Declares a common identifier in the current namespace with a set of common permissions that can be used by one or more class identifiers. The classcommon statement is used to associate a common identifier to a specific class identifier.
Statement definition:
(common common_id (permission_id ...))
Where:
Example:
This common statement will associate the common identifier ‘file’ with the list of permissions:
(common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))
Associate a class identifier to a one or more permissions declared by a common identifier.
Statement definition:
(classcommon class_id common_id)
Where:
Example:
This associates the dir class with the list of permissions declared by the file common identifier:
(common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton)) (classcommon dir file)
Declares a class and zero or more permissions in the current namespace.
Statement definition:
(class class_id (permission_id ...))
Where:
Examples:
This example defines a set of permissions for the binder class identifier:
(class binder (impersonate call set_context_mgr transfer receive))
This example defines a common set of permissions to be used by the sem class, the (class sem ()) does not define any other permissions (i.e. an empty list):
(common ipc (create destroy getattr setattr read write associate unix_read unix_write)) (classcommon sem ipc) (class sem ())
and will produce the following set of permissions for the sem class identifier of:
(class sem (create destroy getattr setattr read write associate unix_read unix_write))
This example, with the following combination of the common, classcommon and class statements:
(common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton)) (classcommon dir file) (class dir (add_name remove_name reparent search rmdir open audit_access execmod))
will produce a set of permissions for the dir class identifier of:
(class dir (add_name remove_name reparent search rmdir open audit_access execmod ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))
Defines the order of class's. This is a mandatory statement. Multiple classorder statements declared in the policy will form an ordered list.
Statement definition:
(classorder (class_id ...))
Where:
Example:
This will produce an ordered list of “file dir process”
(class process) (class file) (class dir) (classorder (file dir)) (classorder (dir process))
Unordered Classorder Statement:
If users do not have knowledge of the existing classorder, the unordered keyword may be used in a classorder statement. The classes in an unordered statement are appended to the existing classorder. A class in an ordered statement always supersedes the class redeclaration in an unordered statement. The unordered keyword must be the first item in the classorder listing.
Example:
This will produce an unordered list of “file dir foo a bar baz”
(class file) (class dir) (class foo) (class bar) (class baz) (class a) (classorder (file dir)) (classorder (dir foo)) (classorder (unordered a)) (classorder (unordered bar foo baz))
Declares a class permission set identifier in the current namespace that can be used by one or more classpermissionsets to associate one or more classes and permissions to form a named set.
Statement definition:
(classpermission classpermissionset_id)
Where:
Example:
See the classpermissionset statement for examples.
Defines a class permission set identifier in the current namespace that associates a class and one or more permissions to form a named set. Nested expressions may be used to determine the required permissions as shown in the examples. Anonymous classpermissionsets may be used in av rules and constraints.
Statement definition:
(classpermissionset classpermissionset_id (class_id (permission_id | expr ...)))
Where:
Examples:
These class permission set statements will resolve to the permission sets shown in the kernel policy language allow rules:
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo)) (type test_1) (type test_2) (type test_3) (type test_4) (type test_5) ; NOT (classpermission zygote_1) (classpermissionset zygote_1 (zygote (not (specifyinvokewith specifyseinfo) ) )) (allow unconfined.process test_1 zygote_1) ;; allow unconfined.process test_1 : zygote { specifyids specifyrlimits specifycapabilities } ; ; AND - ALL - NOT - Equiv to test_1 (classpermission zygote_2) (classpermissionset zygote_2 (zygote (and (all) (not (specifyinvokewith specifyseinfo)) ) )) (allow unconfined.process test_2 zygote_2) ;; allow unconfined.process test_2 : zygote { specifyids specifyrlimits specifycapabilities } ; ; OR (classpermission zygote_3) (classpermissionset zygote_3 (zygote ((or (specifyinvokewith) (specifyseinfo))))) (allow unconfined.process test_3 zygote_3) ;; allow unconfined.process test_3 : zygote { specifyinvokewith specifyseinfo } ; ; XOR - This will not produce an allow rule as the XOR will remove all the permissions: (classpermission zygote_4) (classpermissionset zygote_4 (zygote (xor (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo) (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo)))) ; ALL (classpermission zygote_all_perms) (classpermissionset zygote_all_perms (zygote (all))) (allow unconfined.process test_5 zygote_all_perms) ;; allow unconfined.process test_5 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ;
Declares a class map identifier in the current namespace and one or more class mapping identifiers. This will allow:
Multiple classpermissionsets to be linked to a pair of classmap / classmapping identifiers.
Multiple classs to be associated to statements and rules that support a list of classes:
typetransition typechange typemember rangetransition roletransition defaultuser defaultrole defaulttype defaultrange validatetrans mlsvalidatetrans
Statement definition:
(classmap classmap_id (classmapping_id ...))
Where:
Example:
See the classmapping statement for examples.
Define sets of classpermissionsets (named or anonymous) to form a consolidated classmapping set. Generally there are multiple classmapping statements with the same classmap and classmapping identifiers that form a set of different classpermissionset's. This is useful when multiple class / permissions are required in rules such as the allow rules (as shown in the examples).
Statement definition:
(classmapping classmap_id classmapping_id classpermissionset_id)
Where:
Examples:
These class mapping statements will resolve to the permission sets shown in the kernel policy language allow rules:
(class binder (impersonate call set_context_mgr transfer receive)) (class property_service (set)) (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo)) (classpermission cps_zygote) (classpermissionset cps_zygote (zygote (not (specifyids)))) (classmap android_classes (set_1 set_2 set_3)) (classmapping android_classes set_1 (binder (all))) (classmapping android_classes set_1 (property_service (set))) (classmapping android_classes set_1 (zygote (not (specifycapabilities)))) (classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer))) (classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith))) (classmapping android_classes set_3 cps_zygote) (classmapping android_classes set_3 (binder (impersonate call set_context_mgr))) (block map_example (type type_1) (type type_2) (type type_3) (allow type_1 self (android_classes (set_1))) (allow type_2 self (android_classes (set_2))) (allow type_3 self (android_classes (set_3))) ) ; The above will resolve to the following AV rules: ;; allow map_example.type_1 map_example.type_1 : binder { impersonate call set_context_mgr transfer receive } ; ;; allow map_example.type_1 map_example.type_1 : property_service set ; ;; allow map_example.type_1 map_example.type_1 : zygote { specifyids specifyrlimits specifyinvokewith specifyseinfo } ; ;; allow map_example.type_2 map_example.type_2 : binder { impersonate call set_context_mgr transfer } ; ;; allow map_example.type_2 map_example.type_2 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith } ; ;; allow map_example.type_3 map_example.type_3 : binder { impersonate call set_context_mgr } ; ;; allow map_example.type_3 map_example.type_3 : zygote { specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ;
Defines a named extended permission, which can be used in the allowx, auditallowx, dontauditx, and neverallowx statements.
Statement definition:
(permissionx permissionx_id (kind class_id (permission ... | expr ...)))
Where:
Examples:
(permissionx ioctl_1 (ioctl tcp_socket (0x2000 0x3000 0x4000))) (permissionx ioctl_2 (ioctl tcp_socket (range 0x6000 0x60FF))) (permissionx ioctl_3 (ioctl tcp_socket (and (range 0x8000 0x90FF) (not (range 0x8100 0x82FF)))))