# Copyright (c) 2021-2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux access-vector definitions (flask "access_vectors" format).
#
# A "common" block names a reusable permission set; a "class" block declares
# the permissions that may be granted on one object class, optionally pulling
# in a common set with "inherits".  Every common block is declared before the
# first class that inherits it, which is the order this file keeps.
#
# NOTE(review): in the compiled policy each class's permissions are numbered
# in declaration order, and class order has to agree with the companion
# security_classes file.  Append new permissions at the end of a block rather
# than inserting or reordering, and confirm any change against the policy
# build and the object manager that checks the class.

# Permissions shared by all file-like classes (dir, file, lnk_file, chr_file,
# blk_file, sock_file, fifo_file below).
common file
{
    ioctl
    read
    write
    create
    getattr
    setattr
    lock
    relabelfrom
    relabelto
    append
    map
    unlink
    link
    rename
    execute
    quotaon
    mounton
    audit_access
    open
    execmod
    watch
    watch_mount
    watch_sb
    watch_with_perm
    watch_reads
}

# Permissions shared by every *_socket class.
common socket
{
    ioctl
    read
    write
    create
    getattr
    setattr
    lock
    relabelfrom
    relabelto
    append
    map
    bind
    connect
    listen
    accept
    getopt
    setopt
    shutdown
    recvfrom
    sendto
    name_bind
}

# Permissions shared by the System V IPC classes (ipc, sem, msgq, shm).
common ipc
{
    create
    destroy
    getattr
    setattr
    read
    write
    associate
    unix_read
    unix_write
}

# First capability set, used by class capability and class cap_userns.
# NOTE(review): these names mirror the Linux CAP_* constants; which of them
# are high-risk (e.g. sys_admin, sys_module, sys_ptrace, dac_override) is a
# policy-rule concern, not something this file decides.
common cap
{
    chown
    dac_override
    dac_read_search
    fowner
    fsetid
    kill
    setgid
    setuid
    setpcap
    linux_immutable
    net_bind_service
    net_broadcast
    net_admin
    net_raw
    ipc_lock
    ipc_owner
    sys_module
    sys_rawio
    sys_chroot
    sys_ptrace
    sys_pacct
    sys_admin
    sys_boot
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
    mknod
    lease
    audit_write
    audit_control
    setfcap
}

# Second capability set, used by class capability2 and class cap2_userns.
# NOTE(review): checkpoint_restore is listed before perfmon and bpf here,
# which differs from the upstream kernel classmap order.  Kernels with
# dynamic class/permission mapping resolve these by name, so this should be
# harmless — confirm against the target kernel before relying on it.
common cap2
{
    mac_override
    mac_admin
    syslog
    wake_alarm
    block_suspend
    audit_read
    checkpoint_restore
    perfmon
    bpf
}

# --- Filesystem and file-object classes -----------------------------------

class filesystem
{
    mount
    remount
    unmount
    getattr
    relabelfrom
    relabelto
    associate
    quotamod
    quotaget
    watch
}
class dir
inherits file
{
    add_name
    remove_name
    reparent
    search
    rmdir
}
class file
inherits file
{
    execute_no_trans
    entrypoint
}
class lnk_file
inherits file
# chr_file keeps execute_no_trans/entrypoint in addition to the common set.
class chr_file
inherits file
{
    execute_no_trans
    entrypoint
}
class blk_file
inherits file
class sock_file
inherits file
class fifo_file
inherits file
class fd
{
    use
}

# --- Socket and network classes -------------------------------------------

class socket
inherits socket
class tcp_socket
inherits socket
{
    node_bind
    name_connect
}
class udp_socket
inherits socket
{
    node_bind
}
class rawip_socket
inherits socket
{
    node_bind
}
class node
{
    recvfrom
    sendto
}
class netif
{
    ingress
    egress
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
    connectto
}
class unix_dgram_socket
inherits socket

# --- Process and IPC classes ----------------------------------------------

class process
{
    fork
    transition
    sigchld
    sigkill
    sigstop
    signull
    signal
    ptrace
    getsched
    setsched
    getsession
    getpgid
    setpgid
    getcap
    setcap
    share
    getattr
    setexec
    setfscreate
    noatsecure
    siginh
    setrlimit
    rlimitinh
    dyntransition
    setcurrent
    execmem
    execstack
    execheap
    setkeycreate
    setsockcreate
    getrlimit
}
class process2
{
    nnp_transition
    nosuid_transition
}
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
    enqueue
}
class msg
{
    send
    receive
}
class shm
inherits ipc
{
    lock
}

# --- Policy server and kernel service classes -----------------------------

# Operations on the security server itself (policy load, enforcing mode,
# booleans); rules granting these are the most sensitive in the policy.
class security
{
    compute_av
    compute_create
    compute_member
    check_context
    load_policy
    compute_relabel
    compute_user
    setenforce
    setbool
    setsecparam
    setcheckreqprot
    read_policy
    validate_trans
}
class system
{
    ipc_info
    syslog_read
    syslog_mod
    syslog_console
    module_request
    module_load
}
class capability
inherits cap
class capability2
inherits cap2

# --- Netlink families -----------------------------------------------------

class netlink_route_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
    nlmsg_readpriv
}
class netlink_tcpdiag_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
}
class netlink_nflog_socket
inherits socket
class netlink_xfrm_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
}
class netlink_selinux_socket
inherits socket
class netlink_audit_socket
inherits socket
{
    nlmsg_read
    nlmsg_write
    nlmsg_relay
    nlmsg_readpriv
    nlmsg_tty_audit
}
class netlink_dnrt_socket
inherits socket
class association
{
    sendto
    recvfrom
    setcontext
    polmatch
}
class netlink_kobject_uevent_socket
inherits socket
class appletalk_socket
inherits socket
class packet
{
    send
    recv
    relabelto
    forward_in
    forward_out
}
class key
{
    view
    read
    write
    search
    link
    setattr
    create
}
class dccp_socket
inherits socket
{
    node_bind
    name_connect
}
class memprotect
{
    mmap_zero
}
class peer
{
    recv
}
class kernel_service
{
    use_as_override
    create_files_as
}
class tun_socket
inherits socket
{
    attach_queue
}
class binder
{
    impersonate
    call
    set_context_mgr
    transfer
}
class netlink_iscsi_socket
inherits socket
class netlink_fib_lookup_socket
inherits socket
class netlink_connector_socket
inherits socket
class netlink_netfilter_socket
inherits socket
class netlink_generic_socket
inherits socket
class netlink_scsitransport_socket
inherits socket
class netlink_rdma_socket
inherits socket
class netlink_crypto_socket
inherits socket
class infiniband_pkey
{
    access
}
class infiniband_endport
{
    manage_subnet
}
# Capability checks made against a non-initial user namespace.
class cap_userns
inherits cap
class cap2_userns
inherits cap2
class sctp_socket
inherits socket
{
    node_bind
    name_connect
    association
}
class icmp_socket
inherits socket
{
    node_bind
}

# Remaining address families; each carries only the common socket set.
class ax25_socket
inherits socket
class ipx_socket
inherits socket
class netrom_socket
inherits socket
class atmpvc_socket
inherits socket
class x25_socket
inherits socket
class rose_socket
inherits socket
class decnet_socket
inherits socket
class atmsvc_socket
inherits socket
class rds_socket
inherits socket
class irda_socket
inherits socket
class pppox_socket
inherits socket
class llc_socket
inherits socket
class can_socket
inherits socket
class tipc_socket
inherits socket
class bluetooth_socket
inherits socket
class iucv_socket
inherits socket
class rxrpc_socket
inherits socket
class isdn_socket
inherits socket
class phonet_socket
inherits socket
class ieee802154_socket
inherits socket
class caif_socket
inherits socket
class alg_socket
inherits socket
class nfc_socket
inherits socket
class vsock_socket
inherits socket
class kcm_socket
inherits socket
class qipcrtr_socket
inherits socket
class smc_socket
inherits socket
class bpf
{
    map_create
    map_read
    map_write
    prog_load
    prog_run
}
class xdp_socket
inherits socket

# --- OpenHarmony userspace object-manager classes -------------------------
# These names do not appear in the upstream kernel classmap.
# NOTE(review): presumably enforced by userspace services (system parameter
# service, samgr, HDF device manager) rather than the kernel — confirm which
# component performs the check for each class, since a class no object
# manager queries grants nothing in practice.

class parameter_service
{
    set
}
class samgr_class
{
    add
    get
    get_remote
    list
}
class hdf_devmgr_class
{
    add
    get
    list
}

class lockdown
{
    integrity
    confidentiality
}

class perf_event
{
    open
    cpu
    kernel
    tracepoint
    read
    write
}

# --- Vendor kernel extensions ----------------------------------------------
# NOTE(review): the classes below (xpm, hideaddr, code_sign, hmpsf, ced,
# jit_memory, hmcap) are not upstream kernel classes; the component that
# checks them is not visible from this file — confirm against the vendor
# kernel / LSM hooks before assuming a permission is enforced.

# Executable-page management: controls for unsigned and anonymous executable
# memory (names as declared; semantics live in the enforcing component).
class xpm
{
    exec_no_sign
    exec_anon_mem
    exec_in_jitfort
    exec_allow_debug_id
}

class hideaddr
{
    hide_exec_anon_mem
    hide_exec_anon_mem_debug
}

class code_sign
{
    add_cert_chain
    remove_cert_chain
}

class hmpsf
{
    map_create
    map_read
    map_write
    module_load
    module_run
}

class ced
{
    container_escape_check
}

class jit_memory
{
    exec_mem_ctrl
}

# NOTE(review): "supervsable" is spelled exactly as policy rules reference
# it; renaming it here would silently break every rule that grants it.
class hmcap
{
    supervsable
    pid_mem_read
    pid_mem_write
}