1#
2# Define common prefixes for access vectors
3#
4# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
# Permission set shared by every file-like class below ("class X inherits file").
# Each inheriting class lists only its own additional permissions. Keep new
# permissions at the end of the list.
common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom	# relabelfrom/relabelto change the object's own security label; treat as privileged
	relabelto
	append
	map
	unlink
	link
	rename
	execute
	quotaon
	mounton
	audit_access
	open
	execmod		# NOTE(review): conventionally lets a modified (written) file mapping be executed; with execute it weakens W^X
	watch
	watch_mount
	watch_sb
	watch_with_perm	# NOTE(review): presumably fanotify permission events, i.e. the watcher can block or delay other domains' access; grant narrowly
	watch_reads
}
39
40
41#
42# Define a common prefix for socket access vectors.
43#
44
# Permission set shared by all *_socket classes via "inherits socket".
common socket
{
# same names as the first eleven permissions of the file common; the
# "common" grammar has no inherits clause, so they are repeated here
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind	# bind to a labelled port/name type (the per-port check, as opposed to node_bind for the address)
}
71
72#
73# Define a common prefix for ipc access vectors.
74#
75
# Permission set shared by the SysV IPC classes (ipc, sem, msgq, shm) via
# "inherits ipc".
common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read	# NOTE(review): unix_read/unix_write presumably mirror the IPC mode-bit checks; confirm against the kernel ipc hooks
	unix_write
}
88
89#
# Define a common prefix for capability access vectors.
91#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# The position in this list corresponds to the kernel capability
	# number (chown = 0 ... setfcap = 31, hence the split at 32 entries),
	# so entries must never be reordered or removed; only append, in
	# kernel order.
	#
	# NOTE(review): several of these are root-equivalent on their own
	# (sys_admin, sys_module, sys_rawio, sys_ptrace, dac_override,
	# setuid/setgid/setpcap, setfcap, mknod). Rules granting them deserve
	# the same scrutiny as an unconfined domain.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}
132
# Capabilities 32 and up, continuing the numbering of the cap common
# (mac_override = 32 ... perfmon = 38). Same rule: append only, in kernel
# order, never reorder.
# TODO(review): check against the target kernel's capability.h; any
# capability it defines after perfmon is missing here and must be appended.
common cap2
{
	mac_override	# unused by SELinux
	mac_admin
	syslog
	wake_alarm
	block_suspend
	audit_read
	perfmon
}
143
144#
145# Define the access vectors.
146#
147# class class_name [ inherits common_name ] { permission_name ... }
148
149
150#
151# Define the access vector interpretation for file-related objects.
152#
153
# Whole-filesystem operations (mount/unmount/quota); "associate" is the
# check that a file type may live on this filesystem type.
class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
	watch
}

# Every file-like class below shares the "file" common and lists only its
# own extras.
class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

class file
inherits file
{
	execute_no_trans	# execute without a domain transition: the caller keeps its own domain
	entrypoint		# the file may serve as the entry point of a domain transition
}

class anon_inode
inherits file

class lnk_file
inherits file

# chr_file carries the same two extras as class file, so character devices
# can be execute targets and entry points too.
class chr_file
inherits file
{
	execute_no_trans
	entrypoint
}

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

# File descriptors have a single permission: "use" governs whether a
# descriptor inherited from or passed by another domain may be used.
class fd
{
	use
}
211
212
213#
214# Define the access vector interpretation for network-related objects.
215#
216
class socket
inherits socket

class tcp_socket
inherits socket
{
	node_bind
	name_connect	# connect to a labelled port type; the client-side counterpart of name_bind
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

# node and netif are not sockets: they are the address and interface
# objects consulted for per-peer and per-interface traffic checks.
class node
{
	recvfrom
	sendto
}

class netif
{
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto	# connect to another domain's listening stream socket (checked against the server socket's label)
}

class unix_dgram_socket
inherits socket
268
269#
270# Define the access vector interpretation for process-related objects
271#
272
class process
{
	fork
	transition	# change domain on exec (pairs with file entrypoint/execute on the image)
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal  # all other signals
	ptrace		# NOTE(review): full control of the target's memory and registers; effectively grants the target's privileges
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec		# setexec/setfscreate/setkeycreate/setsockcreate: set the context used for the domain's next exec / file / key / socket creation
	setfscreate
	noatsecure	# NOTE(review): presumably lets the transition skip AT_SECURE (secure-exec) handling in the new image; avoid for untrusted callers
	siginh
	setrlimit
	rlimitinh
	dyntransition	# NOTE(review): domain change without exec, keeping the old address space; both domains must trust each other
	setcurrent
	execmem		# execmem/execstack/execheap: anonymous, stack and heap memory that is writable and executable at once (W^X exceptions); grant sparingly
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit
}

# Second process class, presumably because an access vector holds at most
# 32 permissions (compare the cap/cap2 split above).
class process2
{
	nnp_transition		# NOTE(review): allow a domain transition despite no_new_privs, which otherwise refuses transitions
	nosuid_transition	# NOTE(review): allow a domain transition from an image on a nosuid mount
}
313
314#
315# Define the access vector interpretation for ipc-related objects
316#
317
class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

# Individual queued messages carry their own label, distinct from the queue.
class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}
341
342
343#
344# Define the access vector interpretation for the security server.
345#
346
# Operations on the security server itself. NOTE(review): by name,
# load_policy, setenforce, setbool and setcheckreqprot change or disable
# enforcement for the whole system; they belong to the policy-management
# domain only, and any other allow rule for them is a finding.
class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy	# replace the running policy
	compute_relabel
	compute_user
	setenforce     # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy	# read back the loaded binary policy
	validate_trans
}
363
364
365#
366# Define the access vector interpretation for system operations.
367#
368
class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request	# presumably kernel-initiated module autoload triggered on behalf of the domain
	module_load	# NOTE(review): loading a kernel module is arbitrary kernel-code execution; confine to the module loader domain
}
378
379#
380# Define the access vector interpretation for controlling capabilities
381#
382
# Capability checks using the cap/cap2 commons. The cap_userns/cap2_userns
# classes further below cover capabilities asserted inside a user namespace.
class capability
inherits cap

class capability2
inherits cap2
388
389#
390# Extended Netlink classes
391#
# The nlmsg_* permissions split netlink requests into read-type and
# write-type (configuration) messages; nlmsg_readpriv covers reads the
# kernel treats as privileged. The message-to-permission mapping lives in
# the kernel's netlink permission tables, not here.
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write	# NOTE(review): route configuration writes are net_admin-equivalent in effect
	nlmsg_readpriv
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write	# NOTE(review): xfrm writes install or replace IPsec policies and keys
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay		# presumably user-space audit records relayed through the kernel
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_dnrt_socket
inherits socket
432
#
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext	# set the label on a security association (presumably the xfrm SA context)
	polmatch	# the domain's traffic may match an IPsec policy of this label
}
443
444# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

# Labelled network packets (presumably secmark); forward_in/forward_out
# cover traffic that is forwarded rather than delivered locally.
class packet
{
	send
	recv
	relabelto
	forward_in
	forward_out
}

# Kernel keyring keys. "search" and "link" let a domain reach or retain
# keys it did not create; "setattr" covers ownership/permission changes.
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

# mmap_zero: map the lowest pages of the address space (the region
# mmap_min_addr normally protects). NOTE(review): this is what turns a
# kernel NULL-pointer dereference into an exploitable primitive; it should
# stay denied for every domain, and any allow rule for it is a red flag.
class memprotect
{
	mmap_zero
}

# network peer labels
class peer
{
	recv
}

# Kernel-internal services acting on behalf of a domain: use_as_override
# lets the service adopt another context for a request, create_files_as
# lets it create files labelled as that context (presumably; confirm
# against the kernel hooks).
class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket
{
	attach_queue	# attach to an existing multi-queue TUN/TAP device (presumably; confirm against the tun hook)
}

# Android binder IPC. NOTE(review): set_context_mgr is the right to become
# the context manager that every other binder client resolves names
# through; it must be held by exactly one (service manager) domain.
# impersonate and transfer move credentials or handles across domains and
# are likewise sensitive.
class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket

# InfiniBand: partition-key access and subnet management on an end port.
class infiniband_pkey
{
	access
}

class infiniband_endport
{
	manage_subnet
}
542
543#
544# Define the access vector interpretation for controlling capabilities
545# in user namespaces
546#
547
# Same cap/cap2 commons (same ordering rules apply), checked when a
# capability is asserted inside a user namespace rather than the initial one.
class cap_userns
inherits cap

class cap2_userns
inherits cap2
553
554
555#
556# Define the access vector interpretation for the new socket classes
557# enabled by the extended_socket_class policy capability.
558#
559
560#
561# The next two classes were previously mapped to rawip_socket and therefore
562# have the same definition as rawip_socket (until further permissions
563# are defined).
564#
class sctp_socket
inherits socket
{
	node_bind
	name_connect
	association	# SCTP-only: presumably bind/connect of additional addresses on an existing association; confirm against the sctp hooks
}

class icmp_socket
inherits socket
{
	node_bind
}
578
579#
580# The remaining network socket classes were previously
581# mapped to the socket class and therefore have the
582# same definition as socket.
583#
584
# Address-family socket classes with no permissions beyond the socket
# common. They exist so policy can distinguish families (allow one, deny
# another) once extended_socket_class is enabled; keep them permission-free
# unless the kernel adds family-specific checks.
class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

class smc_socket
inherits socket
665
# eBPF maps and programs. NOTE(review): prog_load puts code into the kernel
# and map_write/prog_run let a domain alter or drive kernel-mediated data;
# keep these to the dedicated BPF loader domain.
class bpf
{
	map_create
	map_read
	map_write
	prog_load
	prog_run
}
674
# Android userspace classes: checks are keyed by the type assigned to the
# property or service name, not by a kernel object.
class property_service
{
	set
}

# NOTE(review): "add" registers a service under a name; a domain allowed to
# add a given name can presumably stand in for that service, so add rules
# should be per-name and tight.
class service_manager
{
	add
	find
	list
}

class hwservice_manager
{
	add
	find
	list
}
693
# Android keystore. keystore_key appears to be the older keystore class;
# keystore2 and keystore2_key below cover the rewritten service. Operations
# that affect other users' keys (reset, clear_uid, grant, duplicate) are
# the sensitive ones here.
class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
	gen_unique_id
}

# Service-level keystore2 operations (not tied to a single key).
# NOTE(review): delete_all_keys, clear_ns, clear_uid and reset are
# destructive across users/namespaces; add_auth and get_auth_token touch
# the authentication tokens gating key use.
class keystore2
{
	add_auth
	change_password
	change_user
	clear_ns
	clear_uid
	early_boot_ended
	get_auth_token
	get_state
	list
	lock
	pull_metrics
	report_off_body
	reset
	unlock
	delete_all_keys
}

# Per-key keystore2 operations. NOTE(review): grant hands a key to another
# domain, manage_blob presumably exposes the raw key blob, req_forced_op
# and use_dev_id presumably bypass normal operation limits / allow
# device-identifier attestation — confirm against the keystore2 sources
# before granting outside the expected system domains.
class keystore2_key
{
	convert_storage_key_to_ephemeral
	delete
	gen_unique_id
	get_info
	grant
	manage_blob
	rebind
	req_forced_op
	update
	use
	use_dev_id
}
750
# Android DRM service. NOTE(review): these permission names are camelCase
# while every other class in this file uses snake_case; they are an ABI
# referenced by existing policy, so they cannot simply be renamed.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}
761
class xdp_socket
inherits socket

# perf_event_open(2) controls: "open" is the base check; "cpu", "kernel"
# and "tracepoint" presumably gate per-CPU, kernel-space and tracepoint
# sampling (confirm against the kernel perf hooks); read/write cover the
# resulting event fd. kernel/tracepoint expose kernel addresses and data,
# so they should stay out of untrusted domains.
class perf_event
{
	open
	cpu
	kernel
	tracepoint
	read
	write
}

# Kernel lockdown hook, one permission per lockdown level: "integrity"
# (operations that could modify the running kernel) and "confidentiality"
# (additionally, reading kernel memory/secrets). NOTE(review): presumably a
# domain allowed these is exempted from the corresponding lockdown level,
# so keep them to kernel-trusted domains.
class lockdown
{
	integrity
	confidentiality
}
780