• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#####################################
2# domain_trans(olddomain, type, newdomain)
3# Allow a transition from olddomain to newdomain
4# upon executing a file labeled with type.
5# This only allows the transition; it does not
6# cause it to occur automatically - use domain_auto_trans
7# if that is what you want.
8#
9define(`domain_trans', `
10# Old domain may exec the file and transition to the new domain.
11allow $1 $2:file { getattr open read execute };
12allow $1 $3:process transition;
13# New domain is entered by executing the file.
14allow $3 $2:file { entrypoint read execute };
15# New domain can send SIGCHLD to its caller.
16allow $3 $1:process sigchld;
17# Enable AT_SECURE, i.e. libc secure mode.
18dontaudit $1 $3:process noatsecure;
19# XXX dontaudit candidate but requires further study.
20allow $1 $3:process { siginh rlimitinh };
21')
22
23#####################################
24# domain_auto_trans(olddomain, type, newdomain)
25# Automatically transition from olddomain to newdomain
26# upon executing a file labeled with type.
27#
28define(`domain_auto_trans', `
29# Allow the necessary permissions.
30domain_trans($1,$2,$3)
31# Make the transition occur by default.
32type_transition $1 $2:process $3;
33')
34
35#####################################
36# file_type_trans(domain, dir_type, file_type)
37# Allow domain to create a file labeled file_type in a
38# directory labeled dir_type.
39# This only allows the transition; it does not
40# cause it to occur automatically - use file_type_auto_trans
41# if that is what you want.
42#
43define(`file_type_trans', `
44# Allow the domain to add entries to the directory.
45allow $1 $2:dir ra_dir_perms;
46# Allow the domain to create the file.
47allow $1 $3:notdevfile_class_set create_file_perms;
48allow $1 $3:dir create_dir_perms;
49')
50
51#####################################
52# file_type_auto_trans(domain, dir_type, file_type)
53# Automatically label new files with file_type when
54# they are created by domain in directories labeled dir_type.
55#
56define(`file_type_auto_trans', `
57# Allow the necessary permissions.
58file_type_trans($1, $2, $3)
59# Make the transition occur by default.
60type_transition $1 $2:dir $3;
61type_transition $1 $2:notdevfile_class_set $3;
62')
63
64#####################################
65# r_dir_file(domain, type)
66# Allow the specified domain to read directories, files
67# and symbolic links of the specified type.
68define(`r_dir_file', `
69allow $1 $2:dir r_dir_perms;
70allow $1 $2:{ file lnk_file } r_file_perms;
71')
72
73#####################################
74# unconfined_domain(domain)
75# Allow the specified domain to do anything.
76#
77define(`unconfined_domain', `
78typeattribute $1 mlstrustedsubject;
79typeattribute $1 unconfineddomain;
80')
81
82#####################################
83# tmpfs_domain(domain)
84# Define and allow access to a unique type for
85# this domain when creating tmpfs / shmem / ashmem files.
86define(`tmpfs_domain', `
87type $1_tmpfs, file_type;
88type_transition $1 tmpfs:file $1_tmpfs;
89# Map with PROT_EXEC.
90allow $1 $1_tmpfs:file { read execute execmod };
91')
92
93#####################################
94# init_daemon_domain(domain)
95# Set up a transition from init to the daemon domain
96# upon executing its binary.
97define(`init_daemon_domain', `
98domain_auto_trans(init, $1_exec, $1)
99tmpfs_domain($1)
100')
101
102#####################################
103# app_domain(domain)
104# Allow a base set of permissions required for all apps.
105define(`app_domain', `
106typeattribute $1 appdomain;
107# Label ashmem objects with our own unique type.
108tmpfs_domain($1)
109')
110
111#####################################
112# platform_app_domain(domain)
113# Allow permissions specific to platform apps.
114define(`platform_app_domain', `
115typeattribute $1 platformappdomain;
116typeattribute $1 mlstrustedsubject;
117')
118
119#####################################
120# net_domain(domain)
121# Allow a base set of permissions required for network access.
122define(`net_domain', `
123typeattribute $1 netdomain;
124')
125
126#####################################
127# bluetooth_domain(domain)
128# Allow a base set of permissions required for bluetooth access.
129define(`bluetooth_domain', `
130typeattribute $1 bluetoothdomain;
131')
132
133#####################################
134# unix_socket_connect(clientdomain, socket, serverdomain)
135# Allow a local socket connection from clientdomain via
136# socket to serverdomain.
137define(`unix_socket_connect', `
138allow $1 $2_socket:sock_file write;
139allow $1 $3:unix_stream_socket connectto;
140')
141
142#####################################
143# unix_socket_send(clientdomain, socket, serverdomain)
144# Allow a local socket send from clientdomain via
145# socket to serverdomain.
146define(`unix_socket_send', `
147allow $1 $2_socket:sock_file write;
148allow $1 $3:unix_dgram_socket sendto;
149')
150
151#####################################
152# binder_use(domain)
153# Allow domain to use Binder IPC.
154define(`binder_use', `
155# Get Binder references from the servicemanager.
156allow $1 servicemanager:binder call;
157# Transfer and receive own Binder references.
158allow $1 self:binder { transfer receive };
159# Map /dev/ashmem with PROT_EXEC.
160allow $1 ashmem_device:chr_file execute;
161# rw access to /dev/binder and /dev/ashmem is presently granted to
162# all domains in domain.te.
163')
164
165#####################################
166# binder_call(clientdomain, serverdomain)
167# Allow clientdomain to perform binder IPC to serverdomain.
168define(`binder_call', `
169# First we receive a Binder ref to the server, then we call it.
170allow $1 $2:binder { receive call };
171# Receive and use open files from the server.
172allow $1 $2:fd use;
173')
174
175#####################################
176# binder_transfer(clientdomain, serverdomain)
177# Allow clientdomain to transfer Binder references created by serverdomain.
178define(`binder_transfer', `
179allow $1 $2:binder transfer;
180')
181
182#####################################
183# binder_service(domain)
184# Mark a domain as being a Binder service domain.
185# Used to allow binder IPC to the various system services.
186define(`binder_service', `
187typeattribute $1 binderservicedomain;
188')
189
190#####################################
191# selinux_check_access(domain)
192# Allow domain to check SELinux permissions via selinuxfs.
193define(`selinux_check_access', `
194allow $1 selinuxfs:dir r_dir_perms;
195allow $1 selinuxfs:file rw_file_perms;
196allow $1 kernel:security compute_av;
197allow $1 self:netlink_selinux_socket *;
198')
199
200#####################################
201# selinux_check_context(domain)
202# Allow domain to check SELinux contexts via selinuxfs.
203define(`selinux_check_context', `
204allow $1 selinuxfs:dir r_dir_perms;
205allow $1 selinuxfs:file rw_file_perms;
206allow $1 kernel:security check_context;
207')
208
209#####################################
210# selinux_getenforce(domain)
211# Allow domain to check whether SELinux is enforcing.
212define(`selinux_getenforce', `
213allow $1 selinuxfs:dir r_dir_perms;
214allow $1 selinuxfs:file r_file_perms;
215')
216
217#####################################
218# selinux_setenforce(domain)
219# Allow domain to set SELinux to enforcing.
220define(`selinux_setenforce', `
221allow $1 selinuxfs:dir r_dir_perms;
222allow $1 selinuxfs:file rw_file_perms;
223allow $1 kernel:security setenforce;
224')
225
226#####################################
227# selinux_setbool(domain)
228# Allow domain to set SELinux booleans.
229define(`selinux_setbool', `
230allow $1 selinuxfs:dir r_dir_perms;
231allow $1 selinuxfs:file rw_file_perms;
232allow $1 kernel:security setbool;
233')
234