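# FLASK

#
# Define the security object classes.
#
# Each class statement in this section only declares a class name. The
# permissions that belong to a class are listed in the access vector
# section further down in this file. The policy compiler numbers classes
# in declaration order, so do not reorder these lines.
#

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc
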
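# FLASK
# FLASK

#
# Define initial security identifiers.
#
# kernel is the only initial SID declared here. Its security context is
# assigned by the sid kernel statement in the initial_sid_contexts
# section of this file.
#

sid kernel

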
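# FLASK
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#
# These permissions are shared by every class below that declares
# inherits file: dir, file, lnk_file, chr_file, blk_file, sock_file and
# fifo_file.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}

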
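#
# Define a common prefix for socket access vectors.
#
# Shared by every class below that declares inherits socket: socket,
# tcp_socket, udp_socket, rawip_socket, netlink_socket, packet_socket,
# key_socket, unix_stream_socket and unix_dgram_socket.
#

common socket
{
# inherited from file
# (these names are repeated here; a common cannot itself inherit)
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}
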
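#
# Define a common prefix for ipc access vectors.
#
# Shared by the ipc, sem, msgq and shm classes below. The msg class does
# not inherit it and lists its own permissions.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}
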
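#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# A class that inherits a common gets all permissions of that common plus
# any class-specific permissions listed in its own braces.


#
# Define the access vector interpretation for file-related objects.
#

# filesystem does not inherit the file common; it has its own permissions.
class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

# In the statement below the first file is the class name and the second
# file is the common defined above.
class file
inherits file
{
	execute_no_trans	# execute without leaving the caller domain
	entrypoint		# file may serve as the entry point of a domain transition
}

# The remaining file-like classes add nothing to the file common.
class lnk_file
inherits file

class chr_file
inherits file

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

# fd has a single permission and inherits no common.
class fd
{
	use
}

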
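#
# Define the access vector interpretation for network-related objects.
#
# All socket classes inherit the socket common. node and netif are not
# sockets and list their own per-protocol send and receive permissions.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class udp_socket
inherits socket

class rawip_socket
inherits socket

class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
}

# Same permission set as node, without enforce_dest.
class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

# Carries the same three connection permissions as tcp_socket.
class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket

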
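#
# Define the access vector interpretation for process-related objects
#
# The process class inherits no common. When reviewing rules written
# against this class, transition, ptrace, setcap and share warrant the
# closest look because they let one domain change or reach into another.
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal  # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
}

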
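#
# Define the access vector interpretation for ipc-related objects
#
# ipc, sem, msgq and shm inherit the ipc common. msg is the exception: it
# has only send and receive.
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

# No inherits clause here, so none of the ipc common permissions apply.
class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}

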
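#
# Define the access vector interpretation for the security server.
#
# These permissions gate requests made to the security server itself.
# load_policy in particular should be granted to as few domains as
# possible in any policy built on this class.
#

class security
{
	compute_av
	transition_sid
	member_sid
	sid_to_context
	context_to_sid
	load_policy
	get_sids
	change_sid
	get_user_sids
}

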
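#
# Define the access vector interpretation for system operations.
#
# The system class inherits no common; every permission is listed here.
#

class system
{
	ipc_info
	avc_toggle
	nfsd_control
	bdflush
	syslog_read
	syslog_mod
	syslog_console
	ichsid
}
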
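#
# Define the access vector interpretation for controlling capabilities
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# Each permission position stands for one capability number, so
	# inserting, removing or reordering a name would silently map
	# rules onto a different capability.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
}
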
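#
# MLS declarations. The quoted body of the conditional below is emitted
# only when the enable_mls macro is defined at build time. Comments placed
# inside the quoted body must not contain quote characters, because the
# macro processor would treat them as the end of the quoted text.
#
ifdef(`enable_mls',`
# A single sensitivity level is declared.
sensitivity s0;

#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 }


#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;

# Sensitivity s0 may be combined with any of the 24 categories.
level s0:c0.c23;

# For the file permissions listed, the high level of the source (h1)
# must dominate the high level of the target (h2).
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
	( h1 dom h2 );
')
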
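####################################
####################################
#####################################

#g_b stands for global base

# One type shared by three roles, plus a second type that is referenced
# only by the role_transition inside the optional block.
type g_b_type_1;
role g_b_role_1 types g_b_type_1;

role g_b_role_2 types g_b_type_1;
role g_b_role_3 types g_b_type_1;
type g_b_type_2;

# NOTE(review): invalid_type is not declared anywhere in this file, so
# this optional block presumably stays disabled and the role allow and
# role_transition below never take effect. Confirm against the test that
# loads this policy before relying on either rule.
optional {
	require {
		type invalid_type;
	}
	allow g_b_role_2 g_b_role_3;
	role_transition g_b_role_2 g_b_type_2 g_b_role_3;
}


# gen_user is a macro supplied by the build and is not defined in this
# file. The arguments give the user name, an empty prefix, the role, the
# default level s0 and the range s0 - s0:c0.c23.
gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
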
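####################################
#line 1 "initial_sid_contexts"

# Context for the kernel initial SID declared earlier in this file.
# gen_context is a build-supplied macro; the second argument is the level.
sid kernel	gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)

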
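############################################
#line 1 "fs_use"
#
# Filesystem labeling rules. ext2, ext3 and reiserfs take labels from
# extended attributes, with the context below given on each rule. proc is
# labeled through genfscon. object_r is not declared in this file; the
# policy compiler is expected to provide it.
#
fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);


genfscon proc /				gen_context(g_b_user_1:object_r:g_b_type_1, s0)

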
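####################################
#line 1 "net_contexts"

# The portcon, netifcon and IPv4 nodecon examples below are commented out.
# They reference net_foo_t, which is not declared in this file.

#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0

#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0

#
#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0

# NOTE(review): the address ::1 has a bit set outside the 64-bit mask
# given here, so this entry is not an exact loopback host match. A host
# entry would normally use an all-ones mask. Confirm whether the fixture
# relies on the current form before changing it.
nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(g_b_user_1:object_r:g_b_type_1, s0)
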