Class and Permission Statements
===============================

common
------

Declares a common identifier in the current namespace with a set of common permissions that can be used by one or more [`class`](cil_class_and_permission_statements.md#class) identifiers. The [`classcommon`](cil_class_and_permission_statements.md#classcommon) statement is used to associate a [`common`](cil_class_and_permission_statements.md#common) identifier with a specific [`class`](cil_class_and_permission_statements.md#class) identifier.

**Statement definition:**

```secil
    (common common_id (permission_id ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>common</code></p></td>
<td align="left"><p>The <code>common</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>common_id</code></p></td>
<td align="left"><p>The <code>common</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>permission_id</code></p></td>
<td align="left"><p>One or more permissions.</p></td>
</tr>
</tbody>
</table>

**Example:**

This common statement will associate the [`common`](cil_class_and_permission_statements.md#common) identifier '`file`' with the list of permissions:

```secil
    (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))
```

classcommon
-----------

Associates a [`class`](cil_class_and_permission_statements.md#class) identifier with the one or more permissions declared by a [`common`](cil_class_and_permission_statements.md#common) identifier.

**Statement definition:**

```secil
    (classcommon class_id common_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>classcommon</code></p></td>
<td align="left"><p>The <code>classcommon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>common_id</code></p></td>
<td align="left"><p>A single previously declared <code>common</code> identifier that defines the common permissions for that class.</p></td>
</tr>
</tbody>
</table>

**Example:**

This associates the `dir` class with the list of permissions declared by the `file` common identifier:

```secil
    (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))

    (classcommon dir file)
```

class
-----

Declares a class and zero or more permissions in the current namespace.

**Statement definition:**

```secil
    (class class_id (permission_id ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>class</code></p></td>
<td align="left"><p>The <code>class</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>The <code>class</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>permission_id</code></p></td>
<td align="left"><p>Zero or more permissions declared for the class. Note that if there are no permissions, an empty list is still required, as shown in the example.</p></td>
</tr>
</tbody>
</table>

**Examples:**

This example defines a set of permissions for the `binder` class identifier:

```secil
    (class binder (impersonate call set_context_mgr transfer receive))
```

This example defines a common set of permissions to be used by the `sem` class; the `(class sem ())` statement itself defines no further permissions (i.e. an empty list):

```secil
    (common ipc (create destroy getattr setattr read write associate unix_read unix_write))

    (classcommon sem ipc)
    (class sem ())
```

and will produce the following set of permissions for the `sem` class identifier:

```secil
    (class sem (create destroy getattr setattr read write associate unix_read unix_write))
```

This example, with the following combination of the [`common`](cil_class_and_permission_statements.md#common), [`classcommon`](cil_class_and_permission_statements.md#classcommon) and [`class`](cil_class_and_permission_statements.md#class) statements:

```secil
    (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))

    (classcommon dir file)
    (class dir (add_name remove_name reparent search rmdir open audit_access execmod))
```

will produce the following set of permissions for the `dir` class identifier:

```secil
    (class dir (add_name remove_name reparent search rmdir open audit_access execmod ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))
```

classorder
----------

Defines the order of [classes](#class). This is a mandatory statement. Multiple [`classorder`](cil_class_and_permission_statements.md#classorder) statements declared in the policy will form an ordered list.

**Statement definition:**

```secil
    (classorder (class_id ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>classorder</code></p></td>
<td align="left"><p>The <code>classorder</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>One or more <code>class</code> identifiers.</p></td>
</tr>
</tbody>
</table>

**Example:**

This will produce an ordered list of "`file dir process`":

```secil
    (class process)
    (class file)
    (class dir)
    (classorder (file dir))
    (classorder (dir process))
```

**Unordered Classorder Statement:**

If users do not have knowledge of the existing [`classorder`](#classorder), the `unordered` keyword may be used in a [`classorder`](#classorder) statement. The [classes](#class) in an unordered statement are appended to the existing [`classorder`](#classorder). A class in an ordered statement always supersedes the redeclaration of that class in an unordered statement. The `unordered` keyword must be the first item in the [`classorder`](#classorder) listing.

**Example:**

This will produce the list "`file dir foo a bar baz`", with the unordered classes appended after the ordered ones:

```secil
    (class file)
    (class dir)
    (class foo)
    (class bar)
    (class baz)
    (class a)
    (classorder (file dir))
    (classorder (dir foo))
    (classorder (unordered a))
    (classorder (unordered bar foo baz))
```

classpermission
---------------

Declares a class permission set identifier in the current namespace that can be used by one or more [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s to associate one or more classes and permissions to form a named set.

**Statement definition:**

```secil
    (classpermission classpermissionset_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>classpermission</code></p></td>
<td align="left"><p>The <code>classpermission</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>The <code>classpermissionset</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset) statement for examples.

classpermissionset
------------------

Defines a class permission set identifier in the current namespace that associates a class and one or more permissions to form a named set. Nested expressions may be used to determine the required permissions as shown in the examples. Anonymous [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s may be used in av rules and constraints.

**Statement definition:**

```secil
    (classpermissionset classpermissionset_id (class_id (permission_id | expr ...)))
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>classpermissionset</code></p></td>
<td align="left"><p>The <code>classpermissionset</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>The <code>classpermissionset</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>permission_id</code></p></td>
<td align="left"><p>Zero or more permissions required by the class.</p>
<p>Note that there must be at least one <code>permission</code> identifier or <code>expr</code> declared.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s; the valid operators and syntax are:</p>
<p><code> (and (permission_id ...) (permission_id ...))</code></p>
<p><code> (or (permission_id ...) (permission_id ...))</code></p>
<p><code> (xor (permission_id ...) (permission_id ...))</code></p>
<p><code> (not (permission_id ...))</code></p>
<p><code> (all)</code></p></td>
</tr>
</tbody>
</table>

**Examples:**

These class permission set statements will resolve to the permission sets shown in the kernel policy language [`allow`](cil_access_vector_rules.md#allow) rules:

```secil
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

    (type test_1)
    (type test_2)
    (type test_3)
    (type test_4)
    (type test_5)

    ; NOT
    (classpermission zygote_1)
    (classpermissionset zygote_1 (zygote
        (not
            (specifyinvokewith specifyseinfo)
        )
    ))
    (allow unconfined.process test_1 zygote_1)
    ;; allow unconfined.process test_1 : zygote { specifyids specifyrlimits specifycapabilities } ;

    ; AND - ALL - NOT - Equiv to test_1
    (classpermission zygote_2)
    (classpermissionset zygote_2 (zygote
        (and
            (all)
            (not (specifyinvokewith specifyseinfo))
        )
    ))
    (allow unconfined.process test_2 zygote_2)
    ;; allow unconfined.process test_2 : zygote { specifyids specifyrlimits specifycapabilities } ;

    ; OR
    (classpermission zygote_3)
    (classpermissionset zygote_3 (zygote ((or (specifyinvokewith) (specifyseinfo)))))
    (allow unconfined.process test_3 zygote_3)
    ;; allow unconfined.process test_3 : zygote { specifyinvokewith specifyseinfo } ;

    ; XOR - This will not produce an allow rule as the XOR will remove all the permissions:
    (classpermission zygote_4)
    (classpermissionset zygote_4 (zygote (xor (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo) (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))))

    ; ALL
    (classpermission zygote_all_perms)
    (classpermissionset zygote_all_perms (zygote (all)))
    (allow unconfined.process test_5 zygote_all_perms)
    ;; allow unconfined.process test_5 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ;
```

classmap
--------

Declares a class map identifier in the current namespace and one or more class mapping identifiers.
This will allow:

1. Multiple [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s to be linked to a pair of [`classmap`](cil_class_and_permission_statements.md#classmap) / [`classmapping`](cil_class_and_permission_statements.md#classmapping) identifiers.

2. Multiple [`class`](cil_class_and_permission_statements.md#class)es to be associated with statements and rules that support a list of classes:

        typetransition
        typechange
        typemember
        rangetransition
        roletransition
        defaultuser
        defaultrole
        defaulttype
        defaultrange
        validatetrans
        mlsvalidatetrans

**Statement definition:**

```secil
    (classmap classmap_id (classmapping_id ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>classmap</code></p></td>
<td align="left"><p>The <code>classmap</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classmap_id</code></p></td>
<td align="left"><p>The <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>classmapping_id</code></p></td>
<td align="left"><p>One or more <code>classmapping</code> identifiers.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`classmapping`](cil_class_and_permission_statements.md#classmapping) statement for examples.

classmapping
------------

Defines sets of [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s (named or anonymous) to form a consolidated [`classmapping`](cil_class_and_permission_statements.md#classmapping) set. Generally there are multiple [`classmapping`](cil_class_and_permission_statements.md#classmapping) statements with the same [`classmap`](cil_class_and_permission_statements.md#classmap) and [`classmapping`](cil_class_and_permission_statements.md#classmapping) identifiers that together form a set of different [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset)s. This is useful when multiple class / permission pairs are required in rules such as the [`allow`](cil_access_vector_rules.md#allow) rules (as shown in the examples).

**Statement definition:**

```secil
    (classmapping classmap_id classmapping_id classpermissionset_id)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>classmapping</code></p></td>
<td align="left"><p>The <code>classmapping</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classmap_id</code></p></td>
<td align="left"><p>A single previously declared <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>classmapping_id</code></p></td>
<td align="left"><p>The <code>classmapping</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named <code>classpermissionset</code> identifier or a single anonymous <code>classpermissionset</code> using <code>expr</code>'s as required (see the <code>classpermissionset</code> statement).</p></td>
</tr>
</tbody>
</table>

**Examples:**

These class mapping statements will resolve to the permission sets shown in the kernel policy language [`allow`](cil_access_vector_rules.md#allow) rules:

```secil
    (class binder (impersonate call set_context_mgr transfer receive))
    (class property_service (set))
    (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

    (classpermission cps_zygote)
    (classpermissionset cps_zygote (zygote (not (specifyids))))

    (classmap android_classes (set_1 set_2 set_3))

    (classmapping android_classes set_1 (binder (all)))
    (classmapping android_classes set_1 (property_service (set)))
    (classmapping android_classes set_1 (zygote (not (specifycapabilities))))

    (classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer)))
    (classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith)))

    (classmapping android_classes set_3 cps_zygote)
    (classmapping android_classes set_3 (binder (impersonate call set_context_mgr)))

    (block map_example
        (type type_1)
        (type type_2)
        (type type_3)

        (allow type_1 self (android_classes (set_1)))
        (allow type_2 self (android_classes (set_2)))
        (allow type_3 self (android_classes (set_3)))
    )

    ; The above will resolve to the following AV rules:
    ;; allow map_example.type_1 map_example.type_1 : binder { impersonate call set_context_mgr transfer receive } ;
    ;; allow map_example.type_1 map_example.type_1 : property_service set ;
    ;; allow map_example.type_1 map_example.type_1 : zygote { specifyids specifyrlimits specifyinvokewith specifyseinfo } ;

    ;; allow map_example.type_2 map_example.type_2 : binder { impersonate call set_context_mgr transfer } ;
    ;; allow map_example.type_2 map_example.type_2 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith } ;

    ;; allow map_example.type_3 map_example.type_3 : binder { impersonate call set_context_mgr } ;
    ;; allow map_example.type_3 map_example.type_3 : zygote { specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ;
```

permissionx
-----------

Defines a named extended permission, which can be used in the [`allowx`](cil_access_vector_rules.md#allowx), [`auditallowx`](cil_access_vector_rules.md#auditallowx), [`dontauditx`](cil_access_vector_rules.md#dontauditx), and [`neverallowx`](cil_access_vector_rules.md#neverallowx) statements.

**Statement definition:**

```secil
    (permissionx permissionx_id (kind class_id (permission ... | expr ...)))
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>permissionx</code></p></td>
<td align="left"><p>The <code>permissionx</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>kind</code></p></td>
<td align="left"><p>A keyword specifying how to interpret the extended permission values. Must be one of:</p>
<table>
<thead>
<tr class="header">
<th align="left"><p><strong>kind</strong></p></th>
<th align="left"><p><strong>description</strong></p></th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>ioctl</p></td>
<td align="left"><p>Permissions define a whitelist of ioctl values. Permission values must range from <code>0x0000</code> to <code>0xFFFF</code>, inclusive.</p></td>
</tr>
</tbody>
</table></td>
</tr>
<tr class="odd">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>permission</code></p></td>
<td align="left"><p>One or more numeric values, specified in decimal, or hexadecimal if prefixed with 0x, or octal if prefixed with 0. Values are interpreted based on the value of <code>kind</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>An expression, with valid operators and syntax:</p>
<p><code> (range (permission ...) (permission ...))</code></p>
<p><code> (and (permission ...) (permission ...))</code></p>
<p><code> (or (permission ...) (permission ...))</code></p>
<p><code> (xor (permission ...) (permission ...))</code></p>
<p><code> (not (permission ...))</code></p>
<p><code> (all)</code></p></td>
</tr>
</tbody>
</table>

**Examples:**

```secil
    (permissionx ioctl_1 (ioctl tcp_socket (0x2000 0x3000 0x4000)))
    (permissionx ioctl_2 (ioctl tcp_socket (range 0x6000 0x60FF)))
    (permissionx ioctl_3 (ioctl tcp_socket (and (range 0x8000 0x90FF) (not (range 0x8100 0x82FF)))))
```