Default Object Statements
=========================

These rules allow a default user, role, type and/or range to be taken from the source or target context when computing the security context of a new object of a given class. `defaultuser`, `defaultrole` and `defaultrange` require policy version 27 and `defaulttype` requires policy version 28; both versions need kernel 3.5 or later. Using `glblub` as the `defaultrange` default requires policy version 32.

defaultuser
-----------

Allows the default user to be taken from the source or target context when computing a new context for an object of the given [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.

**Statement definition:**

    (defaultuser class_id default)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultuser</code></p></td>
<td align="left"><p>The <code>defaultuser</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating new `binder`, `property_service`, `zygote` or `memprotect` objects, the [`user`](cil_user_statements.md#user) component of the new security context will be taken from the `source` context. The `classmap` is expanded to the classes mapped into it, so the single statement covers all four classes:

    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
    (class memprotect (mmap_zero))

    (classmap android_classes (android))
    (classmapping android_classes android (binder (all)))
    (classmapping android_classes android (property_service (set)))
    (classmapping android_classes android (zygote (not (specifycapabilities))))

    (defaultuser (android_classes memprotect) source)

    ; Will produce the following in the binary policy file:
    ;; default_user binder source;
    ;; default_user zygote source;
    ;; default_user property_service source;
    ;; default_user memprotect source;

defaultrole
-----------

Allows the default role to be taken from the source or target context when computing a new context for an object of the given [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.

**Statement definition:**

    (defaultrole class_id default)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultrole</code></p></td>
<td align="left"><p>The <code>defaultrole</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating new `binder`, `property_service` or `zygote` objects, the [`role`](cil_role_statements.md#role) component of the new security context will be taken from the `target` context:

    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

    (defaultrole (binder property_service zygote) target)

    ; Will produce the following in the binary policy file:
    ;; default_role binder target;
    ;; default_role zygote target;
    ;; default_role property_service target;

defaulttype
-----------

Allows the default type to be taken from the source or target context when computing a new context for an object of the given [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 28.

**Statement definition:**

    (defaulttype class_id default)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaulttype</code></p></td>
<td align="left"><p>The <code>defaulttype</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating a new `socket` object, the [`type`](cil_type_statements.md#type) component of the new security context will be taken from the `source` context:

    (defaulttype socket source)

defaultrange
------------

Allows the default level or range to be taken from the source context, from the target context, or computed from both (`glblub`) when computing a new context for an object of the given [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27; using `glblub` as the default requires policy version 32.

**Statement definition:**

    (defaultrange class_id default <range>)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultrange</code></p></td>
<td align="left"><p>The <code>defaultrange</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code>, <code>target</code>, or <code>glblub</code>.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>range</code></p></td>
<td align="left"><p>A keyword of either <code>low</code>, <code>high</code>, or <code>low-high</code>, selecting the low level, the high level, or the whole range of the chosen context. Required when <code>default</code> is <code>source</code> or <code>target</code>; omitted when it is <code>glblub</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating a new `file` object, the whole `range` component (low and high level) of the new security context will be taken from the `target` context:

    (defaultrange file target low-high)

MLS userspace object managers may need the object to be created with the range common to the subject and the containing object. `glblub` computes that common part: the new low level is the least upper bound of the two low levels and the new high level is the greatest lower bound of the two high levels, so no `range` keyword is given. If the two ranges do not overlap there is no valid result and the context computation fails:

    (defaultrange db_table glblub)

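The statements above only select where each field of a new object's context comes from. The following Python model, added here as an example and not part of the CIL reference or the SELinux userspace, parses `default*` statements from a constructed policy fragment and derives the new context for constructed source/target pairs, including the `glblub` range computation and its failure when the two ranges do not overlap. The fallback used for a class with no default statement (user from source, role `object_r`, type from target, range `target low`) is an assumption in this model that mirrors the kernel's handling of non-process object classes; the class, type and user names in the sample contexts are illustrative only.

```python
# Added example (not CIL project code): parse default* statements and derive a new
# object's context.  Fallbacks for classes without a default statement are an
# assumption mirroring the kernel's behaviour for non-process classes.
import re
from collections import namedtuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    sens: int        # sensitivity: 1 for "s1"
    cats: frozenset  # categories: {0, 2} for "c0,c2"

    def dominates(self, other):
        return self.sens >= other.sens and self.cats >= other.cats

def lub(a, b):  # least upper bound: higher sensitivity, union of categories
    return Level(max(a.sens, b.sens), a.cats | b.cats)

def glb(a, b):  # greatest lower bound: lower sensitivity, intersection
    return Level(min(a.sens, b.sens), a.cats & b.cats)

Context = namedtuple("Context", "user role type low high")

def parse_level(text):  # "s1:c0,c2" -> Level(1, {0, 2})
    sens, _, cats = text.partition(":")
    return Level(int(sens[1:]), frozenset(int(c[1:]) for c in cats.split(",") if c))

def parse_context(text):  # "user:role:type:low[-high]"
    user, role, type_, rng = text.split(":", 3)
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    return Context(user, role, type_, lo, parse_level(high) if high else lo)

def format_context(ctx):
    def fmt(lv):
        cats = ",".join(f"c{c}" for c in sorted(lv.cats))
        return f"s{lv.sens}" + (f":{cats}" if cats else "")
    rng = fmt(ctx.low) + ("" if ctx.high == ctx.low else "-" + fmt(ctx.high))
    return f"{ctx.user}:{ctx.role}:{ctx.type}:{rng}"

# One default* statement: keyword, class or (class list), source/target/glblub, optional range
STMT = re.compile(r"\((default(?:user|role|type|range))\s+(\([^()]*\)|[^\s()]+)"
                  r"\s+([^\s()]+)(?:\s+([^\s()]+))?\s*\)")

def parse_defaults(cil_text):
    """{class_id: {field: setting}} from the default* statements in cil_text."""
    table = {}
    for kw, classes, default, part in STMT.findall(re.sub(r";.*", "", cil_text)):
        if kw == "defaultrange":  # glblub takes no range keyword; source/target need one
            valid = (default == "glblub" and not part) or (
                default in ("source", "target") and part in ("low", "high", "low-high"))
            value = (default, part or None)
        else:
            valid = default in ("source", "target") and not part
            value = default
        if not valid:
            raise ValueError(f"malformed {kw} statement for {classes}")
        for cls in classes.strip("()").split():
            table.setdefault(cls, {})[kw[len("default"):]] = value
    return table

def compute_new_context(defaults, cls, source, target):
    """Context of a new `cls` object, or None when glblub yields an empty range."""
    d = defaults.get(cls, {})
    pick = {"source": source, "target": target}
    user = pick[d.get("user", "source")].user
    role = pick[d["role"]].role if "role" in d else "object_r"
    type_ = pick[d.get("type", "target")].type
    which, part = d.get("range", ("target", "low"))
    if which == "glblub":  # low = LUB of both lows, high = GLB of both highs
        low, high = lub(source.low, target.low), glb(source.high, target.high)
        if not high.dominates(low):
            return None  # the two ranges do not overlap: no valid context
    else:
        c = pick[which]
        low, high = {"low": (c.low, c.low), "high": (c.high, c.high),
                     "low-high": (c.low, c.high)}[part]
    return Context(user, role, type_, low, high)

SAMPLE_POLICY = """; constructed fragment modelled on the page's examples
(defaultuser (binder memprotect) source)
(defaultrole (binder property_service) target)
(defaulttype socket source)
(defaultrange file target low-high)
(defaultrange db_table glblub)
"""

def demo():
    defaults = parse_defaults(SAMPLE_POLICY)
    subj = parse_context("sysadm_u:sysadm_r:sysadm_t:s0:c0,c1-s3:c0,c1,c2")
    tbl = parse_context("system_u:object_r:postgresql_db_t:s1:c1-s2:c0,c1,c2,c3")
    disjoint = parse_context("system_u:object_r:postgresql_db_t:s1:c3-s2:c3")
    svc = parse_context("system_u:system_r:servicemanager_t:s0")
    out = {}
    for cls, tgt in [("file", tbl), ("db_table", tbl), ("db_table", disjoint),
                     ("socket", tbl), ("binder", svc)]:
        ctx = compute_new_context(defaults, cls, subj, tgt)
        out.setdefault(cls, []).append(ctx and format_context(ctx))
    return out
```

Calling `demo()` returns, per class, the derived contexts as strings: `file` copies the target's full range, `socket` takes its type from the source but its level from the target's low, `binder` takes its role from the target, and `db_table` gets `s1:c0,c1-s2:c0,c1,c2` (the overlap of `s0:c0,c1-s3:c0,c1,c2` and `s1:c1-s2:c0,c1,c2,c3`) for the first target and `None` for the target whose categories are disjoint from the subject's. `parse_defaults` rejects `glblub` combined with a range keyword, matching the statement definition above.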