File: cil_default_object_statements.md

package info (click to toggle)
android-platform-external-libselinux 10.0.0%2Br36-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 34,176 kB
  • sloc: ansic: 147,112; python: 25,790; makefile: 1,930; yacc: 1,389; sh: 1,206; lex: 452; xml: 180
file content (183 lines) | stat: -rw-r--r-- 6,533 bytes parent folder | download | duplicates (5) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
 
Default Object Statements
=========================

These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.

defaultuser
-----------

Allows the default user to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.

**Statement definition:**

    (defaultuser class_id default)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultuser</code></p></td>
<td align="left"><p>The <code>defaultuser</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating new `binder`, `property_service`, `zygote` or `memprotect` objects the [`user`](cil_user_statements.md#user) component of the new security context will be taken from the `source` context:

    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
    (class memprotect (mmap_zero))

    (classmap android_classes (android))
    (classmapping android_classes android (binder (all)))
    (classmapping android_classes android (property_service (set)))
    (classmapping android_classes android (zygote (not (specifycapabilities))))

    (defaultuser (android_classes memprotect) source)

    ; Will produce the following in the binary policy file:
    ;; default_user binder source;
    ;; default_user zygote source;
    ;; default_user property_service source;
    ;; default_user memprotect source;

defaultrole
-----------

Allows the default role to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.

    (defaultrole class_id default)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultrole</code></p></td>
<td align="left"><p>The <code>defaultrole</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating new `binder`, `property_service` or `zygote` objects the [`role`](cil_role_statements.md#role) component of the new security context will be taken from the `target` context:

    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

    (defaultrole (binder property_service zygote) target)

    ; Will produce the following in the binary policy file:
    ;; default_role binder target;
    ;; default_role zygote target;
    ;; default_role property_service target;

defaulttype
-----------

Allows the default type to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 28.

**Statement definition:**

    (defaulttype class_id default)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaulttype</code></p></td>
<td align="left"><p>The <code>defaulttype</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating a new `socket` object, the [`type`](cil_type_statements.md#type) component of the new security context will be taken from the `source` context:

    (defaulttype socket source)

defaultrange
------------

Allows the default level or range to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.

**Statement definition:**

    (defaultrange class_id default range)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>defaultrange</code></p></td>
<td align="left"><p>The <code>defaultrange</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier, or a list of previously declared <code>class</code> or <code>classmap</code> identifiers enclosed within parentheses.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>range</code></p></td>
<td align="left"><p>A keyword of either <code>low</code>, <code>high</code> or <code>low-high</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

When creating a new `file` object, the appropriate `range` component of the new security context will be taken from the `target` context:

    (defaultrange file target low_high)