Define the user namespace capability classes and access vectors. am: 8a003607

am: 60eff1f2 Change-Id: I903b56cbf25dcc5e8da3508874afce151571d976

Define the user namespace capability classes and access vectors. am: 8a003607
2d6dc8b5 · Stephen Smalley · android-build-merger · 60bfd5d6 · 60eff1f2 · 2d6dc8b5
Commit 2d6dc8b5 authored 8 years ago by Stephen Smalley Committed by android-build-merger 8 years ago
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -76,6 +76,60 @@ common ipc
 	unix_write
 }

+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Capabilities >= 32 are defined in the cap2 common.
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown
+	dac_override
+	dac_read_search
+	fowner
+	fsetid
+	kill
+	setgid
+	setuid
+	setpcap
+	linux_immutable
+	net_bind_service
+	net_broadcast
+	net_admin
+	net_raw
+	ipc_lock
+	ipc_owner
+	sys_module
+	sys_rawio
+	sys_chroot
+	sys_ptrace
+	sys_pacct
+	sys_admin
+	sys_boot
+	sys_nice
+	sys_resource
+	sys_time
+	sys_tty_config
+	mknod
+	lease
+	audit_write
+	audit_control
+	setfcap
+}
+
+common cap2
+{
+	mac_override	# unused by SELinux
+	mac_admin	# unused by SELinux
+	syslog
+	wake_alarm
+	block_suspend
+	audit_read
+}
+
 #
 # Define the access vectors.
 #
@@ -330,59 +384,14 @@ class system
 }

 #
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
 #

 class capability
-{
-	# The capabilities are defined in include/linux/capability.h
-	# Capabilities >= 32 are defined in the capability2 class.
-	# Care should be taken to ensure that these are consistent with
-	# those definitions. (Order matters)
-
-	chown
-	dac_override
-	dac_read_search
-	fowner
-	fsetid
-	kill
-	setgid
-	setuid
-	setpcap
-	linux_immutable
-	net_bind_service
-	net_broadcast
-	net_admin
-	net_raw
-	ipc_lock
-	ipc_owner
-	sys_module
-	sys_rawio
-	sys_chroot
-	sys_ptrace
-	sys_pacct
-	sys_admin
-	sys_boot
-	sys_nice
-	sys_resource
-	sys_time
-	sys_tty_config
-	mknod
-	lease
-	audit_write
-	audit_control
-	setfcap
-}
+inherits cap

 class capability2
-{
-	mac_override	# unused by SELinux
-	mac_admin	# unused by SELinux
-	syslog
-	wake_alarm
-	block_suspend
-	audit_read
-}
+inherits cap2

 #
 # Extended Netlink classes
@@ -543,6 +552,17 @@ inherits socket
 class netlink_crypto_socket
 inherits socket

+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
 class property_service
 {
 	set

--- a/private/security_classes
+++ b/private/security_classes
@@ -94,6 +94,10 @@ class netlink_scsitransport_socket
 class netlink_rdma_socket
 class netlink_crypto_socket

+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
 # Property service
 class property_service          # userspace