# handle_unknown deny
#
# Synthetic SELinux policy source. Every identifier is a placeholder (CLASS1,
# TYPE1, ROLE1, ...) and each statement kind appears once or twice, ending
# with the Xen labeling statements (pirqcon, iomemcon, ioportcon,
# pcidevicecon, devicetreecon). Contexts are USER:ROLE:TYPE with no MLS level.
# The statement forms are kept exactly as written; only comments are added.
# NOTE(review): "handle_unknown deny" above is only a comment in this file;
# presumably the setting itself is given to the policy compiler -- confirm.

# --- Object class declarations ---
# dir, file and process are declared here but get no permission set in the
# access-vector section below -- NOTE(review): confirm that is intended.
class CLASS1
class CLASS2
class CLASS3
class dir
class file
class process

# --- Initial SID declaration (its context is assigned near the end) ---
sid kernel

# --- Access vectors ---
# COMMON1 is a shared permission set; classes that inherit it gain CPERM1.
common COMMON1 { CPERM1 }
class CLASS1 { PERM1 }
# CLASS2 has only the inherited CPERM1.
class CLASS2 inherits COMMON1
# CLASS3 has CPERM1 (inherited) plus its own PERM1.
class CLASS3 inherits COMMON1 { PERM1 }

# --- Defaults for the context of newly created objects, per class ---
# Each statement picks whether the new object's user / role / type is taken
# from the source or the target context.
default_user { CLASS1 } source;
default_role { CLASS2 } target;
default_type { CLASS3 } source;

# --- Type attributes ---
attribute ATTR1;
attribute ATTR2;
# expandattribute controls whether the compiler expands the attribute into
# its member types (true) or keeps it as an attribute (false).
expandattribute ATTR1 true;
expandattribute ATTR2 false;

# --- Types, aliases and attribute membership ---
type TYPE1;
type TYPE2, ATTR1;
type TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
type TYPE4 alias TYPEALIAS4, ATTR2;
typealias TYPE1 alias TYPEALIAS1;
# After this line ATTR1 covers both TYPE1 and TYPE2.
typeattribute TYPE1 ATTR1;
# Bounds relation: TYPE3 is bounded by TYPE4, so TYPE3 is not meant to hold
# access that TYPE4 lacks.
typebounds TYPE4 TYPE3;

# --- Booleans and tunables ---
# A bool is a policy boolean that gates the conditional blocks below.
# NOTE(review): tunables are meant to be resolved when the policy is built
# rather than toggled afterwards -- confirm how this toolchain treats them.
bool BOOL1 true;
tunable TUNABLE1 false;
tunable TUNABLE2 true;

# --- Type rules (labeling decisions, not access grants) ---
type_transition TYPE1 TYPE2 : CLASS1 TYPE3;
# Name-based transition: applies only when the object name is "FILENAME".
type_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
# type_member feeds polyinstantiation decisions, type_change relabel decisions.
type_member TYPE1 TYPE2 : CLASS1 TYPE2;
type_change TYPE1 TYPE2 : CLASS1 TYPE3;

# --- Access vector rules ---
allow TYPE1 self : CLASS1 { PERM1 };
# auditallow grants nothing; it logs the access when it is allowed.
auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
# dontaudit suppresses the denial record for these accesses, so matching
# denials will not appear in the audit log.
dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
# neverallow is a build-time assertion: compilation fails if any allow rule
# grants this access. It is not evaluated at runtime.
neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
# permissive: denials for TYPE1 as a source are logged but not enforced.
# Acceptable in a fixture; in a deployed policy this removes enforcement
# for the domain.
permissive TYPE1;

# --- Roles ---
attribute_role ROLE_ATTR1;
role ROLE1;
role ROLE3;
role ROLE2, ROLE_ATTR1;
# Without a class the transition uses the default class (conventionally
# process); the second form names the class explicitly.
role_transition ROLE1 TYPE1 ROLE2;
role_transition ROLE1 TYPE1 : CLASS1 ROLE2;
# Role allow rule: permits a change from ROLE1 to ROLE2.
allow ROLE1 ROLE2;
roleattribute ROLE3 ROLE_ATTR1;
# Authorizes TYPE1 for ROLE1.
role ROLE1 types { TYPE1 };

# --- Conditional policy ---
# "*" stands for every permission defined for the class, so these rules widen
# automatically if permissions are later added to CLASS1/CLASS2/CLASS3.
if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
if TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }

# --- Optional block ---
# The enclosed rule is meant to apply only if the require clause (CLASS2 with
# CPERM1) can be satisfied.
optional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }

# --- Policy capability ---
policycap open_perms;

# --- Users ---
user USER1 roles ROLE1;

# --- Constraints ---
# u1/r1/t1 are the source user/role/type, u2/r2/t2 the target's. PERM1 on
# CLASS1 is restricted to same user, or same role and same type.
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
# In validatetrans, 1 = old object context, 2 = new object context,
# 3 = the process requesting the relabel.
# NOTE(review): "sameuser" looks like a legacy shorthand for u1 == u2 --
# confirm against the parser.
validatetrans CLASS2 sameuser and t3 == ATTR1;

# --- Initial SID context ---
sid kernel USER1:ROLE1:TYPE1

# --- Xen resource labeling ---
# Each statement binds a hypervisor-managed resource (interrupt, I/O memory
# value or range, I/O port value or range, PCI device, device-tree path) to a
# security context. All of them share one context here, so the placeholder
# policy does not separate these resources from each other.
pirqcon 13 USER1:ROLE1:TYPE1
iomemcon 13 USER1:ROLE1:TYPE1
iomemcon 23-31 USER1:ROLE1:TYPE1
ioportcon 13 USER1:ROLE1:TYPE1
ioportcon 23-31 USER1:ROLE1:TYPE1
pcidevicecon 13 USER1:ROLE1:TYPE1
devicetreecon "/path/to/device" USER1:ROLE1:TYPE1