
    374 	kill
    375 	setgid
    376 	setuid
    377 	setpcap
    378 	linux_immutable
    379 	net_bind_service
    380 	net_broadcast
    381 	net_admin
    382 	net_raw
    383 	ipc_lock
    384 	ipc_owner
    385 	sys_module
    386 	sys_rawio
    387 	sys_chroot
    388 	sys_ptrace
    389 	sys_pacct
    390 	sys_admin
    391 	sys_boot
    392 	sys_nice
    393 	sys_resource
    394 	sys_time
    395 	sys_tty_config
    396 	mknod
    397 	lease
    398 	audit_write
    399 	audit_control
    400 	setfcap	# position 31 (last one before capability2 takes over)
    401 }
    402 
    403 class capability2	# continues class capability: 6 entries for capability numbers 32 and up (per the note there); order matters here too
    404 {
    405 	mac_override	# unused by SELinux
    406 	mac_admin	# unused by SELinux
    407 	syslog
    408 	wake_alarm
    409 	block_suspend
    410 	audit_read
    411 }
    412 
    413 #
    414 # Extended Netlink classes
    415 #
    416 class netlink_route_socket
    417 inherits socket	# "common socket" plus nlmsg_read/nlmsg_write (same pair as netlink_firewall, netlink_tcpdiag, netlink_xfrm and netlink_ip6fw sockets)
    418 {
    419 	nlmsg_read
    420 	nlmsg_write
    421 }
    422 
    423 class netlink_firewall_socket
    424 inherits socket	# "common socket" plus nlmsg_read/nlmsg_write, as netlink_route_socket
    425 {
    426 	nlmsg_read
    427 	nlmsg_write
    428 }
    429 
    430 class netlink_tcpdiag_socket
    431 inherits socket	# "common socket" plus nlmsg_read/nlmsg_write, as netlink_route_socket
    432 {
    433 	nlmsg_read
    434 	nlmsg_write
    435 }
    436 
    437 class netlink_nflog_socket
    438 inherits socket	# exactly the "common socket" prefix, no nlmsg_* permissions
    439 
    440 class netlink_xfrm_socket
    441 inherits socket	# "common socket" plus nlmsg_read/nlmsg_write, as netlink_route_socket
    442 {
    443 	nlmsg_read
    444 	nlmsg_write
    445 }
    446 
    447 class netlink_selinux_socket
    448 inherits socket	# exactly the "common socket" prefix, no nlmsg_* permissions
    449 
    450 class netlink_audit_socket
    451 inherits socket	# "common socket" plus the nlmsg_* set below
    452 {
    453 	nlmsg_read
    454 	nlmsg_write
    455 	nlmsg_relay	# nlmsg_relay, nlmsg_readpriv and nlmsg_tty_audit exist only on this netlink class
    456 	nlmsg_readpriv
    457 	nlmsg_tty_audit
    458 }
    459 
    460 class netlink_ip6fw_socket
    461 inherits socket	# "common socket" plus nlmsg_read/nlmsg_write, as netlink_route_socket
    462 {
    463 	nlmsg_read
    464 	nlmsg_write
    465 }
    466 
    467 class netlink_dnrt_socket
    468 inherits socket	# exactly the "common socket" prefix, no nlmsg_* permissions
    469 
    470 # Define the access vector interpretation for controlling
    471 # access to IPSec network data by association
    472 #
    473 class association	# no common prefix (see the header comment above)
    474 {
    475 	sendto
    476 	recvfrom
    477 	setcontext
    478 	polmatch
    479 }
    480 
    481 # Updated Netlink class for KOBJECT_UEVENT family.
    482 class netlink_kobject_uevent_socket
    483 inherits socket	# exactly the "common socket" prefix
    484 
    485 class appletalk_socket
    486 inherits socket	# exactly the "common socket" prefix
    487 
    488 class packet	# no common prefix; the two flow_* entries are kept only so existing positions do not shift
    489 {
    490 	send
    491 	recv
    492 	relabelto
    493 	flow_in		# deprecated
    494 	flow_out	# deprecated
    495 	forward_in
    496 	forward_out
    497 }
    498 
    499 class key	# no common prefix: read/write/link/setattr/create/search reuse names from "common file"/class dir but are declared independently here
    500 {
    501 	view
    502 	read
    503 	write
    504 	search
    505 	link
    506 	setattr
    507 	create
    508 }
    509 
    510 class dccp_socket
    511 inherits socket	# "common socket" plus node_bind and name_connect (both also on tcp_socket)
    512 {
    513 	node_bind
    514 	name_connect
    515 }
    516 
    517 class memprotect	# single-permission class, no common prefix
    518 {
    519 	mmap_zero
    520 }
    521 
    522 # network peer labels
    523 class peer	# single-permission class, no common prefix
    524 {
    525 	recv
    526 }
    527 
    528 class kernel_service	# no common prefix
    529 {
    530 	use_as_override
    531 	create_files_as
    532 }
    533 
    534 class tun_socket
    535 inherits socket	# "common socket" plus attach_queue
    536 {
    537 	attach_queue
    538 }
    539 
    540 class binder	# no common prefix
    541 {
    542 	impersonate
    543 	call
    544 	set_context_mgr	# NOTE(review): presumably a one-holder role (the name suggests a single context manager); verify that only one domain is granted it
    545 	transfer
    546 }
    547 
    548 class netlink_iscsi_socket
    549 inherits socket
    550 
    551 class netlink_fib_lookup_socket
    552 inherits socket
    553 
    554 class netlink_connector_socket
    555 inherits socket
    556 
    557 class netlink_netfilter_socket
    558 inherits socket
    559 
    560 class netlink_generic_socket
    561 inherits socket
    562 
    563 class netlink_scsitransport_socket
    564 inherits socket
    565 
    566 class netlink_rdma_socket
    567 inherits socket
    568 
    569 class netlink_crypto_socket
    570 inherits socket
    571 
    572 class property_service	# single-permission class, no common prefix
    573 {
    574 	set
    575 }
    576 
    577 class service_manager	# no common prefix
    578 {
    579 	add
    580 	find
    581 	list
    582 }
    583 
    584 class keystore_key	# no common prefix; 18 entries
    585 {
    586 	get_state
    587 	get
    588 	insert
    589 	delete
    590 	exist
    591 	list
    592 	reset	# NOTE(review): reset, clear_uid and password look like whole-store operations rather than per-key ones; confirm they are granted narrowly
    593 	password
    594 	lock
    595 	unlock
    596 	is_empty
    597 	sign
    598 	verify
    599 	grant
    600 	duplicate
    601 	clear_uid
    602 	add_auth
    603 	user_changed
    604 }
    605 
    606 class debuggerd	# no common prefix
    607 {
    608 	dump_tombstone
    609 	dump_backtrace
    610 }
    611 
    612 class drmservice {	# NOTE(review): brace on the declaration line and camelCase names depart from the rest of the file (snake_case, brace on its own line)
    613 	consumeRights
    614 	setPlaybackStatus
    615 	openDecryptSession
    616 	closeDecryptSession
    617 	initializeDecryptUnit
    618 	decrypt
    619 	finalizeDecryptUnit
    620 	pread
    621 }
    622