#
# SELinux access vector definitions.
#
# This file declares the object classes a policy can name and the
# permission set each class carries.  A `common` is a reusable permission
# prefix; a `class` declares an object class and may inherit one common
# and/or add its own permissions.  The class and permission names declared
# here are what the allow rules elsewhere in the policy refer to, so
# renaming, removing or (where noted) reordering an entry changes the
# meaning of every rule that uses it.
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	unlink
	link
	rename
	execute
	quotaon
	mounton
	audit_access
	open
	execmod
	watch
	watch_mount
	watch_sb
	watch_with_perm
	watch_reads
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# inherited from file
# (the names below duplicate entries of `common file`; when a shared
#  permission is added to one list, check whether the other needs it too)
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common prefix for capability access vectors.
#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# 32 entries follow, one per capability value 0..31 in numeric
	# order.  Insert or append only at the position matching the
	# kernel's numbering; never sort this list.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

# Capabilities 32 and up, same ordering rule as `common cap`.
# NOTE(review): this list ends at perfmon; kernels that define further
# capabilities after it (e.g. bpf, checkpoint_restore) would need them
# appended here in numeric order — confirm against the target kernel's
# capability.h.
common cap2
{
	mac_override	# unused by SELinux
	mac_admin
	syslog
	wake_alarm
	block_suspend
	audit_read
	perfmon
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# A class that names a common and has no brace block carries exactly the
# common's permissions and nothing class-specific.


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
	watch
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

# execute_no_trans / entrypoint are declared for both file and chr_file
# below; keep the two in step if either set changes.
class file
inherits file
{
	execute_no_trans
	entrypoint
}

class anon_inode
inherits file

class lnk_file
inherits file

class chr_file
inherits file
{
	execute_no_trans
	entrypoint
}

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

class node
{
	recvfrom
	sendto
}

class netif
{
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#

class process
{
	fork
	transition
	sigchld		# commonly granted from child to parent
	sigkill		# cannot be caught or ignored
	sigstop		# cannot be caught or ignored
	signull		# for kill(pid, 0)
	signal		# all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit
}

# Overflow class for process permissions that did not fit in `process`.
class process2
{
	nnp_transition
	nosuid_transition
}

#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce	# was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
	validate_trans
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
inherits cap

class capability2
inherits cap2

#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_readpriv
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_dnrt_socket
inherits socket

#
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

class packet
{
	send
	recv
	relabelto
	forward_in
	forward_out
}

class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

class memprotect
{
	mmap_zero
}

# network peer labels
class peer
{
	recv
}

class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket
{
	attach_queue
}

class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket

class infiniband_pkey
{
	access
}

class infiniband_endport
{
	manage_subnet
}

#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#
# Same permission lists (and therefore the same ordering rule) as
# capability / capability2 above, via the shared commons.

class cap_userns
inherits cap

class cap2_userns
inherits cap2


#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#

#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
# (sctp_socket has since gained name_connect and association on top of
#  rawip_socket's node_bind; icmp_socket still matches rawip_socket.)
#
class sctp_socket
inherits socket
{
	node_bind
	name_connect
	association
}

class icmp_socket
inherits socket
{
	node_bind
}

#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#

class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

class smc_socket
inherits socket

class bpf
{
	map_create
	map_read
	map_write
	prog_load
	prog_run
}

#
# NOTE(review): the classes from here through drmservice look like
# userspace object-manager classes rather than kernel ones (property,
# service manager, keystore, DRM) — confirm against the policy's class
# list before assuming the kernel enforces them.
#

class property_service
{
	set
}

class service_manager
{
	add
	find
	list
}

class hwservice_manager
{
	add
	find
	list
}

# keystore_key coexists with keystore2 / keystore2_key below; which set a
# rule should use depends on the keystore generation in use — confirm.
class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
	gen_unique_id
}

class keystore2
{
	add_auth
	change_password
	change_user
	clear_ns
	clear_uid
	early_boot_ended
	get_auth_token
	get_state
	list
	lock
	pull_metrics
	report_off_body
	reset
	unlock
	delete_all_keys
}

class keystore2_key
{
	convert_storage_key_to_ephemeral
	delete
	gen_unique_id
	get_info
	grant
	manage_blob
	rebind
	req_forced_op
	update
	use
	use_dev_id
}

# Style note: the camelCase permission names here differ from the
# snake_case used everywhere else in this file.  Do not normalise them —
# permission names are part of the policy interface and any rule that
# names them would break.
class drmservice
{
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}

class xdp_socket
inherits socket

class perf_event
{
	open
	cpu
	kernel
	tracepoint
	read
	write
}

class lockdown
{
	integrity
	confidentiality
}