Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 1b1d133be5350989cbd6c09e4f000e146f9ab7ae^! / . / private / access_vectors
commit1b1d133be5350989cbd6c09e4f000e146f9ab7ae[log] [tgz]
authorNick Kralevich <nnk@google.com>Fri Sep 07 10:48:55 2018 -0700
committerNick Kralevich <nnk@google.com>Fri Sep 07 10:52:31 2018 -0700
tree9cd65b45032e25feaf15b819a484c56b63ded77d
parent8d7d5b42b5e3f5974a468940019d392f9b818a9e [diff] [blame]
Add nnp_nosuid_transition policycap and related class/perm definitions.

https://github.com/torvalds/linux/commit/af63f4193f9fbbbac50fc766417d74735afd87ef
allows a security policy writer to determine whether transitions under
nosuid / NO_NEW_PRIVS should be allowed or not.

Define these permissions, so that they're usable to policy writers.

This change is modeled after refpolicy
https://github.com/TresysTechnology/refpolicy/commit/1637a8b407c85f67f0b2ca5c6d852cef3c999087

Test: policy compiles and device boots
Test Note: Because this requires a newer kernel, full testing on such
   kernels could not be done.
Change-Id: I9866724b3b97adfc0cdef5aaba6de0ebbfbda72f

diff --git a/private/access_vectors b/private/access_vectors
index 898c884..57ab3a8 100644
--- a/private/access_vectors
+++ b/private/access_vectors

@@ -330,6 +330,11 @@
 	getrlimit
 }
 
+class process2
+{
+	nnp_transition
+	nosuid_transition
+}
 
 #
 # Define the access vector interpretation for ipc-related objects