# handle_unknown deny
# NOTE(review): the line above is a comment in this syntax; presumably it
# records the handle_unknown setting (deny) the policy was built with. Confirm
# against the flags of whatever tool produces or consumes this file.
#
# Kernel policy source that uses placeholder identifiers (CLASS1, TYPE1, ROLE1,
# USER1, ...) and contains roughly one or a few statements of each kind.
# Every security context below has three fields (user:role:type) and no level
# field, so this reads as a non-MLS policy.

# Object class declarations. Permissions are attached by the second group of
# `class` statements further down.
class CLASS1
class CLASS2
class CLASS3
class dir
class file
class process

# Initial SID declaration; its context is assigned by the later
# `sid kernel USER1:ROLE1:TYPE1` statement.
sid kernel

# Permission sets. COMMON1 carries CPERM1 and is inherited by CLASS2 and
# CLASS3 (CLASS3 adds PERM1). CLASS1 defines PERM1 and ioctl; ioctl is the
# permission the *xperm rules below refine.
# dir, file and process are given no permissions in this file.
common COMMON1 { CPERM1 }
class CLASS1 { PERM1 ioctl }
class CLASS2 inherits COMMON1
class CLASS3 inherits COMMON1 { PERM1 }

# Per-class defaults: which side (source or target context) supplies the
# user, role and type component of a newly computed context.
default_user { CLASS1 } source;
default_role { CLASS2 } target;
default_type { CLASS3 } source;

# Policy capability, attributes and a boolean. BOOL1 defaults to true.
policycap open_perms;
attribute ATTR1;
attribute ATTR2;
bool BOOL1 true;

# Types, their aliases, bounds and attribute membership.
type TYPE1;
type TYPE2;
type TYPE3;
type TYPE4;
typealias TYPE1 alias TYPEALIAS1;
typealias TYPE3 alias TYPEALIAS3A;
typealias TYPE3 alias TYPEALIAS3B;
typealias TYPE4 alias TYPEALIAS4;
# Operand order is bounding type first: TYPE4 bounds TYPE3.
typebounds TYPE4 TYPE3;
typeattribute TYPE4 ATTR2;

# TYPE1 is declared permissive: denials with TYPE1 as the source are logged
# but not enforced, so the rules below describe TYPE1's access without
# actually confining it. In a policy that ships, each permissive statement
# is worth an explicit justification.
permissive TYPE1;

# Access vector rules.
#   allow      grants the listed permissions.
#   auditallow logs use of a permission; it does not grant anything itself.
#   dontaudit  suppresses the denial log entry; it does not grant anything,
#              and it hides the denial from anyone reading the audit log.
allow TYPE1 self:CLASS1 { PERM1 };
allow TYPE1 self:CLASS2 { CPERM1 };
auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };

# Extended permission (ioctl command) rules for TYPE1 -> TYPE2:CLASS1.
# The three allowxperm ranges are contiguous: 0x456-0x4ff, 0x500-0x55ff and
# 0x5600-0x5678 together cover 0x456-0x5678.
# Commands 0x2 (auditallowxperm) and 0x3 (dontauditxperm) lie outside that
# allowed range.
# NOTE(review): no `allow TYPE1 TYPE2:CLASS1 ioctl` rule is visible in this
# file. Extended permissions narrow an ioctl grant rather than create one, so
# confirm the missing base rule is intended.
allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x456-0x4ff };
allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x500-0x55ff };
allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x5600-0x5678 };
auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };

# Type rules. The last four type_transition statements are name-based: they
# apply only when the object name is "FILENAME".
type_transition TYPE1 TYPE2:CLASS1 TYPE3;
type_member TYPE1 TYPE2:CLASS1 TYPE2;
type_change TYPE1 TYPE2:CLASS1 TYPE3;
type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";

# Conditional policy. The true branch is empty, so the rule in the else
# branch is active only while BOOL1 is false. BOOL1 is declared true above,
# so by default this rule is inactive.
if (BOOL1) {
} else {
    allow TYPE1 self:CLASS1 { PERM1 ioctl };
}

# Roles and users. Only ROLE1 is associated with a type (TYPE1); ROLE2 and
# ROLE3 are declared without types. `allow ROLE1 ROLE2;` is a role allow rule
# (ROLE1 may change to ROLE2), not an access vector rule.
role ROLE1;
role ROLE2;
role ROLE3;
role ROLE1 types { TYPE1 };
role_transition ROLE1 TYPE1:CLASS1 ROLE2;
role_transition ROLE1 TYPE1:process ROLE2;
allow ROLE1 ROLE2;
user USER1 roles ROLE1;

# Constraints. u1/r1/t1 are the source user/role/type and u2/r2/t2 the target
# ones. In validatetrans, t3 is the type of the process performing the
# relabel.
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);

# Labeling statements. Every object here receives the same context,
# USER1:ROLE1:TYPE1, which is also the permissive type declared above.
sid kernel USER1:ROLE1:TYPE1
fs_use_xattr btrfs USER1:ROLE1:TYPE1;
fs_use_trans devpts USER1:ROLE1:TYPE1;
fs_use_task pipefs USER1:ROLE1:TYPE1;
# genfscon file-type specifiers: -d is directory, -- is regular file, and no
# specifier means any type.
genfscon proc "/" -d USER1:ROLE1:TYPE1
genfscon proc "/file1" -- USER1:ROLE1:TYPE1
genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
portcon tcp 80 USER1:ROLE1:TYPE1
portcon udp 100-200 USER1:ROLE1:TYPE1
# netifcon takes two contexts: one for the interface and one for packets.
netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
# nodecon operands are address, then mask.
nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
nodecon 127.0.0.0 255.255.255.0 USER1:ROLE1:TYPE1
nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
# NOTE(review): this address is ff80::, while the ibpkeycon lines below use
# fe80:: - confirm the difference is intended.
nodecon ff80:: ffff:: USER1:ROLE1:TYPE1
# InfiniBand labeling. ibpkeycon takes a subnet prefix and a pkey number or
# range; ibendportcon takes a device name and a port number.
ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1
ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1
ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1
ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1