1# 2# Define common prefixes for access vectors 3# 4# common common_name { permission_name ... } 5 6 7# 8# Define a common prefix for file access vectors. 9# 10 11common file 12{ 13 ioctl 14 read 15 write 16 create 17 getattr 18 setattr 19 lock 20 relabelfrom 21 relabelto 22 append 23 map 24 unlink 25 link 26 rename 27 execute 28 quotaon 29 mounton 30 audit_access 31 open 32 execmod 33 watch 34 watch_mount 35 watch_sb 36 watch_with_perm 37 watch_reads 38} 39 40 41# 42# Define a common prefix for socket access vectors. 43# 44 45common socket 46{ 47# inherited from file 48 ioctl 49 read 50 write 51 create 52 getattr 53 setattr 54 lock 55 relabelfrom 56 relabelto 57 append 58 map 59# socket-specific 60 bind 61 connect 62 listen 63 accept 64 getopt 65 setopt 66 shutdown 67 recvfrom 68 sendto 69 name_bind 70} 71 72# 73# Define a common prefix for ipc access vectors. 74# 75 76common ipc 77{ 78 create 79 destroy 80 getattr 81 setattr 82 read 83 write 84 associate 85 unix_read 86 unix_write 87} 88 89# 90# Define a common for capability access vectors. 91# 92common cap 93{ 94 # The capabilities are defined in include/linux/capability.h 95 # Capabilities >= 32 are defined in the cap2 common. 96 # Care should be taken to ensure that these are consistent with 97 # those definitions. (Order matters) 98 99 chown 100 dac_override 101 dac_read_search 102 fowner 103 fsetid 104 kill 105 setgid 106 setuid 107 setpcap 108 linux_immutable 109 net_bind_service 110 net_broadcast 111 net_admin 112 net_raw 113 ipc_lock 114 ipc_owner 115 sys_module 116 sys_rawio 117 sys_chroot 118 sys_ptrace 119 sys_pacct 120 sys_admin 121 sys_boot 122 sys_nice 123 sys_resource 124 sys_time 125 sys_tty_config 126 mknod 127 lease 128 audit_write 129 audit_control 130 setfcap 131} 132 133common cap2 134{ 135 mac_override # unused by SELinux 136 mac_admin 137 syslog 138 wake_alarm 139 block_suspend 140 audit_read 141 perfmon 142} 143 144# 145# Define the access vectors. 146# 147# class class_name [ inherits common_name ] { permission_name ... } 148 149 150# 151# Define the access vector interpretation for file-related objects. 152# 153 154class filesystem 155{ 156 mount 157 remount 158 unmount 159 getattr 160 relabelfrom 161 relabelto 162 associate 163 quotamod 164 quotaget 165 watch 166} 167 168class dir 169inherits file 170{ 171 add_name 172 remove_name 173 reparent 174 search 175 rmdir 176} 177 178class file 179inherits file 180{ 181 execute_no_trans 182 entrypoint 183} 184 185class anon_inode 186inherits file 187 188class lnk_file 189inherits file 190 191class chr_file 192inherits file 193{ 194 execute_no_trans 195 entrypoint 196} 197 198class blk_file 199inherits file 200 201class sock_file 202inherits file 203 204class fifo_file 205inherits file 206 207class fd 208{ 209 use 210} 211 212 213# 214# Define the access vector interpretation for network-related objects. 215# 216 217class socket 218inherits socket 219 220class tcp_socket 221inherits socket 222{ 223 node_bind 224 name_connect 225} 226 227class udp_socket 228inherits socket 229{ 230 node_bind 231} 232 233class rawip_socket 234inherits socket 235{ 236 node_bind 237} 238 239class node 240{ 241 recvfrom 242 sendto 243} 244 245class netif 246{ 247 ingress 248 egress 249} 250 251class netlink_socket 252inherits socket 253 254class packet_socket 255inherits socket 256 257class key_socket 258inherits socket 259 260class unix_stream_socket 261inherits socket 262{ 263 connectto 264} 265 266class unix_dgram_socket 267inherits socket 268 269# 270# Define the access vector interpretation for process-related objects 271# 272 273class process 274{ 275 fork 276 transition 277 sigchld # commonly granted from child to parent 278 sigkill # cannot be caught or ignored 279 sigstop # cannot be caught or ignored 280 signull # for kill(pid, 0) 281 signal # all other signals 282 ptrace 283 getsched 284 setsched 285 getsession 286 getpgid 287 setpgid 288 getcap 289 setcap 290 share 291 getattr 292 setexec 293 setfscreate 294 noatsecure 295 siginh 296 setrlimit 297 rlimitinh 298 dyntransition 299 setcurrent 300 execmem 301 execstack 302 execheap 303 setkeycreate 304 setsockcreate 305 getrlimit 306} 307 308class process2 309{ 310 nnp_transition 311 nosuid_transition 312} 313 314# 315# Define the access vector interpretation for ipc-related objects 316# 317 318class ipc 319inherits ipc 320 321class sem 322inherits ipc 323 324class msgq 325inherits ipc 326{ 327 enqueue 328} 329 330class msg 331{ 332 send 333 receive 334} 335 336class shm 337inherits ipc 338{ 339 lock 340} 341 342 343# 344# Define the access vector interpretation for the security server. 345# 346 347class security 348{ 349 compute_av 350 compute_create 351 compute_member 352 check_context 353 load_policy 354 compute_relabel 355 compute_user 356 setenforce # was avc_toggle in system class 357 setbool 358 setsecparam 359 setcheckreqprot 360 read_policy 361 validate_trans 362} 363 364 365# 366# Define the access vector interpretation for system operations. 367# 368 369class system 370{ 371 ipc_info 372 syslog_read 373 syslog_mod 374 syslog_console 375 module_request 376 module_load 377} 378 379# 380# Define the access vector interpretation for controlling capabilities 381# 382 383class capability 384inherits cap 385 386class capability2 387inherits cap2 388 389# 390# Extended Netlink classes 391# 392class netlink_route_socket 393inherits socket 394{ 395 nlmsg_read 396 nlmsg_write 397 nlmsg_readpriv 398 nlmsg_getneigh 399} 400 401class netlink_tcpdiag_socket 402inherits socket 403{ 404 nlmsg_read 405 nlmsg_write 406} 407 408class netlink_nflog_socket 409inherits socket 410 411class netlink_xfrm_socket 412inherits socket 413{ 414 nlmsg_read 415 nlmsg_write 416} 417 418class netlink_selinux_socket 419inherits socket 420 421class netlink_audit_socket 422inherits socket 423{ 424 nlmsg_read 425 nlmsg_write 426 nlmsg_relay 427 nlmsg_readpriv 428 nlmsg_tty_audit 429} 430 431class netlink_dnrt_socket 432inherits socket 433 434# Define the access vector interpretation for controlling 435# access to IPSec network data by association 436# 437class association 438{ 439 sendto 440 recvfrom 441 setcontext 442 polmatch 443} 444 445# Updated Netlink class for KOBJECT_UEVENT family. 446class netlink_kobject_uevent_socket 447inherits socket 448 449class appletalk_socket 450inherits socket 451 452class packet 453{ 454 send 455 recv 456 relabelto 457 forward_in 458 forward_out 459} 460 461class key 462{ 463 view 464 read 465 write 466 search 467 link 468 setattr 469 create 470} 471 472class dccp_socket 473inherits socket 474{ 475 node_bind 476 name_connect 477} 478 479class memprotect 480{ 481 mmap_zero 482} 483 484# network peer labels 485class peer 486{ 487 recv 488} 489 490class kernel_service 491{ 492 use_as_override 493 create_files_as 494} 495 496class tun_socket 497inherits socket 498{ 499 attach_queue 500} 501 502class binder 503{ 504 impersonate 505 call 506 set_context_mgr 507 transfer 508} 509 510class netlink_iscsi_socket 511inherits socket 512 513class netlink_fib_lookup_socket 514inherits socket 515 516class netlink_connector_socket 517inherits socket 518 519class netlink_netfilter_socket 520inherits socket 521 522class netlink_generic_socket 523inherits socket 524 525class netlink_scsitransport_socket 526inherits socket 527 528class netlink_rdma_socket 529inherits socket 530 531class netlink_crypto_socket 532inherits socket 533 534class infiniband_pkey 535{ 536 access 537} 538 539class infiniband_endport 540{ 541 manage_subnet 542} 543 544# 545# Define the access vector interpretation for controlling capabilities 546# in user namespaces 547# 548 549class cap_userns 550inherits cap 551 552class cap2_userns 553inherits cap2 554 555 556# 557# Define the access vector interpretation for the new socket classes 558# enabled by the extended_socket_class policy capability. 559# 560 561# 562# The next two classes were previously mapped to rawip_socket and therefore 563# have the same definition as rawip_socket (until further permissions 564# are defined). 565# 566class sctp_socket 567inherits socket 568{ 569 node_bind 570 name_connect 571 association 572} 573 574class icmp_socket 575inherits socket 576{ 577 node_bind 578} 579 580# 581# The remaining network socket classes were previously 582# mapped to the socket class and therefore have the 583# same definition as socket. 584# 585 586class ax25_socket 587inherits socket 588 589class ipx_socket 590inherits socket 591 592class netrom_socket 593inherits socket 594 595class atmpvc_socket 596inherits socket 597 598class x25_socket 599inherits socket 600 601class rose_socket 602inherits socket 603 604class decnet_socket 605inherits socket 606 607class atmsvc_socket 608inherits socket 609 610class rds_socket 611inherits socket 612 613class irda_socket 614inherits socket 615 616class pppox_socket 617inherits socket 618 619class llc_socket 620inherits socket 621 622class can_socket 623inherits socket 624 625class tipc_socket 626inherits socket 627 628class bluetooth_socket 629inherits socket 630 631class iucv_socket 632inherits socket 633 634class rxrpc_socket 635inherits socket 636 637class isdn_socket 638inherits socket 639 640class phonet_socket 641inherits socket 642 643class ieee802154_socket 644inherits socket 645 646class caif_socket 647inherits socket 648 649class alg_socket 650inherits socket 651 652class nfc_socket 653inherits socket 654 655class vsock_socket 656inherits socket 657 658class kcm_socket 659inherits socket 660 661class qipcrtr_socket 662inherits socket 663 664class smc_socket 665inherits socket 666 667class bpf 668{ 669 map_create 670 map_read 671 map_write 672 prog_load 673 prog_run 674} 675 676class property_service 677{ 678 set 679} 680 681class service_manager 682{ 683 add 684 find 685 list 686} 687 688class hwservice_manager 689{ 690 add 691 find 692 list 693} 694 695class keystore_key 696{ 697 get_state 698 get 699 insert 700 delete 701 exist 702 list 703 reset 704 password 705 lock 706 unlock 707 is_empty 708 sign 709 verify 710 grant 711 duplicate 712 clear_uid 713 add_auth 714 user_changed 715 gen_unique_id 716} 717 718class keystore2 719{ 720 add_auth 721 change_password 722 change_user 723 clear_ns 724 clear_uid 725 delete_all_keys 726 early_boot_ended 727 get_attestation_key 728 get_auth_token 729 get_state 730 list 731 lock 732 pull_metrics 733 report_off_body 734 reset 735 unlock 736} 737 738class keystore2_key 739{ 740 convert_storage_key_to_ephemeral 741 delete 742 gen_unique_id 743 get_info 744 grant 745 manage_blob 746 rebind 747 req_forced_op 748 update 749 use 750 use_dev_id 751} 752 753class diced 754{ 755 demote 756 demote_self 757 derive 758 get_attestation_chain 759 use_seal 760 use_sign 761} 762 763class drmservice { 764 consumeRights 765 setPlaybackStatus 766 openDecryptSession 767 closeDecryptSession 768 initializeDecryptUnit 769 decrypt 770 finalizeDecryptUnit 771 pread 772} 773 774class xdp_socket 775inherits socket 776 777class perf_event 778{ 779 open 780 cpu 781 kernel 782 tracepoint 783 read 784 write 785} 786 787class lockdown 788{ 789 integrity 790 confidentiality 791} 792