commit | 1b1d133be5350989cbd6c09e4f000e146f9ab7ae | [log] [tgz] |
---|---|---|
author | Nick Kralevich <nnk@google.com> | Fri Sep 07 10:48:55 2018 -0700 |
committer | Nick Kralevich <nnk@google.com> | Fri Sep 07 10:52:31 2018 -0700 |
tree | 9cd65b45032e25feaf15b819a484c56b63ded77d | |
parent | 8d7d5b42b5e3f5974a468940019d392f9b818a9e [diff] |
Add nnp_nosuid_transition policycap and related class/perm definitions. https://github.com/torvalds/linux/commit/af63f4193f9fbbbac50fc766417d74735afd87ef allows a security policy writer to determine whether transitions under nosuid / NO_NEW_PRIVS should be allowed or not. Define these permissions, so that they're usable to policy writers. This change is modeled after refpolicy https://github.com/TresysTechnology/refpolicy/commit/1637a8b407c85f67f0b2ca5c6d852cef3c999087 Test: policy compiles and device boots Test Note: Because this requires a newer kernel, full testing on such kernels could not be done. Change-Id: I9866724b3b97adfc0cdef5aaba6de0ebbfbda72f
diff --git a/private/access_vectors b/private/access_vectors
index 898c884..57ab3a8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -330,6 +330,11 @@
 getrlimit
 }
+class process2
+{
+ nnp_transition
+ nosuid_transition
+}
 #
 # Define the access vector interpretation for ipc-related objects
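Review bot: The new `class process2` block has no comment saying what its two permissions gate, unlike the "Define the access vector interpretation for ..." header on the section that follows it. Going by the commit description, both permissions control whether a domain transition is allowed under NO_NEW_PRIVS or on a nosuid mount, so a later allow rule on either one relaxes a hardening boundary and the file should say so. I would add above the class something like `# process2: nnp_transition / nosuid_transition permit a domain transition on exec under no_new_privs / from a nosuid mount.` and `# Only checked when policycap nnp_nosuid_transition is enabled; grant sparingly.`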
diff --git a/private/policy_capabilities b/private/policy_capabilities
index ab55c15..9290e3a 100644
--- a/private/policy_capabilities
+++ b/private/policy_capabilities
@@ -11,3 +11,10 @@
 # to the rawip_socket class.
 policycap extended_socket_class;
+# Enable NoNewPrivileges support. Requires libsepol 2.7+
+# and kernel 4.14 (estimated).
+#
+# Checks enabled;
+# process2: nnp_transition, nosuid_transition
+#
+policycap nnp_nosuid_transition;
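Review bot: `policycap nnp_nosuid_transition;` is enabled for every build, but nothing in this commit limits which domains may later be granted the two `process2` permissions, and the description says kernels that honour the capability could not be fully tested. An allow rule on either permission would let a domain change context across a NO_NEW_PRIVS or nosuid boundary, so I would pair the capability with a default-deny guard such as `neverallow * *:process2 { nnp_transition nosuid_transition };`, relaxed per domain only with a stated reason. The added comment's "kernel 4.14 (estimated)" should be replaced with the confirmed minimum version once known. It is also worth checking on a supporting kernel that enabling the capability does not produce new `process2` denials in the audit log for transitions that succeed today.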
diff --git a/private/security_classes b/private/security_classes
index 251b721..e0007d1 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -130,6 +130,8 @@
 class qipcrtr_socket
 class smc_socket
+class process2
+
 # Property service
 class property_service # userspace