| # Basic macros |
| define(`domain_auto_trans_nnp', ` |
| domain_auto_trans($1, $2, $3); |
| allow $1 $3:process2 nnp_transition; |
| '); |
| |
| # rw_dir_file(domain, type) |
| # Allow the specified domain to read/write directories, files |
| # and symbolic links of the specified type. |
| define(`rw_dir_file', ` |
| allow $1 $2:dir rw_dir_perms; |
| allow $1 $2:file rw_file_perms; |
| allow $1 $2:lnk_file rw_file_perms; |
| ') |
| |
| # create_dir_file(domain, type) |
| # Allow the specified domain to read/write/create directories, files |
| # and symbolic links of the specified type. |
| define(`create_dir_file', ` |
| allow $1 $2:dir create_dir_perms; |
| allow $1 $2:file create_file_perms; |
| allow $1 $2:lnk_file create_file_perms; |
| ') |
| |
| # create_mounton_dir_file(domain, type) |
| # Allow the specified domain to create directories and files |
| # and mounton the directories of the specified type. |
| define(`create_mounton_dir_file', ` |
| allow $1 $2:dir { create_dir_perms mounton }; |
| allow $1 $2:file { create_file_perms }; |
| ') |
| |
| # create_relabelto_dir_file(domain, type) |
| # Allow the specified domain to create directories and files |
| # and relabelto the directories of the specified type. |
| define(`create_relabelto_dir_file', ` |
| allow $1 $2:dir { create_dir_perms relabelto}; |
| allow $1 $2:file { create_file_perms }; |
| ') |
| |
| define(`execute_file_follow_link', ` |
| allow $1 $2:file rx_file_perms; |
| allow $1 $2:lnk_file r_file_perms; |
| ') |
| |
| define(`exec_coreutils', ` |
| execute_file_follow_link($1, cros_coreutils_exec) |
| execute_file_follow_link($1, sh_exec) |
| r_dir_file($1, cros_tz_data_file) |
| allow $1 cros_var_lib:dir search; # date |
| ') |
| |
| define(`filetrans_pattern', ` |
| allow $1 $2:dir rw_dir_perms; |
| allow $1 $3:$4 create; |
| type_transition $1 $2:$4 $3 $5; |
| ') |
| |
| # TODO(fqj): remove this |
| define(`filetrans_pattern_no_target_perm', ` |
| filetrans_pattern($1, $2, $3, $4, $5) |
| '); |
| |
| # Chrome OS specific macros |
| define(`use_init_fd', ` |
| allow $1 cros_init:fd use; |
| allow $1 cros_init_scripts:fd use; |
| ') |
| |
| define(`log_writer', ` |
| allow $1 cros_logger_exec:file { rx_file_perms }; |
| allow $1 cros_rsyslogd:unix_dgram_socket { sendto }; |
| allow $1 logger_device:sock_file write; |
| ') |
| |
| define(`log_reader', ` |
| allow $1 cros_log_type:file r_file_perms; |
| allow $1 cros_log_type:dir r_dir_perms; |
| ') |
| |
| # cros_daemon_store_perms(domain, daemon, access_vector) |
| # Allow the specified domain to access the specified daemon's daemon-store |
| # directories and files with the specified access vector. |
| define(`cros_daemon_store_perms', ` |
| allow $1 cros_home_shadow_uid_root_$2:dir $3; |
| allow $1 cros_home_shadow_uid_root_$2:file $3; |
| ') |
| |
| # cros_daemon_store_create(domain, daemon) |
| # Allow the specified domain to create files and directories in |
| # the specified daemon's daemon-store. |
| define(`cros_daemon_store_create', ` |
| allow $1 cros_home_shadow_uid_root_$2:dir create_dir_perms; |
| allow $1 cros_home_shadow_uid_root_$2:file create_file_perms; |
| ') |
| |
| define(`cros_net', ` |
| typeattribute $1 cros_netdomain; |
| ') |
| |
| define(`cros_tcp_create', ` |
| allow $1 self:tcp_socket create_socket_perms; |
| ') |
| |
| define(`cros_tcp_connect', ` |
| cros_tcp_create($1); |
| allow $1 port:tcp_socket name_connect; |
| '); |
| |
| define(`cros_udp_create', ` |
| allow $1 self:udp_socket create_socket_perms; |
| '); |
| |
| define(`cros_udp_listen', ` |
| cros_udp_create($1); |
| allow $1 node:udp_socket node_bind; |
| allow $1 port:udp_socket name_bind; |
| '); |
| |
| define(`cros_netlink', ` |
| allow $1 self:$2 { create_socket_perms_no_ioctl nlmsg_read }; |
| ') |
| |
| # Contexts that write to /run/lock/power_override to block resume need to call |
| # this macro with the context name as the only argument. |
| define(`cros_power_override', ` |
| filetrans_pattern($1, cros_run_lock_power_override, cros_power_override_lock_file, file); |
| allow $1 cros_power_override_lock_file:file create_file_perms; |
| allow $1 cros_run_lock:dir lock; |
| ') |
| |
| define(`cros_dbus_client', ` |
| typeattribute $1 cros_dbus_client_domain; |
| ') |
| |
| define(`cros_tcsd_client', ` |
| typeattribute $1 cros_tcsd_client_domain; |
| '); |
| |
| define(`cros_cras_client', ` |
| typeattribute $1 cros_cras_client_domain; |
| '); |
| |
| define(`uma_writer', ` |
| typeattribute $1 cros_uma_events_writer_domain; |
| '); |
| |
| define(`cros_run_camera_creator', ` |
| typeattribute $1 cros_run_camera_creator_domain; |
| '); |
| |
| define(`cros_cron', ` |
| domain_auto_trans(cros_periodic_scheduler, $2, $1); |
| allow cros_periodic_scheduler $1:process2 nnp_transition; |
| typeattribute $1 cros_launched_by_periodic_scheduler_domain; |
| '); |
| |
| # tmp_file(domain, file|dir, file name, directory other than tmpfs); |
| define(`tmp_file', ` |
| type $1_tmp_file, file_type, cros_tmpfile_type, cros_file_type; |
| filetrans_pattern($1, {tmpfs $4}, $1_tmp_file, $2, $3); |
| '); |
| |
| # pid_file(domain, where, file name, file type of created pid file); |
| # if file type of created pid file is not specified, it will be |
| # <domain>_pid_file by default. |
| define(`pid_file', ` |
| ifelse($4, `', ` |
| define(`___pid_file_type', `$1_pid_file'); |
| ', ` |
| define(`___pid_file_type', `$4'); |
| '); |
| type ___pid_file_type, file_type, cros_tmpfile_type, cros_file_type; |
| filetrans_pattern($1, $2, ___pid_file_type, file, $3); |
| allow $1 ___pid_file_type:file create_file_perms; |
| undefine(`___pid_file_type'); |
| '); |
| |
| # minijail-related macros |
| include(sepolicy/policy/chromeos/minijail_te_macros) |