Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 9b2e0cbeeaae560b07e4ffa6e5b8e505699e4a76^! / . / private / incidentd.te
commit9b2e0cbeeaae560b07e4ffa6e5b8e505699e4a76[log] [tgz]
authorBenjamin Gordon <bmgordon@google.com>Thu Nov 09 15:51:26 2017 -0700
committerBenjamin Gordon <bmgordon@chromium.org>Tue Nov 21 08:34:32 2017 -0700
treedeebfa0ea439c4d6c9951e89857a2a30b1bddff8
parentdf8d4b87ef495272b11bade7b128b9a160254428 [diff] [blame]
sepolicy: Add rules for non-init namespaces

In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f

diff --git a/private/incidentd.te b/private/incidentd.te
index efd23bd..5810d9a 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te

@@ -7,12 +7,12 @@
 
 # Allow setting process priority, protect from OOM killer, and dropping
 # privileges by switching UID / GID
-# TODO allow incidentd self:capability { setuid setgid sys_resource };
+# TODO allow incidentd self:global_capability_class_set { setuid setgid sys_resource };
 
 # Allow incidentd to scan through /proc/pid for all processes
 r_dir_file(incidentd, domain)
 
-allow incidentd self:capability {
+allow incidentd self:global_capability_class_set {
     # Send signals to processes
     kill
 };
@@ -56,7 +56,7 @@
 binder_call(incidentd, appdomain)
 
 # Reading /proc/PID/maps of other processes
-# TODO allow incidentd self:capability sys_ptrace;
+# TODO allow incidentd self:global_capability_class_set sys_ptrace;
 
 # Run a shell.
 allow incidentd shell_exec:file rx_file_perms;