platform_system_sepolicy/private/security_classes

# FLASK

#
# Define the security object classes
#

# Classes marked as userspace are classes
# for userspace object managers

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class anon_inode
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc

# extended netlink sockets
class netlink_route_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_dnrt_socket

# IPSec association
class association

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket

class appletalk_socket

class packet

# Kernel access key retention
class key

class dccp_socket

class memprotect

# network peer labels
class peer

# Capabilities >= 32
class capability2

# kernel services that need to override task security, e.g. cachefiles
class kernel_service

class tun_socket

class binder

# Updated netlink classes for more recent netlink protocols.
class netlink_iscsi_socket
class netlink_fib_lookup_socket
class netlink_connector_socket
class netlink_netfilter_socket
class netlink_generic_socket
class netlink_scsitransport_socket
class netlink_rdma_socket
class netlink_crypto_socket

# Infiniband
class infiniband_pkey
class infiniband_endport

# Capability checks when on a non-init user namespace
class cap_userns
class cap2_userns

# New socket classes introduced by extended_socket_class policy capability.
# These two were previously mapped to rawip_socket.
class sctp_socket
class icmp_socket
# These were previously mapped to socket.
class ax25_socket
class ipx_socket
class netrom_socket
class atmpvc_socket
class x25_socket
class rose_socket
class decnet_socket
class atmsvc_socket
class rds_socket
class irda_socket
class pppox_socket
class llc_socket
class can_socket
class tipc_socket
class bluetooth_socket
class iucv_socket
class rxrpc_socket
class isdn_socket
class phonet_socket
class ieee802154_socket
class caif_socket
class alg_socket
class nfc_socket
class vsock_socket
class kcm_socket
class qipcrtr_socket
class smc_socket

class process2

class bpf

class xdp_socket

class perf_event

class io_uring

# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
class lockdown

# Property service
class property_service          # userspace

# Service manager
class service_manager           # userspace

# hardware service manager      # userspace
class hwservice_manager

# Legacy Keystore key permissions
class keystore_key              # userspace

# Keystore 2.0 permissions
class keystore2                 # userspace

# Keystore 2.0 key permissions
class keystore2_key             # userspace

# Diced permissions
class diced                     # userspace

class drmservice                # userspace
# FLASK
SE Android policy. 2012-01-04 18:33:27 +01:00			`# FLASK`

			`#`
			`# Define the security object classes`
			`#`

			`# Classes marked as userspace are classes`
			`# for userspace object managers`

			`class security`
			`class process`
			`class system`
			`class capability`

			`# file-related classes`
			`class filesystem`
			`class file`
Add SELinux policy for using userfaultfd ART runtime will be using userfaultfd for a new heap compaction algorithm. After enabling userfaultfd in android kernels (with SELinux support), the feature needs policy that allows { create ioctl read } operations on userfaultfd file descriptors. Bug: 160737021 Test: Manually tested by exercising userfaultfd ops in ART Change-Id: I9ccb7fa9c25f91915639302715f6197d42ef988e 2021-03-11 20:32:47 +01:00			`class anon_inode`
SE Android policy. 2012-01-04 18:33:27 +01:00			`class dir`
			`class fd`
			`class lnk_file`
			`class chr_file`
			`class blk_file`
			`class sock_file`
			`class fifo_file`

			`# network-related classes`
			`class socket`
			`class tcp_socket`
			`class udp_socket`
			`class rawip_socket`
			`class node`
			`class netif`
			`class netlink_socket`
			`class packet_socket`
			`class key_socket`
			`class unix_stream_socket`
			`class unix_dgram_socket`

			`# sysv-ipc-related classes`
			`class sem`
			`class msg`
			`class msgq`
			`class shm`
			`class ipc`

			`# extended netlink sockets`
			`class netlink_route_socket`
			`class netlink_tcpdiag_socket`
			`class netlink_nflog_socket`
			`class netlink_xfrm_socket`
			`class netlink_selinux_socket`
			`class netlink_audit_socket`
			`class netlink_dnrt_socket`

			`# IPSec association`
			`class association`

			`# Updated Netlink class for KOBJECT_UEVENT family.`
			`class netlink_kobject_uevent_socket`

			`class appletalk_socket`

			`class packet`

			`# Kernel access key retention`
			`class key`

			`class dccp_socket`

			`class memprotect`

			`# network peer labels`
			`class peer`

			`# Capabilities >= 32`
			`class capability2`

			`# kernel services that need to override task security, e.g. cachefiles`
			`class kernel_service`

			`class tun_socket`

			`class binder`

Update netlink socket classes. Define new netlink socket security classes introduced by upstream kernel commit 6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket classes"). This was merged in Linux 4.2 and is therefore only required for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch of the kernel/common tree). Add the new socket classes to socket_class_set. Add an initial set of allow rules although further refinement will likely be necessary. Any allow rule previously written on :netlink_socket may need to be rewritten or duplicated for one or more of the more specific classes. For now, we retain the existing :netlink_socket rules for compatibility on older kernels. Change-Id: I5040b30edd2d374538490a080feda96dd4bae5bf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-05-21 22:17:26 +02:00			`# Updated netlink classes for more recent netlink protocols.`
			`class netlink_iscsi_socket`
			`class netlink_fib_lookup_socket`
			`class netlink_connector_socket`
			`class netlink_netfilter_socket`
			`class netlink_generic_socket`
			`class netlink_scsitransport_socket`
			`class netlink_rdma_socket`
			`class netlink_crypto_socket`

Update access_vectors Update access_vectors to support newer kernel functionality. This change does not grant any new access. Inspired by the following refpolicy commits: * https://github.com/SELinuxProject/refpolicy/commit/25a5b2427447eb14edb07ce302217d37528813bc * https://github.com/SELinuxProject/refpolicy/commit/109ab3296bce27281c453617d3629a238f5e4dbf * https://github.com/SELinuxProject/refpolicy/commit/437e48ac53307e1e2e13e49d349c0a09b12eb187 Bug: 118843234 Test: policy compiles Change-Id: I7c5a8dcf288dc2321adcf368bd0c0573c5257202 2018-11-02 03:39:44 +01:00			`# Infiniband`
			`class infiniband_pkey`
			`class infiniband_endport`

Define the user namespace capability classes and access vectors. Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f (selinux: distinguish non-init user namespace capability checks) introduced support for distinguishing capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This support is needed on Linux to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace. Define the new security classes and access vectors for the Android policy. Refactor the original capability and capability2 access vector definitions as common declarations to allow reuse by the new cap_userns and cap2_userns classes. This change does not allow use of the new classes by any domain; that is deferred to future changes as needed if/when Android enables user namespaces and the Android version of Chrome starts using them. The kernel support went upstream in Linux 4.7. Based on the corresponding refpolicy patch by Chris PeBenito, but reworked for the Android policy. Test: policy builds Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2016-04-27 15:42:57 +02:00			`# Capability checks when on a non-init user namespace`
			`class cap_userns`
			`class cap2_userns`

Define extended_socket_class policy capability and socket classes Add a definition for the extended_socket_class policy capability used to enable the use of separate socket security classes for all network address families rather than the generic socket class. The capability also enables the use of separate security classes for ICMP and SCTP sockets, which were previously mapped to rawip_socket class. Add definitions for the new socket classes and access vectors enabled by this capability. Add the new socket classes to the socket_class_set macro, and exclude them from webview_zygote domain as with other socket classes. Allowing access by specific domains to the new socket security classes is left to future commits. Domains previously allowed permissions to the 'socket' class will require permission to the more specific socket class when running on kernels with this support. The kernel support will be included upstream in Linux 4.11. The relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families"), ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6 consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f ("selinux: drop unused socket security classes"). This change requires selinux userspace commit d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define extended_socket_class policy capability") in order to build the policy with this capability enabled. This commit is already in AOSP master. Test: policy builds Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2016-12-08 19:35:27 +01:00			`# New socket classes introduced by extended_socket_class policy capability.`
			`# These two were previously mapped to rawip_socket.`
			`class sctp_socket`
			`class icmp_socket`
			`# These were previously mapped to socket.`
			`class ax25_socket`
			`class ipx_socket`
			`class netrom_socket`
			`class atmpvc_socket`
			`class x25_socket`
			`class rose_socket`
			`class decnet_socket`
			`class atmsvc_socket`
			`class rds_socket`
			`class irda_socket`
			`class pppox_socket`
			`class llc_socket`
			`class can_socket`
			`class tipc_socket`
			`class bluetooth_socket`
			`class iucv_socket`
			`class rxrpc_socket`
			`class isdn_socket`
			`class phonet_socket`
			`class ieee802154_socket`
			`class caif_socket`
			`class alg_socket`
			`class nfc_socket`
			`class vsock_socket`
			`class kcm_socket`
			`class qipcrtr_socket`
Define smc_socket security class. Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all network address families") triggers a build error if a new address family is added without defining a corresponding SELinux security class. As a result, the smc_socket class was added to the kernel to resolve a build failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa Linux 4.11. Define this security class and its access vector, add it to the socket_class_set macro, and exclude it from webview_zygote like other socket classes. Test: Policy builds Change-Id: Idbb8139bb09c6d1c47f1a76bd10f4ce1e9d939cb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2017-05-17 18:06:49 +02:00			`class smc_socket`
Define extended_socket_class policy capability and socket classes Add a definition for the extended_socket_class policy capability used to enable the use of separate socket security classes for all network address families rather than the generic socket class. The capability also enables the use of separate security classes for ICMP and SCTP sockets, which were previously mapped to rawip_socket class. Add definitions for the new socket classes and access vectors enabled by this capability. Add the new socket classes to the socket_class_set macro, and exclude them from webview_zygote domain as with other socket classes. Allowing access by specific domains to the new socket security classes is left to future commits. Domains previously allowed permissions to the 'socket' class will require permission to the more specific socket class when running on kernels with this support. The kernel support will be included upstream in Linux 4.11. The relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families"), ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6 consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f ("selinux: drop unused socket security classes"). This change requires selinux userspace commit d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define extended_socket_class policy capability") in order to build the policy with this capability enabled. This commit is already in AOSP master. Test: policy builds Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2016-12-08 19:35:27 +01:00
Add nnp_nosuid_transition policycap and related class/perm definitions. https://github.com/torvalds/linux/commit/af63f4193f9fbbbac50fc766417d74735afd87ef allows a security policy writer to determine whether transitions under nosuid / NO_NEW_PRIVS should be allowed or not. Define these permissions, so that they're usable to policy writers. This change is modeled after refpolicy https://github.com/TresysTechnology/refpolicy/commit/1637a8b407c85f67f0b2ca5c6d852cef3c999087 Test: policy compiles and device boots Test Note: Because this requires a newer kernel, full testing on such kernels could not be done. Change-Id: I9866724b3b97adfc0cdef5aaba6de0ebbfbda72f 2018-09-07 19:48:55 +02:00			`class process2`

Update access_vectors Update access_vectors to support newer kernel functionality. This change does not grant any new access. Inspired by the following refpolicy commits: * https://github.com/SELinuxProject/refpolicy/commit/25a5b2427447eb14edb07ce302217d37528813bc * https://github.com/SELinuxProject/refpolicy/commit/109ab3296bce27281c453617d3629a238f5e4dbf * https://github.com/SELinuxProject/refpolicy/commit/437e48ac53307e1e2e13e49d349c0a09b12eb187 Bug: 118843234 Test: policy compiles Change-Id: I7c5a8dcf288dc2321adcf368bd0c0573c5257202 2018-11-02 03:39:44 +01:00			`class bpf`

			`class xdp_socket`

perf_event: define security class and access vectors This patch allows us to write SELinux policies for the perf_event_open() syscall LSM hooks added to the kernel in the following commit: https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e Bug: 137092007 Change-Id: I0005759eb7a487faebe94a4653e3865343eb441e 2020-01-08 18:30:26 +01:00			`class perf_event`

Add SELinux Policy For io_uring Brings in the io_uring class and associated restrictions and adds a new macro, `io_uring_use`, to sepolicy. In more detail, this change: * Adds a new macro expands to ensure the domain it is passed can undergo a type transition to a new type, `<domain>_iouring`, when the anon_inode being accessed is labeled `[io_uring]`. It also allows the domain to create, read, write, and map the io_uring anon_inode. * Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag during `io_uring_setup` so that a syscall to `io_uring_enter` is not required by the caller each time it wishes to submit IO. This can be enabled securely as long as we don't enable sharing of io_uring file descriptors across domains. The kernel polling thread created by `SQPOLL` will inherit the credentials of the thread that created the io_uring [1]. * Removes the selinux policy that restricted all domains that make use of the `userfault_fd` macro from any `anon_inode` created by another domain. This is overly restrictive, as it prohibits the use of two different `anon_inode` use cases in a single domain e.g. userfaultfd and io_uring. This change also replaces existing sepolicy in fastbootd and snapuserd that enabled the use of io_uring. [1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/ Bug: 253385258 Test: m selinux_policy Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423 Test: Manually deliver OTAs (built with m dist) to a recent Pixel device and ensure snapuserd functions correctly (no io_uring failures) Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f 2022-11-14 23:06:36 +01:00			`class io_uring`

access_vectors: add lockdown class Needed to support upstream patch https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331 Bug: 148822198 Test: compiles Change-Id: I304c1a97c12067dd08d4ceef93702101908012ed 2020-02-13 21:57:27 +01:00			`# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331`
			`class lockdown`

Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties. 2012-04-04 16:11:16 +02:00			`# Property service`
			`class property_service # userspace`

Add SELinux rules for service_manager. Add a service_mananger class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label. Bug: 12909011 Change-Id: I017032a50bc90c57b536e80b972118016d340c7d 2014-06-06 00:52:02 +02:00			`# Service manager`
			`class service_manager # userspace`

Add new classes and types for (hw\|vnd)servicemanager. Bug: 34454312 Bug: 36052864 Test: device boots, works Change-Id: If61d9b736a74c5944cef4449de4dfbaf78d9ccfa 2017-04-06 18:24:41 +02:00			`# hardware service manager # userspace`
			`class hwservice_manager`

Add security class keystore2_key. Keystore 2.0 has a different set of permission that it enforces. We introduce keystore2_key so that we can set up policy for both Keystore 1.0 and Keystore 2.0 for a gradual transition from one to the other. Bug: 158500146 Test: None Change-Id: I3dcab06d73d242d63d21883659c304dfab8bf74f Merged-In: I3dcab06d73d242d63d21883659c304dfab8bf74f 2020-07-25 22:08:15 +02:00			`# Legacy Keystore key permissions`
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc 2014-06-17 23:58:52 +02:00			`class keystore_key # userspace`

Add security class keystore2_key. Keystore 2.0 has a different set of permission that it enforces. We introduce keystore2_key so that we can set up policy for both Keystore 1.0 and Keystore 2.0 for a gradual transition from one to the other. Bug: 158500146 Test: None Change-Id: I3dcab06d73d242d63d21883659c304dfab8bf74f Merged-In: I3dcab06d73d242d63d21883659c304dfab8bf74f 2020-07-25 22:08:15 +02:00			`# Keystore 2.0 permissions`
			`class keystore2 # userspace`

			`# Keystore 2.0 key permissions`
			`class keystore2_key # userspace`

Diced: Add policy for diced the DICE daemon. Bug: 198197213 Test: N/A Change-Id: I5d0b06e3cd0c594cff6120856ca3bb4f7c1dd98d 2021-11-10 02:49:02 +01:00			`# Diced permissions`
			`class diced # userspace`

Add fine grained access control to DrmManagerService. Add policies supporting SELinux MAC in DrmManagerservice. Add drmservice class with verbs for each of the functions exposed by drmservice. Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e 2014-07-02 21:42:59 +02:00			`class drmservice # userspace`
SE Android policy. 2012-01-04 18:33:27 +01:00			`# FLASK`