Diffstat (limited to 'access_vectors')
-rw-r--r-- | access_vectors | 620 |
1 files changed, 0 insertions, 620 deletions
diff --git a/access_vectors b/access_vectors
deleted file mode 100644
index c38aa7b..0000000
--- a/access_vectors
+++ /dev/null
@@ -1,620 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- unlink
- link
- rename
- execute
- swapon
- quotaon
- mounton
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
-# socket-specific
- bind
- connect
- listen
- accept
- getopt
- setopt
- shutdown
- recvfrom
- sendto
- recv_msg
- send_msg
- name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
- create
- destroy
- getattr
- setattr
- read
- write
- associate
- unix_read
- unix_write
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
- mount
- remount
- unmount
- getattr
- relabelfrom
- relabelto
- transition
- associate
- quotamod
- quotaget
-}
-
-class dir
-inherits file
-{
- add_name
- remove_name
- reparent
- search
- rmdir
- open
- audit_access
- execmod
-}
-
-class file
-inherits file
-{
- execute_no_trans
- entrypoint
- execmod
- open
- audit_access
-}
-
-class lnk_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class chr_file
-inherits file
-{
- execute_no_trans
- entrypoint
- execmod
- open
- audit_access
-}
-
-class blk_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class sock_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class fifo_file
-inherits file
-{
- open
- audit_access
- execmod
-}
-
-class fd
-{
- use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
- connectto
- newconn
- acceptfrom
- node_bind
- name_connect
-}
-
-class udp_socket
-inherits socket
-{
- node_bind
-}
-
-class rawip_socket
-inherits socket
-{
- node_bind
-}
-
-class node
-{
- tcp_recv
- tcp_send
- udp_recv
- udp_send
- rawip_recv
- rawip_send
- enforce_dest
- dccp_recv
- dccp_send
- recvfrom
- sendto
-}
-
-class netif
-{
- tcp_recv
- tcp_send
- udp_recv
- udp_send
- rawip_recv
- rawip_send
- dccp_recv
- dccp_send
- ingress
- egress
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
- connectto
- newconn
- acceptfrom
-}
-
-class unix_dgram_socket
-inherits socket
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
- fork
- transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
- ptrace
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- setexec
- setfscreate
- noatsecure
- siginh
- setrlimit
- rlimitinh
- dyntransition
- setcurrent
- execmem
- execstack
- execheap
- setkeycreate
- setsockcreate
-}
-
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
- enqueue
-}
-
-class msg
-{
- send
- receive
-}
-
-class shm
-inherits ipc
-{
- lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce # was avc_toggle in system class
- setbool
- setsecparam
- setcheckreqprot
- read_policy
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
- ipc_info
- syslog_read
- syslog_mod
- syslog_console
- module_request
-}
-
-#
-# Define the access vector interpretation for controling capabilies
-#
-
-class capability
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the capability2 class.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-class capability2
-{
- mac_override # unused by SELinux
- mac_admin # unused by SELinux
- syslog
- wake_alarm
- block_suspend
- audit_read
-}
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_firewall_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
- nlmsg_tty_audit
-}
-
-class netlink_ip6fw_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
- sendto
- recvfrom
- setcontext
- polmatch
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
- send
- recv
- relabelto
- flow_in # deprecated
- flow_out # deprecated
- forward_in
- forward_out
-}
-
-class key
-{
- view
- read
- write
- search
- link
- setattr
- create
-}
-
-class dccp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class memprotect
-{
- mmap_zero
-}
-
-# network peer labels
-class peer
-{
- recv
-}
-
-class kernel_service
-{
- use_as_override
- create_files_as
-}
-
-class tun_socket
-inherits socket
-{
- attach_queue
-}
-
-class binder
-{
- impersonate
- call
- set_context_mgr
- transfer
-}
-
-class netlink_iscsi_socket
-inherits socket
-
-class netlink_fib_lookup_socket
-inherits socket
-
-class netlink_connector_socket
-inherits socket
-
-class netlink_netfilter_socket
-inherits socket
-
-class netlink_generic_socket
-inherits socket
-
-class netlink_scsitransport_socket
-inherits socket
-
-class netlink_rdma_socket
-inherits socket
-
-class netlink_crypto_socket
-inherits socket
-
-class property_service
-{
- set
-}
-
-class service_manager
-{
- add
- find
- list
-}
-
-class keystore_key
-{
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
-}
-
-class debuggerd
-{
- dump_tombstone
- dump_backtrace
-}
-
-class drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-} |