1##################################### 2# domain_trans(olddomain, type, newdomain) 3# Allow a transition from olddomain to newdomain 4# upon executing a file labeled with type. 5# This only allows the transition; it does not 6# cause it to occur automatically - use domain_auto_trans 7# if that is what you want. 8# 9define(`domain_trans', ` 10# Old domain may exec the file and transition to the new domain. 11allow $1 $2:file { getattr open read execute }; 12allow $1 $3:process transition; 13# New domain is entered by executing the file. 14allow $3 $2:file { entrypoint read execute }; 15# New domain can send SIGCHLD to its caller. 16allow $3 $1:process sigchld; 17# Enable AT_SECURE, i.e. libc secure mode. 18dontaudit $1 $3:process noatsecure; 19# XXX dontaudit candidate but requires further study. 20allow $1 $3:process { siginh rlimitinh }; 21') 22 23##################################### 24# domain_auto_trans(olddomain, type, newdomain) 25# Automatically transition from olddomain to newdomain 26# upon executing a file labeled with type. 27# 28define(`domain_auto_trans', ` 29# Allow the necessary permissions. 30domain_trans($1,$2,$3) 31# Make the transition occur by default. 32type_transition $1 $2:process $3; 33') 34 35##################################### 36# file_type_trans(domain, dir_type, file_type) 37# Allow domain to create a file labeled file_type in a 38# directory labeled dir_type. 39# This only allows the transition; it does not 40# cause it to occur automatically - use file_type_auto_trans 41# if that is what you want. 42# 43define(`file_type_trans', ` 44# Allow the domain to add entries to the directory. 45allow $1 $2:dir ra_dir_perms; 46# Allow the domain to create the file. 47allow $1 $3:notdevfile_class_set create_file_perms; 48allow $1 $3:dir create_dir_perms; 49') 50 51##################################### 52# file_type_auto_trans(domain, dir_type, file_type) 53# Automatically label new files with file_type when 54# they are created by domain in directories labeled dir_type. 55# 56define(`file_type_auto_trans', ` 57# Allow the necessary permissions. 58file_type_trans($1, $2, $3) 59# Make the transition occur by default. 60type_transition $1 $2:dir $3; 61type_transition $1 $2:notdevfile_class_set $3; 62') 63 64##################################### 65# r_dir_file(domain, type) 66# Allow the specified domain to read directories, files 67# and symbolic links of the specified type. 68define(`r_dir_file', ` 69allow $1 $2:dir r_dir_perms; 70allow $1 $2:{ file lnk_file } r_file_perms; 71') 72 73##################################### 74# unconfined_domain(domain) 75# Allow the specified domain to do anything. 76# 77define(`unconfined_domain', ` 78typeattribute $1 mlstrustedsubject; 79typeattribute $1 unconfineddomain; 80') 81 82##################################### 83# tmpfs_domain(domain) 84# Define and allow access to a unique type for 85# this domain when creating tmpfs / shmem / ashmem files. 86define(`tmpfs_domain', ` 87type $1_tmpfs, file_type; 88type_transition $1 tmpfs:file $1_tmpfs; 89# Map with PROT_EXEC. 90allow $1 $1_tmpfs:file { read execute execmod }; 91') 92 93##################################### 94# init_daemon_domain(domain) 95# Set up a transition from init to the daemon domain 96# upon executing its binary. 97define(`init_daemon_domain', ` 98domain_auto_trans(init, $1_exec, $1) 99tmpfs_domain($1) 100') 101 102##################################### 103# app_domain(domain) 104# Allow a base set of permissions required for all apps. 105define(`app_domain', ` 106typeattribute $1 appdomain; 107# Label ashmem objects with our own unique type. 108tmpfs_domain($1) 109') 110 111##################################### 112# net_domain(domain) 113# Allow a base set of permissions required for network access. 114define(`net_domain', ` 115typeattribute $1 netdomain; 116') 117 118##################################### 119# bluetooth_domain(domain) 120# Allow a base set of permissions required for bluetooth access. 121define(`bluetooth_domain', ` 122typeattribute $1 bluetoothdomain; 123') 124 125##################################### 126# unix_socket_connect(clientdomain, socket, serverdomain) 127# Allow a local socket connection from clientdomain via 128# socket to serverdomain. 129define(`unix_socket_connect', ` 130allow $1 $2_socket:sock_file write; 131allow $1 $3:unix_stream_socket connectto; 132') 133 134##################################### 135# unix_socket_send(clientdomain, socket, serverdomain) 136# Allow a local socket send from clientdomain via 137# socket to serverdomain. 138define(`unix_socket_send', ` 139allow $1 $2_socket:sock_file write; 140allow $1 $3:unix_dgram_socket sendto; 141') 142 143##################################### 144# binder_use(domain) 145# Allow domain to use Binder IPC. 146define(`binder_use', ` 147# Get Binder references from the servicemanager. 148allow $1 servicemanager:binder call; 149# Transfer and receive own Binder references. 150allow $1 self:binder { transfer receive }; 151# Map /dev/ashmem with PROT_EXEC. 152allow $1 ashmem_device:chr_file execute; 153# rw access to /dev/binder and /dev/ashmem is presently granted to 154# all domains in domain.te. 155') 156 157##################################### 158# binder_call(clientdomain, serverdomain) 159# Allow clientdomain to perform binder IPC to serverdomain. 160define(`binder_call', ` 161# First we receive a Binder ref to the server, then we call it. 162allow $1 $2:binder { receive call }; 163# Receive and use open files from the server. 164allow $1 $2:fd use; 165') 166 167##################################### 168# binder_transfer(clientdomain, serverdomain) 169# Allow clientdomain to transfer Binder references created by serverdomain. 170define(`binder_transfer', ` 171allow $1 $2:binder transfer; 172') 173 174##################################### 175# binder_service(domain) 176# Mark a domain as being a Binder service domain. 177# Used to allow binder IPC to the various system services. 178define(`binder_service', ` 179typeattribute $1 binderservicedomain; 180') 181 182##################################### 183# selinux_check_access(domain) 184# Allow domain to check SELinux permissions via selinuxfs. 185define(`selinux_check_access', ` 186allow $1 selinuxfs:dir r_dir_perms; 187allow $1 selinuxfs:file rw_file_perms; 188allow $1 kernel:security compute_av; 189allow $1 self:netlink_selinux_socket *; 190') 191 192##################################### 193# selinux_check_context(domain) 194# Allow domain to check SELinux contexts via selinuxfs. 195define(`selinux_check_context', ` 196allow $1 selinuxfs:dir r_dir_perms; 197allow $1 selinuxfs:file rw_file_perms; 198allow $1 kernel:security check_context; 199') 200 201##################################### 202# selinux_getenforce(domain) 203# Allow domain to check whether SELinux is enforcing. 204define(`selinux_getenforce', ` 205allow $1 selinuxfs:dir r_dir_perms; 206allow $1 selinuxfs:file r_file_perms; 207') 208 209##################################### 210# selinux_setenforce(domain) 211# Allow domain to set SELinux to enforcing. 212define(`selinux_setenforce', ` 213allow $1 selinuxfs:dir r_dir_perms; 214allow $1 selinuxfs:file rw_file_perms; 215allow $1 kernel:security setenforce; 216') 217 218##################################### 219# selinux_setbool(domain) 220# Allow domain to set SELinux booleans. 221define(`selinux_setbool', ` 222allow $1 selinuxfs:dir r_dir_perms; 223allow $1 selinuxfs:file rw_file_perms; 224allow $1 kernel:security setbool; 225') 226