;; SELinux CIL Policy Example
;; NOTE: This file is not functional, but
;; is designed to test syntax highlighting.
; Brackets colors
((((((((((((( ))))))))))))) )) ; nesting-depth coloring; the trailing ')' run appears intentionally unbalanced
; Statements
(policycap open_perms) ; Policy configuration statement
(mls true) ; Policy configuration: build a multi-level-security (MLS) policy
(handleunknown allow) ; Policy configuration; NOTE(review): 'allow' grants access for classes/permissions the kernel does not know -- 'deny' is the conservative setting in a real policy
(sid kernel) ; Declaration type statement
(classpermissionset char_w (char (write setattr))) ; Other statements
(user user) ; Declare identifier 'user' of user type
(role role) ; Same pattern: the identifier reuses its own statement keyword
(type type)
(allow allow) (true true) (in in) (xor xor) ; Keywords used as identifiers, several statements on one line
; List of permissions
(class security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy))
; Highlighting permissions only if there is not a statement keyword
(class binder (impersonate call set_context_mgr transfer receive))
(class binder (classcommon impersonate call set_context_mgr transfer receive))
(impersonate call set_context_mgr transfer receive)
(tunableif impersonate call set_context_mgr transfer receive)
; This is allowed by the CIL compiler
; (a ';' comment may appear between the opening parenthesis and the statement keyword)
( typeattribute;comment
all_fs_type_except_usermodehelper_and_proc_security)
(;comment
typeattribute all_fs_type_except_usermodehelper_and_proc_security)
( ;comment
;more comments
typeattribute all_fs_type_except_usermodehelper_and_proc_security)
; Paths
; Slash-containing tokens mixed with the 'true' keyword; the last one is a quoted string
(true true /true true /true/true/ true true/true "true")
; Global namespace
; Dotted names: a leading '.' anchors the name in the global namespace
(true true .true true true.true true .true.true true.true.true
.true. true. true.true. ; invalid
)
; Keywords in some rules
; filecon
(filecon "/system/bin/run-as" file runas_exec_context) ; context given by a declared context identifier
(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0) ; path is a regex; context given as a raw security-context string
(filecon "/data/local/mine" dir ()) ; empty '()' context -- presumably "leave the path unlabeled"; confirm against the CIL reference
(classcommon file any dir) ; 'file'/'any'/'dir' are filecon file-type keywords, here used as plain identifiers
(file any dir)
; portcon
(portcon sctp 3333 (unconfined.user object_r unconfined.object levelrange_1)) ; anonymous context with a named level range
(portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2))) ; anonymous context with an inline (low high) range
(defaultrole tcp udp) ; protocol keywords as identifiers
(tcp udp)
; fsuse
(fsuse xattr ext4 file.labeledfs_context) ; labels stored in extended attributes on the filesystem
(fsuse task pipefs file.pipefs_context) ; labels derived from the creating task
(fsuse trans tmpfs file.tmpfs_context) ; labels derived via type transition
(typemember xattr task trans) ; fsuse kind keywords as identifiers
(xattr task trans)
(allow unconfined.process self (file (read write))) ; 'self' stands for the source type itself
(allow process httpd.object (file (read write)))
(defaultrange db_table glblub) ; glblub: default range derived from both source and target levels -- see the CIL reference for the exact rule
; Paths
; Quoted path regexes: metacharacters, escapes and repetition counts stay inside the string color
"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
"/pa\12th.*a+b?"
/usr/hi\"esc\032esc\*3es{2,2}ds ; unquoted: escapes and an escaped '"' must not start a string
"/data/(open " ; an unbalanced '(' inside a string must not open a bracket level
"/data/[open " ; likewise for '['
; Some rules
(call macro1("__kmsg__")) ; macro invocation with a string argument (no space before the argument list)
; Macro with one string parameter; the body is expanded at each call site
(macro macro1 ((string ARG1))
(typetransition audit.process device.device chr_file ARG1 device.klog_device) ; ARG1 is the object name of the name-based transition
)
(allow unconfined.process self (file (read write)))
(auditallow release_app.process secmark_demo.browser_packet (packet (send recv))) ; auditallow logs the access when granted; it does not grant it
(allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF))) ; extended permission: a range of ioctl command numbers
(permissionx ioctl_nodebug (ioctl udp_socket (not (range 0x4000 0x4010)))) ; named extended-permission set with a negated range
(allowx type_3 type_4 ioctl_nodebug)
(dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF))) ; suppress audit for these ioctl commands only
(class property_service (set))
; Namespace block; symbols inside are referenced as av_rules.<name> from outside
(block av_rules
(type type_1)
(type type_2)
(typeattribute all_types)
(typeattributeset all_types ((all))) ; 'all' = every declared type
(neverallow type_2 all_types (property_service (set))) ; compile-time assertion: the build fails if any allow rule grants this
)
; Macro with two type parameters; expands to a single allow rule
(macro binder_call ((type ARG1) (type ARG2))
(allow ARG1 ARG2 (binder (transfer call)))
)
(ipaddr netmask_1 255.255.255.0) ; named IPv4 address (e.g. for use as a nodecon mask)
(class dir)
(class foo)
(class bar)
(class baz)
(classorder (dir foo)) ; fixed order
(classorder (unordered bar foo baz)) ; 'unordered' classes are presumably appended after the ordered ones -- TODO confirm
(classpermission zygote_2) ; named class-permission set, defined just below
(classpermissionset zygote_2 (zygote
(and
(all)
(not (specifyinvokewith specifyseinfo))
)
)) ; every zygote permission except the two named
(permissionx ioctl_3 (ioctl tcp_socket (and (range 0x8000 0x90FF) (not (range 0x8100 0x82FF))))) ; set expression over ioctl ranges
(boolean disableAudioCapture false) ; runtime-changeable boolean
; Conditional rules: the 'true' branch applies when neither boolean is set
(booleanif (and (not disableAudio) (not disableAudioCapture))
(true
(allow process mediaserver.audio_capture_device (chr_file_set (rw_file_perms)))
)
)
(tunable range_trans_rule false) ; compile-time tunable, resolved by the compiler rather than at runtime
; Namespace block; the tunableif inside is resolved when the policy is compiled
(block init
(class process (process))
(type process)
(tunableif range_trans_rule
(true
(rangetransition process sshd.exec process low_high)))) ; MLS range transition, guarded by the tunable
(validatetrans file (eq t1 unconfined.process)) ; relabel constraint on 'file': t1 is the old type -- TODO confirm against the CIL reference
; Namespace block holding an optional block: its rules are dropped, rather than failing the build, if a referenced symbol is missing
(block ext_gateway
(optional move_file
(typetransition process msg_filter.move_file.in_queue file msg_filter.move_file.in_file)
(allow process msg_filter.move_file.in_queue (dir (read getattr write search add_name)))))
(context runas_exec_context (u object_r exec low_low)) ; named context: user, role, type, level range
(filecon "/system/bin/run-as" file runas_exec_context) ; repeats the earlier filecon for the same path; harmless in a highlighting test
; 'in' adds statements to an already-declared namespace ('file')
(in file
(genfscon rootfs / rootfs_context) ; label for the whole rootfs filesystem
(genfscon selinuxfs / selinuxfs_context)
)
; ioctl & call: because the highlighter colors each parenthesis level differently,
; it cannot tell a statement keyword from a permission of the same name.
(allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF))) ; ioctl kind
(ioctl read
find connectto) ; kind or permission?
(ioctl read find connectto) ; ioctl permission
(ioctl read ) ; trailing space before ')'
(call ioctl read find connectto) ; statement or permission?
( call ) ; call permission