Access Vector Rules
===================

allow
-----

Specifies the access allowed between a source and target type. Note that access may be further restricted by constraint rules based on the source, target and class ([`validatetrans`](cil_constraint_statements.md#validatetrans) or [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans)) or on the source, target, class and permissions ([`constrain`](cil_constraint_statements.md#constrain) or [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain) statements).

**Rule definition:**

```secil
    (allow source_id target_id|self classpermissionset_id ...)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>allow</code></p></td>
<td align="left"><p>The <code>allow</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>source_id</code></p></td>
<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>target_id</code></p></td>
<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show a selection of possible permutations of [`allow`](cil_access_vector_rules.md#allow) rules:

```secil
    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

    (classpermission cps_zygote)
    (classpermissionset cps_zygote (zygote (not (specifyids))))

    (classmap android_classes (set_1 set_2 set_3))

    (classmapping android_classes set_1 (binder (all)))
    (classmapping android_classes set_1 (property_service (set)))
    (classmapping android_classes set_1 (zygote (not (specifycapabilities))))

    (classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer)))
    (classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith)))

    (classmapping android_classes set_3 cps_zygote)
    (classmapping android_classes set_3 (binder (impersonate call set_context_mgr)))

    (block av_rules
        (type type_1)
        (type type_2)
        (type type_3)
        (type type_4)
        (type type_5)

        (typeattribute all_types)
        (typeattributeset all_types (all))

        ; These examples use named and anonymous classpermissionsets and
        ; classmap/classmapping statements
        (allow type_1 self (property_service (set)))          ; anonymous
        (allow type_2 self (zygote (specifyids)))              ; anonymous
        (allow type_3 self cps_zygote)                         ; named
        (allow type_4 self (android_classes (set_3)))          ; classmap/classmapping
        (allow all_types all_types (android_classes (set_2)))  ; classmap/classmapping

        ;; This rule would cause the build to fail unless --disable-neverallow is given
        ; (neverallow type_5 all_types (property_service (set)))
        (allow type_5 type_5 (property_service (set)))
        (allow type_1 all_types (property_service (set)))
    )
```

auditallow
----------

Audit the specified access rights if there is a valid allow rule. Note: it does NOT allow access; it only audits the event.

**Rule definition:**

```secil
    (auditallow source_id target_id|self classpermissionset_id ...)
```

**Where:**

<table>
<colgroup>
<col width="29%" />
<col width="70%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>auditallow</code></p></td>
<td align="left"><p>The <code>auditallow</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>source_id</code></p></td>
<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>target_id</code></p></td>
<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will log an audit event whenever the corresponding [`allow`](cil_access_vector_rules.md#allow) rule grants access to the specified permissions:

```secil
    (allow release_app.process secmark_demo.browser_packet (packet (send recv append bind)))

    (auditallow release_app.process secmark_demo.browser_packet (packet (send recv)))
```

dontaudit
---------

Do not audit the specified access rights when access is denied. This stops excessive log entries for known events.

Note that these rules can be omitted with the CIL compiler command line flag `-D` or `--disable-dontaudit`.

**Rule definition:**

```secil
    (dontaudit source_id target_id|self classpermissionset_id ...)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>dontaudit</code></p></td>
<td align="left"><p>The <code>dontaudit</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>source_id</code></p></td>
<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>target_id</code></p></td>
<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will not audit the denied access:

```secil
    (dontaudit zygote.process self (capability (fsetid)))
```

neverallow
----------

Never allow the specified access rights. This is a compiler-enforced check that stops compilation until the offending rules are modified.

Note that these rules can be overridden with the CIL compiler command line flag `-N` or `--disable-neverallow`.

**Rule definition:**

```secil
    (neverallow source_id target_id|self classpermissionset_id ...)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>neverallow</code></p></td>
<td align="left"><p>The <code>neverallow</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>source_id</code></p></td>
<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>target_id</code></p></td>
<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will not compile as `type_3` is not allowed to be a source type for the [`allow`](cil_access_vector_rules.md#allow) rule:

```secil
    (class property_service (set))

    (block av_rules
        (type type_1)
        (type type_2)
        (type type_3)
        (typeattribute all_types)
        (typeattributeset all_types ((all)))

        (neverallow type_3 all_types (property_service (set)))
        ; This rule will fail compilation:
        (allow type_3 self (property_service (set)))
    )
```

allowx
------

Specifies the access allowed between a source and target type using extended permissions. Unlike the [`allow`](cil_access_vector_rules.md#allow) statement, the statements [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans), [`constrain`](cil_constraint_statements.md#constrain), and [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain) do not limit accesses granted by [`allowx`](cil_access_vector_rules.md#allowx).

Note that for this to work there must *also* be valid equivalent [`allow`](cil_access_vector_rules.md#allow) rules present.

**Rule definition:**

```secil
    (allowx source_id target_id|self permissionx_id)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>allowx</code></p></td>
<td align="left"><p>The <code>allowx</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>source_id</code></p></td>
<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code>, or <code>typeattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>target_id</code></p></td>
<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code>, or <code>typeattribute</code> identifier.</p>
<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>permissionx_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>permissionx</code>.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show a selection of possible permutations of [`allowx`](cil_access_vector_rules.md#allowx) rules:

```secil
    (allow type_1 type_2 (tcp_socket (ioctl)))  ;; pre-requisite
    (allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))

    (permissionx ioctl_nodebug (ioctl udp_socket (not (range 0x4000 0x4010))))
    (allow type_3 type_4 (udp_socket (ioctl)))  ;; pre-requisite
    (allowx type_3 type_4 ioctl_nodebug)
```

auditallowx
-----------

Audit the specified access rights if there is a valid [`allowx`](cil_access_vector_rules.md#allowx) rule. It does NOT allow access; it only audits the event.

Note that for this to work there must *also* be valid equivalent [`auditallow`](cil_access_vector_rules.md#auditallow) rules present.

**Rule definition:**

```secil
    (auditallowx source_id target_id|self permissionx_id)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>auditallowx</code></p></td>
<td align="left"><p>The <code>auditallowx</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>source_id</code></p></td>
<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>target_id</code></p></td>
<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>permissionx_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>permissionx</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will log an audit event whenever the corresponding [`allowx`](cil_access_vector_rules.md#allowx) rule grants access to the specified extended permissions:

```secil
    (allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))

    (auditallow type_1 type_2 (tcp_socket (ioctl)))  ;; pre-requisite
    (auditallowx type_1 type_2 (ioctl tcp_socket (range 0x2005 0x2010)))
```

dontauditx
----------

Do not audit the specified access rights when access is denied. This stops excessive log entries for known events.

Note that for this to work there must *also* be at least one [`allowx`](cil_access_vector_rules.md#allowx) rule associated with the target type.

Note that these rules can be omitted with the CIL compiler command line flag `-D` or `--disable-dontaudit`.

**Rule definition:**

```secil
    (dontauditx source_id target_id|self permissionx_id)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>dontauditx</code></p></td>
<td align="left"><p>The <code>dontauditx</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>source_id</code></p></td>
<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>target_id</code></p></td>
<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>permissionx_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>permissionx</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will not audit the denied access:

```secil
    (allowx type_1 type_2 (ioctl tcp_socket (0x1)))  ;; pre-requisite, just some irrelevant random ioctl
    (dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF)))
```

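The following Python model is added here as an illustration of how the four base rules described earlier on this page (allow, auditallow, dontaudit and neverallow) combine; it is not part of the CIL documentation and does not reproduce secilc or the kernel's access vector cache. The names `parse`, `Policy` and `SAMPLE` are this example's own, the sample policy is constructed from the page's examples, and the model only understands `type`, `typeattributeset` and rules with anonymous `(class (perms))` sets (classmap/classmapping, named classpermissionsets and constraints are left out). It shows three things the prose states separately: access is granted only by `allow`, `auditallow` and `dontaudit` only change what is logged, and a `neverallow` that intersects an `allow` is a compile-time violation rather than a runtime denial.

```python
"""Toy model of the four base access-vector rules (allow, auditallow, dontaudit,
neverallow): a constructed illustration, not secilc or the kernel AVC.  It parses
only what the examples use: type, typeattribute(set) and rules whose permissions
are anonymous (class (perms)) sets; classmap/classmapping, named classpermissionsets
and constraints are left out."""
import re

KINDS = ("allow", "auditallow", "dontaudit", "neverallow")


def parse(text):
    """Minimal s-expression reader: ';' comments stripped, nesting kept as lists."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok)
    return stack[0]


class Policy:
    def __init__(self, text):
        self.types, self.attrs = set(), {}
        self.rules = {k: [] for k in KINDS}
        for kw, *args in parse(text):
            if kw == "type":
                self.types.add(args[0])
            elif kw == "typeattributeset":  # flatten (all), ((all)) or a plain list of names
                self.attrs[args[0]] = re.findall(r"\w+", str(args[1]))
            elif kw in self.rules:
                self.rules[kw].append(args)  # [source, target|self, [class, [perm ...]]]
        # secilc stops compilation here when this list is not empty
        self.violations = self.neverallow_violations()

    def members(self, ident):
        """Concrete types a type or attribute identifier stands for."""
        names = self.attrs.get(ident)
        return {ident} if names is None else set(self.types) if "all" in names else set(names)

    def hits(self, kind, src, tgt, cls, perm):
        """Rules of `kind` whose source, target, class and permission cover the request."""
        return [(rsrc, rtgt, spec) for rsrc, rtgt, spec in self.rules[kind]
                if src in self.members(rsrc)
                and tgt in ({src} if rtgt == "self" else self.members(rtgt))
                and spec[0] == cls and perm in spec[1]]

    def neverallow_violations(self):
        """Every (source, target, class, perm) that an allow grants but a neverallow forbids."""
        return [(s, t, cls, p)
                for nsrc, ntgt, (cls, perms) in self.rules["neverallow"]
                for s in sorted(self.members(nsrc))
                for t in sorted({s} if ntgt == "self" else self.members(ntgt))
                for p in perms if self.hits("allow", s, t, cls, p)]

    def check(self, src, tgt, cls, perm):
        """(granted, audited): only an allow grants; a grant is logged only when an
        auditallow covers it, a denial unless a dontaudit covers it."""
        if self.hits("allow", src, tgt, cls, perm):
            return True, bool(self.hits("auditallow", src, tgt, cls, perm))
        return False, not self.hits("dontaudit", src, tgt, cls, perm)


# Constructed sample policy based on the page's own examples.
SAMPLE = """
(class property_service (set)) (class capability (fsetid))
(type type_1) (type type_2) (type type_3)
(typeattribute all_types) (typeattributeset all_types (all))
(allow type_1 self (property_service (set)))
(auditallow type_1 self (property_service (set)))   ; log every grant of 'set'
(allow type_2 all_types (property_service (set)))
(dontaudit type_2 self (capability (fsetid)))       ; silence this known denial
(neverallow type_3 all_types (property_service (set)))
"""

if __name__ == "__main__":
    p = Policy(SAMPLE)
    print("violations:", p.violations)
    for req in (("type_1", "type_1", "property_service", "set"),
                ("type_2", "type_3", "property_service", "set"),
                ("type_2", "type_2", "capability", "fsetid"),
                ("type_3", "type_1", "property_service", "set")):
        print(req, "-> granted=%s audited=%s" % p.check(*req))
    # the page's failing neverallow example: the offending allow shows up as a violation
    print(Policy(SAMPLE + "(allow type_3 self (property_service (set)))").violations)
```

The `violations` list plays the role of the compile error: a real build with secilc stops on the first violation unless `-N`/`--disable-neverallow` is given, and the rule is checked against every concrete type an attribute such as `all_types` expands to, which is why a single `(allow type_3 self ...)` is enough to trip `(neverallow type_3 all_types ...)`.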
neverallowx
-----------

Never allow the specified access rights for extended permissions. This is a compiler-enforced check that stops compilation until the offending rules are modified.

Note that these rules can be overridden with the CIL compiler command line flag `-N` or `--disable-neverallow`.

**Rule definition:**

```secil
    (neverallowx source_id target_id|self permissionx_id)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>neverallowx</code></p></td>
<td align="left"><p>The <code>neverallowx</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>source_id</code></p></td>
<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>target_id</code></p></td>
<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>permissionx_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>permissionx</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will not compile as `type_3` is not allowed to be a source type for an [`allowx`](cil_access_vector_rules.md#allowx) rule whose ioctl falls in the forbidden range:

```secil
    (class property_service (ioctl))
    (block av_rules
        (type type_1)
        (type type_2)
        (type type_3)
        (typeattribute all_types)
        (typeattributeset all_types ((all)))
        (neverallowx type_3 all_types (ioctl property_service (range 0x2000 0x20FF)))
        ; This rule will fail compilation:
        (allowx type_3 self (ioctl property_service (0x20A0)))
    )
```
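As a companion illustration for the extended-permission rules (allowx, auditallowx, dontauditx and neverallowx), the following Python model is added here; it is not part of the CIL documentation and does not reproduce secilc or the kernel. The names `XPolicy`, `x_covers`, `literals` and `SAMPLE` are this example's own, the sample rules are constructed from the page's examples, and two simplifications are assumed: rules are Python tuples rather than parsed CIL text, with only concrete types (no attributes, `self` or named `permissionx`), and once `allowx` rules exist for a source/target/class triple they decide every ioctl number for that triple, whereas the kernel scopes this by the ioctl driver byte. The expression forms `("range", lo, hi)`, `("not", expr)` and a plain tuple of numbers mirror the page's `(range ...)`, `(not ...)` and `(0x...)`. It shows the prerequisite the page states (a base `allow` on `ioctl` is needed before any `allowx` matters), how `auditallowx` and `dontauditx` narrow what is logged, and how a `neverallowx` overlap is detected at compile time by probing only the boundary values of the ranges involved.

```python
"""Toy model of the extended-permission rules (allowx, auditallowx, dontauditx,
neverallowx): a constructed illustration, not secilc or the kernel AVC.  Rules are
tuples (kind, source, target, class, spec): for the base kinds allow, auditallow
and dontaudit, spec is a set of permissions; for the x kinds it is an ioctl
expression ("range", lo, hi), ("not", expr) or a tuple of ioctl numbers, mirroring
(range ...), (not ...) and (0x...) on the page.  Concrete types only."""

XKINDS = ("allowx", "auditallowx", "dontauditx", "neverallowx")


def x_covers(expr, n):
    """Does an ioctl expression cover ioctl number n?"""
    if expr[0] == "range":
        return expr[1] <= n <= expr[2]
    if expr[0] == "not":
        return not x_covers(expr[1], n)
    return n in expr  # explicit tuple of ioctl numbers


def literals(expr):
    """Every ioctl number mentioned anywhere in an expression."""
    return [v for v in expr if isinstance(v, int)] + \
           [v for e in expr if isinstance(e, tuple) for v in literals(e)]


class XPolicy:
    def __init__(self, rules):
        self.rules = rules
        self.violations = self.neverallowx_violations()  # secilc stops here if non-empty

    def base(self, kind, src, tgt, cls):
        """Does a base rule of `kind` cover the ordinary 'ioctl' permission for the triple?"""
        return any(r[0] == kind and r[1:4] == (src, tgt, cls) and "ioctl" in r[4]
                   for r in self.rules)

    def xhit(self, kind, src, tgt, cls, n=None):
        """x rules of `kind` for the triple; n=None matches any ioctl number."""
        return [r for r in self.rules
                if r[0] == kind and r[1:4] == (src, tgt, cls) and (n is None or x_covers(r[4], n))]

    def check(self, src, tgt, cls, n):
        """(granted, audited) for ioctl number n.  The base allow on 'ioctl' is the
        prerequisite; if allowx rules exist for the triple they decide the number
        (simplified: the kernel scopes this by ioctl driver byte, not by triple)."""
        if not self.base("allow", src, tgt, cls):
            return False, not self.base("dontaudit", src, tgt, cls)
        if not self.xhit("allowx", src, tgt, cls):  # no x rules: the plain allow decides
            return True, self.base("auditallow", src, tgt, cls)
        if self.xhit("allowx", src, tgt, cls, n):
            logged = self.base("auditallow", src, tgt, cls) and bool(self.xhit("auditallowx", src, tgt, cls, n))
            return True, logged
        silenced = self.base("dontaudit", src, tgt, cls) or bool(self.xhit("dontauditx", src, tgt, cls, n))
        return False, not silenced

    def neverallowx_violations(self):
        """ioctl numbers an allowx grants although a neverallowx on the same triple forbids them.
        Only boundaries matter, so probe every literal in the policy and its two neighbours."""
        lits = {v for r in self.rules if r[0] in XKINDS for v in literals(r[4])}
        probe = sorted({0, 0xFFFF} | {v + d for v in lits for d in (-1, 0, 1)})
        return [(src, tgt, cls, hex(n))
                for kind, src, tgt, cls, expr in self.rules if kind == "neverallowx"
                for n in probe if x_covers(expr, n) and self.xhit("allowx", src, tgt, cls, n)]


# Constructed sample built from the page's allowx, auditallowx and dontauditx examples.
SAMPLE = [
    ("allow", "type_1", "type_2", "tcp_socket", {"ioctl"}),        # pre-requisite
    ("allowx", "type_1", "type_2", "tcp_socket", ("range", 0x2000, 0x20FF)),
    ("auditallow", "type_1", "type_2", "tcp_socket", {"ioctl"}),   # pre-requisite
    ("auditallowx", "type_1", "type_2", "tcp_socket", ("range", 0x2005, 0x2010)),
    ("dontauditx", "type_1", "type_2", "tcp_socket", ("range", 0x3000, 0x30FF)),
    ("allow", "type_3", "type_4", "udp_socket", {"ioctl"}),        # pre-requisite
    ("allowx", "type_3", "type_4", "udp_socket", ("not", ("range", 0x4000, 0x4010))),  # ioctl_nodebug
]

if __name__ == "__main__":
    p = XPolicy(SAMPLE)
    for req in (("type_1", "type_2", "tcp_socket", 0x2008), ("type_1", "type_2", "tcp_socket", 0x3010),
                ("type_3", "type_4", "udp_socket", 0x4005), ("type_3", "type_4", "udp_socket", 0x4100)):
        print(req, "-> granted=%s audited=%s" % p.check(*req))
    # a neverallowx whose range an allowx overlaps is reported instead of compiling
    clash = XPolicy(SAMPLE + [("neverallowx", "type_3", "type_4", "udp_socket", ("range", 0x4100, 0x41FF))])
    print("violations:", clash.violations)
```

The probe set is what makes the `neverallowx` check exact without scanning all 65536 ioctl numbers: the intersection of two sets built from ranges and their complements is itself a union of ranges whose endpoints sit on, or one step beside, a literal that appears in the policy, so testing those points cannot miss an overlap.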