trunk: Database userspace object manager classes from KaiGai Kohei.
1 #
2 # Define common prefixes for access vectors
3 #
4 # common common_name { permission_name ... }
5
6
7 #
8 # Define a common prefix for file access vectors.
9 #
10
# Permission set shared by every file-like class. In this file it is
# inherited by dir, file, lnk_file, chr_file, blk_file, sock_file and
# fifo_file; the first ten names are also repeated by hand in
# "common socket" below, since the common syntax has no inherits clause.
# NOTE(review): the position of each name is what the policy compiler
# turns into a permission bit, so new permissions belong at the end of
# the list, never in the middle — confirm against the policy build before
# reordering anything here.
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom # both halves of a label change are checked: the old label ...
relabelto # ... and the new one
append
unlink
link
rename
execute
swapon
quotaon
mounton
}
31
32
33 #
34 # Define a common prefix for socket access vectors.
35 #
36
# Permission set shared by every socket class (socket, tcp_socket,
# udp_socket, rawip_socket, the netlink_*_socket classes, packet_socket,
# key_socket, unix_stream_socket, unix_dgram_socket, appletalk_socket and
# dccp_socket all inherit it). The first ten names duplicate the start of
# "common file" above because a common block cannot inherit another one.
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
recv_msg
send_msg
name_bind # node_bind is not common: it is declared per class (tcp/udp/rawip/dccp)
}
64
65 #
66 # Define a common prefix for ipc access vectors.
67 #
68
# Permission set shared by the System V IPC classes ipc, sem, msgq and
# shm below. Note that "class msg" does not inherit it and declares only
# send/receive.
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read # unix_* are the classic owner/mode style checks — presumably
unix_write # mirrored from the non-MAC permission bits; verify against callers
}
81
82 #
83 # Define a common prefix for userspace database object access vectors.
84 #
85
# Permission set shared by the userspace database object classes
# (db_database, db_table, db_procedure, db_column and db_blob inherit it;
# db_tuple does not and re-declares relabelfrom/relabelto itself).
# Unlike the file common, deletion is called "drop" rather than "unlink".
common database
{
create
drop
getattr
setattr
relabelfrom
relabelto
}
95
96 #
97 # Define the access vectors.
98 #
99 # class class_name [ inherits common_name ] { permission_name ... }
100
101
102 #
103 # Define the access vector interpretation for file-related objects.
104 #
105
# Whole-filesystem operations; a standalone class with no common prefix.
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
transition
associate
quotamod
quotaget
}
119
# Directories: the full "common file" set plus the directory-entry
# operations listed here.
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
}
129
# Regular files: "common file" plus the three execution-related
# permissions, which are declared identically on chr_file below.
# NOTE(review): these three govern code execution and domain entry
# (execute without a transition, use as a transition entrypoint, and
# execute of a modified mapping); treat grants of them as high impact
# and confirm exact semantics against the kernel hooks.
class file
inherits file
{
execute_no_trans
entrypoint
execmod
}
137
# Symbolic links: the "common file" set unchanged, no class-specific
# permissions (the braces are optional in that case).
class lnk_file
inherits file
140
# Character device nodes: same extension as "class file" above, so a
# character device can be executed and used as an entrypoint like a
# regular file.
class chr_file
inherits file
{
execute_no_trans
entrypoint
execmod
}
148
# Block device nodes: the "common file" set unchanged.
class blk_file
inherits file
151
# UNIX-domain socket nodes on the filesystem: the "common file" set
# unchanged (the socket itself is covered by unix_*_socket below).
class sock_file
inherits file
154
# Named pipes: the "common file" set unchanged.
class fifo_file
inherits file
157
# File descriptors: a single permission controlling whether a descriptor
# created under one label may be used by another.
class fd
{
use
}
162
163
164 #
165 # Define the access vector interpretation for network-related objects.
166 #
167
# Generic socket class: the "common socket" set unchanged.
class socket
inherits socket
170
# TCP sockets: "common socket" plus connection-oriented checks.
# connectto/newconn/acceptfrom are shared with unix_stream_socket,
# node_bind with udp/rawip/dccp, and name_connect with dccp_socket.
class tcp_socket
inherits socket
{
connectto
newconn
acceptfrom
node_bind
name_connect
}
180
# UDP sockets: "common socket" plus binding to a labeled node.
class udp_socket
inherits socket
{
node_bind
}
186
# Raw IP sockets: "common socket" plus binding to a labeled node.
class rawip_socket
inherits socket
{
node_bind
}
192
# Network nodes (labeled addresses). The per-protocol recv/send pairs
# mirror "class netif" below; enforce_dest is the one permission that
# exists here but not on netif.
class node
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
enforce_dest
dccp_recv
dccp_send
}
205
# Network interfaces: the same per-protocol recv/send pairs as "class
# node", without enforce_dest.
class netif
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
dccp_recv
dccp_send
}
217
# Generic netlink socket: the "common socket" set unchanged. The
# family-specific netlink_*_socket classes are declared further down
# under "Extended Netlink classes".
class netlink_socket
inherits socket
220
# AF_PACKET sockets: the "common socket" set unchanged.
class packet_socket
inherits socket
223
# PF_KEY (IPsec key management) sockets: the "common socket" set
# unchanged. Not to be confused with "class key" below.
class key_socket
inherits socket
226
# UNIX-domain stream sockets: "common socket" plus the same three
# connection checks tcp_socket declares.
class unix_stream_socket
inherits socket
{
connectto
newconn
acceptfrom
}
234
# UNIX-domain datagram sockets: the "common socket" set unchanged.
class unix_dgram_socket
inherits socket
237
238
239 #
240 # Define the access vector interpretation for process-related objects
241 #
242
# Process-to-process and self-directed operations. Standalone class.
# NOTE(review): the entries to audit most carefully when reviewing
# grants are ptrace (reading/controlling another process), the
# execmem/execstack/execheap trio (writable-and-executable memory), and
# dyntransition/setcurrent (changing the context of a running process
# without an exec); exact semantics should be confirmed against the
# kernel hooks rather than inferred from these names.
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
setexec
setfscreate
noatsecure
siginh
setrlimit
rlimitinh
dyntransition
setcurrent
execmem
execstack
execheap
setkeycreate
setsockcreate
}
276
277
278 #
279 # Define the access vector interpretation for ipc-related objects
280 #
281
# Generic System V IPC class: the "common ipc" set unchanged.
class ipc
inherits ipc
284
# System V semaphores: the "common ipc" set unchanged.
class sem
inherits ipc
287
# System V message queues: "common ipc" plus enqueue. Individual
# messages are a separate class ("class msg") with send/receive.
class msgq
inherits ipc
{
enqueue
}
293
# Individual System V messages. Does not inherit "common ipc"; only
# send and receive are checked on the message itself.
class msg
{
send
receive
}
299
# System V shared memory: "common ipc" plus lock.
class shm
inherits ipc
{
lock
}
305
306
307 #
308 # Define the access vector interpretation for the security server.
309 #
310
# Operations on the security server itself (the compute_* queries and
# the policy/enforcement controls). Standalone class.
# NOTE(review): load_policy, setenforce, setbool, setsecparam and
# setcheckreqprot change the policy or its enforcement for the whole
# system; grants of these should be limited to the policy-management
# domains.
class security
{
compute_av
compute_create
compute_member
check_context
load_policy
compute_relabel
compute_user
setenforce # was avc_toggle in system class
setbool
setsecparam
setcheckreqprot
}
325
326
327 #
328 # Define the access vector interpretation for system operations.
329 #
330
# Miscellaneous system operations: IPC inspection and the kernel log
# (syslog) controls. Standalone class.
class system
{
ipc_info
syslog_read
syslog_mod
syslog_console
}
338
339 #
340 # Define the access vector interpretation for controlling capabilities
341 #
342
# POSIX capabilities. The 31 names below are expected to line up with
# the kernel's numbering, CAP_CHOWN (0) through CAP_AUDIT_CONTROL (30);
# because position is what is encoded, a new capability may only be
# appended, and only after checking its number in the kernel header.
class capability
{
# The capabilities are defined in include/linux/capability.h
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)

chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
audit_write
audit_control
}
381
382
383 #
384 # Define the access vector interpretation for controlling
385 # changes to passwd information.
386 #
# Userspace object manager class for the password/account utilities.
# NOTE(review): rootok is the permission that lets pam_rootok skip
# authentication entirely; it deserves the tightest grants in this class.
class passwd
{
passwd # change another user passwd
chfn # change another user finger info
chsh # change another user shell
rootok # pam_rootok check (skip auth)
crontab # crontab on another user
}
395
396 #
397 # SE-X Windows stuff
398 #
# SE-X Windows: drawable objects (windows and pixmaps as drawing targets).
class drawable
{
create
destroy
draw
copy
getattr
}
407
# SE-X Windows: graphics contexts.
class gc
{
create
free
getattr
setattr
}
415
# SE-X Windows: windows. The first group covers structural and
# property operations; the *event / *request names at the end cover
# delivery of the corresponding X events to a client.
class window
{
addchild
create
destroy
map
unmap
chstack
chproplist
chprop
listprop
getattr
setattr
setfocus
move
chselection
chparent
ctrllife
enumerate
transparent
mousemotion
clientcomevent
inputevent
drawevent
windowchangeevent
windowchangerequest
serverchangeevent
extensionevent
}
445
# SE-X Windows: fonts.
class font
{
load
free
getattr
use
}
453
# SE-X Windows: colormaps.
class colormap
{
create
free
install
uninstall
list
read
store
getattr
setattr
}
466
# SE-X Windows: window properties (the property list itself is
# controlled by chproplist/chprop/listprop on "class window").
class property
{
create
free
read
write
}
474
# SE-X Windows: cursors.
class cursor
{
create
createglyph
free
assign
setattr
}
483
# SE-X Windows: X clients; the only check is whether one client may
# kill another.
class xclient
{
kill
}
488
# SE-X Windows: input devices and grabs.
# NOTE(review): activegrab/passivegrab and mousemotion are the entries
# that let a client observe or capture input destined for others;
# review their grants with that in mind.
class xinput
{
lookup
getattr
setattr
setfocus
warppointer
activegrab
passivegrab
ungrab
bell
mousemotion
relabelinput
}
503
# SE-X Windows: server-wide settings (host access list, font path,
# screensaver, server grabs).
class xserver
{
screensaver
gethostlist
sethostlist
getfontpath
setfontpath
getattr
grab
ungrab
}
515
# SE-X Windows: X protocol extensions.
class xextension
{
query
use
}
521
522 #
523 # Define the access vector interpretation for controlling
524 # PaX flags
525 #
# PaX memory-protection flags, one permission per flag. Each entry
# presumably allows the corresponding flag to be set on an executable;
# confirm against the userspace object manager that consumes this class.
class pax
{
pageexec # Paging based non-executable pages
emutramp # Emulate trampolines
mprotect # Restrict mprotect()
randmmap # Randomize mmap() base
randexec # Randomize ET_EXEC base
segmexec # Segmentation based non-executable pages
}
535
536 #
537 # Extended Netlink classes
538 #
# NETLINK_ROUTE sockets: "common socket" plus a read/write split on the
# netlink messages themselves. The same nlmsg_read/nlmsg_write pair is
# declared on the firewall, tcpdiag, xfrm, audit and ip6fw classes.
class netlink_route_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
545
# NETLINK_FIREWALL sockets: "common socket" plus nlmsg_read/nlmsg_write.
class netlink_firewall_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
552
# NETLINK_TCPDIAG (socket diagnostics) sockets: "common socket" plus
# nlmsg_read/nlmsg_write.
class netlink_tcpdiag_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
559
# NETLINK_NFLOG sockets: "common socket" only. Unlike the route,
# firewall, tcpdiag, xfrm, audit and ip6fw classes there is no
# nlmsg_read/nlmsg_write split here (the same is true of the selinux,
# dnrt and kobject_uevent netlink classes).
class netlink_nflog_socket
inherits socket
562
# NETLINK_XFRM (IPsec policy/SA) sockets: "common socket" plus
# nlmsg_read/nlmsg_write.
class netlink_xfrm_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
569
# NETLINK_SELINUX (AVC/policy notification) sockets: "common socket"
# only, no nlmsg_* permissions.
class netlink_selinux_socket
inherits socket
572
# NETLINK_AUDIT sockets: "common socket" plus the usual read/write split
# and two audit-specific permissions, nlmsg_relay and nlmsg_readpriv,
# that no other netlink class in this file declares.
class netlink_audit_socket
inherits socket
{
nlmsg_read
nlmsg_write
nlmsg_relay
nlmsg_readpriv
}
581
# NETLINK_IP6_FW sockets: "common socket" plus nlmsg_read/nlmsg_write.
class netlink_ip6fw_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
588
# NETLINK_DNRTMSG (DECnet routing) sockets: "common socket" only.
class netlink_dnrt_socket
inherits socket
591
592 # Define the access vector interpretation for controlling
593 # access and communication through the D-BUS messaging
594 # system.
595 #
# Userspace object manager class for the D-BUS daemon: owning a bus
# name and sending a message.
class dbus
{
acquire_svc
send_msg
}
601
602 # Define the access vector interpretation for controlling
603 # access through the name service cache daemon (nscd).
604 #
# Userspace object manager class for nscd. The get* entries cover
# lookups through the daemon, the shmem* entries the shared-memory
# cache for the same databases; admin is the daemon-control permission.
class nscd
{
getpwd
getgrp
gethost
getstat
admin
shmempwd
shmemgrp
shmemhost
getserv
shmemserv
}
618
619 # Define the access vector interpretation for controlling
620 # access to IPSec network data by association
621 #
# IPsec security associations: traffic direction (sendto/recvfrom),
# setting the association's context, and policy matching.
class association
{
sendto
recvfrom
setcontext
polmatch
}
629
630 # Updated Netlink class for KOBJECT_UEVENT family.
# NETLINK_KOBJECT_UEVENT sockets: "common socket" only.
class netlink_kobject_uevent_socket
inherits socket
633
# AppleTalk sockets: "common socket" only.
class appletalk_socket
inherits socket
636
# Labeled network packets (as opposed to AF_PACKET sockets, which are
# "class packet_socket"). Only relabelto is present, no relabelfrom.
class packet
{
send
recv
relabelto
}
643
# Kernel keyring keys (not PF_KEY sockets, which are "class key_socket").
class key
{
view
read
write
search
link
setattr
create
}
654
# Security contexts as objects: translating a context (e.g. for the
# MLS translation daemon) and testing containment.
class context
{
translate
contains
}
660
# DCCP sockets: "common socket" plus node_bind and name_connect, the
# same two tcp_socket declares (but without tcp's connectto/newconn/
# acceptfrom).
class dccp_socket
inherits socket
{
node_bind
name_connect
}
667
# Low-address memory mapping control; a single permission for mapping
# at address zero.
class memprotect
{
mmap_zero
}
672
# Userspace database object manager: a database as a whole. "common
# database" plus access, module loading and parameter get/set.
# NOTE(review): install_module/load_module let a client add code to
# the database server; they are the high-impact entries of this class.
class db_database
inherits database
{
access
install_module
load_module
get_param
set_param
}
682
# Userspace database object manager: tables. "common database" plus
# the row-level operations and lock.
class db_table
inherits database
{
use
select
update
insert
delete
lock
}
693
# Userspace database object manager: stored procedures. "common
# database" plus execute and entrypoint, mirroring the names used for
# executable files.
class db_procedure
inherits database
{
execute
entrypoint
}
700
# Userspace database object manager: columns. "common database" plus
# use/select/update/insert (no delete, unlike db_table).
class db_column
inherits database
{
use
select
update
insert
}
709
# Userspace database object manager: tuples (rows). This is the one
# db_* class that does not inherit "common database": it re-declares
# relabelfrom/relabelto itself and has no create/drop/getattr/setattr.
# NOTE(review): confirm that omission is intentional rather than an
# oversight, since the other db_* classes all take the common prefix.
class db_tuple
{
relabelfrom
relabelto
use
select
update
insert
delete
}
720
# Userspace database object manager: large objects. "common database"
# plus read/write and import/export between the database and files.
class db_blob
inherits database
{
read
write
import
export
}