private/access_vectors - LeafOS-Project/android_system_sepolicy - Gitiles

 #
 # Define common prefixes for access vectors
 #
 # common common_name { permission_name ... }


 #
 # Define a common prefix for file access vectors.
 #

 common file
 {
 	ioctl
 	read
 	write
 	create
 	getattr
 	setattr
 	lock
 	relabelfrom
 	relabelto
 	append
 	map
 	unlink
 	link
 	rename
 	execute
 	quotaon
 	mounton
 	audit_access
 	open
 	execmod
 	watch
 	watch_mount
 	watch_sb
 	watch_with_perm
 	watch_reads
 }


 #
 # Define a common prefix for socket access vectors.
 #

 common socket
 {
 # inherited from file
 	ioctl
 	read
 	write
 	create
 	getattr
 	setattr
 	lock
 	relabelfrom
 	relabelto
 	append
 	map
 # socket-specific
 	bind
 	connect
 	listen
 	accept
 	getopt
 	setopt
 	shutdown
 	recvfrom
 	sendto
 	name_bind
 }

 #
 # Define a common prefix for ipc access vectors.
 #

 common ipc
 {
 	create
 	destroy
 	getattr
 	setattr
 	read
 	write
 	associate
 	unix_read
 	unix_write
 }

 #
 # Define a common for capability access vectors.
 #
 common cap
 {
 	# The capabilities are defined in include/linux/capability.h
 	# Capabilities >= 32 are defined in the cap2 common.
 	# Care should be taken to ensure that these are consistent with
 	# those definitions. (Order matters)

 	chown
 	dac_override
 	dac_read_search
 	fowner
 	fsetid
 	kill
 	setgid
 	setuid
 	setpcap
 	linux_immutable
 	net_bind_service
 	net_broadcast
 	net_admin
 	net_raw
 	ipc_lock
 	ipc_owner
 	sys_module
 	sys_rawio
 	sys_chroot
 	sys_ptrace
 	sys_pacct
 	sys_admin
 	sys_boot
 	sys_nice
 	sys_resource
 	sys_time
 	sys_tty_config
 	mknod
 	lease
 	audit_write
 	audit_control
 	setfcap
 }

 common cap2
 {
 	mac_override	# unused by SELinux
 	mac_admin
 	syslog
 	wake_alarm
 	block_suspend
 	audit_read
 	perfmon
 }

 #
 # Define the access vectors.
 #
 # class class_name [ inherits common_name ] { permission_name ... }


 #
 # Define the access vector interpretation for file-related objects.
 #

 class filesystem
 {
 	mount
 	remount
 	unmount
 	getattr
 	relabelfrom
 	relabelto
 	associate
 	quotamod
 	quotaget
 	watch
 }

 class dir
 inherits file
 {
 	add_name
 	remove_name
 	reparent
 	search
 	rmdir
 }

 class file
 inherits file
 {
 	execute_no_trans
 	entrypoint
 }

 class anon_inode
 inherits file

 class lnk_file
 inherits file

 class chr_file
 inherits file
 {
 	execute_no_trans
 	entrypoint
 }

 class blk_file
 inherits file

 class sock_file
 inherits file

 class fifo_file
 inherits file

 class fd
 {
 	use
 }


 #
 # Define the access vector interpretation for network-related objects.
 #

 class socket
 inherits socket

 class tcp_socket
 inherits socket
 {
 	node_bind
 	name_connect
 }

 class udp_socket
 inherits socket
 {
 	node_bind
 }

 class rawip_socket
 inherits socket
 {
 	node_bind
 }

 class node
 {
 	recvfrom
 	sendto
 }

 class netif
 {
 	ingress
 	egress
 }

 class netlink_socket
 inherits socket

 class packet_socket
 inherits socket

 class key_socket
 inherits socket

 class unix_stream_socket
 inherits socket
 {
 	connectto
 }

 class unix_dgram_socket
 inherits socket

 #
 # Define the access vector interpretation for process-related objects
 #

 class process
 {
 	fork
 	transition
 	sigchld # commonly granted from child to parent
 	sigkill # cannot be caught or ignored
 	sigstop # cannot be caught or ignored
 	signull # for kill(pid, 0)
 	signal  # all other signals
 	ptrace
 	getsched
 	setsched
 	getsession
 	getpgid
 	setpgid
 	getcap
 	setcap
 	share
 	getattr
 	setexec
 	setfscreate
 	noatsecure
 	siginh
 	setrlimit
 	rlimitinh
 	dyntransition
 	setcurrent
 	execmem
 	execstack
 	execheap
 	setkeycreate
 	setsockcreate
 	getrlimit
 }

 class process2
 {
 	nnp_transition
 	nosuid_transition
 }

 #
 # Define the access vector interpretation for ipc-related objects
 #

 class ipc
 inherits ipc

 class sem
 inherits ipc

 class msgq
 inherits ipc
 {
 	enqueue
 }

 class msg
 {
 	send
 	receive
 }

 class shm
 inherits ipc
 {
 	lock
 }


 #
 # Define the access vector interpretation for the security server.
 #

 class security
 {
 	compute_av
 	compute_create
 	compute_member
 	check_context
 	load_policy
 	compute_relabel
 	compute_user
 	setenforce     # was avc_toggle in system class
 	setbool
 	setsecparam
 	setcheckreqprot
 	read_policy
 	validate_trans
 }


 #
 # Define the access vector interpretation for system operations.
 #

 class system
 {
 	ipc_info
 	syslog_read
 	syslog_mod
 	syslog_console
 	module_request
 	module_load
 }

 #
 # Define the access vector interpretation for controlling capabilities
 #

 class capability
 inherits cap

 class capability2
 inherits cap2

 #
 # Extended Netlink classes
 #
 class netlink_route_socket
 inherits socket
 {
 	nlmsg_read
 	nlmsg_write
 	nlmsg_readpriv
 	nlmsg_getneigh
 }

 class netlink_tcpdiag_socket
 inherits socket
 {
 	nlmsg_read
 	nlmsg_write
 }

 class netlink_nflog_socket
 inherits socket

 class netlink_xfrm_socket
 inherits socket
 {
 	nlmsg_read
 	nlmsg_write
 }

 class netlink_selinux_socket
 inherits socket

 class netlink_audit_socket
 inherits socket
 {
 	nlmsg_read
 	nlmsg_write
 	nlmsg_relay
 	nlmsg_readpriv
 	nlmsg_tty_audit
 }

 class netlink_dnrt_socket
 inherits socket

 # Define the access vector interpretation for controlling
 # access to IPSec network data by association
 #
 class association
 {
 	sendto
 	recvfrom
 	setcontext
 	polmatch
 }

 # Updated Netlink class for KOBJECT_UEVENT family.
 class netlink_kobject_uevent_socket
 inherits socket

 class appletalk_socket
 inherits socket

 class packet
 {
 	send
 	recv
 	relabelto
 	forward_in
 	forward_out
 }

 class key
 {
 	view
 	read
 	write
 	search
 	link
 	setattr
 	create
 }

 class dccp_socket
 inherits socket
 {
 	node_bind
 	name_connect
 }

 class memprotect
 {
 	mmap_zero
 }

 # network peer labels
 class peer
 {
 	recv
 }

 class kernel_service
 {
 	use_as_override
 	create_files_as
 }

 class tun_socket
 inherits socket
 {
 	attach_queue
 }

 class binder
 {
 	impersonate
 	call
 	set_context_mgr
 	transfer
 }

 class netlink_iscsi_socket
 inherits socket

 class netlink_fib_lookup_socket
 inherits socket

 class netlink_connector_socket
 inherits socket

 class netlink_netfilter_socket
 inherits socket

 class netlink_generic_socket
 inherits socket

 class netlink_scsitransport_socket
 inherits socket

 class netlink_rdma_socket
 inherits socket

 class netlink_crypto_socket
 inherits socket

 class infiniband_pkey
 {
 	access
 }

 class infiniband_endport
 {
 	manage_subnet
 }

 #
 # Define the access vector interpretation for controlling capabilities
 # in user namespaces
 #

 class cap_userns
 inherits cap

 class cap2_userns
 inherits cap2


 #
 # Define the access vector interpretation for the new socket classes
 # enabled by the extended_socket_class policy capability.
 #

 #
 # The next two classes were previously mapped to rawip_socket and therefore
 # have the same definition as rawip_socket (until further permissions
 # are defined).
 #
 class sctp_socket
 inherits socket
 {
 	node_bind
 	name_connect
 	association
 }

 class icmp_socket
 inherits socket
 {
 	node_bind
 }

 #
 # The remaining network socket classes were previously
 # mapped to the socket class and therefore have the
 # same definition as socket.
 #

 class ax25_socket
 inherits socket

 class ipx_socket
 inherits socket

 class netrom_socket
 inherits socket

 class atmpvc_socket
 inherits socket

 class x25_socket
 inherits socket

 class rose_socket
 inherits socket

 class decnet_socket
 inherits socket

 class atmsvc_socket
 inherits socket

 class rds_socket
 inherits socket

 class irda_socket
 inherits socket

 class pppox_socket
 inherits socket

 class llc_socket
 inherits socket

 class can_socket
 inherits socket

 class tipc_socket
 inherits socket

 class bluetooth_socket
 inherits socket

 class iucv_socket
 inherits socket

 class rxrpc_socket
 inherits socket

 class isdn_socket
 inherits socket

 class phonet_socket
 inherits socket

 class ieee802154_socket
 inherits socket

 class caif_socket
 inherits socket

 class alg_socket
 inherits socket

 class nfc_socket
 inherits socket

 class vsock_socket
 inherits socket

 class kcm_socket
 inherits socket

 class qipcrtr_socket
 inherits socket

 class smc_socket
 inherits socket

 class bpf
 {
 	map_create
 	map_read
 	map_write
 	prog_load
 	prog_run
 }

 class property_service
 {
 	set
 }

 class service_manager
 {
 	add
 	find
 	list
 }

 class hwservice_manager
 {
 	add
 	find
 	list
 }

 class keystore_key
 {
 	get_state
 	get
 	insert
 	delete
 	exist
 	list
 	reset
 	password
 	lock
 	unlock
 	is_empty
 	sign
 	verify
 	grant
 	duplicate
 	clear_uid
 	add_auth
 	user_changed
 	gen_unique_id
 }

 class keystore2
 {
 	add_auth
 	change_password
 	change_user
 	clear_ns
 	clear_uid
 	delete_all_keys
 	early_boot_ended
 	get_attestation_key
 	get_auth_token
 	get_last_auth_time
 	get_state
 	list
 	lock
 	pull_metrics
 	report_off_body
 	reset
 	unlock
 }

 class keystore2_key
 {
 	convert_storage_key_to_ephemeral
 	delete
 	gen_unique_id
 	get_info
 	grant
 	manage_blob
 	rebind
 	req_forced_op
 	update
 	use
 	use_dev_id
 }

 class diced
 {
 	demote
 	demote_self
 	derive
 	get_attestation_chain
 	use_seal
 	use_sign
 }

 class drmservice {
 	consumeRights
 	setPlaybackStatus
 	openDecryptSession
 	closeDecryptSession
 	initializeDecryptUnit
 	decrypt
 	finalizeDecryptUnit
 	pread
 }

 class xdp_socket
 inherits socket

 class perf_event
 {
 	open
 	cpu
 	kernel
 	tracepoint
 	read
 	write
 }

 class lockdown
 {
 	integrity
 	confidentiality
 }

 class io_uring
 {
 	override_creds
 	sqpoll
 	cmd
 }
	#
	# Define common prefixes for access vectors
	#
	# common common_name { permission_name ... }


	#
	# Define a common prefix for file access vectors.
	#

	common file
	{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	unlink
	link
	rename
	execute
	quotaon
	mounton
	audit_access
	open
	execmod
	watch
	watch_mount
	watch_sb
	watch_with_perm
	watch_reads
	}


	#
	# Define a common prefix for socket access vectors.
	#

	common socket
	{
	# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind
	}

	#
	# Define a common prefix for ipc access vectors.
	#

	common ipc
	{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
	}

	#
	# Define a common for capability access vectors.
	#
	common cap
	{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
	}

	common cap2
	{
	mac_override # unused by SELinux
	mac_admin
	syslog
	wake_alarm
	block_suspend
	audit_read
	perfmon
	}

	#
	# Define the access vectors.
	#
	# class class_name [ inherits common_name ] { permission_name ... }


	#
	# Define the access vector interpretation for file-related objects.
	#

	class filesystem
	{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
	watch
	}

	class dir
	inherits file
	{
	add_name
	remove_name
	reparent
	search
	rmdir
	}

	class file
	inherits file
	{
	execute_no_trans
	entrypoint
	}

	class anon_inode
	inherits file

	class lnk_file
	inherits file

	class chr_file
	inherits file
	{
	execute_no_trans
	entrypoint
	}

	class blk_file
	inherits file

	class sock_file
	inherits file

	class fifo_file
	inherits file

	class fd
	{
	use
	}


	#
	# Define the access vector interpretation for network-related objects.
	#

	class socket
	inherits socket

	class tcp_socket
	inherits socket
	{
	node_bind
	name_connect
	}

	class udp_socket
	inherits socket
	{
	node_bind
	}

	class rawip_socket
	inherits socket
	{
	node_bind
	}

	class node
	{
	recvfrom
	sendto
	}

	class netif
	{
	ingress
	egress
	}

	class netlink_socket
	inherits socket

	class packet_socket
	inherits socket

	class key_socket
	inherits socket

	class unix_stream_socket
	inherits socket
	{
	connectto
	}

	class unix_dgram_socket
	inherits socket

	#
	# Define the access vector interpretation for process-related objects
	#

	class process
	{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit
	}

	class process2
	{
	nnp_transition
	nosuid_transition
	}

	#
	# Define the access vector interpretation for ipc-related objects
	#

	class ipc
	inherits ipc

	class sem
	inherits ipc

	class msgq
	inherits ipc
	{
	enqueue
	}

	class msg
	{
	send
	receive
	}

	class shm
	inherits ipc
	{
	lock
	}


	#
	# Define the access vector interpretation for the security server.
	#

	class security
	{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
	validate_trans
	}


	#
	# Define the access vector interpretation for system operations.
	#

	class system
	{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
	}

	#
	# Define the access vector interpretation for controlling capabilities
	#

	class capability
	inherits cap

	class capability2
	inherits cap2

	#
	# Extended Netlink classes
	#
	class netlink_route_socket
	inherits socket
	{
	nlmsg_read
	nlmsg_write
	nlmsg_readpriv
	nlmsg_getneigh
	}

	class netlink_tcpdiag_socket
	inherits socket
	{
	nlmsg_read
	nlmsg_write
	}

	class netlink_nflog_socket
	inherits socket

	class netlink_xfrm_socket
	inherits socket
	{
	nlmsg_read
	nlmsg_write
	}

	class netlink_selinux_socket
	inherits socket

	class netlink_audit_socket
	inherits socket
	{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
	}

	class netlink_dnrt_socket
	inherits socket

	# Define the access vector interpretation for controlling
	# access to IPSec network data by association
	#
	class association
	{
	sendto
	recvfrom
	setcontext
	polmatch
	}

	# Updated Netlink class for KOBJECT_UEVENT family.
	class netlink_kobject_uevent_socket
	inherits socket

	class appletalk_socket
	inherits socket

	class packet
	{
	send
	recv
	relabelto
	forward_in
	forward_out
	}

	class key
	{
	view
	read
	write
	search
	link
	setattr
	create
	}

	class dccp_socket
	inherits socket
	{
	node_bind
	name_connect
	}

	class memprotect
	{
	mmap_zero
	}

	# network peer labels
	class peer
	{
	recv
	}

	class kernel_service
	{
	use_as_override
	create_files_as
	}

	class tun_socket
	inherits socket
	{
	attach_queue
	}

	class binder
	{
	impersonate
	call
	set_context_mgr
	transfer
	}

	class netlink_iscsi_socket
	inherits socket

	class netlink_fib_lookup_socket
	inherits socket

	class netlink_connector_socket
	inherits socket

	class netlink_netfilter_socket
	inherits socket

	class netlink_generic_socket
	inherits socket

	class netlink_scsitransport_socket
	inherits socket

	class netlink_rdma_socket
	inherits socket

	class netlink_crypto_socket
	inherits socket

	class infiniband_pkey
	{
	access
	}

	class infiniband_endport
	{
	manage_subnet
	}

	#
	# Define the access vector interpretation for controlling capabilities
	# in user namespaces
	#

	class cap_userns
	inherits cap

	class cap2_userns
	inherits cap2


	#
	# Define the access vector interpretation for the new socket classes
	# enabled by the extended_socket_class policy capability.
	#

	#
	# The next two classes were previously mapped to rawip_socket and therefore
	# have the same definition as rawip_socket (until further permissions
	# are defined).
	#
	class sctp_socket
	inherits socket
	{
	node_bind
	name_connect
	association
	}

	class icmp_socket
	inherits socket
	{
	node_bind
	}

	#
	# The remaining network socket classes were previously
	# mapped to the socket class and therefore have the
	# same definition as socket.
	#

	class ax25_socket
	inherits socket

	class ipx_socket
	inherits socket

	class netrom_socket
	inherits socket

	class atmpvc_socket
	inherits socket

	class x25_socket
	inherits socket

	class rose_socket
	inherits socket

	class decnet_socket
	inherits socket

	class atmsvc_socket
	inherits socket

	class rds_socket
	inherits socket

	class irda_socket
	inherits socket

	class pppox_socket
	inherits socket

	class llc_socket
	inherits socket

	class can_socket
	inherits socket

	class tipc_socket
	inherits socket

	class bluetooth_socket
	inherits socket

	class iucv_socket
	inherits socket

	class rxrpc_socket
	inherits socket

	class isdn_socket
	inherits socket

	class phonet_socket
	inherits socket

	class ieee802154_socket
	inherits socket

	class caif_socket
	inherits socket

	class alg_socket
	inherits socket

	class nfc_socket
	inherits socket

	class vsock_socket
	inherits socket

	class kcm_socket
	inherits socket

	class qipcrtr_socket
	inherits socket

	class smc_socket
	inherits socket

	class bpf
	{
	map_create
	map_read
	map_write
	prog_load
	prog_run
	}

	class property_service
	{
	set
	}

	class service_manager
	{
	add
	find
	list
	}

	class hwservice_manager
	{
	add
	find
	list
	}

	class keystore_key
	{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
	gen_unique_id
	}

	class keystore2
	{
	add_auth
	change_password
	change_user
	clear_ns
	clear_uid
	delete_all_keys
	early_boot_ended
	get_attestation_key
	get_auth_token
	get_last_auth_time
	get_state
	list
	lock
	pull_metrics
	report_off_body
	reset
	unlock
	}

	class keystore2_key
	{
	convert_storage_key_to_ephemeral
	delete
	gen_unique_id
	get_info
	grant
	manage_blob
	rebind
	req_forced_op
	update
	use
	use_dev_id
	}

	class diced
	{
	demote
	demote_self
	derive
	get_attestation_chain
	use_seal
	use_sign
	}

	class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
	}

	class xdp_socket
	inherits socket

	class perf_event
	{
	open
	cpu
	kernel
	tracepoint
	read
	write
	}

	class lockdown
	{
	integrity
	confidentiality
	}

	class io_uring
	{
	override_creds
	sqpoll
	cmd
	}