2012-01-04 18:33:27 +01:00
|
|
|
# FLASK
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Define the security object classes
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
# Classes marked as userspace are classes
|
|
|
|
|
# for userspace object managers
|
|
|
|
|
|
|
|
|
|
class security
|
|
|
|
|
class process
|
|
|
|
|
class system
|
|
|
|
|
class capability
|
|
|
|
|
|
|
|
|
|
# file-related classes
|
|
|
|
|
class filesystem
|
|
|
|
|
class file
|
|
|
|
|
class dir
|
|
|
|
|
class fd
|
|
|
|
|
class lnk_file
|
|
|
|
|
class chr_file
|
|
|
|
|
class blk_file
|
|
|
|
|
class sock_file
|
|
|
|
|
class fifo_file
|
|
|
|
|
|
|
|
|
|
# network-related classes
|
|
|
|
|
class socket
|
|
|
|
|
class tcp_socket
|
|
|
|
|
class udp_socket
|
|
|
|
|
class rawip_socket
|
|
|
|
|
class node
|
|
|
|
|
class netif
|
|
|
|
|
class netlink_socket
|
|
|
|
|
class packet_socket
|
|
|
|
|
class key_socket
|
|
|
|
|
class unix_stream_socket
|
|
|
|
|
class unix_dgram_socket
|
|
|
|
|
|
|
|
|
|
# sysv-ipc-related classes
|
|
|
|
|
class sem
|
|
|
|
|
class msg
|
|
|
|
|
class msgq
|
|
|
|
|
class shm
|
|
|
|
|
class ipc
|
|
|
|
|
|
|
|
|
|
# extended netlink sockets
|
|
|
|
|
class netlink_route_socket
|
|
|
|
|
class netlink_tcpdiag_socket
|
|
|
|
|
class netlink_nflog_socket
|
|
|
|
|
class netlink_xfrm_socket
|
|
|
|
|
class netlink_selinux_socket
|
|
|
|
|
class netlink_audit_socket
|
|
|
|
|
class netlink_dnrt_socket
|
|
|
|
|
|
|
|
|
|
# IPSec association
|
|
|
|
|
class association
|
|
|
|
|
|
|
|
|
|
# Updated Netlink class for KOBJECT_UEVENT family.
|
|
|
|
|
class netlink_kobject_uevent_socket
|
|
|
|
|
|
|
|
|
|
class appletalk_socket
|
|
|
|
|
|
|
|
|
|
class packet
|
|
|
|
|
|
|
|
|
|
# Kernel access key retention
|
|
|
|
|
class key
|
|
|
|
|
|
|
|
|
|
class dccp_socket
|
|
|
|
|
|
|
|
|
|
class memprotect
|
|
|
|
|
|
|
|
|
|
# network peer labels
|
|
|
|
|
class peer
|
|
|
|
|
|
|
|
|
|
# Capabilities >= 32
|
|
|
|
|
class capability2
|
|
|
|
|
|
|
|
|
|
# kernel services that need to override task security, e.g. cachefiles
|
|
|
|
|
class kernel_service
|
|
|
|
|
|
|
|
|
|
class tun_socket
|
|
|
|
|
|
|
|
|
|
class binder
|
|
|
|
|
|
2015-05-21 22:17:26 +02:00
|
|
|
# Updated netlink classes for more recent netlink protocols.
|
|
|
|
|
class netlink_iscsi_socket
|
|
|
|
|
class netlink_fib_lookup_socket
|
|
|
|
|
class netlink_connector_socket
|
|
|
|
|
class netlink_netfilter_socket
|
|
|
|
|
class netlink_generic_socket
|
|
|
|
|
class netlink_scsitransport_socket
|
|
|
|
|
class netlink_rdma_socket
|
|
|
|
|
class netlink_crypto_socket
|
|
|
|
|
|
2018-11-02 03:39:44 +01:00
|
|
|
# Infiniband
|
|
|
|
|
class infiniband_pkey
|
|
|
|
|
class infiniband_endport
|
|
|
|
|
|
2016-04-27 15:42:57 +02:00
|
|
|
# Capability checks when on a non-init user namespace
|
|
|
|
|
class cap_userns
|
|
|
|
|
class cap2_userns
|
|
|
|
|
|
2016-12-08 19:35:27 +01:00
|
|
|
# New socket classes introduced by extended_socket_class policy capability.
|
|
|
|
|
# These two were previously mapped to rawip_socket.
|
|
|
|
|
class sctp_socket
|
|
|
|
|
class icmp_socket
|
|
|
|
|
# These were previously mapped to socket.
|
|
|
|
|
class ax25_socket
|
|
|
|
|
class ipx_socket
|
|
|
|
|
class netrom_socket
|
|
|
|
|
class atmpvc_socket
|
|
|
|
|
class x25_socket
|
|
|
|
|
class rose_socket
|
|
|
|
|
class decnet_socket
|
|
|
|
|
class atmsvc_socket
|
|
|
|
|
class rds_socket
|
|
|
|
|
class irda_socket
|
|
|
|
|
class pppox_socket
|
|
|
|
|
class llc_socket
|
|
|
|
|
class can_socket
|
|
|
|
|
class tipc_socket
|
|
|
|
|
class bluetooth_socket
|
|
|
|
|
class iucv_socket
|
|
|
|
|
class rxrpc_socket
|
|
|
|
|
class isdn_socket
|
|
|
|
|
class phonet_socket
|
|
|
|
|
class ieee802154_socket
|
|
|
|
|
class caif_socket
|
|
|
|
|
class alg_socket
|
|
|
|
|
class nfc_socket
|
|
|
|
|
class vsock_socket
|
|
|
|
|
class kcm_socket
|
|
|
|
|
class qipcrtr_socket
|
2017-05-17 18:06:49 +02:00
|
|
|
class smc_socket
|
2016-12-08 19:35:27 +01:00
|
|
|
|
2018-09-07 19:48:55 +02:00
|
|
|
class process2
|
|
|
|
|
|
2018-11-02 03:39:44 +01:00
|
|
|
class bpf
|
|
|
|
|
|
|
|
|
|
class xdp_socket
|
|
|
|
|
|
2012-04-04 16:11:16 +02:00
|
|
|
# Property service
|
|
|
|
|
class property_service # userspace
|
|
|
|
|
|
2014-06-06 00:52:02 +02:00
|
|
|
# Service manager
|
|
|
|
|
class service_manager # userspace
|
|
|
|
|
|
2017-04-06 18:24:41 +02:00
|
|
|
# hardware service manager # userspace
|
|
|
|
|
class hwservice_manager
|
|
|
|
|
|
2014-06-17 23:58:52 +02:00
|
|
|
# Keystore Key
|
|
|
|
|
class keystore_key # userspace
|
|
|
|
|
|
2014-07-02 21:42:59 +02:00
|
|
|
class drmservice # userspace
|
2012-01-04 18:33:27 +01:00
|
|
|
# FLASK
|
