xref: /aosp_15_r20/external/selinux/checkpolicy/tests/policy_allonce_mls.conf (revision 2d543d20722ada2425b5bdab9d0d1d29470e7bba)
# Test fixture, not a deployable policy: every identifier is a placeholder
# (CLASS1, PERM1, TYPE1, ...). Judging by the file name, it is meant to use
# each policy statement once with MLS enabled -- TODO confirm with the test driver.
#
# NOTE(review): the next line is a comment, not a statement. The handle_unknown
# mode (allow / deny / reject for classes and permissions the kernel knows but
# the policy does not define) is selected when the policy is compiled, e.g. with
# checkpolicy -U; "deny" is the fail-closed choice that still loads.
1*2d543d20SAndroid Build Coastguard Worker# handle_unknown deny
# Object class names. Their permissions are attached by the second group of
# "class" statements below; dir, file and process get no permissions in this file.
2*2d543d20SAndroid Build Coastguard Workerclass CLASS1
3*2d543d20SAndroid Build Coastguard Workerclass CLASS2
4*2d543d20SAndroid Build Coastguard Workerclass CLASS3
5*2d543d20SAndroid Build Coastguard Workerclass dir
6*2d543d20SAndroid Build Coastguard Workerclass file
7*2d543d20SAndroid Build Coastguard Workerclass process
# Initial SID declaration; its context is assigned by the later
# "sid kernel <context>" statement.
8*2d543d20SAndroid Build Coastguard Workersid kernel
# A common is a named permission set that classes can inherit.
9*2d543d20SAndroid Build Coastguard Workercommon COMMON1 { CPERM1 }
# Permission vectors: CLASS1 has only its own permissions, CLASS2 only the
# inherited CPERM1, CLASS3 has both. The ioctl permission on CLASS1 is what
# the *xperm rules further down refer to.
10*2d543d20SAndroid Build Coastguard Workerclass CLASS1 { PERM1 ioctl }
11*2d543d20SAndroid Build Coastguard Workerclass CLASS2 inherits COMMON1
12*2d543d20SAndroid Build Coastguard Workerclass CLASS3 inherits COMMON1 { PERM1 }
# default_user / default_role / default_type choose whether a newly created
# object of the listed class takes that context component from the source
# (creating) context or from the target context.
13*2d543d20SAndroid Build Coastguard Workerdefault_user { CLASS1 } source;
14*2d543d20SAndroid Build Coastguard Workerdefault_role { CLASS2 } target;
15*2d543d20SAndroid Build Coastguard Workerdefault_type { CLASS3 } source;
# MLS declarations. Sensitivities are declared first and then ordered by the
# dominance statement, lowest to highest (s0 < s1 < s2). s2 is referenced
# there through its alias SENSALIAS.
16*2d543d20SAndroid Build Coastguard Workersensitivity s0;
17*2d543d20SAndroid Build Coastguard Workersensitivity s1;
18*2d543d20SAndroid Build Coastguard Workersensitivity s2 alias SENSALIAS;
19*2d543d20SAndroid Build Coastguard Workerdominance { s0 s1 SENSALIAS }
# Categories; CATALIAS is a second name for c1 and is used in a context later on.
20*2d543d20SAndroid Build Coastguard Workercategory c0;
21*2d543d20SAndroid Build Coastguard Workercategory c1 alias CATALIAS;
# Each level statement lists the categories that may be combined with a
# sensitivity: s0 with c0, s1 with c0 and c1, s2 with none.
22*2d543d20SAndroid Build Coastguard Workerlevel s0:c0;
23*2d543d20SAndroid Build Coastguard Workerlevel s1:c0,c1;
24*2d543d20SAndroid Build Coastguard Workerlevel s2;
# MLS constraints only restrict: they are checked in addition to the allow
# rules and never grant access on their own.
# mlsconstrain: PERM1 on CLASS1 requires the low level of the source (l1) to
# equal the low level of the target (l2).
25*2d543d20SAndroid Build Coastguard Workermlsconstrain CLASS1 { PERM1 } l1 == l2;
# mlsvalidatetrans restricts relabeling of CLASS1 objects. In validatetrans
# expressions suffix 1 is the old object context and suffix 2 the new one
# (not source/target as in mlsconstrain).
26*2d543d20SAndroid Build Coastguard Workermlsvalidatetrans CLASS1 r1 domby r2 and l1 incomp h2;
# Policy capability: switches on optional kernel behaviour, here the separate
# "open" permission check.
27*2d543d20SAndroid Build Coastguard Workerpolicycap open_perms;
# Type attributes are named groups of types. expandattribute tells the
# compiler whether to replace the attribute by its member types in the
# generated policy (true) or to keep the attribute (false).
28*2d543d20SAndroid Build Coastguard Workerattribute ATTR1;
29*2d543d20SAndroid Build Coastguard Workerattribute ATTR2;
30*2d543d20SAndroid Build Coastguard Workerexpandattribute ATTR1 true;
31*2d543d20SAndroid Build Coastguard Workerexpandattribute ATTR2 false;
# Type declarations in each supported form: bare, with an attribute, with a
# set of aliases, and with one alias plus an attribute.
32*2d543d20SAndroid Build Coastguard Workertype TYPE1;
33*2d543d20SAndroid Build Coastguard Workertype TYPE2, ATTR1;
34*2d543d20SAndroid Build Coastguard Workertype TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
35*2d543d20SAndroid Build Coastguard Workertype TYPE4 alias TYPEALIAS4, ATTR2;
# The same associations made after the declaration: an extra alias and an
# extra attribute for TYPE1 (ATTR1 therefore contains TYPE1 and TYPE2).
36*2d543d20SAndroid Build Coastguard Workertypealias TYPE1 alias TYPEALIAS1;
37*2d543d20SAndroid Build Coastguard Workertypeattribute TYPE1 ATTR1;
# typebounds caps the permissions of the bounded type at those of the
# bounding type.
# NOTE(review): in the policy language the bounding type comes first, so
# TYPE3 would be bounded by TYPE4 here -- confirm before relying on it.
38*2d543d20SAndroid Build Coastguard Workertypebounds TYPE4 TYPE3;
# Conditional switches with their default values. They are consumed by the
# "if" blocks further down.
# NOTE(review): booleans can be flipped on a running system, tunables are
# presumably resolved when the policy is built -- confirm for this toolchain.
39*2d543d20SAndroid Build Coastguard Workerbool BOOL1 true;
40*2d543d20SAndroid Build Coastguard Workertunable TUNABLE1 false;
41*2d543d20SAndroid Build Coastguard Workertunable TUNABLE2 true;
# Labeling rules. They compute a label and grant no access by themselves.
#   type_transition  - type of a newly created object; the second rule is the
#                      name-based form and applies only to the object name
#                      "FILENAME"
#   type_member      - type used for a polyinstantiated member
#   type_change      - type suggested to userspace relabeling code
#   range_transition - MLS range for the new object (s1 with categories c0
#                      through c1)
42*2d543d20SAndroid Build Coastguard Workertype_transition TYPE1 TYPE2 : CLASS1 TYPE3;
43*2d543d20SAndroid Build Coastguard Workertype_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
44*2d543d20SAndroid Build Coastguard Workertype_member TYPE1 TYPE2 : CLASS1 TYPE2;
45*2d543d20SAndroid Build Coastguard Workertype_change TYPE1 TYPE2 : CLASS1 TYPE3;
46*2d543d20SAndroid Build Coastguard Workerrange_transition TYPE1 TYPE2 : CLASS1 s1:c0.c1;
# Access vector rules, one of each kind:
#   allow      - grants the access
#   auditallow - logs the access when it is granted; grants nothing itself
#   dontaudit  - suppresses the audit record for a denial; the access is still
#                denied, but it will not show up when reviewing AVC logs
#   neverallow - build-time assertion that no allow rule grants this access;
#                it is not enforced by the kernel
47*2d543d20SAndroid Build Coastguard Workerallow TYPE1 self : CLASS1 { PERM1 };
48*2d543d20SAndroid Build Coastguard Workerauditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
49*2d543d20SAndroid Build Coastguard Workerdontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
50*2d543d20SAndroid Build Coastguard Workerneverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
# Extended-permission variants of the four rules above, keyed on ioctl command
# numbers (0x1 to 0x4). allowxperm narrows the ioctl permission to the listed
# commands; the base ioctl permission still has to come from an allow rule.
51*2d543d20SAndroid Build Coastguard Workerallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x1;
52*2d543d20SAndroid Build Coastguard Workerauditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
53*2d543d20SAndroid Build Coastguard Workerdontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
54*2d543d20SAndroid Build Coastguard Workerneverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
# permissive: denials for TYPE1 as a source are logged but not enforced.
# Acceptable for exercising the parser; in a production policy a permissive
# domain is effectively unconfined and should be treated as a finding.
55*2d543d20SAndroid Build Coastguard Workerpermissive TYPE1;
# Roles. attribute_role declares a role attribute; ROLE2 joins it in its
# declaration, ROLE3 through the roleattribute statement below.
56*2d543d20SAndroid Build Coastguard Workerattribute_role ROLE_ATTR1;
57*2d543d20SAndroid Build Coastguard Workerrole ROLE1;
58*2d543d20SAndroid Build Coastguard Workerrole ROLE3;
59*2d543d20SAndroid Build Coastguard Workerrole ROLE2, ROLE_ATTR1;
# role_transition in both forms: without a class and with an explicit class.
60*2d543d20SAndroid Build Coastguard Workerrole_transition ROLE1 TYPE1 ROLE2;
61*2d543d20SAndroid Build Coastguard Workerrole_transition ROLE1 TYPE1 : CLASS1 ROLE2;
# Role allow rule: permits a change from ROLE1 to ROLE2. It shares the
# keyword with the type-enforcement allow rule but is a different statement
# (no class, no permissions).
62*2d543d20SAndroid Build Coastguard Workerallow ROLE1 ROLE2;
63*2d543d20SAndroid Build Coastguard Workerroleattribute ROLE3 ROLE_ATTR1;
# Authorises TYPE1 for ROLE1. ROLE2 and ROLE3 get no types in this file.
64*2d543d20SAndroid Build Coastguard Workerrole ROLE1 types { TYPE1 };
# Conditional policy. The rules inside a block are active only while the
# expression is true; "*" stands for every permission of the class, which is
# the broadest grant the rule syntax allows.
# First block: negation of a boolean. Second block: xor of the two tunables,
# with an else branch.
65*2d543d20SAndroid Build Coastguard Workerif ! BOOL1 { allow TYPE1 self: CLASS1 *; }
66*2d543d20SAndroid Build Coastguard Workerif TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }
# optional block: its rules take effect only if everything named in the
# require block (class CLASS2 with permission CPERM1) is available.
67*2d543d20SAndroid Build Coastguard Workeroptional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }
# SELinux user: authorised role ROLE1, default level s0, allowed range from
# s0 up to s1 with categories c0 through c1 ("c0.c1" is a category range).
68*2d543d20SAndroid Build Coastguard Workeruser USER1 roles ROLE1 level s0 range s0 - s1:c0.c1;
# constrain limits PERM1 on CLASS1 to requests where source and target have
# the same user, or the same role and the same type. Like the MLS
# constraints, it is checked in addition to the allow rules and grants nothing.
69*2d543d20SAndroid Build Coastguard Workerconstrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
# NOTE(review): "will be turned into" presumably describes the text produced
# when the compiled policy is written back out -- confirm with the test driver.
70*2d543d20SAndroid Build Coastguard Worker# sameuser will be turned into (u1 == u2)
# validatetrans restricts relabeling of CLASS2 objects: suffix 1 is the old
# context, suffix 2 the new one, suffix 3 the process doing the relabel.
71*2d543d20SAndroid Build Coastguard Workervalidatetrans CLASS2 sameuser and t3 == ATTR1;
# Context for the initial SID "kernel" declared near the top of the file.
72*2d543d20SAndroid Build Coastguard Workersid kernel USER1:ROLE1:TYPE1:s0 - s1:c0.c1
# Labeling statements for filesystems, network objects and InfiniBand.
# Every object gets the same placeholder context USER1:ROLE1:TYPE1; only the
# MLS part varies.
# NOTE(review): the "not dumped" / "will be turned into" remarks below
# presumably describe the text produced when the compiled policy is written
# back out -- confirm with the test driver.
73*2d543d20SAndroid Build Coastguard Worker# fscon statements are not dumped
# fscon: labels a filesystem by device major/minor number (2, 3) with two
# contexts, one for the filesystem and one for its files.
74*2d543d20SAndroid Build Coastguard Workerfscon 2 3 USER1:ROLE1:TYPE1:s0 USER1:ROLE1:TYPE1:s0
# fs_use_*: how labels are obtained per filesystem type -- from extended
# attributes (xattr), from transition rules (trans), or from the creating
# task (task). The xattr line references category c1 through CATALIAS.
75*2d543d20SAndroid Build Coastguard Workerfs_use_xattr btrfs USER1:ROLE1:TYPE1:s0 - s1:c0.CATALIAS;
76*2d543d20SAndroid Build Coastguard Workerfs_use_trans devpts USER1:ROLE1:TYPE1:s0 - s0;
77*2d543d20SAndroid Build Coastguard Workerfs_use_task pipefs USER1:ROLE1:TYPE1:s0 - s1;
78*2d543d20SAndroid Build Coastguard Worker# paths will be turned into quoted strings
# genfscon: filesystem type, path, optional file-type flag (-d directory,
# -- regular file), context. Paths appear both unquoted and quoted.
79*2d543d20SAndroid Build Coastguard Workergenfscon proc / -d USER1:ROLE1:TYPE1:s0
80*2d543d20SAndroid Build Coastguard Workergenfscon proc "/file1" -- USER1:ROLE1:TYPE1:s0
81*2d543d20SAndroid Build Coastguard Workergenfscon proc "/path/to/file" USER1:ROLE1:TYPE1:s0
# portcon: protocol and a single port or a port range.
82*2d543d20SAndroid Build Coastguard Workerportcon tcp 80 USER1:ROLE1:TYPE1:s0
83*2d543d20SAndroid Build Coastguard Workerportcon udp 100-200 USER1:ROLE1:TYPE1:s0
# netifcon: interface name, then the interface context and the packet context.
84*2d543d20SAndroid Build Coastguard Workernetifcon lo USER1:ROLE1:TYPE1:s0 USER1:ROLE1:TYPE1:s0
# nodecon: address and netmask. Both masks here are all-ones, so each
# statement matches exactly one host; the second one uses an IPv4-mapped
# IPv6 address.
85*2d543d20SAndroid Build Coastguard Workernodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1:s0
86*2d543d20SAndroid Build Coastguard Workernodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1:s0
87*2d543d20SAndroid Build Coastguard Worker# hex numbers will be turned into decimal ones
# ibpkeycon: InfiniBand subnet prefix and a partition key or key range.
88*2d543d20SAndroid Build Coastguard Workeribpkeycon fe80:: 0xFFFF USER1:ROLE1:TYPE1:s0
89*2d543d20SAndroid Build Coastguard Workeribpkeycon fe80:: 0-0x10 USER1:ROLE1:TYPE1:s0
# ibendportcon: InfiniBand device name and port number.
90*2d543d20SAndroid Build Coastguard Workeribendportcon mlx4_0 2 USER1:ROLE1:TYPE1:s0
91*2d543d20SAndroid Build Coastguard Workeribendportcon mlx5_0 1 USER1:ROLE1:TYPE1:s0