author | Stephen Smalley <sds@tycho.nsa.gov> | 2012-01-04 12:33:27 -0500 |
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2012-01-04 12:33:27 -0500 |
commit | 2dd4e51d5c2a2dfc0bfdee9303269f5a665f6e35 (patch) | |
tree | 70cf7ff792b5f782a2963f87c873b7a7ae926af4 /access_vectors | |
SE Android policy.
Diffstat (limited to 'access_vectors')
-rw-r--r-- | access_vectors | 882 |
1 files changed, 882 insertions, 0 deletions
diff --git a/access_vectors b/access_vectors
new file mode 100644
index 0000000..90927e7
--- /dev/null
+++ b/access_vectors
@@ -0,0 +1,882 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+ create
+ drop
+ getattr
+ setattr
+ relabelfrom
+ relabelto
+}
+
+#
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+ getattr
+ setattr
+ use
+ read
+ write
+ getfocus
+ setfocus
+ bell
+ force_cursor
+ freeze
+ grab
+ manage
+ list_property
+ get_property
+ set_property
+ add
+ remove
+ create
+ destroy
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+ open
+ audit_access
+ execmod
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class lnk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class blk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class sock_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fifo_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+ dccp_recv
+ dccp_send
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ dccp_recv
+ dccp_send
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the capability2 class.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+class capability2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+}
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+ passwd # change another user passwd
+ chfn # change another user finger info
+ chsh # change another user shell
+ rootok # pam_rootok check (skip auth)
+ crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class x_drawable
+{
+ create
+ destroy
+ read
+ write
+ blend
+ getattr
+ setattr
+ list_child
+ add_child
+ remove_child
+ list_property
+ get_property
+ set_property
+ manage
+ override
+ show
+ hide
+ send
+ receive
+}
+
+class x_screen
+{
+ getattr
+ setattr
+ hide_cursor
+ show_cursor
+ saver_getattr
+ saver_setattr
+ saver_hide
+ saver_show
+}
+
+class x_gc
+{
+ create
+ destroy
+ getattr
+ setattr
+ use
+}
+
+class x_font
+{
+ create
+ destroy
+ getattr
+ add_glyph
+ remove_glyph
+ use
+}
+
+class x_colormap
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ add_color
+ remove_color
+ install
+ uninstall
+ use
+}
+
+class x_property
+{
+ create
+ destroy
+ read
+ write
+ append
+ getattr
+ setattr
+}
+
+class x_selection
+{
+ read
+ write
+ getattr
+ setattr
+}
+
+class x_cursor
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ setattr
+ use
+}
+
+class x_client
+{
+ destroy
+ getattr
+ setattr
+ manage
+}
+
+class x_device
+inherits x_device
+
+class x_server
+{
+ getattr
+ setattr
+ record
+ debug
+ grab
+ manage
+}
+
+class x_extension
+{
+ query
+ use
+}
+
+class x_resource
+{
+ read
+ write
+}
+
+class x_event
+{
+ send
+ receive
+}
+
+class x_synthetic_event
+{
+ send
+ receive
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+ acquire_svc
+ send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+ getpwd
+ getgrp
+ gethost
+ getstat
+ admin
+ shmempwd
+ shmemgrp
+ shmemhost
+ getserv
+ shmemserv
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ flow_in # deprecated
+ flow_out # deprecated
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class context
+{
+ translate
+ contains
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+class db_database
+inherits database
+{
+ access
+ install_module
+ load_module
+ get_param # deprecated
+ set_param # deprecated
+}
+
+class db_table
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+ delete
+ lock
+}
+
+class db_procedure
+inherits database
+{
+ execute
+ entrypoint
+ install
+}
+
+class db_column
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+}
+
+class db_tuple
+{
+ relabelfrom
+ relabelto
+ use # deprecated
+ select
+ update
+ insert
+ delete
+}
+
+class db_blob
+inherits database
+{
+ read
+ write
+ import
+ export
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class x_application_data
+{
+ paste
+ paste_after_confirm
+ copy
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
+
+class db_schema
+inherits database
+{
+ search
+ add_name
+ remove_name
+}
+
+class db_view
+inherits database
+{
+ expand
+}
+
+class db_sequence
+inherits database
+{
+ get_value
+ next_value
+ set_value
+}
+
+class db_language
+inherits database
+{
+ implement
+ execute
+}
+
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+ receive
+}
+
+class zygote
+{
+ specifyids
+ specifyrlimits
+ specifycapabilities
+ specifyinvokewith
+ specifyseinfo
+}
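Review bot: The two Android-specific classes at the end of the hunk, `binder` and `zygote`, are the only class groups in the file introduced without a section header, so a reader cannot tell which object manager enforces them or what the five `specify*` permissions gate. Every other group carries a `# Define the access vector interpretation for ...` comment, and the `capability` class even records that its permission order must match include/linux/capability.h; the new classes deserve the same, e.g. `# Define the access vector interpretation for the Android Binder IPC driver.` before `class binder` and `# Define the access vector interpretation for the Zygote process spawner (userspace object manager).` before `class zygote`. Because these classes are new to this tree rather than inherited from the upstream definitions above, a one-line comment naming where each permission is checked (kernel driver versus userspace) would also help keep the policy and the enforcement point in sync as either evolves. Separately, the `capability` section header reads `controling capabilies` and should be `controlling capabilities`.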