#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# NOTE(review): permission values appear to be assigned by position within
# each common/class body (see the "Order matters" note on the cap common
# further down), so every list in this file should be treated as
# append-only: inserting or reordering an entry would shift the values of
# everything after it -- confirm against the kernel and userspace consumers
# before changing any ordering.


#
# Define a common prefix for file access vectors.
#
# Inherited by the file-like classes below (dir, file, lnk_file, chr_file,
# blk_file, sock_file, fifo_file) via "inherits file"; each of those classes
# then adds its own type-specific permissions.

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom	# presumably checked against the old label on relabel -- confirm
	relabelto	# presumably checked against the new label on relabel -- confirm
	append
	unlink
	link
	rename
	execute
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#
# The first ten entries are a verbatim copy of the leading entries of
# "common file" (a common is not written here as inheriting from another
# common, so they are repeated). Keep the two lists identical and in the
# same order so the shared permission names keep matching positions.
#

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind	# last entry of the common; class-specific perms follow it
}

#
# Define a common prefix for ipc access vectors.
#
# Inherited by the System V IPC classes below (ipc, sem, msgq, shm).
# Note that "read"/"write" here are separate from the unix_read/unix_write
# pair; both pairs are distinct permissions with distinct positions.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common for capability access vectors.
#
# Inherited by "class capability" and "class cap_userns" below.
#
# NOTE(review): this list has exactly 32 entries, so by position they cover
# capability numbers 0-31, matching the comment that capabilities >= 32
# live in cap2. Because the value is positional, a new capability must be
# appended to cap2 (never inserted here), and any entry must keep the same
# index as its CAP_* number in include/linux/capability.h.
#
# NOTE(review): several of these (dac_override, setuid, sys_module,
# sys_rawio, sys_ptrace, sys_admin, setfcap) are commonly treated as
# equivalent to full root; policy that grants them deserves the closest
# review. Semantics assumed from the capability names -- confirm.
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

#
# Continuation of "common cap" for capability numbers >= 32: the six
# entries below correspond by position to capabilities 32-37. Inherited by
# "class capability2" and "class cap2_userns". Append-only, for the same
# reason as cap (the value is the index in this list).
#
common cap2
{
	mac_override	# unused by SELinux
	mac_admin	# unused by SELinux
	syslog
	wake_alarm
	block_suspend
	audit_read
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# A class with "inherits" gets all permissions of the named common plus the
# ones listed in its own body; a class written with "inherits" and no body
# (for example "class socket inherits socket" below) has exactly the
# common's permissions. NOTE(review): the common's permissions presumably
# take the leading positions, followed by the class-specific ones --
# confirm before relying on any numeric value.


#
# Define the access vector interpretation for file-related objects.
#

# Operations on a mounted filesystem as a whole. This class does not
# inherit "common file"; it has only the permissions listed here.
# quotamod/quotaget pair with quotaon in "common file".
class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate	# presumably: allow files of a type to live on this filesystem -- confirm
	quotamod
	quotaget
}

# Directories: all of "common file" plus the entry-manipulation permissions
# below. add_name/remove_name/reparent are checked on the directory when a
# child entry is created, removed or moved (assumed from the names --
# confirm). open, audit_access and execmod are repeated in every file-like
# class in this file.
class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}

# Regular files: "common file" plus the permissions below. The body is
# identical, entry for entry, to chr_file's body further down.
#
# NOTE(review): execute_no_trans, entrypoint and execmod are the
# code-execution gates of this class (presumably: execute without a domain
# transition, serve as the entry point of a domain transition, and execute
# a mapping that was modified after mapping, i.e. the W^X exception).
# Grants of these on writable types are the usual thing to look for in
# review. Semantics assumed from the names -- confirm.
class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

# Symbolic links: "common file" plus the three permissions shared by every
# file-like class. blk_file, sock_file and fifo_file below use exactly this
# body and order.
class lnk_file
inherits file
{
	open
	audit_access
	execmod
}

# Character device nodes: "common file" plus the same five permissions, in
# the same order, as "class file" above -- so a character device can carry
# execute_no_trans and entrypoint just like a regular file. Keep the two
# bodies aligned if either changes.
class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

# Block devices, unix-domain socket files and FIFOs: each is "common file"
# plus the same three permissions in the same order as lnk_file. None of
# them carries execute_no_trans or entrypoint.
class blk_file
inherits file
{
	open
	audit_access
	execmod
}

class sock_file
inherits file
{
	open
	audit_access
	execmod
}

class fifo_file
inherits file
{
	open
	audit_access
	execmod
}

# File descriptors: a single permission. This class has no common; "use"
# presumably governs a descriptor inherited or passed between domains --
# confirm.
class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

# Generic socket class: no body, so it has exactly the permissions of
# "common socket". The comment block before ax25_socket further down notes
# that the later protocol-specific socket classes share this definition.
class socket
inherits socket

# TCP sockets: "common socket" plus node_bind and name_connect. name_connect
# complements name_bind from the common (presumably: connecting to, versus
# binding, a labelled port -- confirm). dccp_socket below uses the same body.
class tcp_socket
inherits socket
{
	node_bind
	name_connect
}

# UDP sockets: "common socket" plus node_bind only (no name_connect, unlike
# tcp_socket). rawip_socket, sctp_socket and icmp_socket share this body.
class udp_socket
inherits socket
{
	node_bind
}

# Raw IP sockets: same body as udp_socket. The sctp_socket/icmp_socket
# comment further down records that those classes were split out of this
# one and keep this definition.
class rawip_socket
inherits socket
{
	node_bind
}

# Network nodes (addresses): no common; only the two traffic-direction
# permissions, which pair with the node_bind entries on the socket classes
# (assumed from the names -- confirm).
class node
{
	recvfrom
	sendto
}

# Network interfaces: no common; one permission per traffic direction.
class netif
{
	ingress
	egress
}

# Bodiless socket classes: each has exactly the permissions of
# "common socket". The netlink families that need nlmsg_* permissions are
# declared separately under "Extended Netlink classes" further down.
class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

# Unix stream sockets: "common socket" plus connectto, which is the only
# socket permission in this file checked against another socket rather
# than a port/node (assumed from the name -- confirm).
class unix_stream_socket
inherits socket
{
	connectto
}

# Unix datagram sockets: bodiless, so exactly "common socket" (no connectto,
# unlike unix_stream_socket).
class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#

# Process-to-process and process-on-self operations. No common; every
# permission is listed here, so this list is append-only like the others.
#
# NOTE(review): the entries that most often define a privilege boundary are
# ptrace (inspect/control another domain), transition/dyntransition/
# setcurrent/setexec (change the running or next domain label), the
# exec* trio (execmem/execstack/execheap -- W^X exceptions) and
# setrlimit. Broad grants of these are what to look for in review.
# Semantics assumed from the names -- confirm against the kernel.
class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal  # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
}


#
# Define the access vector interpretation for ipc-related objects
#

# Bodiless System V IPC classes: each has exactly the permissions of
# "common ipc". msgq and shm below add one permission each.
class ipc
inherits ipc

class sem
inherits ipc

# Message queues: "common ipc" plus enqueue. Individual messages are a
# separate class (msg, next) with send/receive.
class msgq
inherits ipc
{
	enqueue
}

# Individual messages in a queue: no common; send/receive only.
class msg
{
	send
	receive
}

# Shared memory segments: "common ipc" plus lock.
class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#

# Operations against the security server itself (the selinuxfs interface).
#
# NOTE(review): load_policy, setenforce, setbool, setsecparam and
# setcheckreqprot each change how every other rule in the system is
# evaluated; they are presumably reserved to the policy-loading/init domain
# and a grant anywhere else is worth an explicit justification. The
# compute_* and check_context entries are query-only by name. Semantics
# assumed from the names -- confirm.
class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce     # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}


#
# Define the access vector interpretation for system operations.
#

# Kernel-wide operations that are not tied to a specific object: syslog
# access and kernel module request/load. (setenforce used to live here as
# avc_toggle; see the inline note on class security.)
class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
}

#
# Define the access vector interpretation for controlling capabilities
#

# Bodiless: these classes carry exactly the positional capability lists
# from "common cap" (capabilities 0-31) and "common cap2" (32-37). The
# user-namespace variants cap_userns/cap2_userns further down inherit the
# same commons.
class capability
inherits cap

class capability2
inherits cap2

#
# Extended Netlink classes
#
# Netlink families that get per-message permissions on top of
# "common socket". nlmsg_read/nlmsg_write here and on the tcpdiag, xfrm and
# audit classes presumably distinguish query messages from ones that
# change kernel state (routing table, policy, etc.) -- confirm.
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

# Netlink socket-diagnostics family: same body as netlink_route_socket.
class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

# Bodiless: exactly "common socket", no nlmsg_* split for this family.
class netlink_nflog_socket
inherits socket

# Netlink IPsec (xfrm) family: same body as netlink_route_socket.
class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

# Bodiless: exactly "common socket".
class netlink_selinux_socket
inherits socket

# Netlink audit family: the nlmsg_read/nlmsg_write pair plus three
# audit-specific entries. This is the only netlink class in the file with
# more than two class-specific permissions; append new ones after
# nlmsg_tty_audit.
class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

# Bodiless: exactly "common socket".
class netlink_dnrt_socket
inherits socket

#
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
# No common. sendto/recvfrom mirror the node class; setcontext and
# polmatch are specific to IPsec security associations / policies
# (assumed from the names -- confirm).
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
# Bodiless: exactly "common socket" (no nlmsg_* split).
class netlink_kobject_uevent_socket
inherits socket

# Bodiless: exactly "common socket".
class appletalk_socket
inherits socket

# Labelled network packets (secmark): no common. The two flow_* entries
# are marked deprecated in place but must stay, since removing them would
# shift the positions of forward_in/forward_out.
class packet
{
	send
	recv
	relabelto
	flow_in		# deprecated
	flow_out	# deprecated
	forward_in
	forward_out
}

# Kernel keyring keys: no common. Note that read/write/search/link/setattr/
# create here are independent permissions from the same-named entries in
# "common file" (different class, different positions).
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

# DCCP sockets: same body as tcp_socket (node_bind + name_connect).
class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

# Memory-protection class with a single permission. mmap_zero presumably
# gates mapping the lowest pages of the address space (a NULL-page
# mapping), which is normally denied to everything -- confirm.
class memprotect
{
	mmap_zero
}

# network peer labels
# No common; a single recv permission checked against the label of the
# remote peer (assumed from the header comment -- confirm).
class peer
{
	recv
}

# Kernel-internal services acting on behalf of a process. NOTE(review):
# both entries let one context act under another context's identity
# (use_as_override / create_files_as, by name), so they are effectively
# impersonation permissions and should be granted narrowly -- confirm
# semantics against the kernel.
class kernel_service
{
	use_as_override
	create_files_as
}

# TUN/TAP device sockets: "common socket" plus attach_queue.
class tun_socket
inherits socket
{
	attach_queue
}

# Android Binder IPC: no common. NOTE(review): set_context_mgr is the
# permission for becoming the binder context manager (the service
# directory every other process looks up), and impersonate allows acting
# under another process's identity by name; both are single-holder style
# grants to review carefully. Semantics assumed from the names -- confirm.
class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

# Further netlink families, all bodiless: each has exactly the permissions
# of "common socket" and none of the nlmsg_* entries. A family that later
# needs the read/write split would get a body like netlink_route_socket.
class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket

#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#

# Bodiless: same positional lists as capability/capability2, so a
# capability keeps the same index whether it is checked in the initial
# namespace (capability*) or in a user namespace (cap*_userns). Keeping
# them as separate classes lets policy grant a capability inside a user
# namespace without granting it globally (assumed -- confirm).

class cap_userns
inherits cap

class cap2_userns
inherits cap2


#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#

#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
# Body identical to rawip_socket/udp_socket: "common socket" plus node_bind.
class sctp_socket
inherits socket
{
	node_bind
}

# Second of the two classes split out of rawip_socket (see the comment
# block above sctp_socket); same body as rawip_socket.
class icmp_socket
inherits socket
{
	node_bind
}

#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#
# All bodiless, i.e. exactly "common socket". Per the header comment these
# only exist as distinct classes once the extended_socket_class capability
# is enabled; a permission added to one of them would need its own body
# (as on sctp_socket) rather than a change to the common.

class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

# Userspace object-manager class (presumably Android's property service):
# a single "set" permission, checked by the service rather than the
# kernel. Which property types a domain may set is decided by the policy
# rules, not here.
class property_service
{
	set
}

# Userspace object-manager class for the service directory (presumably
# Android's servicemanager): add (register), find (look up) and list.
# hwservice_manager below has the identical body.
class service_manager
{
	add
	find
	list
}

# Same body and order as service_manager, for the hardware service
# directory (presumably Android's hwservicemanager). Keep the two in sync.
class hwservice_manager
{
	add
	find
	list
}

# Userspace object-manager class for key-store operations (presumably
# Android's keystore daemon). No common; one permission per operation the
# daemon exposes, append-only like every other list here. NOTE(review):
# reset, clear_uid, add_auth and user_changed look like administrative
# operations by name and should be held by far fewer domains than
# get/sign/verify -- confirm against the daemon's checks.
class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
	gen_unique_id
}

# Userspace object-manager class for a DRM service (presumably Android's
# drmserver). Style note: this is the only class in the file with the
# opening brace on the class line and camelCase permission names; left as
# is, since the names are part of the interface the service checks.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}
    710 }
    711