# FLASK
# Kernel policy source in policy.conf syntax, pre-processed with m4 before it
# is handed to the policy compiler. The sections appear in the order the
# compiler requires: security classes, initial SIDs, access vectors, MLS,
# TE rules, users, and finally labeling statements (SID contexts, fs_use,
# genfscon, net contexts).
# The "# FLASK" markers are the boundaries of the flask fragment files
# (security_classes, initial_sids, access_vectors) that appear to have been
# concatenated to build this file.

#
# Define the security object classes.
#
# Declaration order is significant: it fixes the numeric class values in the
# compiled policy, so existing entries must not be reordered and new classes
# are only ever appended.
#

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class msg
class msgq
class shm
class ipc

# FLASK
# FLASK

#
# Define initial security identifiers.
#
# Only the kernel SID is declared here; its security context is assigned in
# the initial_sid_contexts section near the end of the file.
#

sid kernel


# FLASK
#
# Define common prefixes for access vectors.
#
# common common_name { permission_name ... }
#
# The order of permissions inside a common or class block fixes the bit
# position of each permission in the compiled access vector, so it must not
# be changed either.


#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# same names as the first ten permissions of common file; the common syntax
# above has no inherits clause, so they are repeated here rather than shared
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# A class with no braces carries exactly the permissions of the common it
# inherits; braces add class-specific permissions after the inherited ones.


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

# execute_no_trans and entrypoint are the permissions that conventionally
# govern what happens on execve; entrypoint is granted in the TE rules below.
class file
inherits file
{
	execute_no_trans
	entrypoint
}

class lnk_file
inherits file

class chr_file
inherits file

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class udp_socket
inherits socket

class rawip_socket
inherits socket

# node carries one more permission (enforce_dest) than netif; the two lists
# are otherwise identical.
class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
}

class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket


#
# Define the access vector interpretation for process-related objects.
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0), i.e. existence checks
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
}


#
# Define the access vector interpretation for ipc-related objects.
#

class ipc
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

# msg does not inherit the ipc common; it has the single permission send.
class msg
{
	send
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#
# These permissions control access to the security server itself. By its
# name, load_policy is the one that should be held only by the domain that
# installs policy; confirm against the kernel hooks before relying on that.
#

class security
{
	compute_av
	transition_sid
	member_sid
	sid_to_context
	context_to_sid
	load_policy
	get_sids
	change_sid
	get_user_sids
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	avc_toggle
	nfsd_control
	bdflush
	syslog_read
	syslog_mod
	syslog_console
	ichsid
}

#
# Define the access vector interpretation for controlling capabilities.
#

class capability
{
	# The capabilities are defined in include/linux/capability.h.
	# Care should be taken to ensure that these are consistent with
	# those definitions: the position of each name here must equal the
	# CAP_* value it stands for (order matters). Capabilities beyond
	# lease are not declared and therefore cannot be granted by this
	# policy.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
}

ifdef(`enable_mls',`
# MLS definitions, only included when the m4 symbol enable_mls is defined.
sensitivity s0;

#
# Define the ordering of the sensitivity levels (least to greatest).
# A single sensitivity is declared, so every context has sensitivity s0 and
# dominance between levels is decided by category sets alone.
#
dominance { s0 }


#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;

# The only declared level: s0 with all 24 categories available.
level s0:c0.c23;

# Test constraint only. The listed file permissions are allowed when the
# subject high level dominates the object high level (h1 dom h2). This is
# not a Bell-LaPadula confidentiality rule: it permits writing to objects
# with fewer categories, places no constraint on read, and never consults the
# low (effective) levels l1 and l2.
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
	( h1 dom h2 );
')

####################################
####################################
#####################################
# TE RULES
#
# Type-enforcement declarations. The attribute named system coexists with
# the class named system above; classes and attributes are separate
# namespaces. Attributes num and num_exec are declared but no type below
# carries them.
attribute domain;
attribute system;
attribute foo;
attribute num;
attribute num_exec;
attribute files;

type net_foo_t, foo;
# sys_foo_t serves both as a process type (the kernel SID context, authorized
# for role system_r) and as the label of /proc via the genfscon rule below.
type sys_foo_t, foo, system;
role system_r types sys_foo_t;

type user_t, domain;
role user_r types user_t;

type sysadm_t, domain, system;
role sysadm_r types sysadm_t;

type system_t, domain, system, foo;
# Second role statement for system_r; type sets accumulate, so system_r ends
# up authorized for both system_t and sys_foo_t.
role system_r types { system_t sys_foo_t };

# file_t carries no attribute and is not referenced by any rule in this file.
type file_t;
type file_exec_t, files;
type fs_t;
type base_optional_1;
type base_optional_2;

# NOTE(review): write is granted together with execute and entrypoint on the
# same type, so sysadm_t may modify the very files it can be entered through.
# Acceptable in a test fixture; in a production policy the executable types a
# domain runs are kept read-only to that domain.
allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };

# Optional block inside a monolithic policy. Both required types are declared
# above, so the block is always satisfied; it appears to exist to exercise
# the optional/require handling of the compiler.
optional {
	require {
		type base_optional_1, base_optional_2;
	}
	allow base_optional_1 base_optional_2 : file { read write };
}

#####################################
# Role Allow
# Permits a role change from user_r to sysadm_r. No process transition rules
# (allow ... process transition, type_transition) exist anywhere in this
# file, so on its own this does not let user_t reach sysadm_t; it would
# become significant as soon as such rules were added.
allow user_r sysadm_r;

####################################
# Booleans
# Declarations only: this file contains no conditional (if) blocks, so the
# values below have no effect on the rules compiled from it. Note that
# allow_execmem and allow_execstack default to true.
bool allow_ypbind true;
bool secure_mode false;
bool allow_execheap false;
bool allow_execmem true;
bool allow_execmod false;
bool allow_execstack true;
bool optional_bool_1 true;
bool optional_bool_2 false;

#####################################
# users
# gen_user is an m4 macro defined outside this file; its arguments are
# presumably (username, prefix, roles, default level, range) as in the
# reference policy - verify against the macro definition. root is
# authorized for sysadm_r in addition to user_r, and every user receives the
# full range s0 - s0:c0.c23.
gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
gen_user(joe,, user_r, s0, s0 - s0:c0.c23)

#####################################
# constraints
# (none: this policy defines no constrain statements)


####################################
#line 1 "initial_sid_contexts"
# Line markers of this form appear to be left over from the fragment files
# that were concatenated to produce this policy.

# Context of the kernel initial SID: the kernel runs as sys_foo_t. gen_context
# is an external m4 macro that presumably appends the MLS level only when
# enable_mls is defined.
sid kernel gen_context(system_u:system_r:sys_foo_t, s0)


############################################
#line 1 "fs_use"
#
# Filesystems whose labels are stored in extended attributes.
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);


# All of proc is labeled sys_foo_t, the same type the kernel process itself
# runs as (see sid kernel above).
genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0)


####################################
#line 1 "net_contexts"
# The portcon, netifcon and IPv4 nodecon examples below are left disabled.

#portcon tcp 21 system_u:object_r:net_foo_t:s0

#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0

#
#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0

# NOTE(review): the mask covers only the upper 64 bits, so this rule matches
# every address in ::/64 (which also contains the IPv4-mapped ::ffff:0:0/96
# range), not just ::1. A loopback-only rule needs the full 128-bit mask
# FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF.
nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:net_foo_t, s0)