6.8 KiB
Default Object Statements
These rules allow a default user, role, type and/or range to be used when computing a context for a new object. These require policy version 27 or 28 with kernels 3.5 or greater.
defaultuser
Allows the default user to be taken from the source or target context when computing a new context for the object class
identifier. Requires policy version 27.
Statement definition:
(defaultuser class_id default)
Where:
|
The |
|
A single previously declared |
|
A keyword of either |
Example:
When creating new binder
, property_service
, zygote
or memprotect
objects the user
component of the new security context will be taken from the source
context:
(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
(class memprotect (mmap_zero))
(classmap android_classes (android))
(classmapping android_classes android (binder (all)))
(classmapping android_classes android (property_service (set)))
(classmapping android_classes android (zygote (not (specifycapabilities))))
(defaultuser (android_classes memprotect) source)
; Will produce the following in the binary policy file:
;; default_user binder source;
;; default_user zygote source;
;; default_user property_service source;
;; default_user memprotect source;
defaultrole
Allows the default role to be taken from the source or target context when computing a new context for the object class
identifier. Requires policy version 27.
(defaultrole class_id default)
Where:
|
The |
|
A single previously declared |
|
A keyword of either |
Example:
When creating new binder
, property_service
or zygote
objects the role
component of the new security context will be taken from the target
context:
(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
(defaultrole (binder property_service zygote) target)
; Will produce the following in the binary policy file:
;; default_role binder target;
;; default_role zygote target;
;; default_role property_service target;
defaulttype
Allows the default type to be taken from the source or target context when computing a new context for the object class
identifier. Requires policy version 28.
Statement definition:
(defaulttype class_id default)
Where:
|
The |
|
A single previously declared |
|
A keyword of either |
Example:
When creating a new socket
object, the type
component of the new security context will be taken from the source
context:
(defaulttype socket source)
defaultrange
Allows the default level or range to be taken from the source, target, or both contexts when computing a new context for the object class
identifier. Requires policy version 27. glblub as the default requires policy version 32.
Statement definition:
(defaultrange class_id default <range>)
Where:
|
The |
|
A single previously declared |
|
A keyword of either |
|
A keyword of either |
Example:
When creating a new file
object, the appropriate range
component of the new security context will be taken from the target
context:
(defaultrange file target low_high)
MLS userspace object managers may need to compute the common parts of a range such that the object is created with the range common to the subject and containing object:
(defaultrange db_table glblub)