commit | 1b1d133be5350989cbd6c09e4f000e146f9ab7ae | |
---|---|---|
author | Nick Kralevich <nnk@google.com> | Fri Sep 07 10:48:55 2018 -0700 |
committer | Nick Kralevich <nnk@google.com> | Fri Sep 07 10:52:31 2018 -0700 |
tree | 9cd65b45032e25feaf15b819a484c56b63ded77d | |
parent | 8d7d5b42b5e3f5974a468940019d392f9b818a9e | |

Add nnp_nosuid_transition policycap and related class/perm definitions.

https://github.com/torvalds/linux/commit/af63f4193f9fbbbac50fc766417d74735afd87ef allows a security policy writer to determine whether transitions under nosuid / NO_NEW_PRIVS should be allowed or not.

Define these permissions, so that they're usable to policy writers.

This change is modeled after refpolicy https://github.com/TresysTechnology/refpolicy/commit/1637a8b407c85f67f0b2ca5c6d852cef3c999087

Test: policy compiles and device boots
Test Note: Because this requires a newer kernel, full testing on such kernels could not be done.
Change-Id: I9866724b3b97adfc0cdef5aaba6de0ebbfbda72f

diff --git a/private/policy_capabilities b/private/policy_capabilities index ab55c15..9290e3a 100644 --- a/private/policy_capabilities +++ b/private/policy_capabilities
@@ -11,3 +11,10 @@ # to the rawip_socket class. policycap extended_socket_class; +# Enable NoNewPrivileges support. Requires libsepol 2.7+ +# and kernel 4.14 (estimated). +# +# Checks enabled; +# process2: nnp_transition, nosuid_transition +# +policycap nnp_nosuid_transition;
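
Review bot: The added comment above `policycap nnp_nosuid_transition;` in private/policy_capabilities gives the minimum kernel as "4.14 (estimated)", which leaves readers unable to verify the requirement. The commit message already links the upstream kernel commit, so cite that commit in the comment or confirm the release it landed in and drop "(estimated)". The comment also refers to `process2: nnp_transition, nosuid_transition`, but this hunk does not define that class or those permissions. Please confirm the class and permission definitions named in the commit subject are part of the same change, since the capability is not usable to policy writers without them. Small style point: "Checks enabled;" should end with a colon. Given the test note that full testing on a supporting kernel could not be done, a follow-up check of domain transitions under nosuid mounts and NO_NEW_PRIVS on such a kernel would be worth tracking.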