• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#
2# Define common prefixes for access vectors
3#
4# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
11common file
12{
13	ioctl
14	read
15	write
16	create
17	getattr
18	setattr
19	lock
20	relabelfrom
21	relabelto
22	append
23	map
24	unlink
25	link
26	rename
27	execute
28	quotaon
29	mounton
30	audit_access
31	open
32	execmod
33	watch
34	watch_mount
35	watch_sb
36	watch_with_perm
37	watch_reads
38}
39
40
41#
42# Define a common prefix for socket access vectors.
43#
44
45common socket
46{
47# inherited from file
48	ioctl
49	read
50	write
51	create
52	getattr
53	setattr
54	lock
55	relabelfrom
56	relabelto
57	append
58	map
59# socket-specific
60	bind
61	connect
62	listen
63	accept
64	getopt
65	setopt
66	shutdown
67	recvfrom
68	sendto
69	name_bind
70}
71
72#
73# Define a common prefix for ipc access vectors.
74#
75
76common ipc
77{
78	create
79	destroy
80	getattr
81	setattr
82	read
83	write
84	associate
85	unix_read
86	unix_write
87}
88
89#
90# Define a common for capability access vectors.
91#
92common cap
93{
94	# The capabilities are defined in include/linux/capability.h
95	# Capabilities >= 32 are defined in the cap2 common.
96	# Care should be taken to ensure that these are consistent with
97	# those definitions. (Order matters)
98
99	chown
100	dac_override
101	dac_read_search
102	fowner
103	fsetid
104	kill
105	setgid
106	setuid
107	setpcap
108	linux_immutable
109	net_bind_service
110	net_broadcast
111	net_admin
112	net_raw
113	ipc_lock
114	ipc_owner
115	sys_module
116	sys_rawio
117	sys_chroot
118	sys_ptrace
119	sys_pacct
120	sys_admin
121	sys_boot
122	sys_nice
123	sys_resource
124	sys_time
125	sys_tty_config
126	mknod
127	lease
128	audit_write
129	audit_control
130	setfcap
131}
132
133common cap2
134{
135	mac_override	# unused by SELinux
136	mac_admin
137	syslog
138	wake_alarm
139	block_suspend
140	audit_read
141	perfmon
142}
143
144#
145# Define the access vectors.
146#
147# class class_name [ inherits common_name ] { permission_name ... }
148
149
150#
151# Define the access vector interpretation for file-related objects.
152#
153
154class filesystem
155{
156	mount
157	remount
158	unmount
159	getattr
160	relabelfrom
161	relabelto
162	associate
163	quotamod
164	quotaget
165	watch
166}
167
168class dir
169inherits file
170{
171	add_name
172	remove_name
173	reparent
174	search
175	rmdir
176}
177
178class file
179inherits file
180{
181	execute_no_trans
182	entrypoint
183}
184
185class anon_inode
186inherits file
187
188class lnk_file
189inherits file
190
191class chr_file
192inherits file
193{
194	execute_no_trans
195	entrypoint
196}
197
198class blk_file
199inherits file
200
201class sock_file
202inherits file
203
204class fifo_file
205inherits file
206
207class fd
208{
209	use
210}
211
212
213#
214# Define the access vector interpretation for network-related objects.
215#
216
217class socket
218inherits socket
219
220class tcp_socket
221inherits socket
222{
223	node_bind
224	name_connect
225}
226
227class udp_socket
228inherits socket
229{
230	node_bind
231}
232
233class rawip_socket
234inherits socket
235{
236	node_bind
237}
238
239class node
240{
241	recvfrom
242	sendto
243}
244
245class netif
246{
247	ingress
248	egress
249}
250
251class netlink_socket
252inherits socket
253
254class packet_socket
255inherits socket
256
257class key_socket
258inherits socket
259
260class unix_stream_socket
261inherits socket
262{
263	connectto
264}
265
266class unix_dgram_socket
267inherits socket
268
269#
270# Define the access vector interpretation for process-related objects
271#
272
273class process
274{
275	fork
276	transition
277	sigchld # commonly granted from child to parent
278	sigkill # cannot be caught or ignored
279	sigstop # cannot be caught or ignored
280	signull # for kill(pid, 0)
281	signal  # all other signals
282	ptrace
283	getsched
284	setsched
285	getsession
286	getpgid
287	setpgid
288	getcap
289	setcap
290	share
291	getattr
292	setexec
293	setfscreate
294	noatsecure
295	siginh
296	setrlimit
297	rlimitinh
298	dyntransition
299	setcurrent
300	execmem
301	execstack
302	execheap
303	setkeycreate
304	setsockcreate
305	getrlimit
306}
307
308class process2
309{
310	nnp_transition
311	nosuid_transition
312}
313
314#
315# Define the access vector interpretation for ipc-related objects
316#
317
318class ipc
319inherits ipc
320
321class sem
322inherits ipc
323
324class msgq
325inherits ipc
326{
327	enqueue
328}
329
330class msg
331{
332	send
333	receive
334}
335
336class shm
337inherits ipc
338{
339	lock
340}
341
342
343#
344# Define the access vector interpretation for the security server.
345#
346
347class security
348{
349	compute_av
350	compute_create
351	compute_member
352	check_context
353	load_policy
354	compute_relabel
355	compute_user
356	setenforce     # was avc_toggle in system class
357	setbool
358	setsecparam
359	setcheckreqprot
360	read_policy
361	validate_trans
362}
363
364
365#
366# Define the access vector interpretation for system operations.
367#
368
369class system
370{
371	ipc_info
372	syslog_read
373	syslog_mod
374	syslog_console
375	module_request
376	module_load
377}
378
379#
380# Define the access vector interpretation for controlling capabilities
381#
382
383class capability
384inherits cap
385
386class capability2
387inherits cap2
388
389#
390# Extended Netlink classes
391#
392class netlink_route_socket
393inherits socket
394{
395	nlmsg_read
396	nlmsg_write
397	nlmsg_readpriv
398	nlmsg_getneigh
399}
400
401class netlink_tcpdiag_socket
402inherits socket
403{
404	nlmsg_read
405	nlmsg_write
406}
407
408class netlink_nflog_socket
409inherits socket
410
411class netlink_xfrm_socket
412inherits socket
413{
414	nlmsg_read
415	nlmsg_write
416}
417
418class netlink_selinux_socket
419inherits socket
420
421class netlink_audit_socket
422inherits socket
423{
424	nlmsg_read
425	nlmsg_write
426	nlmsg_relay
427	nlmsg_readpriv
428	nlmsg_tty_audit
429}
430
431class netlink_dnrt_socket
432inherits socket
433
434# Define the access vector interpretation for controlling
435# access to IPSec network data by association
436#
437class association
438{
439	sendto
440	recvfrom
441	setcontext
442	polmatch
443}
444
445# Updated Netlink class for KOBJECT_UEVENT family.
446class netlink_kobject_uevent_socket
447inherits socket
448
449class appletalk_socket
450inherits socket
451
452class packet
453{
454	send
455	recv
456	relabelto
457	forward_in
458	forward_out
459}
460
461class key
462{
463	view
464	read
465	write
466	search
467	link
468	setattr
469	create
470}
471
472class dccp_socket
473inherits socket
474{
475	node_bind
476	name_connect
477}
478
479class memprotect
480{
481	mmap_zero
482}
483
484# network peer labels
485class peer
486{
487	recv
488}
489
490class kernel_service
491{
492	use_as_override
493	create_files_as
494}
495
496class tun_socket
497inherits socket
498{
499	attach_queue
500}
501
502class binder
503{
504	impersonate
505	call
506	set_context_mgr
507	transfer
508}
509
510class netlink_iscsi_socket
511inherits socket
512
513class netlink_fib_lookup_socket
514inherits socket
515
516class netlink_connector_socket
517inherits socket
518
519class netlink_netfilter_socket
520inherits socket
521
522class netlink_generic_socket
523inherits socket
524
525class netlink_scsitransport_socket
526inherits socket
527
528class netlink_rdma_socket
529inherits socket
530
531class netlink_crypto_socket
532inherits socket
533
534class infiniband_pkey
535{
536	access
537}
538
539class infiniband_endport
540{
541	manage_subnet
542}
543
544#
545# Define the access vector interpretation for controlling capabilities
546# in user namespaces
547#
548
549class cap_userns
550inherits cap
551
552class cap2_userns
553inherits cap2
554
555
556#
557# Define the access vector interpretation for the new socket classes
558# enabled by the extended_socket_class policy capability.
559#
560
561#
562# The next two classes were previously mapped to rawip_socket and therefore
563# have the same definition as rawip_socket (until further permissions
564# are defined).
565#
566class sctp_socket
567inherits socket
568{
569	node_bind
570	name_connect
571	association
572}
573
574class icmp_socket
575inherits socket
576{
577	node_bind
578}
579
580#
581# The remaining network socket classes were previously
582# mapped to the socket class and therefore have the
583# same definition as socket.
584#
585
586class ax25_socket
587inherits socket
588
589class ipx_socket
590inherits socket
591
592class netrom_socket
593inherits socket
594
595class atmpvc_socket
596inherits socket
597
598class x25_socket
599inherits socket
600
601class rose_socket
602inherits socket
603
604class decnet_socket
605inherits socket
606
607class atmsvc_socket
608inherits socket
609
610class rds_socket
611inherits socket
612
613class irda_socket
614inherits socket
615
616class pppox_socket
617inherits socket
618
619class llc_socket
620inherits socket
621
622class can_socket
623inherits socket
624
625class tipc_socket
626inherits socket
627
628class bluetooth_socket
629inherits socket
630
631class iucv_socket
632inherits socket
633
634class rxrpc_socket
635inherits socket
636
637class isdn_socket
638inherits socket
639
640class phonet_socket
641inherits socket
642
643class ieee802154_socket
644inherits socket
645
646class caif_socket
647inherits socket
648
649class alg_socket
650inherits socket
651
652class nfc_socket
653inherits socket
654
655class vsock_socket
656inherits socket
657
658class kcm_socket
659inherits socket
660
661class qipcrtr_socket
662inherits socket
663
664class smc_socket
665inherits socket
666
667class bpf
668{
669	map_create
670	map_read
671	map_write
672	prog_load
673	prog_run
674}
675
676class property_service
677{
678	set
679}
680
681class service_manager
682{
683	add
684	find
685	list
686}
687
688class hwservice_manager
689{
690	add
691	find
692	list
693}
694
695class keystore_key
696{
697	get_state
698	get
699	insert
700	delete
701	exist
702	list
703	reset
704	password
705	lock
706	unlock
707	is_empty
708	sign
709	verify
710	grant
711	duplicate
712	clear_uid
713	add_auth
714	user_changed
715	gen_unique_id
716}
717
718class keystore2
719{
720	add_auth
721	change_password
722	change_user
723	clear_ns
724	clear_uid
725	delete_all_keys
726	early_boot_ended
727	get_attestation_key
728	get_auth_token
729	get_state
730	list
731	lock
732	pull_metrics
733	report_off_body
734	reset
735	unlock
736}
737
738class keystore2_key
739{
740	convert_storage_key_to_ephemeral
741	delete
742	gen_unique_id
743	get_info
744	grant
745	manage_blob
746	rebind
747	req_forced_op
748	update
749	use
750	use_dev_id
751}
752
753class diced
754{
755	demote
756	demote_self
757	derive
758	get_attestation_chain
759	use_seal
760	use_sign
761}
762
763class drmservice {
764	consumeRights
765	setPlaybackStatus
766	openDecryptSession
767	closeDecryptSession
768	initializeDecryptUnit
769	decrypt
770	finalizeDecryptUnit
771	pread
772}
773
774class xdp_socket
775inherits socket
776
777class perf_event
778{
779	open
780	cpu
781	kernel
782	tracepoint
783	read
784	write
785}
786
787class lockdown
788{
789	integrity
790	confidentiality
791}
792