#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# A common block is a reusable permission set.  A class that "inherits"
# a common (see the class syntax further down) gets every permission of
# that common plus whatever it lists in its own braces.
#
# NOTE(review): avoid reordering entries in this file.  The cap common
# below documents that its order matters; other blocks may be consumed
# the same way, so confirm before moving anything.
#

#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	unlink
	link
	rename
	execute
	quotaon
	mounton
	audit_access
	open
	execmod
	watch
	watch_mount
	watch_sb
	watch_with_perm
	watch_reads
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
	# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common prefix for capability access vectors.
#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

common cap2
{
	mac_override	# unused by SELinux
	mac_admin
	syslog
	wake_alarm
	block_suspend
	audit_read
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# A class with no brace block carries only the permissions of the
# common it inherits.
#


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
	watch
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

class file
inherits file
{
	execute_no_trans
	entrypoint
}

class lnk_file
inherits file

class chr_file
inherits file
{
	execute_no_trans
	entrypoint
}

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

class node
{
	recvfrom
	sendto
}

class netif
{
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#

class process
{
	fork
	transition
	sigchld		# commonly granted from child to parent
	sigkill		# cannot be caught or ignored
	sigstop		# cannot be caught or ignored
	signull		# for kill(pid, 0)
	signal		# all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit
}

class process2
{
	nnp_transition
	nosuid_transition
}

#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce	# was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
	validate_trans
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
inherits cap

class capability2
inherits cap2

#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_readpriv
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_dnrt_socket
inherits socket

#
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

class packet
{
	send
	recv
	relabelto
	forward_in
	forward_out
}

class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

class memprotect
{
	mmap_zero
}

# network peer labels
class peer
{
	recv
}

class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket
{
	attach_queue
}

class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket

class infiniband_pkey
{
	access
}

class infiniband_endport
{
	manage_subnet
}

#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#

class cap_userns
inherits cap

class cap2_userns
inherits cap2


#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#

#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
class sctp_socket
inherits socket
{
	node_bind
	name_connect
	association
}

class icmp_socket
inherits socket
{
	node_bind
}

#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#

class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

class smc_socket
inherits socket

class bpf
{
	map_create
	map_read
	map_write
	prog_load
	prog_run
}

#
# Userspace object managers (property, service and keystore daemons)
# declare their own classes below; the permission names are whatever
# those managers check against, so they are kept verbatim.
#

class property_service
{
	set
}

class service_manager
{
	add
	find
	list
}

class hwservice_manager
{
	add
	find
	list
}

class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
	gen_unique_id
}

# Permission names in this class are camelCase, unlike the rest of the
# file; they are referenced by exact name elsewhere and must not be
# renamed here.
class drmservice
{
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}

class xdp_socket
inherits socket

class perf_event
{
	open
	cpu
	kernel
	tracepoint
	read
	write
}

class lockdown
{
	integrity
	confidentiality
}