
0001 ;; SELinux CIL Policy Example
0002 
0003 ;; NOTE: This file is not functional, but
0004 ;; is designed to test syntax highlighting.
0005 ;; Trailing comments mark the constructs whose semantics matter in a real policy.
0006 ; Brackets colors
0007 ((((((((((((( ))))))))))))) ))
0008 
0009 ; Statements
0010 (policycap open_perms)  ; Policy config. statement
0011 (mls true)  ; MLS enforcement enabled for this policy
0012 (handleunknown allow)  ; unknown classes/permissions are allowed; deny or reject are the stricter choices
0013 
0014 (sid kernel)  ; Declaration type statement
0015 (classpermissionset char_w (char (write setattr)))  ; Other statements: a named permission set, reusable in rules
0016 
0017 (user user) ; Declare identifier 'user' of user type
0018 (role role)
0019 (type type)
0020 (allow allow) (true true) (in in) (xor xor)  ; keywords reused as identifiers (highlighting stress case)
0021 
0022 ; List of permissions
0023 (class security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy))  ; setenforce, setbool and load_policy change how policy is enforced
0024 
0025 ; Permissions are highlighted only when the first token is not a statement keyword
0026 (class binder (impersonate call set_context_mgr transfer receive))
0027 (class binder (classcommon impersonate call set_context_mgr transfer receive))
0028 (impersonate call set_context_mgr transfer receive)
0029 (tunableif impersonate call set_context_mgr transfer receive)
0030 
0031 ; This is allowed by the CIL compiler
0032 ( typeattribute;comment
0033         all_fs_type_except_usermodehelper_and_proc_security)
0034 (;comment
0035         typeattribute all_fs_type_except_usermodehelper_and_proc_security)
0036 (  ;comment
0037  ;more comments
0038         typeattribute all_fs_type_except_usermodehelper_and_proc_security)
0039         
0040 ; Paths
0041 (true true /true true /true/true/ true true/true "true")
0042 ; Global namespace
0043 (true true .true true true.true true .true.true true.true.true
0044         .true. true. true.true. ; invalid
0045 )
0046 
0047 ; Keywords in some rules
0048 
0049 ; filecon
0050 (filecon "/system/bin/run-as" file runas_exec_context)  ; labels one file via a named context
0051 (filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)  ; regex path with a literal security context
0052 (filecon "/data/local/mine" dir ())  ; empty context: no label is assigned
0053 (classcommon file any dir)
0054 (file any dir)
0055 ; portcon
0056 (portcon sctp 3333 (unconfined.user object_r unconfined.object levelrange_1))  ; anonymous context with a named level range
0057 (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))  ; same, with the level range written inline
0058 (defaultrole tcp udp)
0059 (tcp udp)
0060 ; fsuse
0061 (fsuse xattr ext4 file.labeledfs_context)  ; labels come from extended attributes stored on the filesystem
0062 (fsuse task pipefs file.pipefs_context)  ; labels are derived from the creating task
0063 (fsuse trans tmpfs file.tmpfs_context)  ; labels are derived by type transition
0064 (typemember xattr task trans)
0065 (xattr task trans)
0066 
0067 (allow unconfined.process self (file (read write)))  ; 'self': the target type is the source type
0068 (allow process httpd.object (file (read write)))
0069 
0070 (defaultrange db_table glblub)  ; default range computed from both source and target ranges (GLB/LUB)
0071 
0072 ; Paths
0073 "/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
0074 "/pa\12th.*a+b?"
0075 /usr/hi\"esc\032esc\*3es{2,2}ds
0076 "/data/(open "
0077 "/data/[open "
0078 
0079 
0080 ; Some rules
0081 
0082 (call macro1("__kmsg__"))  ; the call precedes the macro definition; CIL resolves it after parsing
0083 (macro macro1 ((string ARG1))  ; ARG1 is the object name matched by the name-based transition below
0084     (typetransition audit.process device.device chr_file ARG1 device.klog_device)
0085 )
0086 
0087 (allow unconfined.process self (file (read write)))
0088 (auditallow release_app.process secmark_demo.browser_packet (packet (send recv)))  ; audits the access; grants nothing by itself
0089 (allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))  ; extended permission: a bounded ioctl command range
0090 (permissionx ioctl_nodebug (ioctl udp_socket (not (range 0x4000 0x4010))))  ; 'not' inverts: every ioctl command except 0x4000-0x4010
0091 (allowx type_3 type_4 ioctl_nodebug)
0092 (dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF)))  ; suppresses audit of denials in this range
0093 
0094 (class property_service (set))
0095 (block av_rules
0096     (type type_1)
0097     (type type_2)
0098     (typeattribute all_types)
0099     (typeattributeset all_types ((all)))  ; attribute covering every declared type
0100 
0101     (neverallow type_2 all_types (property_service (set)))  ; compile-time assertion: the build fails if any allow rule grants this
0102 )
0103 (macro binder_call ((type ARG1) (type ARG2))
0104     (allow ARG1 ARG2 (binder (transfer call)))
0105 )
0106 (ipaddr netmask_1 255.255.255.0)
0107 
0108 (class dir)
0109 (class foo)
0110 (class bar)
0111 (class baz)
0112 (classorder (dir foo))
0113 (classorder (unordered bar foo baz))  ; 'unordered' classes are appended after the ordered ones
0114 
0115 (classpermission zygote_2)
0116 (classpermissionset zygote_2 (zygote  ; every zygote permission except the two excluded below
0117     (and
0118         (all)
0119         (not (specifyinvokewith specifyseinfo))
0120     )
0121 ))
0122 
0123 (permissionx ioctl_3 (ioctl tcp_socket (and (range 0x8000 0x90FF) (not (range 0x8100 0x82FF)))))  ; 0x8000-0x90FF with 0x8100-0x82FF carved out
0124 (boolean disableAudioCapture false)  ; switchable at runtime, unlike a tunable
0125 (booleanif (and (not disableAudio) (not disableAudioCapture))
0126     (true
0127         (allow process mediaserver.audio_capture_device (chr_file_set (rw_file_perms)))  ; active only while both booleans are false
0128     )
0129 )
0130 (tunable range_trans_rule false)  ; resolved when the policy is compiled; not changeable at runtime
0131 
0132 (block init
0133     (class process (process))
0134     (type process)
0135     (tunableif range_trans_rule
0136         (true
0137             (rangetransition process sshd.exec process low_high))))  ; emitted only if the tunable is true at compile time
0138 
0139 (validatetrans file (eq t1 unconfined.process))  ; constraint checked on file relabels; t1/t2/t3 stand for the old, new and process types
0140 (block ext_gateway
0141     (optional move_file  ; dropped at compile time if anything it references is undeclared
0142         (typetransition process msg_filter.move_file.in_queue file msg_filter.move_file.in_file)
0143         (allow process msg_filter.move_file.in_queue (dir (read getattr write search add_name)))))
0144 
0145 (context runas_exec_context (u object_r exec low_low))  ; named context: user, role, type, level range
0146 (filecon "/system/bin/run-as" file runas_exec_context)
0147 
0148 (in file  ; inserts into the 'file' container, which is declared elsewhere (not in this file)
0149     (genfscon rootfs / rootfs_context)  ; labels a whole filesystem by path prefix
0150     (genfscon selinuxfs / selinuxfs_context)
0151 )
0152 
0153 ; ioctl & call: due to the way in which the highlighter treats the parenthesis blocks
0154 ; (each level of different color), it is not possible to differentiate between statement and permission.
0155 (allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF))) ; ioctl kind
0156 (ioctl read
0157     find connectto) ; kind or permission?
0158 (ioctl read find connectto) ; ioctl permission
0159 (ioctl read  )
0160 (call ioctl read find connectto) ; statement or permission?
0161 ( call  ) ; call permission