blob: 0537214498ab73be146b79b81cf810c88a1dfce3 [file] [log] [blame] [edit]
# FLASK
#
# Define the security object classes
#
# Classes marked as userspace are classes
# for userspace object managers
class security
class process
class system
class capability
# file-related classes
class filesystem
class file
class anon_inode
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc
# extended netlink sockets
class netlink_route_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_dnrt_socket
# IPSec association
class association
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
class appletalk_socket
class packet
# Kernel access key retention
class key
class dccp_socket
class memprotect
# network peer labels
class peer
# Capabilities >= 32
class capability2
# kernel services that need to override task security, e.g. cachefiles
class kernel_service
class tun_socket
class binder
# Updated netlink classes for more recent netlink protocols.
class netlink_iscsi_socket
class netlink_fib_lookup_socket
class netlink_connector_socket
class netlink_netfilter_socket
class netlink_generic_socket
class netlink_scsitransport_socket
class netlink_rdma_socket
class netlink_crypto_socket
# Infiniband
class infiniband_pkey
class infiniband_endport
# Capability checks when on a non-init user namespace
class cap_userns
class cap2_userns
# New socket classes introduced by extended_socket_class policy capability.
# These two were previously mapped to rawip_socket.
class sctp_socket
class icmp_socket
# These were previously mapped to socket.
class ax25_socket
class ipx_socket
class netrom_socket
class atmpvc_socket
class x25_socket
class rose_socket
class decnet_socket
class atmsvc_socket
class rds_socket
class irda_socket
class pppox_socket
class llc_socket
class can_socket
class tipc_socket
class bluetooth_socket
class iucv_socket
class rxrpc_socket
class isdn_socket
class phonet_socket
class ieee802154_socket
class caif_socket
class alg_socket
class nfc_socket
class vsock_socket
class kcm_socket
class qipcrtr_socket
class smc_socket
class xdp_socket
class mctp_socket
class process2
class bpf
class perf_event
class io_uring
# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
class lockdown
class user_namespace
# Property service
class property_service # userspace
# Service manager
class service_manager # userspace
# hardware service manager # userspace
class hwservice_manager
# Legacy Keystore key permissions
class keystore_key # userspace
# Keystore 2.0 permissions
class keystore2 # userspace
# Keystore 2.0 key permissions
class keystore2_key # userspace
# Diced permissions
class diced # userspace
class drmservice # userspace
# FLASK
# Permissions for VMs to access SMC services
class tee_service # userspace