• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1Access Vector Rules
2===================
3
4allow
5-----
6
7Specifies the access allowed between a source and target type. Note that access may be refined by constraint rules based on the source, target and class ([`validatetrans`](cil_constraint_statements.md#validatetrans) or [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans)) or source, target class and permissions ([`constrain`](cil_constraint_statements.md#constrain) or [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain) statements).
8
9**Rule definition:**
10
11    (allow source_id target_id|self classpermissionset_id ...)
12
13**Where:**
14
15<table>
16<colgroup>
17<col width="27%" />
18<col width="72%" />
19</colgroup>
20<tbody>
21<tr class="odd">
22<td align="left"><p><code>allow</code></p></td>
23<td align="left"><p>The <code>allow</code> keyword.</p></td>
24</tr>
25<tr class="even">
26<td align="left"><p><code>source_id</code></p></td>
27<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
28</tr>
29<tr class="odd">
30<td align="left"><p><code>target_id</code></p></td>
31<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
32<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
33</tr>
34<tr class="even">
35<td align="left"><p><code>classpermissionset_id</code></p></td>
36<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
37</tr>
38</tbody>
39</table>
40
41**Examples:**
42
43These examples show a selection of possible permutations of [`allow`](cil_access_vector_rules.md#allow) rules:
44
45    (class binder (impersonate call set_context_mgr transfer receive))
46    (class property_service (set))
47    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
48
49    (classpermission cps_zygote)
50    (classpermissionset cps_zygote (zygote (not (specifyids))))
51
52    (classmap android_classes (set_1 set_2 set_3))
53
54    (classmapping android_classes set_1 (binder (all)))
55    (classmapping android_classes set_1 (property_service (set)))
56    (classmapping android_classes set_1 (zygote (not (specifycapabilities))))
57
58    (classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer)))
59    (classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith)))
60
61    (classmapping android_classes set_3 cps_zygote)
62    (classmapping android_classes set_3 (binder (impersonate call set_context_mgr)))
63
64    (block av_rules
65        (type type_1)
66        (type type_2)
67        (type type_3)
68        (type type_4)
69        (type type_5)
70
71        (typeattribute all_types)
72        (typeattributeset all_types (all))
73
74    ; These examples have named and anonymous classpermissionset's and
75    ; classmap/classmapping statements
76        (allow type_1 self (property_service (set)))          ; anonymous
77        (allow type_2 self (zygote (specifyids)))             ; anonymous
78        (allow type_3 self cps_zygote)                        ; named
79        (allow type_4 self (android_classes (set_3)))         ; classmap/classmapping
80        (allow all_types all_types (android_classes (set_2))) ; classmap/classmapping
81
82    ;; This rule will cause the build to fail unless --disable-neverallow
83    ;    (neverallow type_5 all_types (property_service (set)))
84        (allow type_5 type_5 (property_service (set)))
85        (allow type_1 all_types (property_service (set)))
86    )
87
88auditallow
89----------
90
91Audit the access rights defined if there is a valid allow rule. Note: It does NOT allow access, it only audits the event.
92
93**Rule definition:**
94
95    (auditallow source_id target_id|self classpermissionset_id ...)
96
97**Where:**
98
99<table>
100<colgroup>
101<col width="29%" />
102<col width="70%" />
103</colgroup>
104<tbody>
105<tr class="odd">
106<td align="left"><p><code>auditallow</code></p></td>
107<td align="left"><p>The <code>auditallow</code> keyword.</p></td>
108</tr>
109<tr class="even">
110<td align="left"><p><code>source_id</code></p></td>
111<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
112</tr>
113<tr class="odd">
114<td align="left"><p><code>target_id</code></p></td>
115<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
116<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
117</tr>
118<tr class="even">
119<td align="left"><p><code>classpermissionset_id</code></p></td>
120<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
121</tr>
122</tbody>
123</table>
124
125**Example:**
126
127This example will log an audit event whenever the corresponding [`allow`](cil_access_vector_rules.md#allow) rule grants access to the specified permissions:
128
129    (allow release_app.process secmark_demo.browser_packet (packet (send recv append bind)))
130
131    (auditallow release_app.process secmark_demo.browser_packet (packet (send recv)))
132
133
134dontaudit
135---------
136
137Do not audit the access rights defined when access denied. This stops excessive log entries for known events.
138
139Note that these rules can be omitted by the CIL compiler command line parameter `-D` or `--disable-dontaudit` flags.
140
141**Rule definition:**
142
143    (dontaudit source_id target_id|self classpermissionset_id ...)
144
145**Where:**
146
147<table>
148<colgroup>
149<col width="27%" />
150<col width="72%" />
151</colgroup>
152<tbody>
153<tr class="odd">
154<td align="left"><p><code>dontaudit</code></p></td>
155<td align="left"><p>The <code>dontaudit</code> keyword.</p></td>
156</tr>
157<tr class="even">
158<td align="left"><p><code>source_id</code></p></td>
159<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
160</tr>
161<tr class="odd">
162<td align="left"><p><code>target_id</code></p></td>
163<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
164<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
165</tr>
166<tr class="even">
167<td align="left"><p><code>classpermissionset_id</code></p></td>
168<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
169</tr>
170</tbody>
171</table>
172
173**Example:**
174
175This example will not audit the denied access:
176
177    (dontaudit zygote.process self (capability (fsetid)))
178
179neverallow
180----------
181
182Never allow access rights defined. This is a compiler enforced action that will stop compilation until the offending rules are modified.
183
184Note that these rules can be over-ridden by the CIL compiler command line parameter `-N` or `--disable-neverallow` flags.
185
186**Rule definition:**
187
188    (neverallow source_id target_id|self classpermissionset_id ...)
189
190**Where:**
191
192<table>
193<colgroup>
194<col width="27%" />
195<col width="72%" />
196</colgroup>
197<tbody>
198<tr class="odd">
199<td align="left"><p><code>neverallow</code></p></td>
200<td align="left"><p>The <code>neverallow</code> keyword.</p></td>
201</tr>
202<tr class="even">
203<td align="left"><p><code>source_id</code></p></td>
204<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
205</tr>
206<tr class="odd">
207<td align="left"><p><code>target_id</code></p></td>
208<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
209<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
210</tr>
211<tr class="even">
212<td align="left"><p><code>classpermissionset_id</code></p></td>
213<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
214</tr>
215</tbody>
216</table>
217
218**Example:**
219
220This example will not compile as `type_3` is not allowed to be a source type for the [`allow`](cil_access_vector_rules.md#allow) rule:
221
222    (class property_service (set))
223
224    (block av_rules
225        (type type_1)
226        (type type_2)
227        (type type_3)
228        (typeattribute all_types)
229        (typeattributeset all_types ((all)))
230
231        (neverallow type_3 all_types (property_service (set)))
232        ; This rule will fail compilation:
233        (allow type_3 self (property_service (set)))
234    )
235
236allowx
237------
238
239Specifies the access allowed between a source and target type using extended permissions. Unlike the [`allow`](cil_access_vector_rules.md#allow) statement, the statements [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans), [`constrain`](cil_constraint_statements.md#constrain), and [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain) do not limit accesses granted by [`allowx`](cil_access_vector_rules.md#allowx).
240
241**Rule definition:**
242
243    (allowx source_id target_id|self permissionx_id)
244
245**Where:**
246
247<table>
248<colgroup>
249<col width="27%" />
250<col width="72%" />
251</colgroup>
252<tbody>
253<tr class="odd">
254<td align="left"><p><code>allowx</code></p></td>
255<td align="left"><p>The <code>allowx</code> keyword.</p></td>
256</tr>
257<tr class="even">
258<td align="left"><p><code>source_id</code></p></td>
259<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code>, or <code>typeattribute</code> identifier.</p></td>
260</tr>
261<tr class="odd">
262<td align="left"><p><code>target_id</code></p></td>
263<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code>, or <code>typeattribute</code> identifier.</p>
264<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
265</tr>
266<tr class="even">
267<td align="left"><p><code>permissionx_id</code></p></td>
268<td align="left"><p>A single named or anonymous <code>permissionx</code>.</p></td>
269</tr>
270</tbody>
271</table>
272
273**Examples:**
274
275These examples show a selection of possible permutations of [`allowx`](cil_access_vector_rules.md#allowx) rules:
276
277    (allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))
278
279    (permissionx ioctl_nodebug (ioctl udp_socket (not (range 0x4000 0x4010))))
280    (allowx type_3 type_4 ioctl_nodebug)
281
282
283
284auditallowx
285-----------
286
287Audit the access rights defined if there is a valid [`allowx`](cil_access_vector_rules.md#allowx) rule. It does NOT allow access, it only audits the event.
288
289**Rule definition:**
290
291    (auditallowx source_id target_id|self permissionx_id)
292
293**Where:**
294
295<table>
296<colgroup>
297<col width="27%" />
298<col width="72%" />
299</colgroup>
300<tbody>
301<tr class="odd">
302<td align="left"><p><code>auditallowx</code></p></td>
303<td align="left"><p>The <code>auditallowx</code> keyword.</p></td>
304</tr>
305<tr class="even">
306<td align="left"><p><code>source_id</code></p></td>
307<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
308</tr>
309<tr class="odd">
310<td align="left"><p><code>target_id</code></p></td>
311<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
312<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
313</tr>
314<tr class="even">
315<td align="left"><p><code>permissionx_id</code></p></td>
316<td align="left"><p>A single named or anonymous <code>permissionx</code>.</p></td>
317</tr>
318</tbody>
319</table>
320
321**Examples:**
322
323This example will log an audit event whenever the corresponding [`allowx`](cil_access_vector_rules.md#allowx) rule grants access to the specified extended permissions:
324
325    (allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))
326
327    (auditallowx type_1 type_2 (ioctl tcp_socket (range 0x2005 0x2010)))
328
329
330dontauditx
331----------
332
333Do not audit the access rights defined when access denied. This stops excessive log entries for known events.
334
335Note that these rules can be omitted by the CIL compiler command line parameter `-D` or `--disable-dontaudit` flags.
336
337**Rule definition:**
338
339    (dontauditx source_id target_id|self permissionx_id)
340
341**Where:**
342
343<table>
344<colgroup>
345<col width="27%" />
346<col width="72%" />
347</colgroup>
348<tbody>
349<tr class="odd">
350<td align="left"><p><code>dontauditx</code></p></td>
351<td align="left"><p>The <code>dontauditx</code> keyword.</p></td>
352</tr>
353<tr class="even">
354<td align="left"><p><code>source_id</code></p></td>
355<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
356</tr>
357<tr class="odd">
358<td align="left"><p><code>target_id</code></p></td>
359<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
360<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
361</tr>
362<tr class="even">
363<td align="left"><p><code>permissionx_id</code></p></td>
364<td align="left"><p>A single named or anonymous <code>permissionx</code>.</p></td>
365</tr>
366</tbody>
367</table>
368
369**Examples:**
370
371This example will not audit the denied access:
372
373    (dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF)))
374
375
376neverallowx
377----------
378Never allow access rights defined for extended permissions. This is a compiler enforced action that will stop compilation until the offending rules are modified.
379
380Note that these rules can be over-ridden by the CIL compiler command line parameter `-N` or `--disable-neverallow` flags.
381
382**Rule definition:**
383
384    (neverallowx source_id target_id|self permissionx_id)
385
386**Where:**
387
388<table>
389<colgroup>
390<col width="27%" />
391<col width="72%" />
392</colgroup>
393<tbody>
394<tr class="odd">
395<td align="left"><p><code>neverallows</code></p></td>
396<td align="left"><p>The <code>neverallowx</code> keyword.</p></td>
397</tr>
398<tr class="even">
399<td align="left"><p><code>source_id</code></p></td>
400<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
401</tr>
402<tr class="odd">
403<td align="left"><p><code>target_id</code></p></td>
404<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
405<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
406</tr>
407<tr class="even">
408<td align="left"><p><code>permissionx_id</code></p></td>
409<td align="left"><p>A single named or anonymous <code>permissionx</code>.</p></td>
410</tr>
411</tbody>
412</table>
413
414**Examples:**
415
416This example will not compile as `type_3` is not allowed to be a source type and ioctl range for the [`allowx`](cil_access_vector_rules.md#allowx) rule:
417
418	(class property_service (ioctl))
419	(block av_rules
420		(type type_1)
421		(type type_2)
422		(type type_3)
423		(typeattribute all_types)
424		(typeattributeset all_types ((all)))
425		(neverallowx type_3 all_types (ioctl property_service (range 0x2000 0x20FF)))
426		; This rule will fail compilation:
427		(allowx type_3 self (ioctl property_service (0x20A0)))
428	)
429