#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# This file declares the object classes and permission names that policy
# rules (allow, neverallow, ...) can reference.  A "common" is a reusable
# permission prefix; a "class" is an object class that may inherit one common
# and add its own permissions.  Only the names are declared here; what each
# permission mediates is decided by the kernel or userspace object manager
# that enforces the class.  Adding a permission here does not grant it to
# anything; removing or renaming one breaks every rule that references it.
#


#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	unlink
	link
	rename
	execute
	quotaon
	mounton
	audit_access
	open
	execmod
	watch
	watch_mount
	watch_sb
	watch_with_perm
	watch_reads
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# Same set as the first part of "common file".  Only classes can inherit a
# common (see the class grammar below), so this list is duplicated rather
# than inherited and must be kept in sync by hand.
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common for capability access vectors.
#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# One entry per CAP_* constant, in header order, starting at
	# CAP_CHOWN (0) and ending at CAP_SETFCAP (31).
	#
	# NOTE(review): dac_override, dac_read_search, setuid, setgid,
	# sys_admin, sys_module, sys_rawio, sys_ptrace and setfcap are each
	# close to full root.  Treat any new grant of them in a policy rule
	# as a privilege-escalation review item.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

# Continuation of the capability list for CAP_* values >= 32, starting at
# CAP_MAC_OVERRIDE (32).  The same ordering caveat as for "common cap" applies.
common cap2
{
	mac_override	# unused by SELinux
	mac_admin
	syslog
	wake_alarm
	block_suspend
	audit_read
	perfmon
	# starting_at_board_api() is an m4 macro defined outside this file;
	# presumably it emits the name only for board API level 202504 and
	# later, so older targets do not know these two permissions - confirm.
	#
	# NOTE(review): these two entries are in the reverse of their
	# capability.h numbering (CAP_BPF = 39, CAP_CHECKPOINT_RESTORE = 40)
	# even though this section says order matters.  Confirm that the
	# name-based class/permission mapping in the kernel makes this
	# harmless, or reorder them to match the header.
	starting_at_board_api(202504, `checkpoint_restore')
	starting_at_board_api(202504, `bpf')
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# A class that inherits a common gets every permission of that common plus
# the ones listed in its own braces (the braces may be omitted when it adds
# none).


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
	watch
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

# Regular files.  execute_no_trans and entrypoint are the two permissions
# that, together with the process class, decide whether executing a file
# keeps the caller in its domain or is allowed as a domain-transition entry.
class file
inherits file
{
	execute_no_trans
	entrypoint
}

class anon_inode
inherits file

class lnk_file
inherits file

# Character devices carry the same exec-related permissions as regular files.
class chr_file
inherits file
{
	execute_no_trans
	entrypoint
}

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

# File descriptors (e.g. ones inherited across exec or passed over a socket).
class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

# Network addresses (nodes) as labeled objects.
class node
{
	recvfrom
	sendto
}

# Network interfaces as labeled objects.
class netif
{
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#
# NOTE(review): ptrace, dyntransition, setcurrent and the exec* permissions
# (execmem, execstack, execheap) are the ones most often fenced off by
# neverallow rules; check any new grant against those before adding it.
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit
}

# Second process class, added when the first one ran out of permission bits.
# Presumably: nnp_transition allows a domain transition despite no_new_privs,
# nosuid_transition despite a nosuid mount - confirm against the kernel hooks.
class process2
{
	nnp_transition
	nosuid_transition
}

#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#
# NOTE(review): load_policy, setenforce, setbool and setcheckreqprot change
# what the policy enforces for every other domain, so a domain holding them
# is effectively above the policy; read_policy exposes the loaded policy
# itself.  Keep these grants as narrow as possible.
#

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
	validate_trans
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
}

#
# Define the access vector interpretation for controlling capabilities
#
# These carry the cap / cap2 lists declared above.  The cap_userns and
# cap2_userns classes later in this file carry the same lists for
# capabilities checked in user namespaces.

class capability
inherits cap

class capability2
inherits cap2

#
# Extended Netlink classes
#
# The nlmsg_* permissions split netlink traffic by message type on top of
# the generic socket permissions.
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_readpriv
	nlmsg_getneigh
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

# Labeled network packets (e.g. via iptables/nftables SECMARK).
class packet
{
	send
	recv
	relabelto
	forward_in
	forward_out
}

# Kernel keyrings / keys (keyctl).
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

# NOTE(review): mmap_zero presumably permits mapping the lowest pages of the
# address space, which is what turns a kernel NULL dereference into an
# exploitable primitive - confirm against the kernel hook and keep it narrow.
class memprotect
{
	mmap_zero
}

# network peer labels
class peer
{
	recv
}

class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket
{
	attach_queue
}

# Android binder IPC.
class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket

class infiniband_pkey
{
	access
}

class infiniband_endport
{
	manage_subnet
}

#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#
# Same permission lists as capability / capability2; only the class under
# which the check is made differs.

class cap_userns
inherits cap

class cap2_userns
inherits cap2


#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#

#
# The next two classes were previously mapped to rawip_socket.  icmp_socket
# still has the same definition as rawip_socket; sctp_socket has since gained
# name_connect and association, so the two no longer match.
#
class sctp_socket
inherits socket
{
	node_bind
	name_connect
	association
}

class icmp_socket
inherits socket
{
	node_bind
}

#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#

class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

class smc_socket
inherits socket

class xdp_socket
inherits socket

class mctp_socket
inherits socket

# eBPF maps and programs.  NOTE(review): prog_load together with the bpf
# capability above is a large kernel attack surface; review new grants of
# both together.
class bpf
{
	map_create
	map_read
	map_write
	prog_load
	prog_run
}

#
# Android userspace object managers.  The kernel does not enforce the
# classes below; the named service checks them itself via the AVC.
#

class property_service
{
	set
}

class service_manager
{
	add
	find
	list
}

class hwservice_manager
{
	add
	find
	list
}

class keystore_key # No longer used
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
	gen_unique_id
}

# Keystore 2.0 service-level operations.
class keystore2
{
	add_auth
	change_password
	change_user
	clear_ns
	clear_uid
	delete_all_keys
	early_boot_ended
	get_attestation_key
	get_auth_token
	get_last_auth_time
	get_state # No longer used
	list
	lock
	pull_metrics
	report_off_body # No longer used
	reset
	unlock
}

# Keystore 2.0 per-key operations.
class keystore2_key
{
	convert_storage_key_to_ephemeral
	delete
	gen_unique_id
	get_info
	grant
	manage_blob
	rebind
	req_forced_op
	update
	use
	use_dev_id
}

# DICE (device identifier composition) daemon.
class diced
{
	demote
	demote_self
	derive
	get_attestation_chain
	use_seal
	use_sign
}

# Permission names here use camelCase, unlike the rest of the file.  They
# are kept as-is because renaming a permission would require updating every
# rule that references it.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}

# perf_event_open() access.  cpu, kernel and tracepoint presumably gate the
# corresponding event scopes - confirm against the kernel hook.
class perf_event
{
	open
	cpu
	kernel
	tracepoint
	read
	write
}

# Presumably maps to the two levels of the kernel lockdown LSM - confirm.
class lockdown
{
	integrity
	confidentiality
}

# NOTE(review): override_creds lets an io_uring request run with credentials
# other than the submitter; sqpoll creates a kernel submission thread.  Both
# are worth a neverallow unless a domain has a demonstrated need.
class io_uring
{
	override_creds
	sqpoll
	cmd
}

# Creation of a new user namespace (CLONE_NEWUSER) - confirm against the
# kernel hook.
class user_namespace
{
	create
}

class tee_service
{
	use
}
