access_vectors - fp2-dev/platform/external/sepolicy - Gitiles

 #
 # Define common prefixes for access vectors
 #
 # common common_name { permission_name ... }


 #
 # Define a common prefix for file access vectors.
 #

 common file
 {
 	ioctl
 	read
 	write
 	create
 	getattr
 	setattr
 	lock
 	relabelfrom
 	relabelto
 	append
 	unlink
 	link
 	rename
 	execute
 	swapon
 	quotaon
 	mounton
 }


 #
 # Define a common prefix for socket access vectors.
 #

 common socket
 {
 # inherited from file
 	ioctl
 	read
 	write
 	create
 	getattr
 	setattr
 	lock
 	relabelfrom
 	relabelto
 	append
 # socket-specific
 	bind
 	connect
 	listen
 	accept
 	getopt
 	setopt
 	shutdown
 	recvfrom
 	sendto
 	recv_msg
 	send_msg
 	name_bind
 }

 #
 # Define a common prefix for ipc access vectors.
 #

 common ipc
 {
 	create
 	destroy
 	getattr
 	setattr
 	read
 	write
 	associate
 	unix_read
 	unix_write
 }

 #
 #  Define a common prefix for userspace database object access vectors.
 #

 common database
 {
 	create
 	drop
 	getattr
 	setattr
 	relabelfrom
 	relabelto
 }

 #
 # Define a common prefix for pointer and keyboard access vectors.
 #

 common x_device
 {
 	getattr
 	setattr
 	use
 	read
 	write
 	getfocus
 	setfocus
 	bell
 	force_cursor
 	freeze
 	grab
 	manage
 	list_property
 	get_property
 	set_property
 	add
 	remove
 	create
 	destroy
 }

 #
 # Define the access vectors.
 #
 # class class_name [ inherits common_name ] { permission_name ... }


 #
 # Define the access vector interpretation for file-related objects.
 #

 class filesystem
 {
 	mount
 	remount
 	unmount
 	getattr
 	relabelfrom
 	relabelto
 	transition
 	associate
 	quotamod
 	quotaget
 }

 class dir
 inherits file
 {
 	add_name
 	remove_name
 	reparent
 	search
 	rmdir
 	open
 	audit_access
 	execmod
 }

 class file
 inherits file
 {
 	execute_no_trans
 	entrypoint
 	execmod
 	open
 	audit_access
 }

 class lnk_file
 inherits file
 {
 	open
 	audit_access
 	execmod
 }

 class chr_file
 inherits file
 {
 	execute_no_trans
 	entrypoint
 	execmod
 	open
 	audit_access
 }

 class blk_file
 inherits file
 {
 	open
 	audit_access
 	execmod
 }

 class sock_file
 inherits file
 {
 	open
 	audit_access
 	execmod
 }

 class fifo_file
 inherits file
 {
 	open
 	audit_access
 	execmod
 }

 class fd
 {
 	use
 }


 #
 # Define the access vector interpretation for network-related objects.
 #

 class socket
 inherits socket

 class tcp_socket
 inherits socket
 {
 	connectto
 	newconn
 	acceptfrom
 	node_bind
 	name_connect
 }

 class udp_socket
 inherits socket
 {
 	node_bind
 }

 class rawip_socket
 inherits socket
 {
 	node_bind
 }

 class node
 {
 	tcp_recv
 	tcp_send
 	udp_recv
 	udp_send
 	rawip_recv
 	rawip_send
 	enforce_dest
 	dccp_recv
 	dccp_send
 	recvfrom
 	sendto
 }

 class netif
 {
 	tcp_recv
 	tcp_send
 	udp_recv
 	udp_send
 	rawip_recv
 	rawip_send
 	dccp_recv
 	dccp_send
 	ingress
 	egress
 }

 class netlink_socket
 inherits socket

 class packet_socket
 inherits socket

 class key_socket
 inherits socket

 class unix_stream_socket
 inherits socket
 {
 	connectto
 	newconn
 	acceptfrom
 }

 class unix_dgram_socket
 inherits socket

 #
 # Define the access vector interpretation for process-related objects
 #

 class process
 {
 	fork
 	transition
 	sigchld # commonly granted from child to parent
 	sigkill # cannot be caught or ignored
 	sigstop # cannot be caught or ignored
 	signull # for kill(pid, 0)
 	signal  # all other signals
 	ptrace
 	getsched
 	setsched
 	getsession
 	getpgid
 	setpgid
 	getcap
 	setcap
 	share
 	getattr
 	setexec
 	setfscreate
 	noatsecure
 	siginh
 	setrlimit
 	rlimitinh
 	dyntransition
 	setcurrent
 	execmem
 	execstack
 	execheap
 	setkeycreate
 	setsockcreate
 }


 #
 # Define the access vector interpretation for ipc-related objects
 #

 class ipc
 inherits ipc

 class sem
 inherits ipc

 class msgq
 inherits ipc
 {
 	enqueue
 }

 class msg
 {
 	send
 	receive
 }

 class shm
 inherits ipc
 {
 	lock
 }


 #
 # Define the access vector interpretation for the security server.
 #

 class security
 {
 	compute_av
 	compute_create
 	compute_member
 	check_context
 	load_policy
 	compute_relabel
 	compute_user
 	setenforce     # was avc_toggle in system class
 	setbool
 	setsecparam
 	setcheckreqprot
 	read_policy
 }


 #
 # Define the access vector interpretation for system operations.
 #

 class system
 {
 	ipc_info
 	syslog_read
 	syslog_mod
 	syslog_console
 	module_request
 }

 #
 # Define the access vector interpretation for controling capabilies
 #

 class capability
 {
 	# The capabilities are defined in include/linux/capability.h
 	# Capabilities >= 32 are defined in the capability2 class.
 	# Care should be taken to ensure that these are consistent with
 	# those definitions. (Order matters)

 	chown
 	dac_override
 	dac_read_search
 	fowner
 	fsetid
 	kill
 	setgid
 	setuid
 	setpcap
 	linux_immutable
 	net_bind_service
 	net_broadcast
 	net_admin
 	net_raw
 	ipc_lock
 	ipc_owner
 	sys_module
 	sys_rawio
 	sys_chroot
 	sys_ptrace
 	sys_pacct
 	sys_admin
 	sys_boot
 	sys_nice
 	sys_resource
 	sys_time
 	sys_tty_config
 	mknod
 	lease
 	audit_write
 	audit_control
 	setfcap
 }

 class capability2
 {
 	mac_override	# unused by SELinux
 	mac_admin	# unused by SELinux
 	syslog
 	wake_alarm
 	block_suspend
 }

 #
 # Define the access vector interpretation for controlling
 # changes to passwd information.
 #
 class passwd
 {
 	passwd	# change another user passwd
 	chfn	# change another user finger info
 	chsh	# change another user shell
 	rootok  # pam_rootok check (skip auth)
 	crontab # crontab on another user
 }

 #
 # SE-X Windows stuff
 #
 class x_drawable
 {
 	create
 	destroy
 	read
 	write
 	blend
 	getattr
 	setattr
 	list_child
 	add_child
 	remove_child
 	list_property
 	get_property
 	set_property
 	manage
 	override
 	show
 	hide
 	send
 	receive
 }

 class x_screen
 {
 	getattr
 	setattr
 	hide_cursor
 	show_cursor
 	saver_getattr
 	saver_setattr
 	saver_hide
 	saver_show
 }

 class x_gc
 {
 	create
 	destroy
 	getattr
 	setattr
 	use
 }

 class x_font
 {
 	create
 	destroy
 	getattr
 	add_glyph
 	remove_glyph
 	use
 }

 class x_colormap
 {
 	create
 	destroy
 	read
 	write
 	getattr
 	add_color
 	remove_color
 	install
 	uninstall
 	use
 }

 class x_property
 {
 	create
 	destroy
 	read
 	write
 	append
 	getattr
 	setattr
 }

 class x_selection
 {
 	read
 	write
 	getattr
 	setattr
 }

 class x_cursor
 {
 	create
 	destroy
 	read
 	write
 	getattr
 	setattr
 	use
 }

 class x_client
 {
 	destroy
 	getattr
 	setattr
 	manage
 }

 class x_device
 inherits x_device

 class x_server
 {
 	getattr
 	setattr
 	record
 	debug
 	grab
 	manage
 }

 class x_extension
 {
 	query
 	use
 }

 class x_resource
 {
 	read
 	write
 }

 class x_event
 {
 	send
 	receive
 }

 class x_synthetic_event
 {
 	send
 	receive
 }

 #
 # Extended Netlink classes
 #
 class netlink_route_socket
 inherits socket
 {
 	nlmsg_read
 	nlmsg_write
 }

 class netlink_firewall_socket
 inherits socket
 {
 	nlmsg_read
 	nlmsg_write
 }

 class netlink_tcpdiag_socket
 inherits socket
 {
 	nlmsg_read
 	nlmsg_write
 }

 class netlink_nflog_socket
 inherits socket

 class netlink_xfrm_socket
 inherits socket
 {
 	nlmsg_read
 	nlmsg_write
 }

 class netlink_selinux_socket
 inherits socket

 class netlink_audit_socket
 inherits socket
 {
 	nlmsg_read
 	nlmsg_write
 	nlmsg_relay
 	nlmsg_readpriv
 	nlmsg_tty_audit
 }

 class netlink_ip6fw_socket
 inherits socket
 {
 	nlmsg_read
 	nlmsg_write
 }

 class netlink_dnrt_socket
 inherits socket

 # Define the access vector interpretation for controlling
 # access and communication through the D-BUS messaging
 # system.
 #
 class dbus
 {
 	acquire_svc
 	send_msg
 }

 # Define the access vector interpretation for controlling
 # access through the name service cache daemon (nscd).
 #
 class nscd
 {
 	getpwd
 	getgrp
 	gethost
 	getstat
 	admin
 	shmempwd
 	shmemgrp
 	shmemhost
 	getserv
 	shmemserv
 }

 # Define the access vector interpretation for controlling
 # access to IPSec network data by association
 #
 class association
 {
 	sendto
 	recvfrom
 	setcontext
 	polmatch
 }

 # Updated Netlink class for KOBJECT_UEVENT family.
 class netlink_kobject_uevent_socket
 inherits socket

 class appletalk_socket
 inherits socket

 class packet
 {
 	send
 	recv
 	relabelto
 	flow_in		# deprecated
 	flow_out	# deprecated
 	forward_in
 	forward_out
 }

 class key
 {
 	view
 	read
 	write
 	search
 	link
 	setattr
 	create
 }

 class context
 {
 	translate
 	contains
 }

 class dccp_socket
 inherits socket
 {
 	node_bind
 	name_connect
 }

 class memprotect
 {
 	mmap_zero
 }

 class db_database
 inherits database
 {
 	access
 	install_module
 	load_module
 	get_param	# deprecated
 	set_param	# deprecated
 }

 class db_table
 inherits database
 {
 	use		# deprecated
 	select
 	update
 	insert
 	delete
 	lock
 }

 class db_procedure
 inherits database
 {
 	execute
 	entrypoint
 	install
 }

 class db_column
 inherits database
 {
 	use		# deprecated
 	select
 	update
 	insert
 }

 class db_tuple
 {
 	relabelfrom
 	relabelto
 	use		# deprecated
 	select
 	update
 	insert
 	delete
 }

 class db_blob
 inherits database
 {
 	read
 	write
 	import
 	export
 }

 # network peer labels
 class peer
 {
 	recv
 }

 class x_application_data
 {
 	paste
 	paste_after_confirm
 	copy
 }

 class kernel_service
 {
 	use_as_override
 	create_files_as
 }

 class tun_socket
 inherits socket

 class x_pointer
 inherits x_device

 class x_keyboard
 inherits x_device

 class db_schema
 inherits database
 {
 	search
 	add_name
 	remove_name
 }

 class db_view
 inherits database
 {
 	expand
 }

 class db_sequence
 inherits database
 {
 	get_value
 	next_value
 	set_value
 }

 class db_language
 inherits database
 {
 	implement
 	execute
 }

 class binder
 {
 	impersonate
 	call
 	set_context_mgr
 	transfer
 }

 class zygote
 {
 	specifyids
 	specifyrlimits
 	specifycapabilities
 	specifyinvokewith
 	specifyseinfo
 }

 class property_service
 {
 	set
 }
	#
	# Define common prefixes for access vectors
	#
	# common common_name { permission_name ... }


	#
	# Define a common prefix for file access vectors.
	#

	common file
	{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
	}


	#
	# Define a common prefix for socket access vectors.
	#

	common socket
	{
	# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
	}

	#
	# Define a common prefix for ipc access vectors.
	#

	common ipc
	{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
	}

	#
	# Define a common prefix for userspace database object access vectors.
	#

	common database
	{
	create
	drop
	getattr
	setattr
	relabelfrom
	relabelto
	}

	#
	# Define a common prefix for pointer and keyboard access vectors.
	#

	common x_device
	{
	getattr
	setattr
	use
	read
	write
	getfocus
	setfocus
	bell
	force_cursor
	freeze
	grab
	manage
	list_property
	get_property
	set_property
	add
	remove
	create
	destroy
	}

	#
	# Define the access vectors.
	#
	# class class_name [ inherits common_name ] { permission_name ... }


	#
	# Define the access vector interpretation for file-related objects.
	#

	class filesystem
	{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
	}

	class dir
	inherits file
	{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
	}

	class file
	inherits file
	{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
	}

	class lnk_file
	inherits file
	{
	open
	audit_access
	execmod
	}

	class chr_file
	inherits file
	{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
	}

	class blk_file
	inherits file
	{
	open
	audit_access
	execmod
	}

	class sock_file
	inherits file
	{
	open
	audit_access
	execmod
	}

	class fifo_file
	inherits file
	{
	open
	audit_access
	execmod
	}

	class fd
	{
	use
	}


	#
	# Define the access vector interpretation for network-related objects.
	#

	class socket
	inherits socket

	class tcp_socket
	inherits socket
	{
	connectto
	newconn
	acceptfrom
	node_bind
	name_connect
	}

	class udp_socket
	inherits socket
	{
	node_bind
	}

	class rawip_socket
	inherits socket
	{
	node_bind
	}

	class node
	{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
	dccp_recv
	dccp_send
	recvfrom
	sendto
	}

	class netif
	{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	dccp_recv
	dccp_send
	ingress
	egress
	}

	class netlink_socket
	inherits socket

	class packet_socket
	inherits socket

	class key_socket
	inherits socket

	class unix_stream_socket
	inherits socket
	{
	connectto
	newconn
	acceptfrom
	}

	class unix_dgram_socket
	inherits socket

	#
	# Define the access vector interpretation for process-related objects
	#

	class process
	{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
	}


	#
	# Define the access vector interpretation for ipc-related objects
	#

	class ipc
	inherits ipc

	class sem
	inherits ipc

	class msgq
	inherits ipc
	{
	enqueue
	}

	class msg
	{
	send
	receive
	}

	class shm
	inherits ipc
	{
	lock
	}


	#
	# Define the access vector interpretation for the security server.
	#

	class security
	{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
	}


	#
	# Define the access vector interpretation for system operations.
	#

	class system
	{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	}

	#
	# Define the access vector interpretation for controling capabilies
	#

	class capability
	{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the capability2 class.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
	}

	class capability2
	{
	mac_override # unused by SELinux
	mac_admin # unused by SELinux
	syslog
	wake_alarm
	block_suspend
	}

	#
	# Define the access vector interpretation for controlling
	# changes to passwd information.
	#
	class passwd
	{
	passwd # change another user passwd
	chfn # change another user finger info
	chsh # change another user shell
	rootok # pam_rootok check (skip auth)
	crontab # crontab on another user
	}

	#
	# SE-X Windows stuff
	#
	class x_drawable
	{
	create
	destroy
	read
	write
	blend
	getattr
	setattr
	list_child
	add_child
	remove_child
	list_property
	get_property
	set_property
	manage
	override
	show
	hide
	send
	receive
	}

	class x_screen
	{
	getattr
	setattr
	hide_cursor
	show_cursor
	saver_getattr
	saver_setattr
	saver_hide
	saver_show
	}

	class x_gc
	{
	create
	destroy
	getattr
	setattr
	use
	}

	class x_font
	{
	create
	destroy
	getattr
	add_glyph
	remove_glyph
	use
	}

	class x_colormap
	{
	create
	destroy
	read
	write
	getattr
	add_color
	remove_color
	install
	uninstall
	use
	}

	class x_property
	{
	create
	destroy
	read
	write
	append
	getattr
	setattr
	}

	class x_selection
	{
	read
	write
	getattr
	setattr
	}

	class x_cursor
	{
	create
	destroy
	read
	write
	getattr
	setattr
	use
	}

	class x_client
	{
	destroy
	getattr
	setattr
	manage
	}

	class x_device
	inherits x_device

	class x_server
	{
	getattr
	setattr
	record
	debug
	grab
	manage
	}

	class x_extension
	{
	query
	use
	}

	class x_resource
	{
	read
	write
	}

	class x_event
	{
	send
	receive
	}

	class x_synthetic_event
	{
	send
	receive
	}

	#
	# Extended Netlink classes
	#
	class netlink_route_socket
	inherits socket
	{
	nlmsg_read
	nlmsg_write
	}

	class netlink_firewall_socket
	inherits socket
	{
	nlmsg_read
	nlmsg_write
	}

	class netlink_tcpdiag_socket
	inherits socket
	{
	nlmsg_read
	nlmsg_write
	}

	class netlink_nflog_socket
	inherits socket

	class netlink_xfrm_socket
	inherits socket
	{
	nlmsg_read
	nlmsg_write
	}

	class netlink_selinux_socket
	inherits socket

	class netlink_audit_socket
	inherits socket
	{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
	}

	class netlink_ip6fw_socket
	inherits socket
	{
	nlmsg_read
	nlmsg_write
	}

	class netlink_dnrt_socket
	inherits socket

	# Define the access vector interpretation for controlling
	# access and communication through the D-BUS messaging
	# system.
	#
	class dbus
	{
	acquire_svc
	send_msg
	}

	# Define the access vector interpretation for controlling
	# access through the name service cache daemon (nscd).
	#
	class nscd
	{
	getpwd
	getgrp
	gethost
	getstat
	admin
	shmempwd
	shmemgrp
	shmemhost
	getserv
	shmemserv
	}

	# Define the access vector interpretation for controlling
	# access to IPSec network data by association
	#
	class association
	{
	sendto
	recvfrom
	setcontext
	polmatch
	}

	# Updated Netlink class for KOBJECT_UEVENT family.
	class netlink_kobject_uevent_socket
	inherits socket

	class appletalk_socket
	inherits socket

	class packet
	{
	send
	recv
	relabelto
	flow_in # deprecated
	flow_out # deprecated
	forward_in
	forward_out
	}

	class key
	{
	view
	read
	write
	search
	link
	setattr
	create
	}

	class context
	{
	translate
	contains
	}

	class dccp_socket
	inherits socket
	{
	node_bind
	name_connect
	}

	class memprotect
	{
	mmap_zero
	}

	class db_database
	inherits database
	{
	access
	install_module
	load_module
	get_param # deprecated
	set_param # deprecated
	}

	class db_table
	inherits database
	{
	use # deprecated
	select
	update
	insert
	delete
	lock
	}

	class db_procedure
	inherits database
	{
	execute
	entrypoint
	install
	}

	class db_column
	inherits database
	{
	use # deprecated
	select
	update
	insert
	}

	class db_tuple
	{
	relabelfrom
	relabelto
	use # deprecated
	select
	update
	insert
	delete
	}

	class db_blob
	inherits database
	{
	read
	write
	import
	export
	}

	# network peer labels
	class peer
	{
	recv
	}

	class x_application_data
	{
	paste
	paste_after_confirm
	copy
	}

	class kernel_service
	{
	use_as_override
	create_files_as
	}

	class tun_socket
	inherits socket

	class x_pointer
	inherits x_device

	class x_keyboard
	inherits x_device

	class db_schema
	inherits database
	{
	search
	add_name
	remove_name
	}

	class db_view
	inherits database
	{
	expand
	}

	class db_sequence
	inherits database
	{
	get_value
	next_value
	set_value
	}

	class db_language
	inherits database
	{
	implement
	execute
	}

	class binder
	{
	impersonate
	call
	set_context_mgr
	transfer
	}

	class zygote
	{
	specifyids
	specifyrlimits
	specifycapabilities
	specifyinvokewith
	specifyseinfo
	}

	class property_service
	{
	set
	}