1<!-- Common Interface Language (CIL) Reference Guide -->
2           <!-- default_object_statements.xml -->
3
4   <sect1>
5      <title>Default Object Statements</title>
6      <para>These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.</para>
7      <sect2 id="defaultuser">
8         <title>defaultuser</title>
9         <para>Allows the default user to be taken from the source or target context when computing a new context for the object <literal><link linkend="class">class</link></literal> identifier. Requires policy version 27.</para>
10         <para><emphasis role="bold">Statement definition:</emphasis></para>
11         <programlisting><![CDATA[(defaultuser class_id default)]]></programlisting>
12         <para><emphasis role="bold">Where:</emphasis></para>
13         <informaltable frame="all">
14            <tgroup cols="2">
15            <colspec colwidth="2 *"/>
16            <colspec colwidth="6 *"/>
17               <tbody>
18               <row>
19                  <entry>
20                     <para><literal>defaultuser</literal></para>
21                  </entry>
22                  <entry>
23                     <para>The <literal>defaultuser</literal> keyword.</para>
24                  </entry>
25               </row>
26               <row>
27                  <entry>
28                     <para><literal>class_id</literal></para>
29                  </entry>
30                  <entry>
31                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier, or a list of previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifiers enclosed within parentheses.</para>
32                  </entry>
33               </row>
34               <row>
35                  <entry>
36                     <para><literal>default</literal></para>
37                  </entry>
38                  <entry>
39                     <para>A keyword of either <literal>source</literal> or <literal>target</literal>.</para>
40                  </entry>
41               </row>
42            </tbody></tgroup>
43         </informaltable>
44
45         <para><emphasis role="bold">Example:</emphasis></para>
46         <para>When creating new <literal>binder</literal>, <literal>property_service</literal>, <literal>zygote</literal> or <literal>memprotect</literal> objects the <literal><link linkend="user">user</link></literal> component of the new security context will be taken from the <literal>source</literal> context:</para>
47         <programlisting><![CDATA[
48(class binder (impersonate call set_context_mgr transfer receive))
49(class property_service (set))
50(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
51(class memprotect (mmap_zero))
52
53(classmap android_classes (android))
54(classmapping android_classes android (binder (all)))
55(classmapping android_classes android (property_service (set)))
56(classmapping android_classes android (zygote (not (specifycapabilities))))
57
58(defaultuser (android_classes memprotect) source)
59
60; Will produce the following in the binary policy file:
61;; default_user binder source;
62;; default_user zygote source;
63;; default_user property_service source;
64;; default_user memprotect source;]]>
65         </programlisting>
66      </sect2>
67
68      <sect2 id="defaultrole">
69         <title>defaultrole</title>
70         <para>Allows the default role to be taken from the source or target context when computing a new context for the object <literal><link linkend="class">class</link></literal> identifier. Requires policy version 27.</para>
         <para><emphasis role="bold">Statement definition:</emphasis></para>
         <programlisting><![CDATA[(defaultrole class_id default)]]></programlisting>
72         <para><emphasis role="bold">Where:</emphasis></para>
73         <informaltable frame="all">
74            <tgroup cols="2">
75            <colspec colwidth="2 *"/>
76            <colspec colwidth="6 *"/>
77               <tbody>
78               <row>
79                  <entry>
80                     <para><literal>defaultrole</literal></para>
81                  </entry>
82                  <entry>
83                     <para>The <literal>defaultrole</literal> keyword.</para>
84                  </entry>
85               </row>
86               <row>
87                  <entry>
88                     <para><literal>class_id</literal></para>
89                  </entry>
90                  <entry>
91                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier, or a list of previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifiers enclosed within parentheses.</para>
92                  </entry>
93               </row>
94               <row>
95                  <entry>
96                     <para><literal>default</literal></para>
97                  </entry>
98                  <entry>
99                     <para>A keyword of either <literal>source</literal> or <literal>target</literal>.</para>
100                  </entry>
101               </row>
102            </tbody></tgroup>
103         </informaltable>
104
105         <para><emphasis role="bold">Example:</emphasis></para>
106         <para>When creating new <literal>binder</literal>, <literal>property_service</literal> or <literal>zygote</literal> objects the <literal><link linkend="role">role</link></literal> component of the new security context will be taken from the <literal>target</literal> context:</para>
107         <programlisting><![CDATA[
108(class binder (impersonate call set_context_mgr transfer receive))
109(class property_service (set))
110(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
111
112(defaultrole (binder property_service zygote) target)
113
114; Will produce the following in the binary policy file:
115;; default_role binder target;
116;; default_role zygote target;
117;; default_role property_service target;]]>
118         </programlisting>
119      </sect2>
120
121      <sect2 id="defaulttype">
122         <title>defaulttype</title>
123         <para>Allows the default type to be taken from the source or target context when computing a new context for the object <literal><link linkend="class">class</link></literal> identifier. Requires policy version 28.</para>
124         <para><emphasis role="bold">Statement definition:</emphasis></para>
125         <programlisting><![CDATA[(defaulttype class_id default)]]></programlisting>
126         <para><emphasis role="bold">Where:</emphasis></para>
127         <informaltable frame="all">
128            <tgroup cols="2">
129            <colspec colwidth="2 *"/>
130            <colspec colwidth="6 *"/>
131               <tbody>
132               <row>
133                  <entry>
134                     <para><literal>defaulttype</literal></para>
135                  </entry>
136                  <entry>
137                     <para>The <literal>defaulttype</literal> keyword.</para>
138                  </entry>
139               </row>
140               <row>
141                  <entry>
142                     <para><literal>class_id</literal></para>
143                  </entry>
144                  <entry>
145                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier, or a list of previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifiers enclosed within parentheses.</para>
146                  </entry>
147               </row>
148               <row>
149                  <entry>
150                     <para><literal>default</literal></para>
151                  </entry>
152                  <entry>
153                     <para>A keyword of either <literal>source</literal> or <literal>target</literal>.</para>
154                  </entry>
155               </row>
156            </tbody></tgroup>
157         </informaltable>
158
159         <para><emphasis role="bold">Example:</emphasis></para>
160         <para>When creating a new <literal>socket</literal> object, the <literal><link linkend="type">type</link></literal> component of the new security context will be taken from the <literal>source</literal> context:</para>
161         <programlisting><![CDATA[(defaulttype socket source)]]></programlisting>
162      </sect2>
163
164      <sect2 id="defaultrange">
165         <title>defaultrange</title>
166         <para>Allows the default level or range to be taken from the source or target context when computing a new context for the object <literal><link linkend="class">class</link></literal> identifier. Requires policy version 27.</para>
167         <para><emphasis role="bold">Statement definition:</emphasis></para>
168         <programlisting><![CDATA[(defaultrange class_id default range)]]></programlisting>
169         <para><emphasis role="bold">Where:</emphasis></para>
170         <informaltable frame="all">
171            <tgroup cols="2">
172            <colspec colwidth="2 *"/>
173            <colspec colwidth="6 *"/>
174               <tbody>
175               <row>
176                  <entry>
177                     <para><literal>defaultrange</literal></para>
178                  </entry>
179                  <entry>
180                     <para>The <literal>defaultrange</literal> keyword.</para>
181                  </entry>
182               </row>
183               <row>
184                  <entry>
185                     <para><literal>class_id</literal></para>
186                  </entry>
187                  <entry>
188                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier, or a list of previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifiers enclosed within parentheses.</para>
189                  </entry>
190               </row>
191               <row>
192                  <entry>
193                     <para><literal>default</literal></para>
194                  </entry>
195                  <entry>
196                     <para>A keyword of either <literal>source</literal> or <literal>target</literal>.</para>
197                  </entry>
198               </row>
199               <row>
200                  <entry>
201                     <para><literal>range</literal></para>
202                  </entry>
203                  <entry>
204                     <para>A keyword of either <literal>low</literal>, <literal>high</literal> or <literal>low-high</literal>.</para>
205                  </entry>
206               </row>
207            </tbody></tgroup>
208         </informaltable>
209
210         <para><emphasis role="bold">Example:</emphasis></para>
211         <para>When creating a new <literal>file</literal> object, the appropriate <literal><link linkend="levelrange">range</link></literal> component of the new security context will be taken from the <literal>target</literal> context:</para>
         <programlisting><![CDATA[(defaultrange file target low-high)]]></programlisting>
213      </sect2>
214
215   </sect1>
216