2012-01-04 09:33:27 -08:00
|
|
|
#####################################
|
|
|
|
|
# Common groupings of object classes.
|
|
|
|
|
#
|
2017-11-09 14:51:26 -08:00
|
|
|
define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
|
|
|
|
|
define(`global_capability_class_set', `{ capability cap_userns }')
|
|
|
|
|
define(`global_capability2_class_set', `{ capability2 cap2_userns }')
|
2012-01-04 09:33:27 -08:00
|
|
|
|
|
|
|
|
define(`devfile_class_set', `{ chr_file blk_file }')
|
2012-10-03 09:55:28 -07:00
|
|
|
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
|
|
|
|
|
define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
|
|
|
|
|
define(`dir_file_class_set', `{ dir file_class_set }')
|
2012-01-04 09:33:27 -08:00
|
|
|
|
2018-11-16 02:48:03 -08:00
|
|
|
define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
|
2012-01-04 09:33:27 -08:00
|
|
|
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
|
2018-11-01 19:39:44 -07:00
|
|
|
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
|
|
|
|
|
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
|
2019-01-17 14:44:29 -08:00
|
|
|
define(`network_socket_class_set', `{ icmp_socket rawip_socket tcp_socket udp_socket }')
|
2012-01-04 09:33:27 -08:00
|
|
|
|
|
|
|
|
define(`ipc_class_set', `{ sem msgq shm ipc }')
|
|
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
|
# Common groupings of permissions.
|
|
|
|
|
#
|
2017-07-10 06:32:10 -07:00
|
|
|
define(`x_file_perms', `{ getattr execute execute_no_trans map }')
|
2019-08-28 12:23:20 -07:00
|
|
|
define(`r_file_perms', `{ getattr open read ioctl lock map watch watch_reads }')
|
2017-07-10 06:32:10 -07:00
|
|
|
define(`w_file_perms', `{ open append write lock map }')
|
2012-01-04 09:33:27 -08:00
|
|
|
define(`rx_file_perms', `{ r_file_perms x_file_perms }')
|
|
|
|
|
define(`ra_file_perms', `{ r_file_perms append }')
|
|
|
|
|
define(`rw_file_perms', `{ r_file_perms w_file_perms }')
|
|
|
|
|
define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
|
2015-03-26 18:18:03 -07:00
|
|
|
define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
|
2012-01-04 09:33:27 -08:00
|
|
|
|
2019-08-28 12:23:20 -07:00
|
|
|
define(`r_dir_perms', `{ open getattr read search ioctl lock watch watch_reads }')
|
2016-03-21 18:15:05 -07:00
|
|
|
define(`w_dir_perms', `{ open search write add_name remove_name lock }')
|
2012-01-04 09:33:27 -08:00
|
|
|
define(`ra_dir_perms', `{ r_dir_perms add_name write }')
|
|
|
|
|
define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
|
2015-03-26 18:18:03 -07:00
|
|
|
define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
|
2012-01-04 09:33:27 -08:00
|
|
|
|
|
|
|
|
define(`r_ipc_perms', `{ getattr read associate unix_read }')
|
|
|
|
|
define(`w_ipc_perms', `{ write unix_write }')
|
|
|
|
|
define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
|
|
|
|
|
define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
|
2013-01-07 06:21:18 -08:00
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
|
# Common socket permission sets.
|
add map permission to rw_socket_perms
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for
mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific
files for which we need to ensure that every access is revalidated,
particularly useful for scenarios where we expect the file to be
relabeled at runtime in order to reflect state changes (e.g.
cross-domain solution, assured pipeline without data copying).
system/sepolicy commit 4397f08288890ef397697b4d6dbff596bdca14c8 added
the map permission to common file macros, to ensure that file access
would continue working even in the presence of a newer kernel. However,
that change did not affect socket access.
Certain socket classes, such as AF_NETLINK and AF_PACKET, also support
mmap operations. This change adds the map permission to rw_socket_perms,
to ensure continued support for newer kernels.
This technically allows mmap even in cases where the socket family
doesn't support it (such as TCP and UDP sockets), but granting it
is harmless in those cases.
In particular, this fixes a bug in clatd, where the following error
would occur:
10-01 13:59:03.182 7129 7129 I clatd : Starting clat version 1.4 on rmnet0 netid=100 mark=0xf0064
10-01 13:59:03.195 7129 7129 I auditd : type=1400 audit(0.0:18): avc: denied { map } for comm="clatd" path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
10-01 13:59:03.195 7129 7129 W clatd : type=1400 audit(0.0:18): avc: denied { map } for path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
10-01 13:59:03.199 7129 7129 F clatd : mmap 1048576 failed: Permission denied
Test: policy compiles
Bug: 117791876
Change-Id: I39f286d577b4a2160037ef271517ae8a3839b49b
2018-10-15 21:24:57 -07:00
|
|
|
define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
|
|
|
|
|
define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
|
2013-01-07 06:21:18 -08:00
|
|
|
define(`create_socket_perms', `{ create rw_socket_perms }')
|
2016-09-09 12:48:45 -07:00
|
|
|
define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
|
2014-02-24 07:48:03 -08:00
|
|
|
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
|
|
|
|
|
define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
|
