Class and Permission Statements
===============================

common
------

Declares a common identifier in the current namespace with a set of common permissions that can be used by one or more [`class`](cil_class_and_permission_statements.md#class) identifiers. The [`classcommon`](cil_class_and_permission_statements.md#classcommon) statement is used to associate a [`common`](cil_class_and_permission_statements.md#common) identifier to a specific [`class`](cil_class_and_permission_statements.md#class) identifier.

**Statement definition:**

```secil
    (common common_id (permission_id ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>common</code></p></td>
<td align="left"><p>The <code>common</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>common_id</code></p></td>
<td align="left"><p>The <code>common</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>permission_id</code></p></td>
<td align="left"><p>One or more permissions.</p></td>
</tr>
</tbody>
</table>

**Example:**

This common statement will associate the [`common`](cil_class_and_permission_statements.md#common) identifier '`file`' with the list of permissions:

```secil
    (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))
```

classcommon
-----------

Associates a [`class`](cil_class_and_permission_statements.md#class) identifier to one or more permissions declared by a [`common`](cil_class_and_permission_statements.md#common) identifier.

**Statement definition:**

```secil
    (classcommon class_id common_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>classcommon</code></p></td>
<td align="left"><p>The <code>classcommon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>common_id</code></p></td>
<td align="left"><p>A single previously declared <code>common</code> identifier that defines the common permissions for that class.</p></td>
</tr>
</tbody>
</table>

**Example:**

This associates the `dir` class with the list of permissions declared by the `file` common identifier:

```secil
    (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))

    (classcommon dir file)
```

class
-----

Declares a class and zero or more permissions in the current namespace.

**Statement definition:**

```secil
    (class class_id (permission_id ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>class</code></p></td>
<td align="left"><p>The <code>class</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>The <code>class</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>permission_id</code></p></td>
<td align="left"><p>Zero or more permissions declared for the class. Note that if there are zero permissions, an empty list is still required, as shown in the example.</p></td>
</tr>
</tbody>
</table>

**Examples:**

This example defines a set of permissions for the `binder` class identifier:

```secil
    (class binder (impersonate call set_context_mgr transfer receive))
```

This example defines a common set of permissions to be used by the `sem` class; the `(class sem ())` statement does not define any other permissions (i.e. an empty list):

```secil
    (common ipc (create destroy getattr setattr read write associate unix_read unix_write))

    (classcommon sem ipc)
    (class sem ())
```

and will produce the following set of permissions for the `sem` class identifier:

```secil
    (class sem (create destroy getattr setattr read write associate unix_read unix_write))
```

This example, with the following combination of the [`common`](cil_class_and_permission_statements.md#common), [`classcommon`](cil_class_and_permission_statements.md#classcommon) and [`class`](cil_class_and_permission_statements.md#class) statements:

```secil
    (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))

    (classcommon dir file)
    (class dir (add_name remove_name reparent search rmdir open audit_access execmod))
```

will produce a set of permissions for the `dir` class identifier of:

```secil
    (class dir (add_name remove_name reparent search rmdir open audit_access execmod ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))
```

classorder
----------

Defines the order of [classes](#class). This is a mandatory statement. Multiple [`classorder`](cil_class_and_permission_statements.md#classorder) statements declared in the policy will form an ordered list.
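How ordered and `unordered` statements combine into one class order, as an added Python model (not code from the CIL documentation or from secilc); it reproduces the two `classorder` examples in this section but is a simplification, not a claim about how secilc merges the lists internally:

```python
"""Model of how CIL combines classorder statements into one class order.
Added example, not code from the CIL documentation or secilc: ordered
statements are joined through the classes they share, then 'unordered'
statements are appended without moving any class an ordered one placed."""


def merge_classorder(statements):
    """statements: list of class-name lists in policy order; a leading
    'unordered' marks an unordered statement. Returns the final class order."""
    ordered = [s for s in statements if s[:1] != ["unordered"]]
    unordered = [s[1:] for s in statements if s[:1] == ["unordered"]]

    # Each ordered statement contributes "a comes before b" edges for each
    # adjacent pair, and registers its classes in first-seen order.
    seen, edges = [], []
    for stmt in ordered:
        for name in stmt:
            if name not in seen:
                seen.append(name)
        edges += list(zip(stmt, stmt[1:]))

    # Stable topological sort: a class is emitted once everything that must
    # precede it is out, earliest-declared first on ties. A cycle (two
    # statements that contradict each other) leaves nothing ready.
    order = []
    while len(order) < len(seen):
        ready = [c for c in seen if c not in order
                 and all(a in order for a, b in edges if b == c)]
        if not ready:
            raise ValueError("contradictory classorder statements")
        order.append(ready[0])

    # Unordered classes follow, in statement order; a class that an ordered
    # statement already placed keeps that position.
    for stmt in unordered:
        for name in stmt:
            if name not in order:
                order.append(name)
    return order


if __name__ == "__main__":
    # The page's unordered example: expected "file dir foo a bar baz".
    print(merge_classorder([["file", "dir"], ["dir", "foo"], ["unordered", "a"],
                            ["unordered", "bar", "foo", "baz"]]))
```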
**Statement definition:**

```secil
    (classorder (class_id ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>classorder</code></p></td>
<td align="left"><p>The <code>classorder</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>One or more <code>class</code> identifiers.</p></td>
</tr>
</tbody>
</table>

**Example:**

This will produce an ordered list of "`file dir process`":

```secil
    (class process)
    (class file)
    (class dir)
    (classorder (file dir))
    (classorder (dir process))
```

**Unordered Classorder Statement:**

If users do not have knowledge of the existing [`classorder`](#classorder), the `unordered` keyword may be used in a [`classorder`](#classorder) statement. The [classes](#class) in an unordered statement are appended to the existing [`classorder`](#classorder). A class in an ordered statement always supersedes the redeclaration of that class in an unordered statement. The `unordered` keyword must be the first item in the [`classorder`](#classorder) listing.

**Example:**

This will produce the class order "`file dir foo a bar baz`":

```secil
    (class file)
    (class dir)
    (class foo)
    (class bar)
    (class baz)
    (class a)
    (classorder (file dir))
    (classorder (dir foo))
    (classorder (unordered a))
    (classorder (unordered bar foo baz))
```

classpermission
---------------

Declares a class permission set identifier in the current namespace that can be used by one or more [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s to associate one or more classes and permissions to form a named set.

**Statement definition:**

```secil
    (classpermission classpermissionset_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>classpermission</code></p></td>
<td align="left"><p>The <code>classpermission</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>The <code>classpermissionset</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset) statement for examples.

classpermissionset
------------------

Defines a class permission set identifier in the current namespace that associates a class and one or more permissions to form a named set. Nested expressions may be used to determine the required permissions, as shown in the examples. Anonymous [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s may be used in av rules and constraints.

**Statement definition:**

```secil
    (classpermissionset classpermissionset_id (class_id (permission_id | expr ...)))
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>classpermissionset</code></p></td>
<td align="left"><p>The <code>classpermissionset</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>The <code>classpermissionset</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>permission_id</code></p></td>
<td align="left"><p>Zero or more permissions required by the class.</p>
<p>Note that there must be at least one <code>permission</code> identifier or <code>expr</code> declared.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>s; the valid operators and syntax are:</p>
<p><code> (and (permission_id ...) (permission_id ...))</code></p>
<p><code> (or (permission_id ...) (permission_id ...))</code></p>
<p><code> (xor (permission_id ...) (permission_id ...))</code></p>
<p><code> (not (permission_id ...))</code></p>
<p><code> (all)</code></p></td>
</tr>
</tbody>
</table>

**Examples:**

These class permission set statements will resolve to the permission sets shown in the kernel policy language [`allow`](cil_access_vector_rules.md#allow) rules:

```secil
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

    (type test_1)
    (type test_2)
    (type test_3)
    (type test_4)
    (type test_5)

    ; NOT
    (classpermission zygote_1)
    (classpermissionset zygote_1 (zygote
        (not
            (specifyinvokewith specifyseinfo)
        )
    ))
    (allow unconfined.process test_1 zygote_1)
    ;; allow unconfined.process test_1 : zygote { specifyids specifyrlimits specifycapabilities } ;

    ; AND - ALL - NOT - Equiv to test_1
    (classpermission zygote_2)
    (classpermissionset zygote_2 (zygote
        (and
            (all)
            (not (specifyinvokewith specifyseinfo))
        )
    ))
    (allow unconfined.process test_2 zygote_2)
    ;; allow unconfined.process test_2 : zygote { specifyids specifyrlimits specifycapabilities } ;

    ; OR
    (classpermission zygote_3)
    (classpermissionset zygote_3 (zygote ((or (specifyinvokewith) (specifyseinfo)))))
    (allow unconfined.process test_3 zygote_3)
    ;; allow unconfined.process test_3 : zygote { specifyinvokewith specifyseinfo } ;

    ; XOR - This will not produce an allow rule as the XOR will remove all the permissions:
    (classpermission zygote_4)
    (classpermissionset zygote_4 (zygote (xor (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo) (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))))

    ; ALL
    (classpermission zygote_all_perms)
    (classpermissionset zygote_all_perms (zygote (all)))
    (allow unconfined.process test_5 zygote_all_perms)
    ;; allow unconfined.process test_5 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ;
```

classmap
--------

Declares a class map identifier in the current namespace and one or more class mapping identifiers. This will allow:

1. Multiple [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s to be linked to a pair of [`classmap`](cil_class_and_permission_statements.md#classmap) / [`classmapping`](cil_class_and_permission_statements.md#classmapping) identifiers.

2. Multiple [`class`](cil_class_and_permission_statements.md#class)es to be associated to statements and rules that support a list of classes:

        typetransition
        typechange
        typemember
        rangetransition
        roletransition
        defaultuser
        defaultrole
        defaulttype
        defaultrange
        validatetrans
        mlsvalidatetrans

**Statement definition:**

```secil
    (classmap classmap_id (classmapping_id ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>classmap</code></p></td>
<td align="left"><p>The <code>classmap</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classmap_id</code></p></td>
<td align="left"><p>The <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>classmapping_id</code></p></td>
<td align="left"><p>One or more <code>classmapping</code> identifiers.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`classmapping`](cil_class_and_permission_statements.md#classmapping) statement for examples.

classmapping
------------

Defines sets of [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s (named or anonymous) to form a consolidated [`classmapping`](cil_class_and_permission_statements.md#classmapping) set. Generally there are multiple [`classmapping`](cil_class_and_permission_statements.md#classmapping) statements with the same [`classmap`](cil_class_and_permission_statements.md#classmap) and [`classmapping`](cil_class_and_permission_statements.md#classmapping) identifiers that together form a set of different [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s. This is useful when multiple class / permission pairs are required in rules such as the [`allow`](cil_access_vector_rules.md#allow) rules (as shown in the examples).

**Statement definition:**

```secil
    (classmapping classmap_id classmapping_id classpermissionset_id)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>classmapping</code></p></td>
<td align="left"><p>The <code>classmapping</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classmap_id</code></p></td>
<td align="left"><p>A single previously declared <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>classmapping_id</code></p></td>
<td align="left"><p>The <code>classmapping</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named <code>classpermissionset</code> identifier or a single anonymous <code>classpermissionset</code> using <code>expr</code>s as required (see the <code>classpermissionset</code> statement).</p></td>
</tr>
</tbody>
</table>

**Examples:**

These class mapping statements will resolve to the permission sets shown in the kernel policy language [`allow`](cil_access_vector_rules.md#allow) rules:

```secil
    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

    (classpermission cps_zygote)
    (classpermissionset cps_zygote (zygote (not (specifyids))))

    (classmap android_classes (set_1 set_2 set_3))

    (classmapping android_classes set_1 (binder (all)))
    (classmapping android_classes set_1 (property_service (set)))
    (classmapping android_classes set_1 (zygote (not (specifycapabilities))))

    (classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer)))
    (classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith)))

    (classmapping android_classes set_3 cps_zygote)
    (classmapping android_classes set_3 (binder (impersonate call set_context_mgr)))

    (block map_example
        (type type_1)
        (type type_2)
        (type type_3)

        (allow type_1 self (android_classes (set_1)))
        (allow type_2 self (android_classes (set_2)))
        (allow type_3 self (android_classes (set_3)))
    )

    ; The above will resolve to the following AV rules:
    ;; allow map_example.type_1 map_example.type_1 : binder { impersonate call set_context_mgr transfer receive } ;
    ;; allow map_example.type_1 map_example.type_1 : property_service set ;
    ;; allow map_example.type_1 map_example.type_1 : zygote { specifyids specifyrlimits specifyinvokewith specifyseinfo } ;

    ;; allow map_example.type_2 map_example.type_2 : binder { impersonate call set_context_mgr transfer } ;
    ;; allow map_example.type_2 map_example.type_2 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith } ;

    ;; allow map_example.type_3 map_example.type_3 : binder { impersonate call set_context_mgr } ;
    ;; allow map_example.type_3 map_example.type_3 : zygote { specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ;
```

permissionx
-----------

Defines a named extended permission, which can be used in the [`allowx`](cil_access_vector_rules.md#allowx), [`auditallowx`](cil_access_vector_rules.md#auditallowx), [`dontauditx`](cil_access_vector_rules.md#dontauditx), and [`neverallowx`](cil_access_vector_rules.md#neverallowx) statements.

**Statement definition:**

```secil
    (permissionx permissionx_id (kind class_id (permission ... | expr ...)))
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>permissionx</code></p></td>
<td align="left"><p>The <code>permissionx</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>kind</code></p></td>
<td align="left"><p>A keyword specifying how to interpret the extended permission values. Must be one of:</p>
<table>
<thead>
<tr class="header">
<th align="left"><p><strong>kind</strong></p></th>
<th align="left"><p><strong>description</strong></p></th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>ioctl</p></td>
<td align="left"><p>Permissions define a whitelist of ioctl values. Permission values must range from <code>0x0000</code> to <code>0xFFFF</code>, inclusive.</p></td>
</tr>
</tbody>
</table></td>
</tr>
<tr class="odd">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>permission</code></p></td>
<td align="left"><p>One or more numeric values, specified in decimal, or hexadecimal if prefixed with 0x, or octal if prefixed with 0. Values are interpreted based on the value of <code>kind</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>An expression, with valid operators and syntax:</p>
<p><code> (range (permission ...) (permission ...))</code></p>
<p><code> (and (permission ...) (permission ...))</code></p>
<p><code> (or (permission ...) (permission ...))</code></p>
<p><code> (xor (permission ...) (permission ...))</code></p>
<p><code> (not (permission ...))</code></p>
<p><code> (all)</code></p></td>
</tr>
</tbody>
</table>

**Examples:**

```secil
    (permissionx ioctl_1 (ioctl tcp_socket (0x2000 0x3000 0x4000)))
    (permissionx ioctl_2 (ioctl tcp_socket (range 0x6000 0x60FF)))
    (permissionx ioctl_3 (ioctl tcp_socket (and (range 0x8000 0x90FF) (not (range 0x8100 0x82FF)))))
```
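The set arithmetic behind the `classpermissionset` operators (`and`, `or`, `xor`, `not`, `all`) and the `permissionx` `range` operator, as an added Python model rather than code from the CIL documentation or secilc. The class, common and ioctl fragments are copied from this page's examples; the tuple encoding of the s-expressions is this model's own convention, and it reproduces the `;;` allow rules shown above, including the empty `zygote_4` case:

```python
"""Model of how CIL resolves classpermissionset and permissionx expressions.
Added example, not code from the CIL documentation or secilc. Expressions are
nested tuples ("and", a, b), ("or", a, b), ("xor", a, b), ("not", a),
("all",), ("range", lo, hi); a plain Python list is a (perm ...) list."""
# Policy fragments constructed from the page's own examples.
COMMONS = {"file": ["ioctl", "read", "write", "create", "getattr", "setattr",
                    "lock", "relabelfrom", "relabelto", "append", "unlink",
                    "link", "rename", "execute", "swapon", "quotaon", "mounton"]}
CLASSES = {"dir": ["add_name", "remove_name", "reparent", "search", "rmdir",
                   "open", "audit_access", "execmod"],
           "zygote": ["specifyids", "specifyrlimits", "specifycapabilities",
                      "specifyinvokewith", "specifyseinfo"]}
CLASSCOMMON = {"dir": "file"}
IOCTL_UNIVERSE = range(0x0000, 0x10000)    # the permissionx 'ioctl' kind

def class_perms(class_id):
    """Ordered permission list of a class: its own permissions followed by
    those inherited through classcommon (the page's resolved 'dir' class)."""
    return CLASSES[class_id] + COMMONS.get(CLASSCOMMON.get(class_id), [])

def evaluate(expr, universe):
    """Resolve an expression to the subset of `universe` it denotes; pass the
    class's permission list, or IOCTL_UNIVERSE for a permissionx."""
    full = set(universe)
    if isinstance(expr, list):                 # plain (permission ...) list
        return set(expr) & full
    op, *args = expr
    if op == "all":
        return full
    if op == "not":
        return full - evaluate(args[0], universe)
    if op == "range":                          # inclusive; permissionx only
        lo, hi = args
        return set(range(lo, hi + 1)) & full
    left, right = (evaluate(a, universe) for a in args)
    if op == "and":
        return left & right
    if op == "or":
        return left | right
    if op == "xor":
        return left ^ right
    raise ValueError(f"unknown operator {op!r}")

def allow_rule(src, tgt, class_id, expr):
    """Kernel-language allow rule the set resolves to, permissions in class
    declaration order, or None when nothing is left (no rule, as for zygote_4)."""
    universe = class_perms(class_id)
    perms = evaluate(expr, universe)
    if not perms:
        return None
    body = " ".join(p for p in universe if p in perms)
    return f"allow {src} {tgt} : {class_id} {{ {body} }} ;"

if __name__ == "__main__":
    drop = ["specifyinvokewith", "specifyseinfo"]
    print(allow_rule("unconfined.process", "test_2", "zygote",
                     ("and", ("all",), ("not", drop))))
    ioctl_3 = ("and", ("range", 0x8000, 0x90FF), ("not", ("range", 0x8100, 0x82FF)))
    print(len(evaluate(ioctl_3, IOCTL_UNIVERSE)), "ioctl values permitted")
```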