      1 #
      2 # Define common prefixes for access vectors
      3 #
      4 # common common_name { permission_name ... }
      5 
      6 
      7 #
      8 # Define a common prefix for file access vectors.
      9 #
     10 
     11 common file
     12 {
     13 	ioctl
     14 	read
     15 	write
     16 	create
     17 	getattr
     18 	setattr
     19 	lock
     20 	relabelfrom
     21 	relabelto
     22 	append
     23 	map
     24 	unlink
     25 	link
     26 	rename
     27 	execute
     28 	quotaon
     29 	mounton
     30 }
     31 
     32 
     33 #
     34 # Define a common prefix for socket access vectors.
     35 #
     36 
     37 common socket
     38 {
     39 # Same names, in the same order, as the first eleven permissions of the
        # file common (ioctl through map).  The common grammar at the top of
        # this file has no inherits clause, so this is a hand-maintained copy:
        # keep the two lists in step when either is changed.
     40 	ioctl
     41 	read
     42 	write
     43 	create
     44 	getattr
     45 	setattr
     46 	lock
     47 	relabelfrom
     48 	relabelto
     49 	append
     50 	map
     51 # socket-specific
     52 	bind
     53 	connect
     54 	listen
     55 	accept
     56 	getopt
     57 	setopt
     58 	shutdown
     59 	recvfrom
     60 	sendto
     61 	name_bind
     62 }
     63 
     64 #
     65 # Define a common prefix for ipc access vectors.
     66 #
     67 
     68 common ipc
     69 {
     70 	create
     71 	destroy
     72 	getattr
     73 	setattr
     74 	read
     75 	write
     76 	associate
     77 	unix_read
     78 	unix_write
     79 }
     80 
     81 #
     82 # Define a common prefix for capability access vectors.
     83 #
     84 common cap
     85 {
     86 	# The capabilities are defined in include/linux/capability.h
     87 	# Capabilities >= 32 are defined in the cap2 common.
     88 	# Care should be taken to ensure that these are consistent with
     89 	# those definitions. (Order matters)
        	#
        	# NOTE(review): this list holds exactly 32 names, and "order matters"
        	# because each name is expected to sit at the index of its CAP_*
        	# number (chown first, as CAP_CHOWN is 0).  Append only; never
        	# reorder, insert or remove, and re-check capability.h when adding.
     90 
     91 	chown
     92 	dac_override
     93 	dac_read_search
     94 	fowner
     95 	fsetid
     96 	kill
     97 	setgid
     98 	setuid
     99 	setpcap
    100 	linux_immutable
    101 	net_bind_service
    102 	net_broadcast
    103 	net_admin
    104 	net_raw
    105 	ipc_lock
    106 	ipc_owner
    107 	sys_module
    108 	sys_rawio
    109 	sys_chroot
    110 	sys_ptrace
    111 	sys_pacct
    112 	sys_admin
    113 	sys_boot
    114 	sys_nice
    115 	sys_resource
    116 	sys_time
    117 	sys_tty_config
    118 	mknod
    119 	lease
    120 	audit_write
    121 	audit_control
    122 	setfcap
    123 }
    124 
    125 common cap2
    126 {
        	# Continues the numbering of the cap common above: mac_override is
        	# the first capability >= 32 (CAP_MAC_OVERRIDE), and each name is
        	# expected at index (CAP_* number - 32).  Append only, in kernel
        	# order, and re-check include/linux/capability.h when adding.
    127 	mac_override	# unused by SELinux
    128 	mac_admin	# unused by SELinux
    129 	syslog
    130 	wake_alarm
    131 	block_suspend
    132 	audit_read
    133 }
    134 
    135 #
    136 # Define the access vectors.
    137 #
    138 # class class_name [ inherits common_name ] { permission_name ... }
    139 
    140 
    141 #
    142 # Define the access vector interpretation for file-related objects.
    143 #
    144 
    145 class filesystem
    146 {
    147 	mount
    148 	remount
    149 	unmount
    150 	getattr
    151 	relabelfrom
    152 	relabelto
    153 	associate
    154 	quotamod
    155 	quotaget
    156 }
    157 
    158 class dir
    159 inherits file
    160 {
    161 	add_name
    162 	remove_name
    163 	reparent
    164 	search
    165 	rmdir
    166 	open
    167 	audit_access
    168 	execmod
    169 }
    170 
    171 class file
    172 inherits file
    173 {
    174 	execute_no_trans
    175 	entrypoint
    176 	execmod
    177 	open
    178 	audit_access
    179 }
    180 
    181 class lnk_file
    182 inherits file
    183 {
    184 	open
    185 	audit_access
    186 	execmod
    187 }
    188 
    189 class chr_file
    190 inherits file
    191 {
    192 	execute_no_trans
    193 	entrypoint
    194 	execmod
    195 	open
    196 	audit_access
    197 }
    198 
    199 class blk_file
    200 inherits file
    201 {
    202 	open
    203 	audit_access
    204 	execmod
    205 }
    206 
    207 class sock_file
    208 inherits file
    209 {
    210 	open
    211 	audit_access
    212 	execmod
    213 }
    214 
    215 class fifo_file
    216 inherits file
    217 {
    218 	open
    219 	audit_access
    220 	execmod
    221 }
    222 
    223 class fd
    224 {
    225 	use
    226 }
    227 
    228 
    229 #
    230 # Define the access vector interpretation for network-related objects.
    231 #
    232 
    233 class socket
    234 inherits socket
    235 
    236 class tcp_socket
    237 inherits socket
    238 {
    239 	node_bind
    240 	name_connect
    241 }
    242 
    243 class udp_socket
    244 inherits socket
    245 {
    246 	node_bind
    247 }
    248 
    249 class rawip_socket
    250 inherits socket
    251 {
    252 	node_bind
    253 }
    254 
    255 class node
    256 {
    257 	recvfrom
    258 	sendto
    259 }
    260 
    261 class netif
    262 {
    263 	ingress
    264 	egress
    265 }
    266 
    267 class netlink_socket
    268 inherits socket
    269 
    270 class packet_socket
    271 inherits socket
    272 
    273 class key_socket
    274 inherits socket
    275 
    276 class unix_stream_socket
    277 inherits socket
    278 {
    279 	connectto
    280 }
    281 
    282 class unix_dgram_socket
    283 inherits socket
    284 
    285 #
    286 # Define the access vector interpretation for process-related objects
    287 #
    288 
    289 class process
    290 {
    291 	fork
    292 	transition
    293 	sigchld # commonly granted from child to parent
    294 	sigkill # cannot be caught or ignored
    295 	sigstop # cannot be caught or ignored
    296 	signull # for kill(pid, 0)
    297 	signal  # all other signals
    298 	ptrace
    299 	getsched
    300 	setsched
    301 	getsession
    302 	getpgid
    303 	setpgid
    304 	getcap
    305 	setcap
    306 	share
    307 	getattr
    308 	setexec
    309 	setfscreate
    310 	noatsecure
    311 	siginh
    312 	setrlimit
    313 	rlimitinh
    314 	dyntransition
    315 	setcurrent
    316 	execmem
    317 	execstack
    318 	execheap
    319 	setkeycreate
    320 	setsockcreate
    321 	getrlimit
    322 }
    323 
    324 
    325 #
    326 # Define the access vector interpretation for ipc-related objects
    327 #
    328 
    329 class ipc
    330 inherits ipc
    331 
    332 class sem
    333 inherits ipc
    334 
    335 class msgq
    336 inherits ipc
    337 {
    338 	enqueue
    339 }
    340 
    341 class msg
    342 {
    343 	send
    344 	receive
    345 }
    346 
    347 class shm
    348 inherits ipc
    349 {
    350 	lock
    351 }
    352 
    353 
    354 #
    355 # Define the access vector interpretation for the security server.
    356 #
    357 
    358 class security
    359 {
    360 	compute_av
    361 	compute_create
    362 	compute_member
    363 	check_context
    364 	load_policy
    365 	compute_relabel
    366 	compute_user
    367 	setenforce     # was avc_toggle in system class
    368 	setbool
    369 	setsecparam
    370 	setcheckreqprot
    371 	read_policy
    372 	validate_trans
    373 }
    374 
    375 
    376 #
    377 # Define the access vector interpretation for system operations.
    378 #
    379 
    380 class system
    381 {
    382 	ipc_info
    383 	syslog_read
    384 	syslog_mod
    385 	syslog_console
    386 	module_request
    387 	module_load
    388 }
    389 
    390 #
    391 # Define the access vector interpretation for controlling capabilities
    392 #
    393 
    394 class capability
    395 inherits cap
    396 
    397 class capability2
    398 inherits cap2
    399 
    400 #
    401 # Extended Netlink classes
    402 #
    403 class netlink_route_socket
    404 inherits socket
    405 {
    406 	nlmsg_read
    407 	nlmsg_write
    408 }
    409 
    410 class netlink_tcpdiag_socket
    411 inherits socket
    412 {
    413 	nlmsg_read
    414 	nlmsg_write
    415 }
    416 
    417 class netlink_nflog_socket
    418 inherits socket
    419 
    420 class netlink_xfrm_socket
    421 inherits socket
    422 {
    423 	nlmsg_read
    424 	nlmsg_write
    425 }
    426 
    427 class netlink_selinux_socket
    428 inherits socket
    429 
    430 class netlink_audit_socket
    431 inherits socket
    432 {
    433 	nlmsg_read
    434 	nlmsg_write
    435 	nlmsg_relay
    436 	nlmsg_readpriv
    437 	nlmsg_tty_audit
    438 }
    439 
    440 class netlink_dnrt_socket
    441 inherits socket
    442 
    443 # Define the access vector interpretation for controlling
    444 # access to IPsec network data by association.
    445 #
    446 class association
    447 {
    448 	sendto
    449 	recvfrom
    450 	setcontext
    451 	polmatch
    452 }
    453 
    454 # Updated Netlink class for KOBJECT_UEVENT family.
    455 class netlink_kobject_uevent_socket
    456 inherits socket
    457 
    458 class appletalk_socket
    459 inherits socket
    460 
    461 class packet
    462 {
    463 	send
    464 	recv
    465 	relabelto
    466 	flow_in		# deprecated
    467 	flow_out	# deprecated
    468 	forward_in
    469 	forward_out
    470 }
    471 
    472 class key
    473 {
    474 	view
    475 	read
    476 	write
    477 	search
    478 	link
    479 	setattr
    480 	create
    481 }
    482 
    483 class dccp_socket
    484 inherits socket
    485 {
    486 	node_bind
    487 	name_connect
    488 }
    489 
    490 class memprotect
    491 {
    492 	mmap_zero
    493 }
    494 
    495 # network peer labels
    496 class peer
    497 {
    498 	recv
    499 }
    500 
    501 class kernel_service
    502 {
    503 	use_as_override
    504 	create_files_as
    505 }
    506 
    507 class tun_socket
    508 inherits socket
    509 {
    510 	attach_queue
    511 }
    512 
    513 class binder
    514 {
    515 	impersonate
    516 	call
    517 	set_context_mgr
    518 	transfer
    519 }
    520 
    521 class netlink_iscsi_socket
    522 inherits socket
    523 
    524 class netlink_fib_lookup_socket
    525 inherits socket
    526 
    527 class netlink_connector_socket
    528 inherits socket
    529 
    530 class netlink_netfilter_socket
    531 inherits socket
    532 
    533 class netlink_generic_socket
    534 inherits socket
    535 
    536 class netlink_scsitransport_socket
    537 inherits socket
    538 
    539 class netlink_rdma_socket
    540 inherits socket
    541 
    542 class netlink_crypto_socket
    543 inherits socket
    544 
    545 #
    546 # Define the access vector interpretation for controlling capabilities
    547 # in user namespaces
    548 #
    549 
    550 class cap_userns
    551 inherits cap
    552 
    553 class cap2_userns
    554 inherits cap2
    555 
    556 
    557 #
    558 # Define the access vector interpretation for the new socket classes
    559 # enabled by the extended_socket_class policy capability.
    560 #
    561 
    562 #
    563 # The next two classes were previously mapped to rawip_socket and therefore
    564 # have the same definition as rawip_socket (until further permissions
    565 # are defined).
    566 #
    567 class sctp_socket
    568 inherits socket
    569 {
    570 	node_bind
    571 }
    572 
    573 class icmp_socket
    574 inherits socket
    575 {
    576 	node_bind
    577 }
    578 
    579 #
    580 # The remaining network socket classes were previously
    581 # mapped to the socket class and therefore have the
    582 # same definition as socket.
    583 #
    584 
    585 class ax25_socket
    586 inherits socket
    587 
    588 class ipx_socket
    589 inherits socket
    590 
    591 class netrom_socket
    592 inherits socket
    593 
    594 class atmpvc_socket
    595 inherits socket
    596 
    597 class x25_socket
    598 inherits socket
    599 
    600 class rose_socket
    601 inherits socket
    602 
    603 class decnet_socket
    604 inherits socket
    605 
    606 class atmsvc_socket
    607 inherits socket
    608 
    609 class rds_socket
    610 inherits socket
    611 
    612 class irda_socket
    613 inherits socket
    614 
    615 class pppox_socket
    616 inherits socket
    617 
    618 class llc_socket
    619 inherits socket
    620 
    621 class can_socket
    622 inherits socket
    623 
    624 class tipc_socket
    625 inherits socket
    626 
    627 class bluetooth_socket
    628 inherits socket
    629 
    630 class iucv_socket
    631 inherits socket
    632 
    633 class rxrpc_socket
    634 inherits socket
    635 
    636 class isdn_socket
    637 inherits socket
    638 
    639 class phonet_socket
    640 inherits socket
    641 
    642 class ieee802154_socket
    643 inherits socket
    644 
    645 class caif_socket
    646 inherits socket
    647 
    648 class alg_socket
    649 inherits socket
    650 
    651 class nfc_socket
    652 inherits socket
    653 
    654 class vsock_socket
    655 inherits socket
    656 
    657 class kcm_socket
    658 inherits socket
    659 
    660 class qipcrtr_socket
    661 inherits socket
    662 
    663 class smc_socket
    664 inherits socket
    665 
    666 class property_service
    667 {
    668 	set
    669 }
    670 
    671 class service_manager
    672 {
    673 	add
    674 	find
    675 	list
    676 }
    677 
    678 class hwservice_manager
    679 {
    680 	add
    681 	find
    682 	list
    683 }
    684 
    685 class keystore_key
    686 {
    687 	get_state
    688 	get
    689 	insert
    690 	delete
    691 	exist
    692 	list
    693 	reset
    694 	password
    695 	lock
    696 	unlock
    697 	is_empty
    698 	sign
    699 	verify
    700 	grant
    701 	duplicate
    702 	clear_uid
    703 	add_auth
    704 	user_changed
    705 	gen_unique_id
    706 }
    707 
    708 class drmservice {
    709 	consumeRights
    710 	setPlaybackStatus
    711 	openDecryptSession
    712 	closeDecryptSession
    713 	initializeDecryptUnit
    714 	decrypt
    715 	finalizeDecryptUnit
    716 	pread
    717 }
    718