1Class and Permission Statements 2=============================== 3 4common 5------ 6 7Declares a common identifier in the current namespace with a set of common permissions that can be used by one or more [`class`](cil_class_and_permission_statements.md#class) identifiers. The [`classcommon`](cil_class_and_permission_statements.md#classcommon) statement is used to associate a [`common`](cil_class_and_permission_statements.md#common) identifier to a specific [`class`](cil_class_and_permission_statements.md#class) identifier. 8 9**Statement definition:** 10 11 (common common_id (permission_id ...)) 12 13**Where:** 14 15<table> 16<colgroup> 17<col width="25%" /> 18<col width="75%" /> 19</colgroup> 20<tbody> 21<tr class="odd"> 22<td align="left"><p><code>common</code></p></td> 23<td align="left"><p>The <code>common</code> keyword.</p></td> 24</tr> 25<tr class="even"> 26<td align="left"><p><code>common_id</code></p></td> 27<td align="left"><p>The <code>common</code> identifier.</p></td> 28</tr> 29<tr class="odd"> 30<td align="left"><p><code>permission_id</code></p></td> 31<td align="left"><p>One or more permissions.</p></td> 32</tr> 33</tbody> 34</table> 35 36**Example:** 37 38This common statement will associate the [`common`](cil_class_and_permission_statements.md#common) identifier '`file`' with the list of permissions: 39 40 (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton)) 41 42classcommon 43----------- 44 45Associate a [`class`](cil_class_and_permission_statements.md#class) identifier to a one or more permissions declared by a [`common`](cil_class_and_permission_statements.md#common) identifier. 46 47**Statement definition:** 48 49 (classcommon class_id common_id) 50 51**Where:** 52 53<table> 54<colgroup> 55<col width="25%" /> 56<col width="75%" /> 57</colgroup> 58<tbody> 59<tr class="odd"> 60<td align="left"><p><code>classcommon</code></p></td> 61<td align="left"><p>The <code>classcommon</code> keyword.</p></td> 62</tr> 63<tr class="even"> 64<td align="left"><p><code>class_id</code></p></td> 65<td align="left"><p>A single previously declared <code>class</code> identifier.</p></td> 66</tr> 67<tr class="odd"> 68<td align="left"><p><code>common_id</code></p></td> 69<td align="left"><p>A single previously declared <code>common</code> identifier that defines the common permissions for that class.</p></td> 70</tr> 71</tbody> 72</table> 73 74**Example:** 75 76This associates the `dir` class with the list of permissions declared by the `file common` identifier: 77 78 (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton)) 79 80 (classcommon dir file) 81 82class 83----- 84 85Declares a class and zero or more permissions in the current namespace. 86 87**Statement definition:** 88 89 (class class_id (permission_id ...)) 90 91**Where:** 92 93<table> 94<colgroup> 95<col width="25%" /> 96<col width="75%" /> 97</colgroup> 98<tbody> 99<tr class="odd"> 100<td align="left"><p><code>class</code></p></td> 101<td align="left"><p>The <code>class</code> keyword.</p></td> 102</tr> 103<tr class="even"> 104<td align="left"><p><code>class_id</code></p></td> 105<td align="left"><p>The <code>class</code> identifier.</p></td> 106</tr> 107<tr class="odd"> 108<td align="left"><p><code>permission_id</code></p></td> 109<td align="left"><p>Zero or more permissions declared for the class. Note that if zero permissions, an empty list is required as shown in the example.</p></td> 110</tr> 111</tbody> 112</table> 113 114**Examples:** 115 116This example defines a set of permissions for the `binder` class identifier: 117 118 (class binder (impersonate call set_context_mgr transfer receive)) 119 120This example defines a common set of permissions to be used by the `sem` class, the `(class sem ())` does not define any other permissions (i.e. an empty list): 121 122 (common ipc (create destroy getattr setattr read write associate unix_read unix_write)) 123 124 (classcommon sem ipc) 125 (class sem ()) 126 127and will produce the following set of permissions for the `sem` class identifier of: 128 129 (class sem (create destroy getattr setattr read write associate unix_read unix_write)) 130 131This example, with the following combination of the [`common`](cil_class_and_permission_statements.md#common), [`classcommon`](cil_class_and_permission_statements.md#classcommon) and [`class`](cil_class_and_permission_statements.md#class) statements: 132 133 (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton)) 134 135 (classcommon dir file) 136 (class dir (add_name remove_name reparent search rmdir open audit_access execmod)) 137 138will produce a set of permissions for the `dir` class identifier of: 139 140 (class dir (add_name remove_name reparent search rmdir open audit_access execmod ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton)) 141 142classorder 143---------- 144 145Defines the order of [class](#class)'s. This is a mandatory statement. Multiple [`classorder`](cil_class_and_permission_statements.md#classorder) statements declared in the policy will form an ordered list. 146 147**Statement definition:** 148 149 (classorder (class_id ...)) 150 151**Where:** 152 153<table> 154<colgroup> 155<col width="25%" /> 156<col width="75%" /> 157</colgroup> 158<tbody> 159<tr class="odd"> 160<td align="left"><p><code>classorder</code></p></td> 161<td align="left"><p>The <code>classorder</code> keyword.</p></td> 162</tr> 163<tr class="even"> 164<td align="left"><p><code>class_id</code></p></td> 165<td align="left"><p>One or more <code>class</code> identifiers.</p></td> 166</tr> 167</tbody> 168</table> 169 170**Example:** 171 172This will produce an ordered list of "`file dir process`" 173 174 (class process) 175 (class file) 176 (class dir) 177 (classorder (file dir)) 178 (classorder (dir process)) 179 180**Unordered Classorder Statement:** 181 182If users do not have knowledge of the existing [`classorder`](#classorder), the `unordered` keyword may be used in a [`classorder`](#classorder) statement. The [classes](#class) in an unordered statement are appended to the existing [`classorder`](#classorder). A class in an ordered statement always supersedes the class redeclaration in an unordered statement. The `unordered` keyword must be the first item in the [`classorder`](#classorder) listing. 183 184**Example:** 185 186This will produce an unordered list of "`file dir foo a bar baz`" 187 188 (class file) 189 (class dir) 190 (class foo) 191 (class bar) 192 (class baz) 193 (class a) 194 (classorder (file dir)) 195 (classorder (dir foo)) 196 (classorder (unordered a)) 197 (classorder (unordered bar foo baz)) 198 199classpermission 200--------------- 201 202Declares a class permission set identifier in the current namespace that can be used by one or more [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s to associate one or more classes and permissions to form a named set. 203 204**Statement definition:** 205 206 (classpermission classpermissionset_id) 207 208**Where:** 209 210<table> 211<colgroup> 212<col width="25%" /> 213<col width="75%" /> 214</colgroup> 215<tbody> 216<tr class="odd"> 217<td align="left"><p><code>classpermission</code></p></td> 218<td align="left"><p>The <code>classpermission</code> keyword.</p></td> 219</tr> 220<tr class="even"> 221<td align="left"><p><code>classpermissionset_id</code></p></td> 222<td align="left"><p>The <code>classpermissionset</code> identifier.</p></td> 223</tr> 224</tbody> 225</table> 226 227**Example:** 228 229See the [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset) statement for examples. 230 231classpermissionset 232------------------ 233 234Defines a class permission set identifier in the current namespace that associates a class and one or more permissions to form a named set. Nested expressions may be used to determine the required permissions as shown in the examples. Anonymous [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s may be used in av rules and constraints. 235 236**Statement definition:** 237 238 (classpermissionset classpermissionset_id (class_id (permission_id | expr ...))) 239 240**Where:** 241 242<table> 243<colgroup> 244<col width="27%" /> 245<col width="72%" /> 246</colgroup> 247<tbody> 248<tr class="odd"> 249<td align="left"><p><code>classpermissionset</code></p></td> 250<td align="left"><p>The <code>classpermissionset</code> keyword.</p></td> 251</tr> 252<tr class="even"> 253<td align="left"><p><code>classpermissionset_id</code></p></td> 254<td align="left"><p>The <code>classpermissionset</code> identifier.</p></td> 255</tr> 256<tr class="odd"> 257<td align="left"><p><code>class_id</code></p></td> 258<td align="left"><p>A single previously declared <code>class</code> identifier.</p></td> 259</tr> 260<tr class="even"> 261<td align="left"><p><code>permission_id</code></p></td> 262<td align="left"><p>Zero or more permissions required by the class.</p> 263<p>Note that there must be at least one <code>permission</code> identifier or <code>expr</code> declared).</p></td> 264</tr> 265<tr class="odd"> 266<td align="left"><p><code>expr</code></p></td> 267<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p> 268<p><code> (and (permission_id ...) (permission_id ...))</code></p> 269<p><code> (or (permission_id ...) (permission_id ...))</code></p> 270<p><code> (xor (permission_id ...) (permission_id ...))</code></p> 271<p><code> (not (permission_id ...))</code></p> 272<p><code> (all)</code></p></td> 273</tr> 274</tbody> 275</table> 276 277**Examples:** 278 279These class permission set statements will resolve to the permission sets shown in the kernel policy language [`allow`](cil_access_vector_rules.md#allow) rules: 280 281 (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo)) 282 283 (type test_1) 284 (type test_2) 285 (type test_3) 286 (type test_4) 287 (type test_5) 288 289 ; NOT 290 (classpermission zygote_1) 291 (classpermissionset zygote_1 (zygote 292 (not 293 (specifyinvokewith specifyseinfo) 294 ) 295 )) 296 (allow unconfined.process test_1 zygote_1) 297 ;; allow unconfined.process test_1 : zygote { specifyids specifyrlimits specifycapabilities } ; 298 299 ; AND - ALL - NOT - Equiv to test_1 300 (classpermission zygote_2) 301 (classpermissionset zygote_2 (zygote 302 (and 303 (all) 304 (not (specifyinvokewith specifyseinfo)) 305 ) 306 )) 307 (allow unconfined.process test_2 zygote_2) 308 ;; allow unconfined.process test_2 : zygote { specifyids specifyrlimits specifycapabilities } ; 309 310 ; OR 311 (classpermission zygote_3) 312 (classpermissionset zygote_3 (zygote ((or (specifyinvokewith) (specifyseinfo))))) 313 (allow unconfined.process test_3 zygote_3) 314 ;; allow unconfined.process test_3 : zygote { specifyinvokewith specifyseinfo } ; 315 316 ; XOR - This will not produce an allow rule as the XOR will remove all the permissions: 317 (classpermission zygote_4) 318 (classpermissionset zygote_4 (zygote (xor (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo) (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo)))) 319 320 ; ALL 321 (classpermission zygote_all_perms) 322 (classpermissionset zygote_all_perms (zygote (all))) 323 (allow unconfined.process test_5 zygote_all_perms) 324 ;; allow unconfined.process test_5 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ; 325 326classmap 327-------- 328 329Declares a class map identifier in the current namespace and one or more class mapping identifiers. This will allow: 330 3311. Multiple [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s to be linked to a pair of [`classmap`](cil_class_and_permission_statements.md#classmap) / [`classmapping`](cil_class_and_permission_statements.md#classmapping) identifiers. 332 3332. Multiple [`class`](cil_class_and_permission_statements.md#class)s to be associated to statements and rules that support a list of classes: 334 335 typetransition 336 typechange 337 typemember 338 rangetransition 339 roletransition 340 defaultuser 341 defaultrole 342 defaulttype 343 defaultrange 344 validatetrans 345 mlsvalidatetrans 346 347**Statement definition:** 348 349 (classmap classmap_id (classmapping_id ...)) 350 351**Where:** 352 353<table> 354<colgroup> 355<col width="25%" /> 356<col width="75%" /> 357</colgroup> 358<tbody> 359<tr class="odd"> 360<td align="left"><p><code>classmap</code></p></td> 361<td align="left"><p>The <code>classmap</code> keyword.</p></td> 362</tr> 363<tr class="even"> 364<td align="left"><p><code>classmap_id</code></p></td> 365<td align="left"><p>The <code>classmap</code> identifier.</p></td> 366</tr> 367<tr class="odd"> 368<td align="left"><p><code>classmapping_id</code></p></td> 369<td align="left"><p>One or more <code>classmapping</code> identifiers.</p></td> 370</tr> 371</tbody> 372</table> 373 374**Example:** 375 376See the [`classmapping`](cil_class_and_permission_statements.md#classmapping) statement for examples. 377 378classmapping 379------------ 380 381Define sets of [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s (named or anonymous) to form a consolidated [`classmapping`](cil_class_and_permission_statements.md#classmapping) set. Generally there are multiple [`classmapping`](cil_class_and_permission_statements.md#classmapping) statements with the same [`classmap`](cil_class_and_permission_statements.md#classmap) and [`classmapping`](cil_class_and_permission_statements.md#classmapping) identifiers that form a set of different [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)'s. This is useful when multiple class / permissions are required in rules such as the [`allow`](cil_access_vector_rules.md#allow) rules (as shown in the examples). 382 383**Statement definition:** 384 385 (classmapping classmap_id classmapping_id classpermissionset_id) 386 387**Where:** 388 389<table> 390<colgroup> 391<col width="27%" /> 392<col width="72%" /> 393</colgroup> 394<tbody> 395<tr class="odd"> 396<td align="left"><p><code>classmapping</code></p></td> 397<td align="left"><p>The <code>classmapping</code> keyword.</p></td> 398</tr> 399<tr class="even"> 400<td align="left"><p><code>classmap_id</code></p></td> 401<td align="left"><p>A single previously declared <code>classmap</code> identifier.</p></td> 402</tr> 403<tr class="odd"> 404<td align="left"><p><code>classmapping_id</code></p></td> 405<td align="left"><p>The <code>classmapping</code> identifier.</p></td> 406</tr> 407<tr class="even"> 408<td align="left"><p><code>classpermissionset_id</code></p></td> 409<td align="left"><p>A single named <code>classpermissionset</code> identifier or a single anonymous <code>classpermissionset</code> using <code>expr</code>'s as required (see the <code>classpermissionset</code> statement).</p></td> 410</tr> 411</tbody> 412</table> 413 414**Examples:** 415 416These class mapping statements will resolve to the permission sets shown in the kernel policy language [`allow`](cil_access_vector_rules.md#allow) rules: 417 418 (class binder (impersonate call set_context_mgr transfer receive)) 419 (class property_service (set)) 420 (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo)) 421 422 (classpermission cps_zygote) 423 (classpermissionset cps_zygote (zygote (not (specifyids)))) 424 425 (classmap android_classes (set_1 set_2 set_3)) 426 427 (classmapping android_classes set_1 (binder (all))) 428 (classmapping android_classes set_1 (property_service (set))) 429 (classmapping android_classes set_1 (zygote (not (specifycapabilities)))) 430 431 (classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer))) 432 (classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith))) 433 434 (classmapping android_classes set_3 cps_zygote) 435 (classmapping android_classes set_3 (binder (impersonate call set_context_mgr))) 436 437 (block map_example 438 (type type_1) 439 (type type_2) 440 (type type_3) 441 442 (allow type_1 self (android_classes (set_1))) 443 (allow type_2 self (android_classes (set_2))) 444 (allow type_3 self (android_classes (set_3))) 445 ) 446 447 ; The above will resolve to the following AV rules: 448 ;; allow map_example.type_1 map_example.type_1 : binder { impersonate call set_context_mgr transfer receive } ; 449 ;; allow map_example.type_1 map_example.type_1 : property_service set ; 450 ;; allow map_example.type_1 map_example.type_1 : zygote { specifyids specifyrlimits specifyinvokewith specifyseinfo } ; 451 452 ;; allow map_example.type_2 map_example.type_2 : binder { impersonate call set_context_mgr transfer } ; 453 ;; allow map_example.type_2 map_example.type_2 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith } ; 454 455 ;; allow map_example.type_3 map_example.type_3 : binder { impersonate call set_context_mgr } ; 456 ;; allow map_example.type_3 map_example.type_3 : zygote { specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ; 457 458permissionx 459----------- 460 461Defines a named extended permission, which can be used in the [`allowx`](cil_access_vector_rules.md#allowx), [`auditallowx`](cil_access_vector_rules.md#auditallowx), [`dontauditx`](cil_access_vector_rules.md#dontauditx), and [`neverallowx`](cil_access_vector_rules.md#neverallowx) statements. 462 463**Statement definition:** 464 465 (permissionx permissionx_id (kind class_id (permission ... | expr ...))) 466 467**Where:** 468 469<table> 470<colgroup> 471<col width="27%" /> 472<col width="72%" /> 473</colgroup> 474<tbody> 475<tr class="odd"> 476<td align="left"><p><code>permissionx</code></p></td> 477<td align="left"><p>The <code>permissionx</code> keyword.</p></td> 478</tr> 479<tr class="even"> 480<td align="left"><p><code>kind</code></p></td> 481<td align="left"><p>A keyword specifying how to interpret the extended permission values. Must be one of:</p> 482<table> 483<thead> 484<tr class="header"> 485<th align="left"><p><strong>kind</strong></p></th> 486<th align="left"><p><strong>description</strong></p></th> 487</tr> 488</thead> 489<tbody> 490<tr class="odd"> 491<td align="left"><p>ioctl</p></td> 492<td align="left"><p>Permissions define a whitelist of ioctl values. Permission values must range from <code>0x0000</code> to <code>0xFFFF</code>, inclusive.</p></td> 493</tr> 494</tbody> 495</table></td> 496</tr> 497<tr class="odd"> 498<td align="left"><p><code>class_id</code></p></td> 499<td align="left"><p>A single previously declared <code>class</code> identifier.</p></td> 500</tr> 501<tr class="even"> 502<td align="left"><p><code>permission</code></p></td> 503<td align="left"><p>One or more numeric values, specified in decimal, or hexadecimal if prefixed with 0x, or octal if prefixed with 0. Values are interpreted based on the value of <code>kind</code>.</p></td> 504</tr> 505<tr class="odd"> 506<td align="left"><p><code>expr</code></p></td> 507<td align="left"><p>An expression, with valid operators and syntax:</p> 508<p><code> (range (permission ...) (permission ...))</code></p> 509<p><code> (and (permission ...) (permission ...))</code></p> 510<p><code> (or (permission ...) (permission ...))</code></p> 511<p><code> (xor (permission ...) (permission ...))</code></p> 512<p><code> (not (permission ...))</code></p> 513<p><code> (all)</code></p></td> 514</tr> 515</tbody> 516</table> 517 518**Examples:** 519 520 (permissionx ioctl_1 (ioctl tcp_socket (0x2000 0x3000 0x4000))) 521 (permissionx ioctl_2 (ioctl tcp_socket (range 0x6000 0x60FF))) 522 (permissionx ioctl_3 (ioctl tcp_socket (and (range 0x8000 0x90FF) (not (range 0x8100 0x82FF))))) 523