      1 #
      2 # Define common prefixes for access vectors
      3 #
      4 # common common_name { permission_name ... }
      5 
      6 
      7 #
      8 # Define a common prefix for file access vectors.
      9 #
     10 
     11 common file
     12 {
     13 	ioctl
     14 	read
     15 	write
     16 	create
     17 	getattr
     18 	setattr
     19 	lock
     20 	relabelfrom
     21 	relabelto
     22 	append
     23 	map
     24 	unlink
     25 	link
     26 	rename
     27 	execute
     28 	quotaon
     29 	mounton
     30 }
     31 
     32 
     33 #
     34 # Define a common prefix for socket access vectors.
     35 #
     36 
     37 common socket
     38 {
     39 # same names as the first eleven permissions of common file, in the same order
        # (the grammar only lets a class inherit a common, so the list is repeated here)
     40 	ioctl
     41 	read
     42 	write
     43 	create
     44 	getattr
     45 	setattr
     46 	lock
     47 	relabelfrom
     48 	relabelto
     49 	append
     50 	map
     51 # socket-specific
     52 	bind
     53 	connect
     54 	listen
     55 	accept
     56 	getopt
     57 	setopt
     58 	shutdown
     59 	recvfrom
     60 	sendto
     61 	name_bind
     62 }
     63 
     64 #
     65 # Define a common prefix for ipc access vectors.
     66 #
     67 
     68 common ipc
     69 {
     70 	create
     71 	destroy
     72 	getattr
     73 	setattr
     74 	read
     75 	write
     76 	associate
     77 	unix_read
     78 	unix_write
     79 }
     80 
     81 #
     82 # Define a common prefix for capability access vectors.
     83 #
     84 common cap
     85 {
     86 	# The capabilities are defined in include/linux/capability.h
     87 	# Capabilities >= 32 are defined in the cap2 common.
     88 	# Care should be taken to ensure that these are consistent with
     89 	# those definitions. Order matters: a permission's position in this
        	# list is its bit number, so the list must stay in the same order as
        	# the CAP_* numbering in that header. Inserting a name in the middle
        	# shifts every later bit; new capabilities go at the end of cap2.
     90 
     91 	chown
     92 	dac_override
     93 	dac_read_search
     94 	fowner
     95 	fsetid
     96 	kill
     97 	setgid
     98 	setuid
     99 	setpcap
    100 	linux_immutable
    101 	net_bind_service
    102 	net_broadcast
    103 	net_admin
    104 	net_raw
    105 	ipc_lock
    106 	ipc_owner
    107 	sys_module
    108 	sys_rawio
    109 	sys_chroot
    110 	sys_ptrace
    111 	sys_pacct
    112 	sys_admin
    113 	sys_boot
    114 	sys_nice
    115 	sys_resource
    116 	sys_time
    117 	sys_tty_config
    118 	mknod
    119 	lease
    120 	audit_write
    121 	audit_control
    122 	setfcap
    123 }
    124 
    125 common cap2
    126 {
        	# Capabilities numbered >= 32 (see the note in common cap). The same
        	# ordering rule applies: keep this list in include/linux/capability.h
        	# order and only append. The two "unused" entries are presumably kept
        	# as placeholders so the later bits stay aligned — confirm before removing.
    127 	mac_override	# unused by SELinux
    128 	mac_admin	# unused by SELinux
    129 	syslog
    130 	wake_alarm
    131 	block_suspend
    132 	audit_read
    133 }
    134 
    135 #
    136 # Define the access vectors.
    137 #
    138 # class class_name [ inherits common_name ] { permission_name ... }
    139 
    140 
    141 #
    142 # Define the access vector interpretation for file-related objects.
    143 #
    144 
    145 class filesystem
    146 {
    147 	mount
    148 	remount
    149 	unmount
    150 	getattr
    151 	relabelfrom
    152 	relabelto
    153 	associate
    154 	quotamod
    155 	quotaget
    156 }
    157 
    158 class dir
    159 inherits file
    160 {
    161 	add_name
    162 	remove_name
    163 	reparent
    164 	search
    165 	rmdir
    166 	open
    167 	audit_access
    168 	execmod
    169 }
    170 
    171 class file
    172 inherits file
    173 {
    174 	execute_no_trans
    175 	entrypoint
    176 	execmod
    177 	open
    178 	audit_access
    179 }
    180 
    181 class lnk_file
    182 inherits file
    183 {
    184 	open
    185 	audit_access
    186 	execmod
    187 }
    188 
    189 class chr_file
    190 inherits file
    191 {
    192 	execute_no_trans
    193 	entrypoint
    194 	execmod
    195 	open
    196 	audit_access
    197 }
    198 
    199 class blk_file
    200 inherits file
    201 {
    202 	open
    203 	audit_access
    204 	execmod
    205 }
    206 
    207 class sock_file
    208 inherits file
    209 {
    210 	open
    211 	audit_access
    212 	execmod
    213 }
    214 
    215 class fifo_file
    216 inherits file
    217 {
    218 	open
    219 	audit_access
    220 	execmod
    221 }
    222 
    223 class fd
    224 {
    225 	use
    226 }
    227 
    228 
    229 #
    230 # Define the access vector interpretation for network-related objects.
    231 #
    232 
    233 class socket
    234 inherits socket
    235 
    236 class tcp_socket
    237 inherits socket
    238 {
    239 	node_bind
    240 	name_connect
    241 }
    242 
    243 class udp_socket
    244 inherits socket
    245 {
    246 	node_bind
    247 }
    248 
    249 class rawip_socket
    250 inherits socket
    251 {
    252 	node_bind
    253 }
    254 
    255 class node
    256 {
    257 	recvfrom
    258 	sendto
    259 }
    260 
    261 class netif
    262 {
    263 	ingress
    264 	egress
    265 }
    266 
    267 class netlink_socket
    268 inherits socket
    269 
    270 class packet_socket
    271 inherits socket
    272 
    273 class key_socket
    274 inherits socket
    275 
    276 class unix_stream_socket
    277 inherits socket
    278 {
    279 	connectto
    280 }
    281 
    282 class unix_dgram_socket
    283 inherits socket
    284 
    285 class bpf
    286 {
    287 	map_create
    288 	map_read
    289 	map_write
    290 	prog_load
    291 	prog_run
    292 }
    293 
    294 #
    295 # Define the access vector interpretation for process-related objects
    296 #
    297 
    298 class process
    299 {
    300 	fork
    301 	transition
    302 	sigchld # commonly granted from child to parent
    303 	sigkill # cannot be caught or ignored
    304 	sigstop # cannot be caught or ignored
    305 	signull # for kill(pid, 0)
    306 	signal  # all other signals
    307 	ptrace
    308 	getsched
    309 	setsched
    310 	getsession
    311 	getpgid
    312 	setpgid
    313 	getcap
    314 	setcap
    315 	share
    316 	getattr
    317 	setexec
    318 	setfscreate
    319 	noatsecure
    320 	siginh
    321 	setrlimit
    322 	rlimitinh
    323 	dyntransition
    324 	setcurrent
    325 	execmem
    326 	execstack
    327 	execheap
    328 	setkeycreate
    329 	setsockcreate
    330 	getrlimit
    331 }
    332 
    333 
    334 #
    335 # Define the access vector interpretation for ipc-related objects
    336 #
    337 
    338 class ipc
    339 inherits ipc
    340 
    341 class sem
    342 inherits ipc
    343 
    344 class msgq
    345 inherits ipc
    346 {
    347 	enqueue
    348 }
    349 
    350 class msg
    351 {
    352 	send
    353 	receive
    354 }
    355 
    356 class shm
    357 inherits ipc
    358 {
    359 	lock
    360 }
    361 
    362 
    363 #
    364 # Define the access vector interpretation for the security server.
    365 #
    366 
    367 class security
    368 {
    369 	compute_av
    370 	compute_create
    371 	compute_member
    372 	check_context
    373 	load_policy
    374 	compute_relabel
    375 	compute_user
    376 	setenforce     # was avc_toggle in system class
    377 	setbool
    378 	setsecparam
    379 	setcheckreqprot
    380 	read_policy
    381 	validate_trans
    382 }
    383 
    384 
    385 #
    386 # Define the access vector interpretation for system operations.
    387 #
    388 
    389 class system
    390 {
    391 	ipc_info
    392 	syslog_read
    393 	syslog_mod
    394 	syslog_console
    395 	module_request
    396 	module_load
    397 }
    398 
    399 #
    400 # Define the access vector interpretation for controlling capabilities
    401 #
    402 
    403 class capability
    404 inherits cap
    405 
    406 class capability2
    407 inherits cap2
    408 
    409 #
    410 # Extended Netlink classes
    411 #
    412 class netlink_route_socket
    413 inherits socket
    414 {
    415 	nlmsg_read
    416 	nlmsg_write
    417 }
    418 
    419 class netlink_tcpdiag_socket
    420 inherits socket
    421 {
    422 	nlmsg_read
    423 	nlmsg_write
    424 }
    425 
    426 class netlink_nflog_socket
    427 inherits socket
    428 
    429 class netlink_xfrm_socket
    430 inherits socket
    431 {
    432 	nlmsg_read
    433 	nlmsg_write
    434 }
    435 
    436 class netlink_selinux_socket
    437 inherits socket
    438 
    439 class netlink_audit_socket
    440 inherits socket
    441 {
    442 	nlmsg_read
    443 	nlmsg_write
    444 	nlmsg_relay
    445 	nlmsg_readpriv
    446 	nlmsg_tty_audit
    447 }
    448 
    449 class netlink_dnrt_socket
    450 inherits socket
    451 
    452 # Define the access vector interpretation for controlling
    453 # access to IPSec network data by association
    454 #
    455 class association
    456 {
    457 	sendto
    458 	recvfrom
    459 	setcontext
    460 	polmatch
    461 }
    462 
    463 # Updated Netlink class for KOBJECT_UEVENT family.
    464 class netlink_kobject_uevent_socket
    465 inherits socket
    466 
    467 class appletalk_socket
    468 inherits socket
    469 
    470 class packet
    471 {
    472 	send
    473 	recv
    474 	relabelto
    475 	flow_in		# deprecated
    476 	flow_out	# deprecated
    477 	forward_in
    478 	forward_out
    479 }
    480 
    481 class key
    482 {
    483 	view
    484 	read
    485 	write
    486 	search
    487 	link
    488 	setattr
    489 	create
    490 }
    491 
    492 class dccp_socket
    493 inherits socket
    494 {
    495 	node_bind
    496 	name_connect
    497 }
    498 
    499 class memprotect
    500 {
    501 	mmap_zero
    502 }
    503 
    504 # network peer labels
    505 class peer
    506 {
    507 	recv
    508 }
    509 
    510 class kernel_service
    511 {
    512 	use_as_override
    513 	create_files_as
    514 }
    515 
    516 class tun_socket
    517 inherits socket
    518 {
    519 	attach_queue
    520 }
    521 
    522 class binder
    523 {
    524 	impersonate
    525 	call
    526 	set_context_mgr
    527 	transfer
    528 }
    529 
    530 class netlink_iscsi_socket
    531 inherits socket
    532 
    533 class netlink_fib_lookup_socket
    534 inherits socket
    535 
    536 class netlink_connector_socket
    537 inherits socket
    538 
    539 class netlink_netfilter_socket
    540 inherits socket
    541 
    542 class netlink_generic_socket
    543 inherits socket
    544 
    545 class netlink_scsitransport_socket
    546 inherits socket
    547 
    548 class netlink_rdma_socket
    549 inherits socket
    550 
    551 class netlink_crypto_socket
    552 inherits socket
    553 
    554 #
    555 # Define the access vector interpretation for controlling capabilities
    556 # in user namespaces
    557 #
    558 
    559 class cap_userns
    560 inherits cap
    561 
    562 class cap2_userns
    563 inherits cap2
    564 
    565 
    566 #
    567 # Define the access vector interpretation for the new socket classes
    568 # enabled by the extended_socket_class policy capability.
    569 #
    570 
    571 #
    572 # The next two classes were previously mapped to rawip_socket and therefore
    573 # have the same definition as rawip_socket (until further permissions
    574 # are defined).
    575 #
    576 class sctp_socket
    577 inherits socket
    578 {
    579 	node_bind
    580 }
    581 
    582 class icmp_socket
    583 inherits socket
    584 {
    585 	node_bind
    586 }
    587 
    588 #
    589 # The remaining network socket classes were previously
    590 # mapped to the socket class and therefore have the
    591 # same definition as socket.
    592 #
    593 
    594 class ax25_socket
    595 inherits socket
    596 
    597 class ipx_socket
    598 inherits socket
    599 
    600 class netrom_socket
    601 inherits socket
    602 
    603 class atmpvc_socket
    604 inherits socket
    605 
    606 class x25_socket
    607 inherits socket
    608 
    609 class rose_socket
    610 inherits socket
    611 
    612 class decnet_socket
    613 inherits socket
    614 
    615 class atmsvc_socket
    616 inherits socket
    617 
    618 class rds_socket
    619 inherits socket
    620 
    621 class irda_socket
    622 inherits socket
    623 
    624 class pppox_socket
    625 inherits socket
    626 
    627 class llc_socket
    628 inherits socket
    629 
    630 class can_socket
    631 inherits socket
    632 
    633 class tipc_socket
    634 inherits socket
    635 
    636 class bluetooth_socket
    637 inherits socket
    638 
    639 class iucv_socket
    640 inherits socket
    641 
    642 class rxrpc_socket
    643 inherits socket
    644 
    645 class isdn_socket
    646 inherits socket
    647 
    648 class phonet_socket
    649 inherits socket
    650 
    651 class ieee802154_socket
    652 inherits socket
    653 
    654 class caif_socket
    655 inherits socket
    656 
    657 class alg_socket
    658 inherits socket
    659 
    660 class nfc_socket
    661 inherits socket
    662 
    663 class vsock_socket
    664 inherits socket
    665 
    666 class kcm_socket
    667 inherits socket
    668 
    669 class qipcrtr_socket
    670 inherits socket
    671 
    672 class smc_socket
    673 inherits socket
    674 
    675 class property_service
    676 {
    677 	set
    678 }
    679 
    680 class service_manager
    681 {
    682 	add
    683 	find
    684 	list
    685 }
    686 
    687 class hwservice_manager
    688 {
    689 	add
    690 	find
    691 	list
    692 }
    693 
    694 class keystore_key
    695 {
    696 	get_state
    697 	get
    698 	insert
    699 	delete
    700 	exist
    701 	list
    702 	reset
    703 	password
    704 	lock
    705 	unlock
    706 	is_empty
    707 	sign
    708 	verify
    709 	grant
    710 	duplicate
    711 	clear_uid
    712 	add_auth
    713 	user_changed
    714 	gen_unique_id
    715 }
    716 
        # NOTE(review): this is the only class in the file with the brace on the
        # declaration line and camelCase permission names; presumably accepted by
        # the parser, but worth normalizing to the file's style when next touched.
    717 class drmservice {
    718 	consumeRights
    719 	setPlaybackStatus
    720 	openDecryptSession
    721 	closeDecryptSession
    722 	initializeDecryptUnit
    723 	decrypt
    724 	finalizeDecryptUnit
    725 	pread
    726 }
    727