sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.
This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.
This is essentially:
1. New global_capability_class_set and global_capability2_class_set
that match capability+cap_userns and capability2+cap2_userns,
respectively.
2. s/self:capability/self:global_capability_class_set/g
3. s/self:capability2/self:global_capability2_class_set/g
4. Add cap_userns and cap2_userns to the existing capability_class_set
so that it covers all capabilities. This set was used by several
neverallow and dontaudit rules, and I confirmed that the new
classes are still appropriate.
Test: diff new policy against old and confirm that all new rules add
only cap_userns or cap2_userns;
Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831
Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
diff --git a/private/adbd.te b/private/adbd.te
index 47a6cbd..2f6a450 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -17,10 +17,10 @@
allow adbd shell:process { noatsecure signal };
# Set UID and GID to shell. Set supplementary groups.
-allow adbd self:capability { setuid setgid };
+allow adbd self:global_capability_class_set { setuid setgid };
# Drop capabilities from bounding set on user builds.
-allow adbd self:capability setpcap;
+allow adbd self:global_capability_class_set setpcap;
# Create and use network sockets.
net_domain(adbd)
diff --git a/private/app.te b/private/app.te
index 70b42b9..b79f447 100644
--- a/private/app.te
+++ b/private/app.te
@@ -350,8 +350,7 @@
# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability *;
-neverallow { appdomain -bluetooth } self:capability2 *;
+neverallow { appdomain -bluetooth } self:capability_class_set *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
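Review bot: The collapsed neverallow on the new line depends on `capability_class_set` having been extended with cap_userns and cap2_userns, which the commit message describes (item 4) but this file does not show; without that macro change the rule would cover exactly what the two replaced rules did and nothing in user namespaces. A one-line comment would make the dependency visible to the next reader: `# capability_class_set covers capability, capability2, cap_userns and cap2_userns.` This is also the only place in the change that uses the plain set rather than the new global_* sets, which is fine for a `*` rule but worth stating next to it.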
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 41867ae..86a7a2a 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -22,12 +22,12 @@
# Socket creation under /data/misc/bluedroid.
allow bluetooth bluetooth_socket:sock_file create_file_perms;
-allow bluetooth self:capability net_admin;
-allow bluetooth self:capability2 wake_alarm;
+allow bluetooth self:global_capability_class_set net_admin;
+allow bluetooth self:global_capability2_class_set wake_alarm;
# tethering
allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
-allow bluetooth self:capability { net_admin net_raw net_bind_service };
+allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
allow bluetooth tun_device:chr_file rw_file_perms;
allow bluetooth efs_file:dir search;
@@ -56,7 +56,7 @@
allow bluetooth shell_data_file:file read;
# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
-allow bluetooth self:capability sys_nice;
+allow bluetooth self:global_capability_class_set sys_nice;
hal_client_domain(bluetooth, hal_bluetooth)
hal_client_domain(bluetooth, hal_telephony)
@@ -71,5 +71,5 @@
# Superuser capabilities.
# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
-neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
+neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
+neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };
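Review bot: The new line `neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};` carries over the missing space before `}` from the line it replaces, while the capability2 rule directly below it is spaced `~{ wake_alarm block_suspend }`; since the line is being rewritten anyway, `~{ net_admin net_raw net_bind_service sys_nice };` keeps the pair consistent. Purely cosmetic, the set is parsed the same either way.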
diff --git a/private/domain.te b/private/domain.te
index ec34213..663c541 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -12,7 +12,7 @@
-storaged
-system_server
userdebug_or_eng(`-perfprofd')
-} self:capability sys_ptrace;
+} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
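Review bot: The neverallow ending on the changed line now rejects `cap_userns sys_ptrace` as well as `capability sys_ptrace` for whatever source set the statement's head names, so any device or vendor policy that grants ptrace only inside a user namespace will stop compiling from here on; the commit message's old-versus-new policy diff validates in-tree policy only. That is the stricter and presumably intended outcome, but the comment heading this rule should say so, e.g. `# Enforced in the root namespace and in every user namespace (cap_userns).` The statement begins above the hunk, outside this view; the excluded-domain context lines are unchanged.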
diff --git a/private/incidentd.te b/private/incidentd.te
index efd23bd..5810d9a 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -7,12 +7,12 @@
# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
-# TODO allow incidentd self:capability { setuid setgid sys_resource };
+# TODO allow incidentd self:global_capability_class_set { setuid setgid sys_resource };
# Allow incidentd to scan through /proc/pid for all processes
r_dir_file(incidentd, domain)
-allow incidentd self:capability {
+allow incidentd self:global_capability_class_set {
# Send signals to processes
kill
};
@@ -56,7 +56,7 @@
binder_call(incidentd, appdomain)
# Reading /proc/PID/maps of other processes
-# TODO allow incidentd self:capability sys_ptrace;
+# TODO allow incidentd self:global_capability_class_set sys_ptrace;
# Run a shell.
allow incidentd shell_exec:file rx_file_perms;
diff --git a/private/logpersist.te b/private/logpersist.te
index 70e3198..8cdbd2d 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -8,7 +8,7 @@
allow logpersist misc_logd_file:file create_file_perms;
allow logpersist misc_logd_file:dir rw_dir_perms;
- allow logpersist self:capability sys_nice;
+ allow logpersist self:global_capability_class_set sys_nice;
allow logpersist pstorefs:dir search;
allow logpersist pstorefs:file r_file_perms;
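Review bot: The rewritten line `allow logpersist self:global_capability_class_set sys_nice;` keeps a leading space inherited from the old line, so it sits one column off from every other rule in the hunk; drop the indent while the line is being touched. No semantic effect.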
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index f7fe32a..9a5697e 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -3,13 +3,13 @@
r_dir_file(netutils_wrapper, system_file);
# For netutils (ip, iptables, tc)
-allow netutils_wrapper self:capability net_raw;
+allow netutils_wrapper self:global_capability_class_set net_raw;
allow netutils_wrapper system_file:file { execute execute_no_trans };
allow netutils_wrapper proc_net:file { open read getattr };
allow netutils_wrapper self:rawip_socket create_socket_perms;
allow netutils_wrapper self:udp_socket create_socket_perms;
-allow netutils_wrapper self:capability net_admin;
+allow netutils_wrapper self:global_capability_class_set net_admin;
# ip utils need everything but ioctl
allow netutils_wrapper self:netlink_route_socket ~ioctl;
allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
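Review bot: net_raw and net_admin are now granted on the same class by two rules a few lines apart, the first under the netutils comment and the second after the socket rules; merging them as `allow netutils_wrapper self:global_capability_class_set { net_admin net_raw };` keeps the domain's full capability grant readable at a glance, which matters for a wrapper that executes ip/iptables/tc. The commit is a mechanical rename, so this can reasonably be a follow-up.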
diff --git a/private/storaged.te b/private/storaged.te
index 8da1f26..c8cc02d 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -52,7 +52,7 @@
# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
# running as root. See b/35323867 #3.
-dontaudit storaged self:capability dac_override;
+dontaudit storaged self:global_capability_class_set dac_override;
###
### neverallow
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 5fbd9ab..f28e3fe 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -87,7 +87,7 @@
# allow self to set SCHED_FIFO
-allow surfaceflinger self:capability sys_nice;
+allow surfaceflinger self:global_capability_class_set sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
r_dir_file(surfaceflinger, system_file)
diff --git a/private/system_server.te b/private/system_server.te
index 2017dac..eaa1412 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -52,7 +52,7 @@
# These are the capabilities assigned by the zygote to the
# system server.
-allow system_server self:capability {
+allow system_server self:global_capability_class_set {
ipc_lock
kill
net_admin
@@ -72,7 +72,7 @@
allow system_server kernel:system module_request;
# Allow alarmtimers to be set
-allow system_server self:capability2 wake_alarm;
+allow system_server self:global_capability2_class_set wake_alarm;
# Create and share netlink_netfilter_sockets for tetheroffload.
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 3f17ce5..7bdcd84 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -7,7 +7,7 @@
allow vold_prepare_subdirs vold:fd use;
allow vold_prepare_subdirs vold:fifo_file { read write };
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:capability dac_override;
+allow vold_prepare_subdirs self:global_capability_class_set dac_override;
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 3c5403b..f85d40c 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -20,9 +20,9 @@
allow webview_zygote shared_relro_file:file r_file_perms;
# Set the UID/GID of the process.
-allow webview_zygote self:capability { setgid setuid };
+allow webview_zygote self:global_capability_class_set { setgid setuid };
# Drop capabilities from bounding set.
-allow webview_zygote self:capability setpcap;
+allow webview_zygote self:global_capability_class_set setpcap;
# Switch SELinux context to app domains.
allow webview_zygote self:process setcurrent;
allow webview_zygote isolated_app:process dyntransition;
diff --git a/private/zygote.te b/private/zygote.te
index 7fe79ef..9ec0e4a 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -7,10 +7,10 @@
read_runtime_log_tags(zygote)
# Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid fowner chown };
+allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
# Drop capabilities from bounding set.
-allow zygote self:capability setpcap;
+allow zygote self:global_capability_class_set setpcap;
# Switch SELinux context to app domains.
allow zygote self:process setcurrent;
@@ -56,7 +56,7 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote self:capability sys_admin;
+allow zygote self:global_capability_class_set sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
# be able to inspect them so that it can reopen them on fork