<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>test.cil</title>
<meta name="generator" content="KF5::SyntaxHighlighting - Definition (SELinux CIL Policy) - Theme (Breeze Light)"/>
</head><body style="background-color:#ffffff;color:#1f1c1b"><pre>
<span style="color:#898887">;; SELinux CIL Policy Example</span>
<span style="color:#898887">;; </span><span style="color:#81ca2d;background-color:#f7e6e6;font-weight:bold">NOTE</span><span style="color:#898887">: This file is not a functional policy and must not be</span>
<span style="color:#898887">;; compiled or loaded; it exists only to exercise syntax highlighting.</span>
<span style="color:#898887">; Bracket colors cycle by nesting depth; the trailing unmatched '))' is highlighted as an error</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#ff8800;font-weight:bold">(</span><span style="color:#888800;font-weight:bold">(</span><span style="color:#009400;font-weight:bold">(</span><span style="color:#3689e6;font-weight:bold">(</span><span style="color:#a56de2;font-weight:bold">(</span><span style="color:#c6262e;font-weight:bold">(</span><span style="color:#ff8800;font-weight:bold">(</span><span style="color:#888800;font-weight:bold">(</span><span style="color:#009400;font-weight:bold">(</span><span style="color:#3689e6;font-weight:bold">(</span><span style="color:#a56de2;font-weight:bold">(</span><span style="color:#c6262e;font-weight:bold">(</span> <span style="color:#c6262e;font-weight:bold">)</span><span style="color:#a56de2;font-weight:bold">)</span><span style="color:#3689e6;font-weight:bold">)</span><span style="color:#009400;font-weight:bold">)</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span><span style="color:#a56de2;font-weight:bold">)</span><span style="color:#3689e6;font-weight:bold">)</span><span style="color:#009400;font-weight:bold">)</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span> <span style="color:#bf0303;text-decoration:underline">))</span>
<span style="color:#898887">; Statements</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#006e28;font-weight:bold">policycap</span> <span style="color:#006e28">open_perms</span><span style="color:#c6262e;font-weight:bold">)</span> <span style="color:#898887">; Policy config. statement</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#006e28;font-weight:bold">mls</span> <span style="color:#0095ff;font-weight:bold">true</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#006e28;font-weight:bold">handleunknown</span> <span style="color:#bf0303;font-weight:bold">allow</span><span style="color:#c6262e;font-weight:bold">)</span> <span style="color:#898887">; 'allow' grants access for object classes/permissions the policy does not define; a real policy should use deny (or reject)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">sid</span> kernel<span style="color:#c6262e;font-weight:bold">)</span> <span style="color:#898887">; Declaration type statement</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">classpermissionset</span> char_w <span style="color:#ff8800;font-weight:bold">(</span>char <span style="color:#888800;font-weight:bold">(</span><span style="color:#e31616">write</span> <span style="color:#e31616">setattr</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span> <span style="color:#898887">; Other statements</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">user</span> user<span style="color:#c6262e;font-weight:bold">)</span> <span style="color:#898887">; Declare identifier 'user' of user type</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">role</span> role<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">type</span> type<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#bf0303;font-weight:bold">allow</span> allow<span style="color:#c6262e;font-weight:bold">)</span> <span style="color:#c6262e;font-weight:bold">(</span><span style="color:#0095ff;font-weight:bold">true</span> <span style="color:#0095ff;font-weight:bold">true</span><span style="color:#c6262e;font-weight:bold">)</span> <span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">in</span> in<span style="color:#c6262e;font-weight:bold">)</span> <span style="color:#c6262e;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">xor</span> xor<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#898887">; List of permissions</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">class</span> security <span style="color:#ff8800;font-weight:bold">(</span><span style="color:#e31616">compute_av</span> <span style="color:#e31616">compute_create</span> <span style="color:#e31616">compute_member</span> <span style="color:#e31616">check_context</span> <span style="color:#e31616">load_policy</span> <span style="color:#e31616">compute_relabel</span> <span style="color:#e31616">compute_user</span> <span style="color:#e31616">setenforce</span> <span style="color:#e31616">setbool</span> <span style="color:#e31616">setsecparam</span> <span style="color:#e31616">setcheckreqprot</span> <span style="color:#e31616">read_policy</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#898887">; Permission names are highlighted only when the list does not start with a statement keyword (compare the two forms below)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">class</span> binder <span style="color:#ff8800;font-weight:bold">(</span><span style="color:#e31616">impersonate</span> <span style="color:#e31616">call</span> <span style="color:#e31616">set_context_mgr</span> <span style="color:#e31616">transfer</span> <span style="color:#e31616">receive</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">class</span> binder <span style="color:#ff8800;font-weight:bold">(</span><span style="font-weight:bold">classcommon</span> impersonate call set_context_mgr transfer receive<span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#e31616">impersonate</span> <span style="color:#e31616">call</span> <span style="color:#e31616">set_context_mgr</span> <span style="color:#e31616">transfer</span> <span style="color:#e31616">receive</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">tunableif</span> impersonate call set_context_mgr transfer receive<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#898887">; Comments and line breaks between '(' and the statement keyword are accepted by the CIL compiler</span>
<span style="color:#c6262e;font-weight:bold">(</span> <span style="color:#644a9b;font-weight:bold">typeattribute</span><span style="color:#898887">;comment</span>
all_fs_type_except_usermodehelper_and_proc_security<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#898887">;comment</span>
<span style="color:#644a9b;font-weight:bold">typeattribute</span> all_fs_type_except_usermodehelper_and_proc_security<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span> <span style="color:#898887">;comment</span>
<span style="color:#898887">;more comments</span>
<span style="color:#644a9b;font-weight:bold">typeattribute</span> all_fs_type_except_usermodehelper_and_proc_security<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#898887">; Paths</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#0095ff;font-weight:bold">true</span> <span style="color:#0095ff;font-weight:bold">true</span> /true <span style="color:#0095ff;font-weight:bold">true</span> /true/true/ <span style="color:#0095ff;font-weight:bold">true</span> <span style="color:#0095ff;font-weight:bold">true</span>/true <span style="color:#bf0303">"true"</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#898887">; Global namespace</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#0095ff;font-weight:bold">true</span> <span style="color:#0095ff;font-weight:bold">true</span> .true <span style="color:#0095ff;font-weight:bold">true</span> true.true <span style="color:#0095ff;font-weight:bold">true</span> .true.true true.true.true
.<span style="color:#0095ff;font-weight:bold">true</span>. <span style="color:#0095ff;font-weight:bold">true</span>. <span style="color:#0095ff;font-weight:bold">true</span>.<span style="color:#0095ff;font-weight:bold">true</span>. <span style="color:#898887">; invalid</span>
<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#898887">; Keywords that are highlighted only inside the specific rule that uses them (the same words are plain elsewhere)</span>
<span style="color:#898887">; filecon</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">filecon</span> <span style="color:#bf0303">"/system/bin/run-as"</span> <span style="color:#0057ae">file</span> runas_exec_context<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">filecon</span> <span style="color:#bf0303">"/dev/socket/wpa_wlan</span><span style="color:#ff5500">[</span><span style="color:#ff5500">0-9</span><span style="color:#ff5500">]</span><span style="color:#bf0303">"</span> <span style="color:#0057ae">any</span> <span style="color:#ff5500">u</span>:<span style="color:#ff5500">object_r</span>:<span style="color:#b08000">wpa.socket</span>:<span style="color:#ff5500">s0</span>-<span style="color:#ff5500">s0</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">filecon</span> <span style="color:#bf0303">"/data/local/mine"</span> <span style="color:#0057ae">dir</span> <span style="color:#ff8800;font-weight:bold">()</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">classcommon</span> file any dir<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span>file any dir<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#898887">; portcon</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">portcon</span> <span style="color:#0057ae">sctp</span> <span style="color:#b08000">3333</span> <span style="color:#ff8800;font-weight:bold">(</span>unconfined.user <span style="font-style:italic">object_r</span> unconfined.object levelrange_1<span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">portcon</span> <span style="color:#0057ae">udp</span> <span style="color:#b08000">4444</span> <span style="color:#ff8800;font-weight:bold">(</span>unconfined.user <span style="font-style:italic">object_r</span> unconfined.object <span style="color:#888800;font-weight:bold">(</span><span style="color:#009400;font-weight:bold">(</span>s0<span style="color:#009400;font-weight:bold">)</span> level_2<span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">defaultrole</span> tcp udp<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span>tcp udp<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#898887">; fsuse</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">fsuse</span> <span style="color:#0057ae">xattr</span> <span style="font-style:italic">ext4</span> file.labeledfs_context<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">fsuse</span> <span style="color:#0057ae">task</span> <span style="font-style:italic">pipefs</span> file.pipefs_context<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">fsuse</span> <span style="color:#0057ae">trans</span> <span style="font-style:italic">tmpfs</span> file.tmpfs_context<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">typemember</span> xattr task trans<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span>xattr task trans<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#bf0303;font-weight:bold">allow</span> unconfined.process <span style="color:#006e28">self</span> <span style="color:#ff8800;font-weight:bold">(</span>file <span style="color:#888800;font-weight:bold">(</span><span style="color:#e31616">read</span> <span style="color:#e31616">write</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#bf0303;font-weight:bold">allow</span> process httpd.object <span style="color:#ff8800;font-weight:bold">(</span>file <span style="color:#888800;font-weight:bold">(</span><span style="color:#e31616">read</span> <span style="color:#e31616">write</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">defaultrange</span> db_table <span style="font-style:italic">glblub</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#898887">; Paths</span>
<span style="color:#bf0303">"/system/</span><span style="color:#ff5500">(</span><span style="color:#ff5500">foo</span><span style="color:#ca60ca">|</span><span style="color:#ff5500">bar</span><span style="color:#ff5500">)</span><span style="color:#bf0303">/</span><span style="color:#ff5500">[</span><span style="color:#ca60ca">^</span><span style="color:#ff5500">/</span><span style="color:#ff5500">]</span><span style="color:#3daee9">*</span><span style="color:#bf0303">/</span><span style="color:#ff5500">(</span><span style="color:#ff5500">hi</span><span style="color:#ff5500">){</span><span style="color:#ff5500">2</span><span style="color:#ca60ca">,</span><span style="color:#ff5500">6</span><span style="color:#ff5500">}(</span><span style="color:#3daee9">.*</span><span style="color:#ff5500">)</span><span style="color:#3daee9">?</span><span style="color:#bf0303">"</span>
<span style="color:#bf0303">"/pa</span><span style="color:#924c9d">\12</span><span style="color:#bf0303">th</span><span style="color:#3daee9">.*</span><span style="color:#bf0303">a</span><span style="color:#3daee9">+</span><span style="color:#bf0303">b</span><span style="color:#3daee9">?</span><span style="color:#bf0303">"</span>
/usr/hi<span style="color:#924c9d">\"</span>esc<span style="color:#924c9d">\032</span>esc<span style="color:#924c9d">\*</span>3es<span style="color:#ff5500">{</span><span style="color:#ff5500">2</span><span style="color:#ca60ca">,</span><span style="color:#ff5500">2</span><span style="color:#ff5500">}</span>ds
<span style="color:#bf0303">"/data/</span><span style="color:#ff5500">(</span><span style="color:#ff5500">ope</span><span style="color:#ff5500;text-decoration:underline">n</span><span style="color:#ff5500"> </span><span style="color:#bf0303">"</span>
<span style="color:#bf0303">"/data/</span><span style="color:#ff5500">[</span><span style="color:#ff5500">ope</span><span style="color:#ff5500;text-decoration:underline">n</span><span style="color:#ff5500"> </span><span style="color:#bf0303">"</span>
<span style="color:#898887">; Some rules</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">call</span> macro1<span style="color:#ff8800;font-weight:bold">(</span><span style="color:#bf0303">"__kmsg__"</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">macro</span> macro1 <span style="color:#ff8800;font-weight:bold">(</span><span style="color:#888800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">string</span> ARG1<span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#ff8800;font-weight:bold">(</span><span style="font-weight:bold">typetransition</span> audit.process device.device chr_file ARG1 device.klog_device<span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#bf0303;font-weight:bold">allow</span> unconfined.process <span style="color:#006e28">self</span> <span style="color:#ff8800;font-weight:bold">(</span>file <span style="color:#888800;font-weight:bold">(</span><span style="color:#e31616">read</span> <span style="color:#e31616">write</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#bf0303;font-weight:bold">auditallow</span> release_app.process secmark_demo.browser_packet <span style="color:#ff8800;font-weight:bold">(</span>packet <span style="color:#888800;font-weight:bold">(</span><span style="color:#e31616">send</span> <span style="color:#e31616">recv</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#bf0303;font-weight:bold">allowx</span> type_1 type_2 <span style="color:#ff8800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">ioctl</span> tcp_socket <span style="color:#888800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">range</span> <span style="color:#b08000">0x2000</span> <span style="color:#b08000">0x20FF</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">permissionx</span> ioctl_nodebug <span style="color:#ff8800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">ioctl</span> udp_socket <span style="color:#888800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">not</span> <span style="color:#009400;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">range</span> <span style="color:#b08000">0x4000</span> <span style="color:#b08000">0x4010</span><span style="color:#009400;font-weight:bold">)</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#bf0303;font-weight:bold">allowx</span> type_3 type_4 ioctl_nodebug<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#bf0303;font-weight:bold">dontauditx</span> type_1 type_2 <span style="color:#ff8800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">ioctl</span> tcp_socket <span style="color:#888800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">range</span> <span style="color:#b08000">0x3000</span> <span style="color:#b08000">0x30FF</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">class</span> property_service <span style="color:#ff8800;font-weight:bold">(</span><span style="color:#e31616;font-style:italic">set</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">block</span> av_rules
<span style="color:#ff8800;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">type</span> type_1<span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#ff8800;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">type</span> type_2<span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#ff8800;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">typeattribute</span> all_types<span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#ff8800;font-weight:bold">(</span><span style="font-weight:bold">typeattributeset</span> all_types <span style="color:#888800;font-weight:bold">(</span><span style="color:#009400;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">all</span><span style="color:#009400;font-weight:bold">)</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#ff8800;font-weight:bold">(</span><span style="color:#bf0303;font-weight:bold">neverallow</span> type_2 all_types <span style="color:#888800;font-weight:bold">(</span>property_service <span style="color:#009400;font-weight:bold">(</span><span style="color:#e31616;font-style:italic">set</span><span style="color:#009400;font-weight:bold">)</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">macro</span> binder_call <span style="color:#ff8800;font-weight:bold">(</span><span style="color:#888800;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">type</span> ARG1<span style="color:#888800;font-weight:bold">)</span> <span style="color:#888800;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">type</span> ARG2<span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#ff8800;font-weight:bold">(</span><span style="color:#bf0303;font-weight:bold">allow</span> ARG1 ARG2 <span style="color:#888800;font-weight:bold">(</span>binder <span style="color:#009400;font-weight:bold">(</span><span style="color:#e31616">transfer</span> <span style="color:#e31616">call</span><span style="color:#009400;font-weight:bold">)</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">ipaddr</span> netmask_1 <span style="color:#b08000">255.255.255.0</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">class</span> dir<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">class</span> foo<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">class</span> bar<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">class</span> baz<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">classorder</span> <span style="color:#ff8800;font-weight:bold">(</span>dir foo<span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">classorder</span> <span style="color:#ff8800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">unordered</span> bar foo baz<span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">classpermission</span> zygote_2<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">classpermissionset</span> zygote_2 <span style="color:#ff8800;font-weight:bold">(</span>zygote
<span style="color:#888800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">and</span>
<span style="color:#009400;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">all</span><span style="color:#009400;font-weight:bold">)</span>
<span style="color:#009400;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">not</span> <span style="color:#3689e6;font-weight:bold">(</span>specifyinvokewith specifyseinfo<span style="color:#3689e6;font-weight:bold">)</span><span style="color:#009400;font-weight:bold">)</span>
<span style="color:#888800;font-weight:bold">)</span>
<span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">permissionx</span> ioctl_3 <span style="color:#ff8800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">ioctl</span> tcp_socket <span style="color:#888800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">and</span> <span style="color:#009400;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">range</span> <span style="color:#b08000">0x8000</span> <span style="color:#b08000">0x90FF</span><span style="color:#009400;font-weight:bold">)</span> <span style="color:#009400;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">not</span> <span style="color:#3689e6;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">range</span> <span style="color:#b08000">0x8100</span> <span style="color:#b08000">0x82FF</span><span style="color:#3689e6;font-weight:bold">)</span><span style="color:#009400;font-weight:bold">)</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">boolean</span> disableAudioCapture <span style="color:#0095ff;font-weight:bold">false</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">booleanif</span> <span style="color:#ff8800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">and</span> <span style="color:#888800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">not</span> disableAudio<span style="color:#888800;font-weight:bold">)</span> <span style="color:#888800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">not</span> disableAudioCapture<span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#ff8800;font-weight:bold">(</span><span style="color:#0095ff;font-weight:bold">true</span>
<span style="color:#888800;font-weight:bold">(</span><span style="color:#bf0303;font-weight:bold">allow</span> process mediaserver.audio_capture_device <span style="color:#009400;font-weight:bold">(</span>chr_file_set <span style="color:#3689e6;font-weight:bold">(</span>rw_file_perms<span style="color:#3689e6;font-weight:bold">)</span><span style="color:#009400;font-weight:bold">)</span><span style="color:#888800;font-weight:bold">)</span>
<span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">tunable</span> range_trans_rule <span style="color:#0095ff;font-weight:bold">false</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">block</span> init
<span style="color:#ff8800;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">class</span> process <span style="color:#888800;font-weight:bold">(</span>process<span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#ff8800;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">type</span> process<span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#ff8800;font-weight:bold">(</span><span style="font-weight:bold">tunableif</span> range_trans_rule
<span style="color:#888800;font-weight:bold">(</span><span style="color:#0095ff;font-weight:bold">true</span>
<span style="color:#009400;font-weight:bold">(</span><span style="font-weight:bold">rangetransition</span> process sshd.exec process low_high<span style="color:#009400;font-weight:bold">)</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">validatetrans</span> file <span style="color:#ff8800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">eq</span> <span style="font-style:italic">t1</span> unconfined.process<span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#898887">; ext_gateway: both rules sit in an optional, so if msg_filter.move_file.* does not resolve the optional is dropped as a unit instead of failing the build (standard CIL optional handling -- verify if relied upon).</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">block</span> ext_gateway
<span style="color:#ff8800;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">optional</span> move_file
<span style="color:#898887">; files that process creates in the in_queue directory are labeled in_file rather than inheriting the directory's type.</span>
<span style="color:#888800;font-weight:bold">(</span><span style="font-weight:bold">typetransition</span> process msg_filter.move_file.in_queue file msg_filter.move_file.in_file<span style="color:#888800;font-weight:bold">)</span>
<span style="color:#898887">; directory-side permissions on in_queue only (write and add_name are what creating an entry needs); no permission on the resulting in_file objects is granted here.</span>
<span style="color:#888800;font-weight:bold">(</span><span style="color:#bf0303;font-weight:bold">allow</span> process msg_filter.move_file.in_queue <span style="color:#009400;font-weight:bold">(</span>dir <span style="color:#3689e6;font-weight:bold">(</span><span style="color:#e31616">read</span> <span style="color:#e31616">getattr</span> <span style="color:#e31616">write</span> <span style="color:#e31616">search</span> <span style="color:#e31616">add_name</span><span style="color:#3689e6;font-weight:bold">)</span><span style="color:#009400;font-weight:bold">)</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#898887">; security context (user u, role object_r, type exec, level range low_low) applied to the run-as binary below.</span>
<span style="color:#898887">; review: the type is the bare global exec, not a run-as specific type; the label on this binary is what any domain-transition rules for it key on, so check it against the real policy before copying.</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#644a9b;font-weight:bold">context</span> runas_exec_context <span style="color:#ff8800;font-weight:bold">(</span>u <span style="font-style:italic">object_r</span> exec low_low<span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#898887">; file-context entry: the path is matched as a file and labeled with runas_exec_context.</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">filecon</span> <span style="color:#bf0303">"/system/bin/run-as"</span> <span style="color:#0057ae">file</span> runas_exec_context<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#898887">; "in" injects the enclosed statements into the container named file, resolving them as if written inside it.</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">in</span> file
<span style="color:#898887">; genfscon labels the root of the rootfs and selinuxfs filesystems; rootfs_context and selinuxfs_context are not declared in this fixture.</span>
<span style="color:#ff8800;font-weight:bold">(</span><span style="font-weight:bold">genfscon</span> <span style="font-style:italic">rootfs</span> / rootfs_context<span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#ff8800;font-weight:bold">(</span><span style="font-weight:bold">genfscon</span> <span style="font-style:italic">selinuxfs</span> / selinuxfs_context<span style="color:#ff8800;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#898887">; ioctl and call: because the highlighter colors by parenthesis nesting level only,</span>
<span style="color:#898887">; it cannot tell a statement keyword from a same-named permission; the fragments below exercise that ambiguity and are not policy.</span>
<span style="color:#898887">; allowx: extended-permission rule allowing source x the ioctl commands 0x1000..0x11FF on class policy.file objects of type bin_t.</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#bf0303;font-weight:bold">allowx</span> x bin_t <span style="color:#ff8800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">ioctl</span> policy.file <span style="color:#888800;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">range</span> <span style="color:#b08000">0x1000</span> <span style="color:#b08000">0x11FF</span><span style="color:#888800;font-weight:bold">)</span><span style="color:#ff8800;font-weight:bold">)</span><span style="color:#c6262e;font-weight:bold">)</span> <span style="color:#898887">; ioctl kind</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#0057ae;font-weight:bold">ioctl</span> <span style="color:#e31616">read</span>
<span style="color:#e31616;font-style:italic">find</span> <span style="color:#e31616">connectto</span><span style="color:#c6262e;font-weight:bold">)</span> <span style="color:#898887">; kind or permission?</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#e31616">ioctl</span> <span style="color:#e31616">read</span> <span style="color:#e31616;font-style:italic">find</span> <span style="color:#e31616">connectto</span><span style="color:#c6262e;font-weight:bold">)</span> <span style="color:#898887">; ioctl permission</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="color:#e31616">ioctl</span> <span style="color:#e31616">read</span> <span style="color:#c6262e;font-weight:bold">)</span>
<span style="color:#c6262e;font-weight:bold">(</span><span style="font-weight:bold">call</span> <span style="color:#e31616">ioctl</span> <span style="color:#e31616">read</span> <span style="color:#e31616;font-style:italic">find</span> <span style="color:#e31616">connectto</span><span style="color:#c6262e;font-weight:bold">)</span> <span style="color:#898887">; statement or permission?</span>
<span style="color:#c6262e;font-weight:bold">(</span> <span style="color:#e31616">call</span> <span style="color:#c6262e;font-weight:bold">)</span> <span style="color:#898887">; call permission</span>
</pre></body></html>