Merge "sepolicy: Add rules for non-init namespaces" am: b9ea282c am: d41e6161

am: 44957a90 Change-Id: I363639d2cdf70b1772da3d6c7f7c814554063dfc

Merge "sepolicy: Add rules for non-init namespaces" am: b9ea282c am: d41e6161
65214c68 · Benjamin Gordon · android-build-merger · ecc0f22f · 44957a90 · 65214c68
Commit 65214c68 authored 7 years ago by Benjamin Gordon Committed by android-build-merger 7 years ago
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -17,10 +17,10 @@ userdebug_or_eng(`
 allow adbd shell:process { noatsecure signal };

 # Set UID and GID to shell.  Set supplementary groups.
-allow adbd self:capability { setuid setgid };
+allow adbd self:global_capability_class_set { setuid setgid };

 # Drop capabilities from bounding set on user builds.
-allow adbd self:capability setpcap;
+allow adbd self:global_capability_class_set setpcap;

 # Create and use network sockets.
 net_domain(adbd)

--- a/private/app.te
+++ b/private/app.te
@@ -350,8 +350,7 @@ with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')

 # Superuser capabilities.
 # bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability *;
-neverallow { appdomain -bluetooth } self:capability2 *;
+neverallow { appdomain -bluetooth } self:capability_class_set *;

 # Block device access.
 neverallow appdomain dev_type:blk_file { read write };

--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -22,12 +22,12 @@ allow bluetooth bluetooth_logs_data_file:file create_file_perms;
 # Socket creation under /data/misc/bluedroid.
 allow bluetooth bluetooth_socket:sock_file create_file_perms;

-allow bluetooth self:capability net_admin;
-allow bluetooth self:capability2 wake_alarm;
+allow bluetooth self:global_capability_class_set net_admin;
+allow bluetooth self:global_capability2_class_set wake_alarm;

 # tethering
 allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
-allow bluetooth self:capability { net_admin net_raw net_bind_service };
+allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
 allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
 allow bluetooth tun_device:chr_file rw_file_perms;
 allow bluetooth efs_file:dir search;
@@ -56,7 +56,7 @@ allow bluetooth system_api_service:service_manager find;
 allow bluetooth shell_data_file:file read;

 # Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
-allow bluetooth self:capability sys_nice;
+allow bluetooth self:global_capability_class_set sys_nice;

 hal_client_domain(bluetooth, hal_bluetooth)
 hal_client_domain(bluetooth, hal_telephony)
@@ -71,5 +71,5 @@ read_runtime_log_tags(bluetooth)

 # Superuser capabilities.
 # Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
-neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
+neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
+neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };
--- a/private/domain.te
+++ b/private/domain.te
@@ -12,7 +12,7 @@ neverallow {
  -storaged
  -system_server
  userdebug_or_eng(`-perfprofd')
-} self:capability sys_ptrace;
+} self:global_capability_class_set sys_ptrace;

 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app } *:keystore_key gen_unique_id;

--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -7,12 +7,12 @@ wakelock_use(incidentd)

 # Allow setting process priority, protect from OOM killer, and dropping
 # privileges by switching UID / GID
-# TODO allow incidentd self:capability { setuid setgid sys_resource };
+# TODO allow incidentd self:global_capability_class_set { setuid setgid sys_resource };

 # Allow incidentd to scan through /proc/pid for all processes
 r_dir_file(incidentd, domain)

-allow incidentd self:capability {
+allow incidentd self:global_capability_class_set {
    # Send signals to processes
    kill
 };
@@ -56,7 +56,7 @@ binder_call(incidentd, binderservicedomain)
 binder_call(incidentd, appdomain)

 # Reading /proc/PID/maps of other processes
-# TODO allow incidentd self:capability sys_ptrace;
+# TODO allow incidentd self:global_capability_class_set sys_ptrace;

 # Run a shell.
 allow incidentd shell_exec:file rx_file_perms;

--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -8,7 +8,7 @@ userdebug_or_eng(`
  allow logpersist misc_logd_file:file create_file_perms;
  allow logpersist misc_logd_file:dir rw_dir_perms;

-  allow logpersist self:capability sys_nice;
+  allow logpersist self:global_capability_class_set sys_nice;
  allow logpersist pstorefs:dir search;
  allow logpersist pstorefs:file r_file_perms;


--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -3,13 +3,13 @@ typeattribute netutils_wrapper coredomain;
 r_dir_file(netutils_wrapper, system_file);

 # For netutils (ip, iptables, tc)
-allow netutils_wrapper self:capability net_raw;
+allow netutils_wrapper self:global_capability_class_set net_raw;

 allow netutils_wrapper system_file:file { execute execute_no_trans };
 allow netutils_wrapper proc_net:file { open read getattr };
 allow netutils_wrapper self:rawip_socket create_socket_perms;
 allow netutils_wrapper self:udp_socket create_socket_perms;
-allow netutils_wrapper self:capability net_admin;
+allow netutils_wrapper self:global_capability_class_set net_admin;
 # ip utils need everything but ioctl
 allow netutils_wrapper self:netlink_route_socket ~ioctl;
 allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;

--- a/private/storaged.te
+++ b/private/storaged.te
@@ -50,7 +50,7 @@ allow storaged package_native_service:service_manager find;

 # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
 # running as root. See b/35323867 #3.
-dontaudit storaged self:capability dac_override;
+dontaudit storaged self:global_capability_class_set dac_override;

 ###
 ### neverallow

--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -87,7 +87,7 @@ allow surfaceflinger window_service:service_manager find;


 # allow self to set SCHED_FIFO
-allow surfaceflinger self:capability sys_nice;
+allow surfaceflinger self:global_capability_class_set sys_nice;
 allow surfaceflinger proc_meminfo:file r_file_perms;
 r_dir_file(surfaceflinger, cgroup)
 r_dir_file(surfaceflinger, system_file)

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -52,7 +52,7 @@ bluetooth_domain(system_server)

 # These are the capabilities assigned by the zygote to the
 # system server.
-allow system_server self:capability {
+allow system_server self:global_capability_class_set {
    ipc_lock
    kill
    net_admin
@@ -72,7 +72,7 @@ wakelock_use(system_server)
 allow system_server kernel:system module_request;

 # Allow alarmtimers to be set
-allow system_server self:capability2 wake_alarm;
+allow system_server self:global_capability2_class_set wake_alarm;

 # Create and share netlink_netfilter_sockets for tetheroffload.
 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;

--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -7,7 +7,7 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
 allow vold_prepare_subdirs vold:fd use;
 allow vold_prepare_subdirs vold:fifo_file { read write };
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:capability dac_override;
+allow vold_prepare_subdirs self:global_capability_class_set dac_override;
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
 allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };

--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -20,9 +20,9 @@ allow webview_zygote shared_relro_file:dir search;
 allow webview_zygote shared_relro_file:file r_file_perms;

 # Set the UID/GID of the process.
-allow webview_zygote self:capability { setgid setuid };
+allow webview_zygote self:global_capability_class_set { setgid setuid };
 # Drop capabilities from bounding set.
-allow webview_zygote self:capability setpcap;
+allow webview_zygote self:global_capability_class_set setpcap;
 # Switch SELinux context to app domains.
 allow webview_zygote self:process setcurrent;
 allow webview_zygote isolated_app:process dyntransition;

--- a/private/zygote.te
+++ b/private/zygote.te
@@ -7,10 +7,10 @@ init_daemon_domain(zygote)
 read_runtime_log_tags(zygote)

 # Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid fowner chown };
+allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };

 # Drop capabilities from bounding set.
-allow zygote self:capability setpcap;
+allow zygote self:global_capability_class_set setpcap;

 # Switch SELinux context to app domains.
 allow zygote self:process setcurrent;
@@ -56,7 +56,7 @@ r_dir_file(zygote, vendor_overlay_file)
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote self:capability sys_admin;
+allow zygote self:global_capability_class_set sys_admin;

 # Allow zygote to stat the files that it opens. The zygote must
 # be able to inspect them so that it can reopen them on fork

--- a/public/charger.te
+++ b/public/charger.te
@@ -10,8 +10,8 @@ r_dir_file(charger, sysfs_type)
 r_dir_file(charger, rootfs)
 r_dir_file(charger, cgroup)

-allow charger self:capability { sys_tty_config };
-allow charger self:capability sys_boot;
+allow charger self:global_capability_class_set { sys_tty_config };
+allow charger self:global_capability_class_set sys_boot;

 wakelock_use(charger)


--- a/public/clatd.te
+++ b/public/clatd.te
@@ -17,7 +17,7 @@ allow clatd netd:udp_socket { read write };
 allow clatd netd:unix_stream_socket { read write };
 allow clatd netd:unix_dgram_socket { read write };

-allow clatd self:capability { net_admin net_raw setuid setgid };
+allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };

 # clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
 # capable(CAP_IPC_LOCK), and then checks to see the requested amount is
@@ -26,7 +26,7 @@ allow clatd self:capability { net_admin net_raw setuid setgid };
 # so we permit any requests we see from clatd asking for this capability.
 # See https://android-review.googlesource.com/127940 and
 # https://b.corp.google.com/issues/21736319
-allow clatd self:capability ipc_lock;
+allow clatd self:global_capability_class_set ipc_lock;

 allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;

--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -11,7 +11,7 @@ allow crash_dump {

 # crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
 # which will result in an audit log even when it's allowed to trace.
-dontaudit crash_dump self:capability { sys_ptrace };
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };

 userdebug_or_eng(`
  allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };

--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -4,7 +4,7 @@ type dhcp_exec, exec_type, file_type;
 net_domain(dhcp)

 allow dhcp cgroup:dir { create write add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
 allow dhcp self:packet_socket create_socket_perms_no_ioctl;
 allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;

--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -6,9 +6,9 @@ net_domain(dnsmasq)
 allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;

 # TODO:  Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:capability dac_override;
+allow dnsmasq self:global_capability_class_set dac_override;

-allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
+allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };

 allow dnsmasq dhcp_data_file:dir w_dir_perms;
 allow dnsmasq dhcp_data_file:file create_file_perms;

--- a/public/domain.te
+++ b/public/domain.te
@@ -248,7 +248,7 @@ neverallow {
  -init
  -ueventd
  -vold
-} self:capability mknod;
+} self:global_capability_class_set mknod;

 # Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
 neverallow {
@@ -261,16 +261,16 @@ neverallow {
  -healthd
  -uncrypt
  -tee
-} self:capability sys_rawio;
+} self:global_capability_class_set sys_rawio;

 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
 neverallow * self:memprotect mmap_zero;

 # No domain needs mac_override as it is unused by SELinux.
-neverallow * self:capability2 mac_override;
+neverallow * self:global_capability2_class_set mac_override;

 # Only recovery needs mac_admin to set contexts not defined in current policy.
-neverallow { domain -recovery } self:capability2 mac_admin;
+neverallow { domain -recovery } self:global_capability2_class_set mac_admin;

 # Once the policy has been loaded there shall be none to modify the policy.
 # It is sealed.
@@ -1023,7 +1023,7 @@ neverallow * ~{ system_file vendor_file rootfs }:system module_load;
 neverallow {
  domain
  -recovery
-} self:capability setfcap;
+} self:global_capability_class_set setfcap;

 # Enforce AT_SECURE for executing crash_dump.
 neverallow domain crash_dump:process noatsecure;

--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -8,12 +8,12 @@ wakelock_use(dumpstate)

 # Allow setting process priority, protect from OOM killer, and dropping
 # privileges by switching UID / GID
-allow dumpstate self:capability { setuid setgid sys_resource };
+allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };

 # Allow dumpstate to scan through /proc/pid for all processes
 r_dir_file(dumpstate, domain)

-allow dumpstate self:capability {
+allow dumpstate self:global_capability_class_set {
    # Send signals to processes
    kill
    # Run iptables
@@ -33,7 +33,7 @@ allow dumpstate toolbox_exec:file rx_file_perms;
 allow dumpstate system_file:dir r_dir_perms;

 # Create and write into /data/anr/
-allow dumpstate self:capability { dac_override chown fowner fsetid };
+allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
 allow dumpstate anr_data_file:dir rw_dir_perms;
 allow dumpstate anr_data_file:file create_file_perms;

@@ -42,7 +42,7 @@ allow dumpstate anr_data_file:file create_file_perms;
 allow dumpstate system_data_file:file r_file_perms;

 # Read dmesg
-allow dumpstate self:capability2 syslog;
+allow dumpstate self:global_capability2_class_set syslog;
 allow dumpstate kernel:system syslog_read;

 # Read /sys/fs/pstore/console-ramoops
@@ -116,7 +116,7 @@ hal_client_domain(dumpstate, hal_vibrator)
 allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };

 # Reading /proc/PID/maps of other processes
-allow dumpstate self:capability sys_ptrace;
+allow dumpstate self:global_capability_class_set sys_ptrace;

 # Allow the bugreport service to create a file in
 # /data/data/com.android.shell/files/bugreports/bugreport