Define the user namespace capability classes and access vectors. am: 8a00360706 am: 60eff1f278
am: 2d6dc8b5e7

Change-Id: Id1d56498a1221655543916632c376113da918e14
diff --git a/private/access_vectors b/private/access_vectors
index efd4924..875d7ba 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -77,6 +77,60 @@
 }
 
 #
+# Define a common for capability access vectors.
+#
+common cap
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Capabilities >= 32 are defined in the cap2 common.
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown
+	dac_override
+	dac_read_search
+	fowner
+	fsetid
+	kill
+	setgid
+	setuid
+	setpcap
+	linux_immutable
+	net_bind_service
+	net_broadcast
+	net_admin
+	net_raw
+	ipc_lock
+	ipc_owner
+	sys_module
+	sys_rawio
+	sys_chroot
+	sys_ptrace
+	sys_pacct
+	sys_admin
+	sys_boot
+	sys_nice
+	sys_resource
+	sys_time
+	sys_tty_config
+	mknod
+	lease
+	audit_write
+	audit_control
+	setfcap
+}
+
+common cap2
+{
+	mac_override	# unused by SELinux
+	mac_admin	# unused by SELinux
+	syslog
+	wake_alarm
+	block_suspend
+	audit_read
+}
+
+#
 # Define the access vectors.
 #
 # class class_name [ inherits common_name ] { permission_name ... }
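Review bot: The header comment on `common cap` (lines 17-20) still reads as if it documents one class, but the common is now inherited by both `capability` and the new `cap_userns` class defined later in this commit, so the "order matters" constraint applies to every class that inherits it. I would extend that comment with `# Shared by the capability and cap_userns classes; append new capabilities to cap2 in kernel order so existing bit positions are not shifted.` The same applies to the comment-free `common cap2`, which would benefit from a one-line note that it is inherited by `capability2` and `cap2_userns`.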
@@ -330,59 +384,14 @@
 }
 
 #
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
 #
 
 class capability
-{
-	# The capabilities are defined in include/linux/capability.h
-	# Capabilities >= 32 are defined in the capability2 class.
-	# Care should be taken to ensure that these are consistent with
-	# those definitions. (Order matters)
-
-	chown
-	dac_override
-	dac_read_search
-	fowner
-	fsetid
-	kill
-	setgid
-	setuid
-	setpcap
-	linux_immutable
-	net_bind_service
-	net_broadcast
-	net_admin
-	net_raw
-	ipc_lock
-	ipc_owner
-	sys_module
-	sys_rawio
-	sys_chroot
-	sys_ptrace
-	sys_pacct
-	sys_admin
-	sys_boot
-	sys_nice
-	sys_resource
-	sys_time
-	sys_tty_config
-	mknod
-	lease
-	audit_write
-	audit_control
-	setfcap
-}
+inherits cap
 
 class capability2
-{
-	mac_override	# unused by SELinux
-	mac_admin	# unused by SELinux
-	syslog
-	wake_alarm
-	block_suspend
-	audit_read
-}
+inherits cap2
 
 #
 # Extended Netlink classes
@@ -543,6 +552,17 @@
 class netlink_crypto_socket
 inherits socket
 
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
 class property_service
 {
 	set
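Review bot: The new `cap_userns` and `cap2_userns` classes are introduced without any accompanying allow rules, so on a kernel that performs these checks any domain exercising a capability inside a non-init user namespace will presumably be denied until policy is extended; that deny-by-default posture looks intended, but the comment should state it and use the same wording as security_classes. I would change lines 138-139 to `# Define the access vector interpretation for controlling capabilities` / `# when the task is in a non-init user namespace; no domain is granted these by default.` Since the classes inherit `cap`/`cap2` unchanged, the permission ordering is tied to those commons and must not be adjusted here.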
diff --git a/private/security_classes b/private/security_classes
index 19fd5db..abd9cbe 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -94,6 +94,10 @@
 class netlink_rdma_socket
 class netlink_crypto_socket
 
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
 # Property service
 class property_service          # userspace