;; SELinux CIL Policy Example
|
|
|
|
;; NOTE: This file is not functional, but
|
|
;; is designed to test syntax highlighting.
|
|
|
|
; Brackets colors
|
|
((((((((((((( ))))))))))))) ))
|
|
|
|
; Statements
|
|
(policycap open_perms) ; Policy config. statement
|
|
(mls true)
|
|
(handleunknown allow) ; NOTE(review): in a real policy 'allow' grants access to classes and permissions the kernel does not know; deny or reject is the hardened setting
|
|
|
|
(sid kernel) ; Declaration type statement
|
|
(classpermissionset char_w (char (write setattr))) ; Other statements
|
|
|
|
(user user) ; Declare identifier 'user' of user type
|
|
(role role)
|
|
(type type)
|
|
(allow allow) (true true) (in in) (xor xor) ; keywords reused as identifiers
|
|
|
|
; List of permissions
|
|
(class security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy))
|
|
|
|
; Highlighting permissions only if there is not a statement keyword
|
|
(class binder (impersonate call set_context_mgr transfer receive))
|
|
(class binder (classcommon impersonate call set_context_mgr transfer receive))
|
|
(impersonate call set_context_mgr transfer receive)
|
|
(tunableif impersonate call set_context_mgr transfer receive)
|
|
|
|
; This is allowed by the CIL compiler
|
|
( typeattribute;comment
|
|
all_fs_type_except_usermodehelper_and_proc_security)
|
|
(;comment
|
|
typeattribute all_fs_type_except_usermodehelper_and_proc_security)
|
|
( ;comment
|
|
;more comments
|
|
typeattribute all_fs_type_except_usermodehelper_and_proc_security)
|
|
|
|
; Paths
|
|
(true true /true true /true/true/ true true/true "true")
|
|
; Global namespace
|
|
(true true .true true true.true true .true.true true.true.true
|
|
.true. true. true.true. ; invalid
|
|
)
|
|
|
|
; Keywords in some rules
|
|
|
|
; filecon
|
|
(filecon "/system/bin/run-as" file runas_exec_context)
|
|
(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0) ; the path is a regular expression
|
|
(filecon "/data/local/mine" dir ())
|
|
(classcommon file any dir)
|
|
(file any dir)
|
|
; portcon
|
|
(portcon sctp 3333 (unconfined.user object_r unconfined.object levelrange_1))
|
|
(portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
|
|
(defaultrole tcp udp)
|
|
(tcp udp)
|
|
; fsuse
|
|
(fsuse xattr ext4 file.labeledfs_context)
|
|
(fsuse task pipefs file.pipefs_context)
|
|
(fsuse trans tmpfs file.tmpfs_context)
|
|
(typemember xattr task trans)
|
|
(xattr task trans)
|
|
|
|
(allow unconfined.process self (file (read write)))
|
|
(allow process httpd.object (file (read write)))
|
|
|
|
(defaultrange db_table glblub)
|
|
|
|
; Paths
|
|
"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
|
|
"/pa\12th.*a+b?"
|
|
/usr/hi\"esc\032esc\*3es{2,2}ds
|
|
"/data/(open "
|
|
"/data/[open "
|
|
|
|
|
|
; Some rules
|
|
|
|
(call macro1("__kmsg__"))
|
|
(macro macro1 ((string ARG1)) ; macro with one string parameter, expanded by the call above
|
|
(typetransition audit.process device.device chr_file ARG1 device.klog_device)
|
|
)
|
|
|
|
(allow unconfined.process self (file (read write)))
|
|
(auditallow release_app.process secmark_demo.browser_packet (packet (send recv)))
|
|
(allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))
|
|
(permissionx ioctl_nodebug (ioctl udp_socket (not (range 0x4000 0x4010))))
|
|
(allowx type_3 type_4 ioctl_nodebug)
|
|
(dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF)))
|
|
|
|
(class property_service (set))
|
|
(block av_rules
|
|
(type type_1)
|
|
(type type_2)
|
|
(typeattribute all_types)
|
|
(typeattributeset all_types ((all)))
|
|
|
|
(neverallow type_2 all_types (property_service (set))) ; compile-time assertion: the build fails if any rule grants this
|
|
)
|
|
(macro binder_call ((type ARG1) (type ARG2))
|
|
(allow ARG1 ARG2 (binder (transfer call)))
|
|
)
|
|
(ipaddr netmask_1 255.255.255.0)
|
|
|
|
(class dir)
|
|
(class foo)
|
|
(class bar)
|
|
(class baz)
|
|
(classorder (dir foo))
|
|
(classorder (unordered bar foo baz))
|
|
|
|
(classpermission zygote_2)
|
|
(classpermissionset zygote_2 (zygote
|
|
(and
|
|
(all)
|
|
(not (specifyinvokewith specifyseinfo))
|
|
)
|
|
))
|
|
|
|
(permissionx ioctl_3 (ioctl tcp_socket (and (range 0x8000 0x90FF) (not (range 0x8100 0x82FF)))))
|
|
(boolean disableAudioCapture false)
|
|
(booleanif (and (not disableAudio) (not disableAudioCapture)) ; runtime conditional: the rule below applies only while both booleans are false
|
|
(true
|
|
(allow process mediaserver.audio_capture_device (chr_file_set (rw_file_perms)))
|
|
)
|
|
)
|
|
(tunable range_trans_rule false)
|
|
|
|
(block init
|
|
(class process (process))
|
|
(type process)
|
|
(tunableif range_trans_rule ; resolved when the policy is compiled, unlike booleanif
|
|
(true
|
|
(rangetransition process sshd.exec process low_high))))
|
|
|
|
(validatetrans file (eq t1 unconfined.process))
|
|
(block ext_gateway
|
|
(optional move_file ; dropped instead of failing the build if a referenced symbol is missing
|
|
(typetransition process msg_filter.move_file.in_queue file msg_filter.move_file.in_file)
|
|
(allow process msg_filter.move_file.in_queue (dir (read getattr write search add_name)))))
|
|
|
|
(context runas_exec_context (u object_r exec low_low))
|
|
(filecon "/system/bin/run-as" file runas_exec_context)
|
|
|
|
(in file
|
|
(genfscon rootfs / rootfs_context)
|
|
(genfscon selinuxfs / selinuxfs_context)
|
|
)
|
|
|
|
; ioctl & call: due to the way in which the highlighter treats the parenthesis blocks
|
|
; (each level of different color), it is not possible to differentiate between statement and permission.
|
|
(allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF))) ; ioctl kind
|
|
(ioctl read
|
|
find connectto) ; kind or permission?
|
|
(ioctl read find connectto) ; ioctl permission
|
|
(ioctl read )
|
|
(call ioctl read find connectto) ; statement or permission?
|
|
( call ) ; call permission
|