| # Life begins with the kernel. |
| type kernel, chromeos_domain, domain, mlstrustedsubject; |
| |
| permissive kernel; |
| |
| r_dir_file(kernel, rootfs) |
| r_dir_file(kernel, sysfs) |
| |
| allow kernel selinuxfs:dir r_dir_perms; |
| allow kernel selinuxfs:file rw_file_perms; |
| allow kernel self:security setcheckreqprot; |
| |
| allow kernel unlabeled:dir search; |
| allow kernel cros_system_file:dir search; |
| |
| # TODO: label device file in more detail. |
| # Some types of devices are in subdirectories that have special labels, so |
| # grant the same permissions that are applied to general device-labeled |
| # directories. |
| allow kernel {device audio_device input_device usb_device}:dir { search read write getattr }; |
| allow kernel cros_dev_type:chr_file { create setattr getattr }; |
| allow kernel cros_labeled_dev_type:chr_file write; |
| allow kernel {device usb_device}:dir add_name; # for dm-X and usb devices. |
| allow kernel device:blk_file { rw_file_perms create setattr }; |
| allow kernel {device audio_device input_device usb_device}:dir open; |
| |
| allow kernel self:global_capability_class_set sys_nice; |
| allow kernel self:system { module_request }; |
| allow kernel self:capability { mknod }; |
| |
| allow kernel sysfs:filesystem getattr; |
| allow kernel labeledfs:filesystem getattr; |
| allow kernel device:filesystem getattr; |
| |
| allow kernel device:chr_file relabelfrom; |
| allow kernel cros_dev_type:chr_file relabelto; |
| allow kernel {device audio_device input_device usb_device}:dir relabelfrom; |
| allow kernel cros_dev_type:dir relabelto; |
| |
| allow kernel cros_modprobe_exec:{ file lnk_file } r_file_perms; |
| |
| neverallow * kernel:process { transition dyntransition }; |
| |
| dontaudit kernel device:chr_file write; |