1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226
|
########################################
#
# Support macros for sets of object classes and permissions
#
# This file should only have object class and permission set macros - they
# can only reference object classes and/or permissions.
#
# All directory and file classes
#
define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
#
# All non-directory file classes.
#
define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
#
# Non-device file classes.
#
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
#
# Device file classes.
#
define(`devfile_class_set', `{ chr_file blk_file }')
#
# All socket classes.
#
define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
#
# Datagram socket classes.
#
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
#
# Stream socket classes.
#
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
#
# Unprivileged socket classes (exclude rawip, netlink, packet).
#
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
########################################
#
# Macros for sets of permissions
#
#
# Permissions for getting file attributes.
#
define(`stat_file_perms', `{ getattr }')
#
# Permissions for executing files.
#
define(`x_file_perms', `{ getattr execute }')
#
# Permissions for reading files and their attributes.
#
define(`r_file_perms', `{ read getattr lock ioctl }')
#
# Permissions for reading and executing files.
#
define(`rx_file_perms', `{ read getattr lock execute ioctl }')
#
# Permissions for reading and appending to files.
#
define(`ra_file_perms', `{ ioctl read getattr lock append }')
#
# Permissions for linking, unlinking and renaming files.
#
define(`link_file_perms', `{ getattr link unlink rename }')
#
# Permissions for creating lnk_files.
#
define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
#
# Permissions for creating and using files.
#
define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
#
# Permissions for reading directories and their attributes.
#
define(`r_dir_perms', `{ read getattr lock search ioctl }')
#
# Permissions for reading and writing directories and their attributes.
#
define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
#
# Permissions for reading and adding names to directories.
#
define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
#
# Permissions for creating and using directories.
#
define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
#
# Permissions to mount and unmount file systems.
#
define(`mount_fs_perms', `{ mount remount unmount getattr }')
#
# Permissions for using sockets.
#
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
#
# Permissions for creating and using sockets.
#
define(`create_socket_perms', `{ create rw_socket_perms }')
#
# Permissions for using stream sockets.
#
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
#
# Permissions for creating and using stream sockets.
#
define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
#
# Permissions for creating and using sockets.
#
define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
#
# Permissions for creating and using sockets.
#
define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
#
# Permissions for creating and using netlink sockets.
#
define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
#
# Permissions for using netlink sockets for operations that modify state.
#
define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
#
# Permissions for using netlink sockets for operations that observe state.
#
define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
#
# Permissions for sending all signals.
#
define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
#
# Permissions for sending and receiving network packets.
#
define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
#
# Permissions for using System V IPC
#
define(`r_sem_perms', `{ associate getattr read unix_read }')
define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
define(`r_msgq_perms', `{ associate getattr read unix_read }')
define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
define(`r_shm_perms', `{ associate getattr read unix_read }')
define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
########################################
#
# New permission sets
#
#
# Directory
#
define(`search_dir_perms',`{ getattr search }')
define(`getattr_dir_perms',`{ getattr }')
define(`setattr_dir_perms',`{ setattr }')
define(`list_dir_perms',`{ getattr search read lock ioctl }')
define(`add_entry_dir_perms',`{ getattr search lock ioctl write add_name }')
define(`del_entry_dir_perms',`{ getattr search lock ioctl write remove_name }')
define(`manage_dir_perms',`{ create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
#
# File
#
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr read lock ioctl }')
define(`append_file_perms',`{ getattr append lock ioctl }')
define(`write_file_perms',`{ getattr write append lock ioctl }')
define(`rw_file_perms',`{ getattr read write append ioctl lock }')
define(`delete_file_perms',`{ getattr unlink }')
define(`manage_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
#
# Use (read and write) terminals
#
define(`rw_term_perms', `{ getattr read write ioctl }')
#
# Sockets
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
|