# FLASK

#
# Define the security object classes
#

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class msg
class msgq
class shm
class ipc

# FLASK
# FLASK

#
# Define initial security identifiers
#

sid kernel


# FLASK
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

class file
inherits file
{
	execute_no_trans
	entrypoint
}

class lnk_file
inherits file

class chr_file
inherits file

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class udp_socket
inherits socket

class rawip_socket
inherits socket

class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
}

class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket


#
# Define the access vector interpretation for process-related objects
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
}


#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#

class security
{
	compute_av
	transition_sid
	member_sid
	sid_to_context
	context_to_sid
	load_policy
	get_sids
	change_sid
	get_user_sids
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	avc_toggle
	nfsd_control
	bdflush
	syslog_read
	syslog_mod
	syslog_console
	ichsid
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
}

ifdef(`enable_mls',`
sensitivity s0;

#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 }


#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;

level s0:c0.c23;

mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
	( h1 dom h2 );
')

####################################
####################################
#####################################
# TE RULES
attribute domain;
attribute system;
attribute foo;
attribute num;
attribute num_exec;
attribute files;

type net_foo_t, foo;
type sys_foo_t, foo, system;
role system_r;
role system_r types sys_foo_t;

type user_t, domain;
role user_r;
role user_r types user_t;

type sysadm_t, domain, system;
role sysadm_r;
role sysadm_r types sysadm_t;

type system_t, domain, system, foo;
role system_r;
role system_r types { system_t sys_foo_t };

type file_t;
type file_exec_t, files;
type fs_t;
type base_optional_1;
type base_optional_2;

allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };

optional {
	require {
		type base_optional_1, base_optional_2;
	}
	allow base_optional_1 base_optional_2 : file { read write };
}

#####################################
# Role Allow
allow user_r sysadm_r;

####################################
# Booleans
bool allow_ypbind true;
bool secure_mode false;
bool allow_execheap false;
bool allow_execmem true;
bool allow_execmod false;
bool allow_execstack true;
bool optional_bool_1 true;
bool optional_bool_2 false;

#####################################
# users
gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
gen_user(joe,, user_r, s0, s0 - s0:c0.c23)

#####################################
# constraints


####################################
#line 1 "initial_sid_contexts"

sid kernel gen_context(system_u:system_r:sys_foo_t, s0)


############################################
#line 1 "fs_use"
#
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);


genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0)


####################################
#line 1 "net_contexts"

#portcon tcp 21 system_u:object_r:net_foo_t:s0

#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0

#
#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0

nodecon ::1 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF gen_context(system_u:object_r:net_foo_t, s0)