1##################################### 2# domain_trans(olddomain, type, newdomain) 3# Allow a transition from olddomain to newdomain 4# upon executing a file labeled with type. 5# This only allows the transition; it does not 6# cause it to occur automatically - use domain_auto_trans 7# if that is what you want. 8# 9define(`domain_trans', ` 10# Old domain may exec the file and transition to the new domain. 11allow $1 $2:file { getattr open read execute }; 12allow $1 $3:process transition; 13# New domain is entered by executing the file. 14allow $3 $2:file { entrypoint read execute }; 15# New domain can send SIGCHLD to its caller. 16allow $3 $1:process sigchld; 17# Enable AT_SECURE, i.e. libc secure mode. 18dontaudit $1 $3:process noatsecure; 19# XXX dontaudit candidate but requires further study. 20allow $1 $3:process { siginh rlimitinh }; 21') 22 23##################################### 24# domain_auto_trans(olddomain, type, newdomain) 25# Automatically transition from olddomain to newdomain 26# upon executing a file labeled with type. 27# 28define(`domain_auto_trans', ` 29# Allow the necessary permissions. 30domain_trans($1,$2,$3) 31# Make the transition occur by default. 32type_transition $1 $2:process $3; 33') 34 35##################################### 36# file_type_trans(domain, dir_type, file_type) 37# Allow domain to create a file labeled file_type in a 38# directory labeled dir_type. 39# This only allows the transition; it does not 40# cause it to occur automatically - use file_type_auto_trans 41# if that is what you want. 42# 43define(`file_type_trans', ` 44# Allow the domain to add entries to the directory. 45allow $1 $2:dir ra_dir_perms; 46# Allow the domain to create the file. 47allow $1 $3:notdevfile_class_set create_file_perms; 48allow $1 $3:dir create_dir_perms; 49') 50 51##################################### 52# file_type_auto_trans(domain, dir_type, file_type) 53# Automatically label new files with file_type when 54# they are created by domain in directories labeled dir_type. 55# 56define(`file_type_auto_trans', ` 57# Allow the necessary permissions. 58file_type_trans($1, $2, $3) 59# Make the transition occur by default. 60type_transition $1 $2:dir $3; 61type_transition $1 $2:notdevfile_class_set $3; 62') 63 64##################################### 65# r_dir_file(domain, type) 66# Allow the specified domain to read directories, files 67# and symbolic links of the specified type. 68define(`r_dir_file', ` 69allow $1 $2:dir r_dir_perms; 70allow $1 $2:{ file lnk_file } r_file_perms; 71') 72 73##################################### 74# unconfined_domain(domain) 75# Allow the specified domain to do anything. 76# 77define(`unconfined_domain', ` 78typeattribute $1 mlstrustedsubject; 79typeattribute $1 unconfineddomain; 80') 81 82##################################### 83# tmpfs_domain(domain) 84# Define and allow access to a unique type for 85# this domain when creating tmpfs / shmem / ashmem files. 86define(`tmpfs_domain', ` 87type $1_tmpfs, file_type; 88type_transition $1 tmpfs:file $1_tmpfs; 89# Map with PROT_EXEC. 90allow $1 $1_tmpfs:file { read execute execmod }; 91') 92 93##################################### 94# init_daemon_domain(domain) 95# Set up a transition from init to the daemon domain 96# upon executing its binary. 97define(`init_daemon_domain', ` 98domain_auto_trans(init, $1_exec, $1) 99tmpfs_domain($1) 100') 101 102##################################### 103# app_domain(domain) 104# Allow a base set of permissions required for all apps. 105define(`app_domain', ` 106typeattribute $1 appdomain; 107# Label ashmem objects with our own unique type. 108tmpfs_domain($1) 109') 110 111##################################### 112# platform_app_domain(domain) 113# Allow permissions specific to platform apps. 114define(`platform_app_domain', ` 115typeattribute $1 platformappdomain; 116typeattribute $1 mlstrustedsubject; 117') 118 119##################################### 120# net_domain(domain) 121# Allow a base set of permissions required for network access. 122define(`net_domain', ` 123typeattribute $1 netdomain; 124') 125 126##################################### 127# bluetooth_domain(domain) 128# Allow a base set of permissions required for bluetooth access. 129define(`bluetooth_domain', ` 130typeattribute $1 bluetoothdomain; 131') 132 133##################################### 134# unix_socket_connect(clientdomain, socket, serverdomain) 135# Allow a local socket connection from clientdomain via 136# socket to serverdomain. 137define(`unix_socket_connect', ` 138allow $1 $2_socket:sock_file write; 139allow $1 $3:unix_stream_socket connectto; 140') 141 142##################################### 143# unix_socket_send(clientdomain, socket, serverdomain) 144# Allow a local socket send from clientdomain via 145# socket to serverdomain. 146define(`unix_socket_send', ` 147allow $1 $2_socket:sock_file write; 148allow $1 $3:unix_dgram_socket sendto; 149') 150 151##################################### 152# binder_use(domain) 153# Allow domain to use Binder IPC. 154define(`binder_use', ` 155# Get Binder references from the servicemanager. 156allow $1 servicemanager:binder call; 157# Transfer and receive own Binder references. 158allow $1 self:binder { transfer receive }; 159# Map /dev/ashmem with PROT_EXEC. 160allow $1 ashmem_device:chr_file execute; 161# rw access to /dev/binder and /dev/ashmem is presently granted to 162# all domains in domain.te. 163') 164 165##################################### 166# binder_call(clientdomain, serverdomain) 167# Allow clientdomain to perform binder IPC to serverdomain. 168define(`binder_call', ` 169# First we receive a Binder ref to the server, then we call it. 170allow $1 $2:binder { receive call }; 171# Receive and use open files from the server. 172allow $1 $2:fd use; 173') 174 175##################################### 176# binder_transfer(clientdomain, serverdomain) 177# Allow clientdomain to transfer Binder references created by serverdomain. 178define(`binder_transfer', ` 179allow $1 $2:binder transfer; 180') 181 182##################################### 183# binder_service(domain) 184# Mark a domain as being a Binder service domain. 185# Used to allow binder IPC to the various system services. 186define(`binder_service', ` 187typeattribute $1 binderservicedomain; 188') 189 190##################################### 191# selinux_check_access(domain) 192# Allow domain to check SELinux permissions via selinuxfs. 193define(`selinux_check_access', ` 194allow $1 selinuxfs:dir r_dir_perms; 195allow $1 selinuxfs:file rw_file_perms; 196allow $1 kernel:security compute_av; 197allow $1 self:netlink_selinux_socket *; 198') 199 200##################################### 201# selinux_check_context(domain) 202# Allow domain to check SELinux contexts via selinuxfs. 203define(`selinux_check_context', ` 204allow $1 selinuxfs:dir r_dir_perms; 205allow $1 selinuxfs:file rw_file_perms; 206allow $1 kernel:security check_context; 207') 208 209##################################### 210# selinux_getenforce(domain) 211# Allow domain to check whether SELinux is enforcing. 212define(`selinux_getenforce', ` 213allow $1 selinuxfs:dir r_dir_perms; 214allow $1 selinuxfs:file r_file_perms; 215') 216 217##################################### 218# selinux_setenforce(domain) 219# Allow domain to set SELinux to enforcing. 220define(`selinux_setenforce', ` 221allow $1 selinuxfs:dir r_dir_perms; 222allow $1 selinuxfs:file rw_file_perms; 223allow $1 kernel:security setenforce; 224') 225 226##################################### 227# selinux_setbool(domain) 228# Allow domain to set SELinux booleans. 229define(`selinux_setbool', ` 230allow $1 selinuxfs:dir r_dir_perms; 231allow $1 selinuxfs:file rw_file_perms; 232allow $1 kernel:security setbool; 233') 234