xref: /aosp_15_r20/external/selinux/libsepol/tests/policies/test-expander/alias-base.conf (revision 2d543d20722ada2425b5bdab9d0d1d29470e7bba)
# FLASK

#
# Define the security object classes
#
# Each class is declared here by name only; its permissions are listed in the
# access vector section further down this file.
# NOTE(review): class values are presumably assigned in declaration order, so
# reordering these lines would change the compiled policy -- confirm before
# editing.

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc

# FLASK
# FLASK

#
# Define initial security identifiers
#
# Only the kernel initial SID is declared. Its security context is assigned by
# the "sid kernel" statement in the initial_sid_contexts section near the end
# of this file.

sid kernel


# FLASK
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#
# Every class below that says "inherits file" (dir, file, lnk_file, chr_file,
# blk_file, sock_file, fifo_file) receives all seventeen of these permissions
# in addition to any it lists itself.

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#
# The first ten permission names repeat names from the file common; they are
# written out again here and the file common is not referenced by this block.
# Inherited by every *_socket class declared below.

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#
# Inherited below by the ipc, sem, msgq and shm classes. The msg class does not
# inherit it and lists its own permissions.

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# In "class file inherits file" the first name is the object class and the
# second is the common defined above; the two share a name but are separate
# declarations.


#
# Define the access vector interpretation for file-related objects.
#

# filesystem inherits no common; all ten permissions are listed explicitly.
class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

# Directory-specific permissions on top of the file common.
class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

# Regular files add two execution-related permissions to the file common.
# NOTE(review): by name, entrypoint gates which files may be used to enter a
# domain and execute_no_trans covers execution without a domain transition --
# confirm against the policy language reference.
class file
inherits file
{
	execute_no_trans
	entrypoint
}

# The next five classes take the file common unchanged and add nothing.
class lnk_file
inherits file

class chr_file
inherits file

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

# fd inherits no common; its single permission is use.
class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#
# All *_socket classes inherit the socket common. node and netif inherit
# nothing and list per-protocol send/receive permissions instead.

class socket
inherits socket

# Stream-oriented classes (tcp_socket here, unix_stream_socket below) add the
# same three connection permissions.
class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class udp_socket
inherits socket

class rawip_socket
inherits socket

# node carries the same six send/receive permissions as netif plus enforce_dest.
class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
}

class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket


#
# Define the access vector interpretation for process-related objects
#
# process inherits no common; every permission is listed explicitly. Signals
# are split into five permissions (sigchld, sigkill, sigstop, signull, signal)
# so that policy can grant them separately.

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal  # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
}


#
# Define the access vector interpretation for ipc-related objects
#
# ipc, sem, msgq and shm inherit the ipc common; msgq and shm each add one
# permission. msg inherits nothing and has only send and receive.

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#
# No common is inherited; all nine permissions are specific to this class.
# NOTE(review): by name, load_policy governs replacing the loaded policy; in a
# real policy it is the grant in this class to audit most closely -- confirm.

class security
{
	compute_av
	transition_sid
	member_sid
	sid_to_context
	context_to_sid
	load_policy
	get_sids
	change_sid
	get_user_sids
}


#
# Define the access vector interpretation for system operations.
#
# No common is inherited; all eight permissions are specific to this class.

class system
{
	ipc_info
	avc_toggle
	nfsd_control
	bdflush
	syslog_read
	syslog_mod
	syslog_console
	ichsid
}

#
# Define the access vector interpretation for controlling capabilities
#
# The list holds 29 names, chown through lease.
# NOTE(review): capabilities that the kernel header numbers after lease (for
# example audit_write) are not listed here. That is presumably fine for a test
# fixture; confirm before reusing this list in a real policy.

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
}

# MLS section. The ifdef below is m4: the quoted text is emitted only when
# enable_mls is defined at preprocessing time.
# It declares one sensitivity (s0), 24 categories (c0 through c23), one level
# covering all of them, and a single constraint on the file class: the listed
# permissions are allowed only when the high level of the source (h1)
# dominates the high level of the target (h2). read, create and getattr, among
# others, are not in the constrained set.
# Keep apostrophes and backticks out of any comment added inside the quoted
# region; they are the m4 quote characters this ifdef relies on.
ifdef(`enable_mls',`
sensitivity s0;

#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 }


#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;

level s0:c0.c23;

mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
	( h1 dom h2 );
')

# Type used as the target of the allow rule in the last optional block below.
type enable_optional;

# Alias tests
# Three base types, each exercised through an alias in a different way:
#   1: alias_check_1_a is declared unconditionally at top level.
#   2: alias_check_2_a is declared inside an optional block that requires
#      alias_check_2_t, which this file declares.
#   3: the optional block requires alias_check_3_a, a name this file never
#      declares; presumably a companion module supplies it as an alias of
#      alias_check_3_t -- TODO confirm against the module policy.
# An alias is another name for the same type, so a rule written against the
# alias (the allow on alias_check_3_a below) applies to the underlying type.
# When auditing what a type is allowed to do, search for its aliases as well.
type alias_check_1_t;
type alias_check_2_t;
type alias_check_3_t;

typealias alias_check_1_t alias alias_check_1_a;

optional {
	require {
		type alias_check_2_t;
	}
	typealias alias_check_2_t alias alias_check_2_a;
}

optional {
	require {
		type alias_check_3_a;
	}
	allow alias_check_3_a enable_optional:file read;
}

########
# Types and roles referenced by the users and context statements below.
# system_r and sysadm_r are both authorized for system_t; user_r is authorized
# for user_t only.
type fs_t;
type system_t;
type user_t;
role system_r;
role user_r;
role sysadm_r;
role system_r types system_t;
role user_r types user_t;
role sysadm_r types system_t;
####################################
# Booleans
# No conditional block in this file tests any of these booleans; they are
# declared with default values only. The defaults are fixture values, not
# hardening guidance: allow_execmem and allow_execstack default to true here.
bool allow_ypbind true;
bool secure_mode false;
bool allow_execheap false;
bool allow_execmem true;
bool allow_execmod false;
bool allow_execstack true;
bool optional_bool_1 true;
bool optional_bool_2 false;

#####################################
# users
# gen_user is not defined in this file; presumably an m4 macro supplied by the
# build that expands to a user statement -- confirm. The last two arguments
# look like the MLS default level and range -- confirm.
# Role authorization as written: system_u gets system_r, root gets user_r and
# sysadm_r, joe gets user_r only.
gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
gen_user(joe,, user_r, s0, s0 - s0:c0.c23)

#####################################
# constraints
# (this section is empty; the only constraint in the file is the mlsconstrain
# inside the enable_mls block above)


####################################
#line 1 "initial_sid_contexts"

# Context for the kernel initial SID declared near the top of this file.
# gen_context is not defined in this file; presumably an m4 macro supplied by
# the build that appends the MLS part when enable_mls is set -- confirm.
sid kernel	gen_context(system_u:system_r:system_t, s0)


############################################
#line 1 "fs_use"
#
# ext2, ext3 and reiserfs are labelled through extended attributes, with fs_t
# as the context of the filesystem itself. Everything under proc is given the
# system_t type by the genfscon statement.
# NOTE(review): object_r is not declared by a role statement in this file; it
# is presumably the implicit object role -- confirm.
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);


genfscon proc /				gen_context(system_u:object_r:system_t, s0)


####################################
#line 1 "net_contexts"
# The portcon, netifcon and IPv4 nodecon statements below are commented out.
# They name net_foo_t, a type this file does not declare, so they cannot be
# re-enabled without also declaring that type.
# The only active statement labels the IPv6 loopback address ::1 (full mask)
# with the system_t type.

#portcon tcp 21 system_u:object_r:net_foo_t:s0

#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0

#
#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0

nodecon ::1 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF gen_context(system_u:object_r:system_t, s0)