• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1Class and Permission Statements
2===============================
3
4common
5------
6
7Declares a common identifier in the current namespace with a set of common permissions that can be used by one or more [`class`](cil_class_and_permission_statements.md#class) identifiers. The [`classcommon`](cil_class_and_permission_statements.md#classcommon) statement is used to associate a [`common`](cil_class_and_permission_statements.md#common) identifier to a specific [`class`](cil_class_and_permission_statements.md#class) identifier.
8
9**Statement definition:**
10
11```secil
12    (common common_id (permission_id ...))
13```
14
15**Where:**
16
17<table>
18<colgroup>
19<col width="25%" />
20<col width="75%" />
21</colgroup>
22<tbody>
23<tr class="odd">
24<td align="left"><p><code>common</code></p></td>
25<td align="left"><p>The <code>common</code> keyword.</p></td>
26</tr>
27<tr class="even">
28<td align="left"><p><code>common_id</code></p></td>
29<td align="left"><p>The <code>common</code> identifier.</p></td>
30</tr>
31<tr class="odd">
32<td align="left"><p><code>permission_id</code></p></td>
33<td align="left"><p>One or more permissions.</p></td>
34</tr>
35</tbody>
36</table>
37
38**Example:**
39
40This common statement will associate the [`common`](cil_class_and_permission_statements.md#common) identifier '`file`' with the list of permissions:
41
42```secil
43    (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))
44```
45
46classcommon
47-----------
48
49Associate a [`class`](cil_class_and_permission_statements.md#class) identifier to a one or more permissions declared by a [`common`](cil_class_and_permission_statements.md#common) identifier.
50
51**Statement definition:**
52
53```secil
54    (classcommon class_id common_id)
55```
56
57**Where:**
58
59<table>
60<colgroup>
61<col width="25%" />
62<col width="75%" />
63</colgroup>
64<tbody>
65<tr class="odd">
66<td align="left"><p><code>classcommon</code></p></td>
67<td align="left"><p>The <code>classcommon</code> keyword.</p></td>
68</tr>
69<tr class="even">
70<td align="left"><p><code>class_id</code></p></td>
71<td align="left"><p>A single previously declared <code>class</code> identifier.</p></td>
72</tr>
73<tr class="odd">
74<td align="left"><p><code>common_id</code></p></td>
75<td align="left"><p>A single previously declared <code>common</code> identifier that defines the common permissions for that class.</p></td>
76</tr>
77</tbody>
78</table>
79
80**Example:**
81
82This associates the `dir` class with the list of permissions declared by the `file common` identifier:
83
84```secil
85    (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))
86
87    (classcommon dir file)
88```
89
90class
91-----
92
93Declares a class and zero or more permissions in the current namespace.
94
95**Statement definition:**
96
97```secil
98    (class class_id (permission_id ...))
99```
100
101**Where:**
102
103<table>
104<colgroup>
105<col width="25%" />
106<col width="75%" />
107</colgroup>
108<tbody>
109<tr class="odd">
110<td align="left"><p><code>class</code></p></td>
111<td align="left"><p>The <code>class</code> keyword.</p></td>
112</tr>
113<tr class="even">
114<td align="left"><p><code>class_id</code></p></td>
115<td align="left"><p>The <code>class</code> identifier.</p></td>
116</tr>
117<tr class="odd">
118<td align="left"><p><code>permission_id</code></p></td>
119<td align="left"><p>Zero or more permissions declared for the class. Note that if zero permissions, an empty list is required as shown in the example.</p></td>
120</tr>
121</tbody>
122</table>
123
124**Examples:**
125
126This example defines a set of permissions for the `binder` class identifier:
127
128```secil
129    (class binder (impersonate call set_context_mgr transfer receive))
130```
131
132This example defines a common set of permissions to be used by the `sem` class, the `(class sem ())` does not define any other permissions (i.e. an empty list):
133
134```secil
135    (common ipc (create destroy getattr setattr read write associate unix_read unix_write))
136
137    (classcommon sem ipc)
138    (class sem ())
139```
140
141and will produce the following set of permissions for the `sem` class identifier of:
142
143```secil
144    (class sem (create destroy getattr setattr read write associate unix_read unix_write))
145```
146
147This example, with the following combination of the [`common`](cil_class_and_permission_statements.md#common), [`classcommon`](cil_class_and_permission_statements.md#classcommon) and [`class`](cil_class_and_permission_statements.md#class) statements:
148
149```secil
150    (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))
151
152    (classcommon dir file)
153    (class dir (add_name remove_name reparent search rmdir open audit_access execmod))
154```
155
156will produce a set of permissions for the `dir` class identifier of:
157
158```secil
159    (class dir (add_name remove_name reparent search rmdir open audit_access execmod ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))
160```
161
162classorder
163----------
164
165Defines the order of [class](#class)'s. This is a mandatory statement. Multiple [`classorder`](cil_class_and_permission_statements.md#classorder) statements declared in the policy will form an ordered list.
166
167**Statement definition:**
168
169```secil
170    (classorder (class_id ...))
171```
172
173**Where:**
174
175<table>
176<colgroup>
177<col width="25%" />
178<col width="75%" />
179</colgroup>
180<tbody>
181<tr class="odd">
182<td align="left"><p><code>classorder</code></p></td>
183<td align="left"><p>The <code>classorder</code> keyword.</p></td>
184</tr>
185<tr class="even">
186<td align="left"><p><code>class_id</code></p></td>
187<td align="left"><p>One or more <code>class</code> identifiers.</p></td>
188</tr>
189</tbody>
190</table>
191
192**Example:**
193
194This will produce an ordered list of "`file dir process`"
195
196```secil
197    (class process)
198    (class file)
199    (class dir)
200    (classorder (file dir))
201    (classorder (dir process))
202```
203
204**Unordered Classorder Statement:**
205
206If users do not have knowledge of the existing [`classorder`](#classorder), the `unordered` keyword may be used in a [`classorder`](#classorder) statement. The [classes](#class) in an unordered statement are appended to the existing [`classorder`](#classorder). A class in an ordered statement always supersedes the class redeclaration in an unordered statement. The `unordered` keyword must be the first item in the [`classorder`](#classorder) listing.
207
208**Example:**
209
210This will produce an unordered list of "`file dir foo a bar baz`"
211
212```secil
213	(class file)
214	(class dir)
215	(class foo)
216	(class bar)
217	(class baz)
218	(class a)
219	(classorder (file dir))
220	(classorder (dir foo))
221	(classorder (unordered a))
222	(classorder (unordered bar foo baz))
223```
224
225classpermission
226---------------
227
228Declares a class permission set identifier in the current namespace that can be used by one or more [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s to associate one or more classes and permissions to form a named set.
229
230**Statement definition:**
231
232```secil
233    (classpermission classpermissionset_id)
234```
235
236**Where:**
237
238<table>
239<colgroup>
240<col width="25%" />
241<col width="75%" />
242</colgroup>
243<tbody>
244<tr class="odd">
245<td align="left"><p><code>classpermission</code></p></td>
246<td align="left"><p>The <code>classpermission</code> keyword.</p></td>
247</tr>
248<tr class="even">
249<td align="left"><p><code>classpermissionset_id</code></p></td>
250<td align="left"><p>The <code>classpermissionset</code> identifier.</p></td>
251</tr>
252</tbody>
253</table>
254
255**Example:**
256
257See the [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset) statement for examples.
258
259classpermissionset
260------------------
261
262Defines a class permission set identifier in the current namespace that associates a class and one or more permissions to form a named set. Nested expressions may be used to determine the required permissions as shown in the examples. Anonymous [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s may be used in av rules and constraints.
263
264**Statement definition:**
265
266```secil
267    (classpermissionset classpermissionset_id (class_id (permission_id | expr ...)))
268```
269
270**Where:**
271
272<table>
273<colgroup>
274<col width="27%" />
275<col width="72%" />
276</colgroup>
277<tbody>
278<tr class="odd">
279<td align="left"><p><code>classpermissionset</code></p></td>
280<td align="left"><p>The <code>classpermissionset</code> keyword.</p></td>
281</tr>
282<tr class="even">
283<td align="left"><p><code>classpermissionset_id</code></p></td>
284<td align="left"><p>The <code>classpermissionset</code> identifier.</p></td>
285</tr>
286<tr class="odd">
287<td align="left"><p><code>class_id</code></p></td>
288<td align="left"><p>A single previously declared <code>class</code> identifier.</p></td>
289</tr>
290<tr class="even">
291<td align="left"><p><code>permission_id</code></p></td>
292<td align="left"><p>Zero or more permissions required by the class.</p>
293<p>Note that there must be at least one <code>permission</code> identifier or <code>expr</code> declared).</p></td>
294</tr>
295<tr class="odd">
296<td align="left"><p><code>expr</code></p></td>
297<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
298<p><code>    (and (permission_id ...) (permission_id ...))</code></p>
299<p><code>    (or  (permission_id ...) (permission_id ...))</code></p>
300<p><code>    (xor (permission_id ...) (permission_id ...))</code></p>
301<p><code>    (not (permission_id ...))</code></p>
302<p><code>    (all)</code></p></td>
303</tr>
304</tbody>
305</table>
306
307**Examples:**
308
309These class permission set statements will resolve to the permission sets shown in the kernel policy language [`allow`](cil_access_vector_rules.md#allow) rules:
310
311```secil
312    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
313
314    (type test_1)
315    (type test_2)
316    (type test_3)
317    (type test_4)
318    (type test_5)
319
320    ; NOT
321    (classpermission zygote_1)
322    (classpermissionset zygote_1 (zygote
323        (not
324            (specifyinvokewith specifyseinfo)
325        )
326    ))
327    (allow unconfined.process test_1 zygote_1)
328    ;; allow unconfined.process test_1 : zygote { specifyids specifyrlimits specifycapabilities } ;
329
330    ; AND - ALL - NOT - Equiv to test_1
331    (classpermission zygote_2)
332    (classpermissionset zygote_2 (zygote
333        (and
334            (all)
335            (not (specifyinvokewith specifyseinfo))
336        )
337    ))
338    (allow unconfined.process test_2 zygote_2)
339    ;; allow unconfined.process test_2 : zygote { specifyids specifyrlimits specifycapabilities  } ;
340
341    ; OR
342    (classpermission zygote_3)
343    (classpermissionset zygote_3 (zygote ((or (specifyinvokewith) (specifyseinfo)))))
344    (allow unconfined.process test_3 zygote_3)
345    ;; allow unconfined.process test_3 : zygote { specifyinvokewith specifyseinfo } ;
346
347    ; XOR - This will not produce an allow rule as the XOR will remove all the permissions:
348    (classpermission zygote_4)
349    (classpermissionset zygote_4 (zygote (xor (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo) (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))))
350
351    ; ALL
352    (classpermission zygote_all_perms)
353    (classpermissionset zygote_all_perms (zygote (all)))
354    (allow unconfined.process test_5 zygote_all_perms)
355    ;; allow unconfined.process test_5 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ;
356```
357
358classmap
359--------
360
361Declares a class map identifier in the current namespace and one or more class mapping identifiers. This will allow:
362
3631.  Multiple [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s to be linked to a pair of [`classmap`](cil_class_and_permission_statements.md#classmap) / [`classmapping`](cil_class_and_permission_statements.md#classmapping) identifiers.
364
3652.  Multiple [`class`](cil_class_and_permission_statements.md#class)s to be associated to statements and rules that support a list of classes:
366
367    typetransition
368    typechange
369    typemember
370    rangetransition
371    roletransition
372    defaultuser
373    defaultrole
374    defaulttype
375    defaultrange
376    validatetrans
377    mlsvalidatetrans
378
379**Statement definition:**
380
381```secil
382    (classmap classmap_id (classmapping_id ...))
383```
384
385**Where:**
386
387<table>
388<colgroup>
389<col width="25%" />
390<col width="75%" />
391</colgroup>
392<tbody>
393<tr class="odd">
394<td align="left"><p><code>classmap</code></p></td>
395<td align="left"><p>The <code>classmap</code> keyword.</p></td>
396</tr>
397<tr class="even">
398<td align="left"><p><code>classmap_id</code></p></td>
399<td align="left"><p>The <code>classmap</code> identifier.</p></td>
400</tr>
401<tr class="odd">
402<td align="left"><p><code>classmapping_id</code></p></td>
403<td align="left"><p>One or more <code>classmapping</code> identifiers.</p></td>
404</tr>
405</tbody>
406</table>
407
408**Example:**
409
410See the [`classmapping`](cil_class_and_permission_statements.md#classmapping) statement for examples.
411
412classmapping
413------------
414
415Define sets of [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s (named or anonymous) to form a consolidated [`classmapping`](cil_class_and_permission_statements.md#classmapping) set. Generally there are multiple [`classmapping`](cil_class_and_permission_statements.md#classmapping) statements with the same [`classmap`](cil_class_and_permission_statements.md#classmap) and [`classmapping`](cil_class_and_permission_statements.md#classmapping) identifiers that form a set of different [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)'s. This is useful when multiple class / permissions are required in rules such as the [`allow`](cil_access_vector_rules.md#allow) rules (as shown in the examples).
416
417**Statement definition:**
418
419```secil
420    (classmapping classmap_id classmapping_id classpermissionset_id)
421```
422
423**Where:**
424
425<table>
426<colgroup>
427<col width="27%" />
428<col width="72%" />
429</colgroup>
430<tbody>
431<tr class="odd">
432<td align="left"><p><code>classmapping</code></p></td>
433<td align="left"><p>The <code>classmapping</code> keyword.</p></td>
434</tr>
435<tr class="even">
436<td align="left"><p><code>classmap_id</code></p></td>
437<td align="left"><p>A single previously declared <code>classmap</code> identifier.</p></td>
438</tr>
439<tr class="odd">
440<td align="left"><p><code>classmapping_id</code></p></td>
441<td align="left"><p>The <code>classmapping</code> identifier.</p></td>
442</tr>
443<tr class="even">
444<td align="left"><p><code>classpermissionset_id</code></p></td>
445<td align="left"><p>A single named <code>classpermissionset</code> identifier or a single anonymous <code>classpermissionset</code> using <code>expr</code>'s as required (see the <code>classpermissionset</code> statement).</p></td>
446</tr>
447</tbody>
448</table>
449
450**Examples:**
451
452These class mapping statements will resolve to the permission sets shown in the kernel policy language [`allow`](cil_access_vector_rules.md#allow) rules:
453
454```secil
455    (class binder (impersonate call set_context_mgr transfer receive))
456    (class property_service (set))
457    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
458
459    (classpermission cps_zygote)
460    (classpermissionset cps_zygote (zygote (not (specifyids))))
461
462    (classmap android_classes (set_1 set_2 set_3))
463
464    (classmapping android_classes set_1 (binder (all)))
465    (classmapping android_classes set_1 (property_service (set)))
466    (classmapping android_classes set_1 (zygote (not (specifycapabilities))))
467
468    (classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer)))
469    (classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith)))
470
471    (classmapping android_classes set_3 cps_zygote)
472    (classmapping android_classes set_3 (binder (impersonate call set_context_mgr)))
473
474    (block map_example
475        (type type_1)
476        (type type_2)
477        (type type_3)
478
479        (allow type_1 self (android_classes (set_1)))
480        (allow type_2 self (android_classes (set_2)))
481        (allow type_3 self (android_classes (set_3)))
482    )
483
484    ; The above will resolve to the following AV rules:
485    ;; allow map_example.type_1 map_example.type_1 : binder { impersonate call set_context_mgr transfer receive } ;
486    ;; allow map_example.type_1 map_example.type_1 : property_service set ;
487    ;; allow map_example.type_1 map_example.type_1 : zygote { specifyids specifyrlimits specifyinvokewith specifyseinfo } ;
488
489    ;; allow map_example.type_2 map_example.type_2 : binder { impersonate call set_context_mgr transfer } ;
490    ;; allow map_example.type_2 map_example.type_2 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith } ;
491
492    ;; allow map_example.type_3 map_example.type_3 : binder { impersonate call set_context_mgr } ;
493    ;; allow map_example.type_3 map_example.type_3 : zygote { specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ;
494```
495
496permissionx
497-----------
498
499Defines a named extended permission, which can be used in the [`allowx`](cil_access_vector_rules.md#allowx), [`auditallowx`](cil_access_vector_rules.md#auditallowx), [`dontauditx`](cil_access_vector_rules.md#dontauditx), and  [`neverallowx`](cil_access_vector_rules.md#neverallowx) statements.
500
501**Statement definition:**
502
503```secil
504    (permissionx permissionx_id (kind class_id (permission ... | expr ...)))
505```
506
507**Where:**
508
509<table>
510<colgroup>
511<col width="27%" />
512<col width="72%" />
513</colgroup>
514<tbody>
515<tr class="odd">
516<td align="left"><p><code>permissionx</code></p></td>
517<td align="left"><p>The <code>permissionx</code> keyword.</p></td>
518</tr>
519<tr class="even">
520<td align="left"><p><code>kind</code></p></td>
521<td align="left"><p>A keyword specifying how to interpret the extended permission values. Must be one of:</p>
522<table>
523<thead>
524<tr class="header">
525<th align="left"><p><strong>kind</strong></p></th>
526<th align="left"><p><strong>description</strong></p></th>
527</tr>
528</thead>
529<tbody>
530<tr class="odd">
531<td align="left"><p>ioctl</p></td>
532<td align="left"><p>Permissions define a whitelist of ioctl values. Permission values must range from <code>0x0000</code> to <code>0xFFFF</code>, inclusive.</p></td>
533</tr>
534</tbody>
535</table></td>
536</tr>
537<tr class="odd">
538<td align="left"><p><code>class_id</code></p></td>
539<td align="left"><p>A single previously declared <code>class</code> identifier.</p></td>
540</tr>
541<tr class="even">
542<td align="left"><p><code>permission</code></p></td>
543<td align="left"><p>One or more numeric values, specified in decimal, or hexadecimal if prefixed with 0x, or octal if prefixed with 0. Values are interpreted based on the value of <code>kind</code>.</p></td>
544</tr>
545<tr class="odd">
546<td align="left"><p><code>expr</code></p></td>
547<td align="left"><p>An expression, with valid operators and syntax:</p>
548<p><code>    (range (permission ...) (permission ...))</code></p>
549<p><code>    (and (permission ...) (permission ...))</code></p>
550<p><code>    (or  (permission ...) (permission ...))</code></p>
551<p><code>    (xor (permission ...) (permission ...))</code></p>
552<p><code>    (not (permission ...))</code></p>
553<p><code>    (all)</code></p></td>
554</tr>
555</tbody>
556</table>
557
558**Examples:**
559
560```secil
561    (permissionx ioctl_1 (ioctl tcp_socket (0x2000 0x3000 0x4000)))
562    (permissionx ioctl_2 (ioctl tcp_socket (range 0x6000 0x60FF)))
563    (permissionx ioctl_3 (ioctl tcp_socket (and (range 0x8000 0x90FF) (not (range 0x8100 0x82FF)))))
564```
565