diff --git a/private/adbd.te b/private/adbd.te
index 47a6cbd8cf701a04032f8236fa3dc8f7364e43d6..2f6a450d30a2289b71804bb8c0d012d7959efabc 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -17,10 +17,10 @@ userdebug_or_eng(`
 allow adbd shell:process { noatsecure signal };
 # Set UID and GID to shell. Set supplementary groups.
-allow adbd self:capability { setuid setgid };
+allow adbd self:global_capability_class_set { setuid setgid };
 # Drop capabilities from bounding set on user builds.
-allow adbd self:capability setpcap;
+allow adbd self:global_capability_class_set setpcap;
 # Create and use network sockets.
 net_domain(adbd)
diff --git a/private/app.te b/private/app.te
index c978306d704150689364694e25c33d538f443f84..184629d05165801a695302bb921a60ecb57221a0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -350,8 +350,7 @@ with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
 # Superuser capabilities.
 # bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability *;
-neverallow { appdomain -bluetooth } self:capability2 *;
+neverallow { appdomain -bluetooth } self:capability_class_set *;
 # Block device access.
 neverallow appdomain dev_type:blk_file { read write };
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 41867ae459ce25ff48159a6b2ec0ff0a9b6c8e97..86a7a2a8880a72aee0a1280cfaf76a1ce2fb7547 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
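Review bot: The two rewritten `allow adbd self:...` rules are not a pure rename: per the global_macros hunk later in this diff, `global_capability_class_set` expands to `{ capability cap_userns }`, so each grant now also covers the class the kernel appears to use for capability checks made from a non-initial user namespace. The same widening applies to every other `allow`/`dontaudit` hunk in the diff (bluetooth, incidentd, logpersist, netutils_wrapper, storaged, surfaceflinger, system_server, vold_prepare_subdirs, webview_zygote, zygote and the public/*.te files), while the `neverallow` rewrites widen the prohibition, which is the safe direction. If granting capabilities inside user namespaces is intended for these domains, a one-line comment at the first such rule would save the next reader from assuming this is cosmetic, e.g. `# global_capability_class_set also covers cap_userns (checks from a user namespace).`. The userdebug_or_eng block that this hunk's first context line belongs to starts outside the hunk.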
@@ -22,12 +22,12 @@ allow bluetooth bluetooth_logs_data_file:file create_file_perms;
 # Socket creation under /data/misc/bluedroid.
 allow bluetooth bluetooth_socket:sock_file create_file_perms;
-allow bluetooth self:capability net_admin;
-allow bluetooth self:capability2 wake_alarm;
+allow bluetooth self:global_capability_class_set net_admin;
+allow bluetooth self:global_capability2_class_set wake_alarm;
 # tethering
 allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
-allow bluetooth self:capability { net_admin net_raw net_bind_service };
+allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
 allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
 allow bluetooth tun_device:chr_file rw_file_perms;
 allow bluetooth efs_file:dir search;
@@ -56,7 +56,7 @@ allow bluetooth system_api_service:service_manager find;
 allow bluetooth shell_data_file:file read;
 # Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
-allow bluetooth self:capability sys_nice;
+allow bluetooth self:global_capability_class_set sys_nice;
 hal_client_domain(bluetooth, hal_bluetooth)
 hal_client_domain(bluetooth, hal_telephony)
@@ -71,5 +71,5 @@ read_runtime_log_tags(bluetooth)
 # Superuser capabilities.
 # Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
-neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
+neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
+neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };
diff --git a/private/domain.te b/private/domain.te
index ec34213997ae0d3987b6fda1e1714a840a45a870..663c5418f0cf73d78601f60aaae863312b07d1d9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -12,7 +12,7 @@ neverallow {
 -storaged
 -system_server
 userdebug_or_eng(`-perfprofd')
-} self:capability sys_ptrace;
+} self:global_capability_class_set sys_ptrace;
 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app } *:keystore_key gen_unique_id;
diff --git a/private/incidentd.te b/private/incidentd.te
index efd23bdae8896c29a4bce0757e9a8c4b61e6e60f..5810d9a096bec02d39dbbe24b2dc3b90cf1aff72 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -7,12 +7,12 @@ wakelock_use(incidentd)
 # Allow setting process priority, protect from OOM killer, and dropping
 # privileges by switching UID / GID
-# TODO allow incidentd self:capability { setuid setgid sys_resource };
+# TODO allow incidentd self:global_capability_class_set { setuid setgid sys_resource };
 # Allow incidentd to scan through /proc/pid for all processes
 r_dir_file(incidentd, domain)
-allow incidentd self:capability {
+allow incidentd self:global_capability_class_set {
 # Send signals to processes
 kill
 };
@@ -56,7 +56,7 @@ binder_call(incidentd, binderservicedomain)
 binder_call(incidentd, appdomain)
 # Reading /proc/PID/maps of other processes
-# TODO allow incidentd self:capability sys_ptrace;
+# TODO allow incidentd self:global_capability_class_set sys_ptrace;
 # Run a shell.
 allow incidentd shell_exec:file rx_file_perms;
diff --git a/private/logpersist.te b/private/logpersist.te
index 70e3198b54fb04f230575ac384da5291a4363543..8cdbd2dd01db4b29c3ed16645e0178ae30f7ad69 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -8,7 +8,7 @@ userdebug_or_eng(`
 allow logpersist misc_logd_file:file create_file_perms;
 allow logpersist misc_logd_file:dir rw_dir_perms;
- allow logpersist self:capability sys_nice;
+ allow logpersist self:global_capability_class_set sys_nice;
 allow logpersist pstorefs:dir search;
 allow logpersist pstorefs:file r_file_perms;
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index f7fe32ae46bd6212ccbeb559e9c5812a9a8369f0..9a5697e36a3679e734818d5ec849312d9eb75a26 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -3,13 +3,13 @@ typeattribute netutils_wrapper coredomain;
 r_dir_file(netutils_wrapper, system_file);
 # For netutils (ip, iptables, tc)
-allow netutils_wrapper self:capability net_raw;
+allow netutils_wrapper self:global_capability_class_set net_raw;
 allow netutils_wrapper system_file:file { execute execute_no_trans };
 allow netutils_wrapper proc_net:file { open read getattr };
 allow netutils_wrapper self:rawip_socket create_socket_perms;
 allow netutils_wrapper self:udp_socket create_socket_perms;
-allow netutils_wrapper self:capability net_admin;
+allow netutils_wrapper self:global_capability_class_set net_admin;
 # ip utils need everything but ioctl
 allow netutils_wrapper self:netlink_route_socket ~ioctl;
 allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
diff --git a/private/storaged.te b/private/storaged.te
index 96d59d978be963f0842e4e71fc5d10e4a8fe3b48..8be0b91b2592a87474426c34b5e80c26a4dde4ea 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -50,7 +50,7 @@ allow storaged package_native_service:service_manager find;
 # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
 # running as root. See b/35323867 #3.
-dontaudit storaged self:capability dac_override;
+dontaudit storaged self:global_capability_class_set dac_override;
 ###
 ### neverallow
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 5fbd9ab263cefc5035ce9f0cb33d7922670e2d1e..f28e3fec1e226d35d39b835406235b2d7843940b 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -87,7 +87,7 @@ allow surfaceflinger window_service:service_manager find;
 # allow self to set SCHED_FIFO
-allow surfaceflinger self:capability sys_nice;
+allow surfaceflinger self:global_capability_class_set sys_nice;
 allow surfaceflinger proc_meminfo:file r_file_perms;
 r_dir_file(surfaceflinger, cgroup)
 r_dir_file(surfaceflinger, system_file)
diff --git a/private/system_server.te b/private/system_server.te
index 639d3878fdedd757e816c6a29e7ff2d9c661b325..920658fe20ebe7091c1ecc4f8094bc40b56e7d89 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -52,7 +52,7 @@ bluetooth_domain(system_server)
 # These are the capabilities assigned by the zygote to the
 # system server.
-allow system_server self:capability {
+allow system_server self:global_capability_class_set {
 ipc_lock
 kill
 net_admin
@@ -72,7 +72,7 @@ wakelock_use(system_server)
 allow system_server kernel:system module_request;
 # Allow alarmtimers to be set
-allow system_server self:capability2 wake_alarm;
+allow system_server self:global_capability2_class_set wake_alarm;
 # Create and share netlink_netfilter_sockets for tetheroffload.
 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 3f17ce5c6b110b57f46960763eec38e49e8dac7d..7bdcd8474baad1246a3b345d22cf3604e4f0c536 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -7,7 +7,7 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
 allow vold_prepare_subdirs vold:fd use;
 allow vold_prepare_subdirs vold:fifo_file { read write };
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:capability dac_override;
+allow vold_prepare_subdirs self:global_capability_class_set dac_override;
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
 allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 3c5403b0dca8d962fca7a43f3efc7a672feb81a4..f85d40cdbbff66b066a812cd107ce5e0f6a91234 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -20,9 +20,9 @@ allow webview_zygote shared_relro_file:dir search;
 allow webview_zygote shared_relro_file:file r_file_perms;
 # Set the UID/GID of the process.
-allow webview_zygote self:capability { setgid setuid };
+allow webview_zygote self:global_capability_class_set { setgid setuid };
 # Drop capabilities from bounding set.
-allow webview_zygote self:capability setpcap;
+allow webview_zygote self:global_capability_class_set setpcap;
 # Switch SELinux context to app domains.
 allow webview_zygote self:process setcurrent;
 allow webview_zygote isolated_app:process dyntransition;
diff --git a/private/zygote.te b/private/zygote.te
index 7fe79ef43ad85a6e3fa1f330beffed94dbd473b7..9ec0e4ac25dd1efa3f2554fd948d7c2d0b0e762d 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -7,10 +7,10 @@ init_daemon_domain(zygote)
 read_runtime_log_tags(zygote)
 # Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid fowner chown };
+allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
 # Drop capabilities from bounding set.
-allow zygote self:capability setpcap;
+allow zygote self:global_capability_class_set setpcap;
 # Switch SELinux context to app domains.
 allow zygote self:process setcurrent;
@@ -56,7 +56,7 @@ r_dir_file(zygote, vendor_overlay_file)
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote self:capability sys_admin;
+allow zygote self:global_capability_class_set sys_admin;
 # Allow zygote to stat the files that it opens. The zygote must
 # be able to inspect them so that it can reopen them on fork
diff --git a/public/charger.te b/public/charger.te
index 9c48dddbd74672ff9a5daa5e5e809e06fe93ebc8..4577cbcec5f5dcf2448184780006a2725b64884b 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -10,8 +10,8 @@ r_dir_file(charger, sysfs_type)
 r_dir_file(charger, rootfs)
 r_dir_file(charger, cgroup)
-allow charger self:capability { sys_tty_config };
-allow charger self:capability sys_boot;
+allow charger self:global_capability_class_set { sys_tty_config };
+allow charger self:global_capability_class_set sys_boot;
 wakelock_use(charger)
diff --git a/public/clatd.te b/public/clatd.te
index 212b76edee64ff5ceb097bc7511c6757a3b074c0..ee44abf7c6d02a949d729dfc1b9c77f991278f30 100644
--- a/public/clatd.te
+++ b/public/clatd.te
@@ -17,7 +17,7 @@ allow clatd netd:udp_socket { read write };
 allow clatd netd:unix_stream_socket { read write };
 allow clatd netd:unix_dgram_socket { read write };
-allow clatd self:capability { net_admin net_raw setuid setgid };
+allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
 # clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
 # capable(CAP_IPC_LOCK), and then checks to see the requested amount is
@@ -26,7 +26,7 @@ allow clatd self:capability { net_admin net_raw setuid setgid };
 # so we permit any requests we see from clatd asking for this capability.
 # See https://android-review.googlesource.com/127940 and
 # https://b.corp.google.com/issues/21736319
-allow clatd self:capability ipc_lock;
+allow clatd self:global_capability_class_set ipc_lock;
 allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index c101b34d6b12a6516a11be95890368605976e8bc..d70b15065258f8681f463bd40be45a76f69645d9 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -11,7 +11,7 @@ allow crash_dump {
 # crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
 # which will result in an audit log even when it's allowed to trace.
-dontaudit crash_dump self:capability { sys_ptrace };
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
 userdebug_or_eng(`
 allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
diff --git a/public/dhcp.te b/public/dhcp.te
index 2b54b7f8850443e9ec5b18b08cca0bedfb6eabbc..1f1ef2b48ccc7155392047812f5139ac6a12a83a 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -4,7 +4,7 @@ type dhcp_exec, exec_type, file_type;
 net_domain(dhcp)
 allow dhcp cgroup:dir { create write add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
 allow dhcp self:packet_socket create_socket_perms_no_ioctl;
 allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index ccac69a3370c0e65a91a4dcaf1b41fd2d187ad5c..3aaefd3e6e0d42944309449af354ffa1b187d9b7 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -6,9 +6,9 @@ net_domain(dnsmasq)
 allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
 # TODO: Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:capability dac_override;
+allow dnsmasq self:global_capability_class_set dac_override;
-allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
+allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
 allow dnsmasq dhcp_data_file:dir w_dir_perms;
 allow dnsmasq dhcp_data_file:file create_file_perms;
diff --git a/public/domain.te b/public/domain.te
index f6e65be589a346940b94a7f57742e2007e7749bc..3ca05b6e7fbeed9362974cad010b93d59afb80ac 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -248,7 +248,7 @@ neverallow {
 -init
 -ueventd
 -vold
-} self:capability mknod;
+} self:global_capability_class_set mknod;
 # Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
 neverallow {
@@ -261,16 +261,16 @@ neverallow {
 -healthd
 -uncrypt
 -tee
-} self:capability sys_rawio;
+} self:global_capability_class_set sys_rawio;
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
 neverallow * self:memprotect mmap_zero;
 # No domain needs mac_override as it is unused by SELinux.
-neverallow * self:capability2 mac_override;
+neverallow * self:global_capability2_class_set mac_override;
 # Only recovery needs mac_admin to set contexts not defined in current policy.
-neverallow { domain -recovery } self:capability2 mac_admin;
+neverallow { domain -recovery } self:global_capability2_class_set mac_admin;
 # Once the policy has been loaded there shall be none to modify the policy.
 # It is sealed.
@@ -1023,7 +1023,7 @@ neverallow * ~{ system_file vendor_file rootfs }:system module_load;
 neverallow {
 domain
 -recovery
-} self:capability setfcap;
+} self:global_capability_class_set setfcap;
 # Enforce AT_SECURE for executing crash_dump.
 neverallow domain crash_dump:process noatsecure;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 772b63d76e96d45f0572154987785f022e144801..6f1fa69c02a6dd2c6ae52a828e138baa2bc59fe5 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -8,12 +8,12 @@ wakelock_use(dumpstate)
 # Allow setting process priority, protect from OOM killer, and dropping
 # privileges by switching UID / GID
-allow dumpstate self:capability { setuid setgid sys_resource };
+allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
 # Allow dumpstate to scan through /proc/pid for all processes
 r_dir_file(dumpstate, domain)
-allow dumpstate self:capability {
+allow dumpstate self:global_capability_class_set {
 # Send signals to processes
 kill
 # Run iptables
@@ -33,7 +33,7 @@ allow dumpstate toolbox_exec:file rx_file_perms;
 allow dumpstate system_file:dir r_dir_perms;
 # Create and write into /data/anr/
-allow dumpstate self:capability { dac_override chown fowner fsetid };
+allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
 allow dumpstate anr_data_file:dir rw_dir_perms;
 allow dumpstate anr_data_file:file create_file_perms;
@@ -42,7 +42,7 @@ allow dumpstate anr_data_file:file create_file_perms;
 allow dumpstate system_data_file:file r_file_perms;
 # Read dmesg
-allow dumpstate self:capability2 syslog;
+allow dumpstate self:global_capability2_class_set syslog;
 allow dumpstate kernel:system syslog_read;
 # Read /sys/fs/pstore/console-ramoops
@@ -116,7 +116,7 @@ hal_client_domain(dumpstate, hal_vibrator)
 allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
 # Reading /proc/PID/maps of other processes
-allow dumpstate self:capability sys_ptrace;
+allow dumpstate self:global_capability_class_set sys_ptrace;
 # Allow the bugreport service to create a file in
 # /data/data/com.android.shell/files/bugreports/bugreport
diff --git a/public/global_macros b/public/global_macros
index bcfb68644a6057347b02fbfbf84faf01e23dec53..5dab5ab0c77107cbac0628cab207ef0c511e6066 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -1,7 +1,9 @@
 #####################################
 # Common groupings of object classes.
 #
-define(`capability_class_set', `{ capability capability2 }')
+define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
+define(`global_capability_class_set', `{ capability cap_userns }')
+define(`global_capability2_class_set', `{ capability2 cap2_userns }')
 define(`devfile_class_set', `{ chr_file blk_file }')
 define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 2394e2ebcd393d6153d8c896fb2986be6ef9cd04..461523bdca988a6c132c5d909bfff8ec462adf03 100644
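Review bot: The three `define` lines added to public/global_macros carry no comment, although they are the only place that explains why the rest of this diff switches `self:capability` to `self:global_capability_class_set`: `capability_class_set` now spans all four classes, while the `global_*` pair bundles one class with its `cap_userns`/`cap2_userns` counterpart, which as far as I can tell is the class the kernel uses for capability checks made from a non-initial user namespace. A reader of a `.te` file has to come here to learn that, so the macros deserve a short header, e.g. `# global_capability_class_set / global_capability2_class_set: a capability class plus its` and `# user-namespace counterpart; use these in allow/neverallow rules so both are covered.`. The existing `# Common groupings of object classes.` banner stays as is.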
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -8,7 +8,7 @@ allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
 wakelock_use(hal_bluetooth);
 # The HAL toggles rfkill to power the chip off/on.
-allow hal_bluetooth self:capability net_admin;
+allow hal_bluetooth self:global_capability_class_set net_admin;
 # bluetooth factory file accesses.
 r_dir_file(hal_bluetooth, bluetooth_efs_file)
@@ -18,7 +18,7 @@ allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
 # sysfs access.
 r_dir_file(hal_bluetooth, sysfs_type)
 allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow hal_bluetooth self:capability2 wake_alarm;
+allow hal_bluetooth self:global_capability2_class_set wake_alarm;
 # Allow write access to bluetooth-specific properties
 set_prop(hal_bluetooth, bluetooth_prop)
@@ -27,4 +27,4 @@ set_prop(hal_bluetooth, bluetooth_prop)
 allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
 # allow to run with real-time scheduling policy
-allow hal_bluetooth self:capability sys_nice;
+allow hal_bluetooth self:global_capability_class_set sys_nice;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index f56e8f6d72297e4658a4a7c307634732d6c3b0e4..e2b04ae83ce0e500742f9646e45f5711a5f105aa 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -10,4 +10,4 @@ allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
 # allow to run with real-time scheduling policy
-allow hal_graphics_allocator self:capability sys_nice;
+allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 287037c6e0e621f41fc301451512dc7223dd8839..2df461249614627d8b7414c49438e80d32d5850a 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -23,4 +23,4 @@ allow hal_graphics_composer bootanim:fd use;
 allow hal_graphics_composer appdomain:fd use;
 # allow self to set SCHED_FIFO
-allow hal_graphics_composer self:capability sys_nice;
+allow hal_graphics_composer self:global_capability_class_set sys_nice;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 036e1d2dca7cb2dbca35b58a897c4465bb3fd8e1..c866baeff9a8bff9821bb5a36be6ae0cefa6468a 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -6,7 +6,7 @@ neverallow {
 -hal_wifi_server
 -hal_wifi_supplicant_server
 -rild
-} self:capability { net_admin net_raw };
+} self:global_capability_class_set { net_admin net_raw };
 # Unless a HAL's job is to communicate over the network, or control network
 # hardware, it should not be using network sockets.
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 068c93b8c351b9d37813e00d8713e2d7e6c5a644..9d7cbe91396652ea4943147203937c1071501d6a 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -12,4 +12,4 @@ allow hal_sensors { appdomain -isolated_app }:fd use;
 allow hal_sensors hal_allocator:fd use;
 # allow to run with real-time scheduling policy
-allow hal_sensors self:capability sys_nice;
+allow hal_sensors self:global_capability_class_set sys_nice;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index e267731453e25f3aca2fa12fa935332d0e321438..ac8a0d9f13a266bd9e04a5bc655e376e877b1551 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -14,7 +14,7 @@ set_prop(hal_wifi, wifi_prop)
 allow hal_wifi self:udp_socket create_socket_perms;
 allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
-allow hal_wifi self:capability { net_admin net_raw };
+allow hal_wifi self:global_capability_class_set { net_admin net_raw };
 # allow hal_wifi to speak to nl80211 in the kernel
 allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
 # newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
@@ -22,4 +22,4 @@ allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
 # hal_wifi writes firmware paths to this file.
 allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
 # allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
-allow hal_wifi proc_modules:file { getattr open read };
\ No newline at end of file
+allow hal_wifi proc_modules:file { getattr open read };
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 82c9e7d7a202e3dd7ebad733164985201049cd9b..a4f041f58a0cb5eaa16cc3fbe207745fe9058e00 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -12,7 +12,7 @@ r_dir_file(hal_wifi_supplicant, sysfs_type)
 r_dir_file(hal_wifi_supplicant, proc_net)
 allow hal_wifi_supplicant kernel:system module_request;
-allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
+allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
 allow hal_wifi_supplicant cgroup:dir create_dir_perms;
 allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
 allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
diff --git a/public/healthd.te b/public/healthd.te
index e4cae1f690de75400ea8fa1ba7800a5b4f89e8f3..5fd603fadf5005424fb0d70de1f8fee2a2ac62f5 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -14,8 +14,8 @@ r_dir_file(healthd, cgroup)
 # /{system,vendor,odm}/lib[64]/hw/
 r_dir_file(healthd, system_file)
-allow healthd self:capability { sys_tty_config };
-allow healthd self:capability sys_boot;
+allow healthd self:global_capability_class_set { sys_tty_config };
+allow healthd self:global_capability_class_set sys_boot;
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
diff --git a/public/init.te b/public/init.te
index 56daa024b0f71e3a672e79c5b0840f8431946c54..c3d0e0a65eba0bcaad499e77a994948a99dec06d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -40,7 +40,7 @@ allow init system_block_device:{ blk_file lnk_file } relabelto;
 allow init misc_block_device:{ blk_file lnk_file } relabelto;
 # setrlimit
-allow init self:capability sys_resource;
+allow init self:global_capability_class_set sys_resource;
 # Remove /dev/.booting, created before initial policy load or restorecon /dev.
 allow init tmpfs:file unlink;
@@ -61,7 +61,7 @@ allow init console_device:chr_file rw_file_perms;
 allow init tty_device:chr_file rw_file_perms;
 # Call mount(2).
-allow init self:capability sys_admin;
+allow init self:global_capability_class_set sys_admin;
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
@@ -92,12 +92,12 @@ allow init configfs:{ file lnk_file } create_file_perms;
 allow init tmpfs:dir relabelfrom;
 # Create directories under /dev/cpuctl after chowning it to system.
-allow init self:capability dac_override;
+allow init self:global_capability_class_set dac_override;
 # Set system clock.
-allow init self:capability sys_time;
+allow init self:global_capability_class_set sys_time;
-allow init self:capability { sys_rawio mknod };
+allow init self:global_capability_class_set { sys_rawio mknod };
 # Mounting filesystems from block devices.
 allow init dev_type:blk_file r_file_perms;
@@ -124,7 +124,7 @@ allow init rootfs:{ dir file } relabelfrom;
 # system/core/init.rc requires at least cache_file and data_file_type.
 # init.<board>.rc files often include device-specific types, so
 # we just allow all file types except /system files here.
-allow init self:capability { chown fowner fsetid };
+allow init self:global_capability_class_set { chown fowner fsetid };
 allow init {
 file_type
@@ -256,7 +256,7 @@ allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 # Any operation that can modify the kernel ring buffer, e.g. clear
 # or a read that consumes the messages that were read.
 allow init kernel:system syslog_mod;
-allow init self:capability2 syslog;
+allow init self:global_capability2_class_set syslog;
 # init access to /proc.
 r_dir_file(init, proc_net)
@@ -295,10 +295,10 @@ allow init {
 # Set usermodehelpers.
 allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
-allow init self:capability net_admin;
+allow init self:global_capability_class_set net_admin;
 # Reboot.
-allow init self:capability sys_boot;
+allow init self:global_capability_class_set sys_boot;
 # Write to sysfs nodes.
 allow init sysfs_type:dir r_dir_perms;
@@ -311,7 +311,7 @@ allow init misc_logd_file:dir { add_name open create read getattr setattr search
 allow init misc_logd_file:file { open create getattr setattr write };
 # Support "adb shell stop"
-allow init self:capability kill;
+allow init self:global_capability_class_set kill;
 allow init domain:process { getpgid sigkill signal };
 # Init creates keystore's directory on boot, and walks through
@@ -329,7 +329,7 @@ allow init shell_data_file:dir { open create read getattr setattr search };
 allow init shell_data_file:file { getattr };
 # Set UID, GID, and adjust capability bounding set for services.
-allow init self:capability { setuid setgid setpcap };
+allow init self:global_capability_class_set { setuid setgid setpcap };
 # For bootchart to read the /proc/$pid/cmdline file of each process,
 # we need to have following line to allow init to have access
@@ -369,13 +369,13 @@ allow init property_type:property_service set;
 # so it can be picked up and processed by logd. These denials are
 # generated when an attempt to set a property is denied by policy.
 allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
-allow init self:capability audit_write;
+allow init self:global_capability_class_set audit_write;
 # Run "ifup lo" to bring up the localhost interface
 allow init self:udp_socket { create ioctl };
 # in addition to unpriv ioctls granted to all domains, init also needs:
 allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
-allow init self:capability net_raw;
+allow init self:global_capability_class_set net_raw;
 # This line seems suspect, as it should not really need to
 # set scheduling parameters for a kernel domain task.
@@ -396,7 +396,7 @@ allow init hw_random_device:chr_file r_file_perms;
 allow init device:file create_file_perms;
 # keychord configuration
-allow init self:capability sys_tty_config;
+allow init self:global_capability_class_set sys_tty_config;
 allow init keychord_device:chr_file rw_file_perms;
 # Access device mapper for setting up dm-verity
diff --git a/public/install_recovery.te b/public/install_recovery.te
index 21156634d9cd63d12fa980ba7721a8ea83766341..ab688386e577fc9948a72c2460af73a24da0cc1f 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -2,7 +2,7 @@ type install_recovery, domain;
 type install_recovery_exec, exec_type, file_type;
-allow install_recovery self:capability dac_override;
+allow install_recovery self:global_capability_class_set dac_override;
 # /system/bin/install-recovery.sh is a shell script.
 # Needs to execute /system/bin/sh
diff --git a/public/installd.te b/public/installd.te
index d02a86ad4cefa7071d285b415feb5fd1edbf15db..fad4562addb48ee5abb4be5f2dc6f6645f53c291 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -2,7 +2,7 @@ type installd, domain;
 type installd_exec, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
 # Allow labeling of files under /data/app/com.example/oat/
 allow installd dalvikcache_data_file:dir relabelto;
diff --git a/public/kernel.te b/public/kernel.te
index 74c77a961f705fbbf7026fa1738e97a38fcdfd3a..ba1dec95cf6ac5adbb9780d0c84b436e1bb9c679 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -1,7 +1,7 @@
 # Life begins with the kernel.
 type kernel, domain, mlstrustedsubject;
-allow kernel self:capability sys_nice;
+allow kernel self:global_capability_class_set sys_nice;
 # Root fs.
 r_dir_file(kernel, rootfs)
@@ -33,14 +33,14 @@ allow kernel usbfs:dir search;
 dontaudit kernel self:security setenforce;
 # Write to /proc/1/oom_adj prior to switching to init domain.
-allow kernel self:capability sys_resource;
+allow kernel self:global_capability_class_set sys_resource;
 # Init reboot before switching selinux domains under certain error
 # conditions. Allow it.
 # As part of rebooting, init writes "u" to /proc/sysrq-trigger to
 # remount filesystems read-only. /data is not mounted at this point,
 # so we could ignore this. For now, we allow it.
-allow kernel self:capability sys_boot;
+allow kernel self:global_capability_class_set sys_boot;
 allow kernel proc_sysrq:file w_file_perms;
 # Allow writing to /dev/kmsg which was created prior to loading policy.
@@ -101,4 +101,4 @@ neverallow kernel *:file { entrypoint execute_no_trans };
 # the kernel should not be accessing files owned by other users.
 # Instead of adding dac_{read_search,override}, fix the unix permissions
 # on files being accessed.
-neverallow kernel self:capability { dac_override dac_read_search };
+neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
diff --git a/public/lmkd.te b/public/lmkd.te
index 0ff9518148d053eed6b789723aeb699d43fe9124..f43e42a2eea610a24c8a684fe4c80ad25ed6d7c0 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -2,13 +2,13 @@ type lmkd, domain, mlstrustedsubject;
 type lmkd_exec, exec_type, file_type;
-allow lmkd self:capability { dac_override sys_resource kill };
+allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
 # lmkd locks itself in memory, to prevent it from being
 # swapped out and unable to kill other memory hogs.
 # system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
 # b/16236289
-allow lmkd self:capability ipc_lock;
+allow lmkd self:global_capability_class_set ipc_lock;
 ## Open and write to /proc/PID/oom_score_adj
 ## TODO: maybe scope this down?
@@ -31,7 +31,7 @@ allow lmkd cgroup:dir { remove_name rmdir };
 allow lmkd cgroup:file r_file_perms;
 # Set self to SCHED_FIFO
-allow lmkd self:capability sys_nice;
+allow lmkd self:global_capability_class_set sys_nice;
 allow lmkd proc_zoneinfo:file r_file_perms;
diff --git a/public/logd.te b/public/logd.te
index c47bfd744aee89aac26ef81121ee1466224aedb2..817a7059fc716e7ec61f87ff7878c61310a77b07 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -8,8 +8,8 @@ r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
 r_dir_file(logd, proc_net)
-allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
-allow logd self:capability2 syslog;
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
 allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
 allow logd kernel:system syslog_read;
 allow logd kmsg_device:chr_file w_file_perms;
diff --git a/public/modprobe.te b/public/modprobe.te
index 3ed320e5b3b632e092785f11875d6ea6a76ba76a..7d9e05d6ae6287298d26169b9a9f2afd40bd27ab 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -1,7 +1,7 @@
 type modprobe, domain;
 allow modprobe proc_modules:file r_file_perms;
-allow modprobe self:capability sys_module;
+allow modprobe self:global_capability_class_set sys_module;
 allow modprobe kernel:key search;
 recovery_only(`
 allow modprobe rootfs:system module_load;
diff --git a/public/mtp.te b/public/mtp.te
index a77624064677516b6531cc1a1ba1333b744b4772..7256bcf55795a13aa6485b35fecb09f88bb2ae34 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -6,6 +6,6 @@ net_domain(mtp)
 # pptp policy
 allow mtp self:socket create_socket_perms_no_ioctl;
-allow mtp self:capability net_raw;
+allow mtp self:global_capability_class_set net_raw;
 allow mtp ppp:process signal;
 allow mtp vpn_data_file:dir search;
diff --git a/public/netd.te b/public/netd.te
index ab01fd834ee5f27c07dae305099e3b4202a0b41e..fa03dbdb64994ff0e41f77caffc5bb15e2bd660d 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -9,14 +9,14 @@ allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
 r_dir_file(netd, cgroup)
 allow netd system_server:fd use;
-allow netd self:capability { net_admin net_raw kill };
+allow netd self:global_capability_class_set { net_admin net_raw kill };
 # Note: fsetid is deliberately not included above. fsetid checks are
 # triggered by chmod on a directory or file owned by a group other
 # than one of the groups assigned to the current process to see if
 # the setgid bit should be cleared, regardless of whether the setgid
 # bit was even set. We do not appear to truly need this capability
 # for netd to operate.
-dontaudit netd self:capability fsetid;
+dontaudit netd self:global_capability_class_set fsetid;
 allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_route_socket nlmsg_write;
@@ -60,12 +60,12 @@ allow netd sysfs_usb:file write;
 # TODO: netd previously thought it needed these permissions to do WiFi related
 # work. However, after all the WiFi stuff is gone, we still need them.
 # Why?
-allow netd self:capability { dac_override chown };
+allow netd self:global_capability_class_set { dac_override chown };
 # Needed to update /data/misc/net/rt_tables
 allow netd net_data_file:file create_file_perms;
 allow netd net_data_file:dir rw_dir_perms;
-allow netd self:capability fowner;
+allow netd self:global_capability_class_set fowner;
 # Needed to lock the iptables lock.
 allow netd system_file:file lock;
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
index c071f447f15e529a6505d74e766fdbea336a9b20..894363ab1fa6eba41a371b16287a5472ccb20300 100644
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -5,7 +5,7 @@ type otapreopt_chroot_exec, exec_type, file_type;
 # Chroot preparation and execution.
 # We need to create an unshared mount namespace, and then mount /data.
 allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot self:capability { sys_admin sys_chroot };
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
 # This is required to mount /vendor.
 allow otapreopt_chroot block_device:dir search;
diff --git a/public/performanced.te b/public/performanced.te
index 9bf813e1a7ede74f73b9aa4f4e1445f75537ea10..5f23088ad7c985978201dda2ba07de5b570aae86 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -10,7 +10,7 @@ allow performanced permission_service:service_manager find;
 pdx_server(performanced, performance_client)
 # TODO: use file caps to obtain sys_nice instead of setuid / setgid.
-allow performanced self:capability { setuid setgid sys_nice };
+allow performanced self:global_capability_class_set { setuid setgid sys_nice };
 # Access /proc to validate we're only affecting threads in the same thread group.
 # Performanced also shields unbound kernel threads. It scans every task in the
diff --git a/public/perfprofd.te b/public/perfprofd.te
index bfb8693fa47d8e98181656bae333410bee868d52..578391cfd30bf71daeaf6188714866aacdbf4746 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -20,7 +20,7 @@ userdebug_or_eng(`
 # perfprofd reads a config file from /data/data/com.google.android.gms/files
 allow perfprofd app_data_file:file r_file_perms;
 allow perfprofd app_data_file:dir search;
- allow perfprofd self:capability { dac_override };
+ allow perfprofd self:global_capability_class_set { dac_override };
 # perfprofd opens a file for writing in /data/misc/perfprofd
 allow perfprofd perfprofd_data_file:file create_file_perms;
@@ -34,13 +34,13 @@ userdebug_or_eng(`
 wakelock_use(perfprofd);
 # simpleperf uses ioctl() to turn on kernel perf events measurements
- allow perfprofd self:capability sys_admin;
+ allow perfprofd self:global_capability_class_set sys_admin;
 # simpleperf needs to examine /proc to collect task/thread info
 r_dir_file(perfprofd, domain)
 # simpleperf needs to access /proc/<pid>/exec
- allow perfprofd self:capability { sys_resource sys_ptrace };
+ allow perfprofd self:global_capability_class_set { sys_resource sys_ptrace };
 neverallow perfprofd domain:process ptrace;
 # simpleperf needs open/read any file that turns up in a profile
@@ -54,6 +54,6 @@ userdebug_or_eng(`
 allow perfprofd toolbox_exec:file rx_file_perms;
 # needed for simpleperf on some kernels
- allow perfprofd self:capability ipc_lock;
+ allow perfprofd self:global_capability_class_set ipc_lock;
 ')
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index d6c20602be771d26ad67064ed67141118093c422..8881f4414fdfcce36cfbe1e9efba379c84562de8 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,7 +5,7 @@ type postinstall_dexopt, domain;
-allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner setgid setuid };
 allow postinstall_dexopt postinstall_file:filesystem getattr;
 allow postinstall_dexopt postinstall_file:dir { getattr search };
diff --git a/public/ppp.te b/public/ppp.te
index 04e17f57ad708feced020739dd45d421f472d6a9..9340dee87db4d5610858c169ae8d8fdb58f44544 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -15,7 +15,7 @@ allowxperm ppp mtp:socket ioctl ppp_ioctls;
 allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:capability net_admin;
+allow ppp self:global_capability_class_set net_admin;
 allow ppp system_file:file rx_file_perms;
 not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
 allow ppp vpn_data_file:dir w_dir_perms;
diff --git a/public/racoon.te b/public/racoon.te
index 00744d8f10a0de919c1ffe1838ec5c72d68a6b89..c759217a061214f629028d3a9f88063e6d8b8ec7 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -15,7 +15,7 @@ allow racoon kernel:system module_request;
 allow racoon self:key_socket create_socket_perms_no_ioctl;
 allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:capability { net_admin net_bind_service net_raw };
+allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
 allow racoon system_file:file rx_file_perms;
diff --git a/public/recovery.te b/public/recovery.te
index fb61dbd5ffeb858fd27f0a80c2e08f63cf253c88..3e3c28e61531fbde5bdd95f11a2f7b6f4021eb1a 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -12,10 +12,10 @@ recovery_only(`
 # Recovery can only use HALs in passthrough mode
 passthrough_hal_client_domain(recovery, hal_bootctl)
- allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
+ allow recovery self:global_capability_class_set { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
 # Set security contexts on files that are not known to the loaded policy.
- allow recovery self:capability2 mac_admin;
+ allow recovery self:global_capability2_class_set mac_admin;
 # Run helpers from / or /system without changing domain.
 r_dir_file(recovery, rootfs)
diff --git a/public/rild.te b/public/rild.te
index 4244ff365e8f50405803d0379fe812e21bd8dd28..5bcde720ae13738f269341b90032239f70d045ef 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -7,7 +7,7 @@ allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
 allow rild self:netlink_route_socket nlmsg_write;
 allow rild kernel:system module_request;
-allow rild self:capability { setpcap setgid setuid net_admin net_raw };
+allow rild self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
 allow rild alarm_device:chr_file rw_file_perms;
 allow rild cgroup:dir create_dir_perms;
 allow rild cgroup:{ file lnk_file } r_file_perms;
diff --git a/public/runas.te b/public/runas.te
index ca6f4f6963a3ab0333ebd9650c2a4af06ad79309..053a87f6be2d8ade1555b43ee8511e8e3e474795 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -18,11 +18,11 @@ allow runas system_data_file:lnk_file getattr;
 allow runas system_data_file:lnk_file read;
 # run-as checks and changes to the app data dir.
-dontaudit runas self:capability dac_override;
+dontaudit runas self:global_capability_class_set dac_override;
 allow runas app_data_file:dir { getattr search };
 # run-as switches to the app UID/GID.
-allow runas self:capability { setuid setgid };
+allow runas self:global_capability_class_set { setuid setgid };
 # run-as switches to the app security context.
 selinux_check_context(runas) # validate context
@@ -38,5 +38,5 @@ allow runas seapp_contexts_file:file r_file_perms;
 ###
 # run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow runas self:capability ~{ setuid setgid };
-neverallow runas self:capability2 *;
+neverallow runas self:global_capability_class_set ~{ setuid setgid };
+neverallow runas self:global_capability2_class_set *;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 2af64102da793516f6e82add58f40c3184b1bbfe..4a88f54d01940ab9d53bf358dc82861a766fd6ee 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -10,7 +10,7 @@ allow sdcardd mnt_media_rw_file:dir r_dir_perms;
 allow sdcardd storage_file:dir search;
 allow sdcardd storage_stub_file:dir { search mounton };
 allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
 allow sdcardd sdcard_type:dir create_dir_perms;
 allow sdcardd sdcard_type:file create_file_perms;
diff --git a/public/sgdisk.te b/public/sgdisk.te
index 3007398783ac3ed427f653098985d0a98788cca1..ca3096cefcb1a0fa317a7a4221dd3830f37e1132 100644
--- a/public/sgdisk.te
+++ b/public/sgdisk.te
@@ -14,7 +14,7 @@ allow sgdisk vold:fd use;
 allow sgdisk vold:fifo_file { read write getattr };
 # Used to probe kernel to reload partition tables
-allow sgdisk self:capability sys_admin;
+allow sgdisk self:global_capability_class_set sys_admin;
 # Only allow entry from vold
 neverallow { domain -vold } sgdisk:process transition;
diff --git a/public/slideshow.te b/public/slideshow.te
index 86d4bff2e32746b180a43f2b0d44924acfb1819d..10fbbb8520ba234714c8277c0f2a659bbe37009b 100644
--- a/public/slideshow.te
+++ b/public/slideshow.te
@@ -5,7 +5,7 @@ type slideshow, domain;
 allow slideshow kmsg_device:chr_file rw_file_perms;
 wakelock_use(slideshow)
 allow slideshow device:dir r_dir_perms;
-allow slideshow self:capability sys_tty_config;
+allow slideshow self:global_capability_class_set sys_tty_config;
 allow slideshow graphics_device:dir r_dir_perms;
 allow slideshow graphics_device:chr_file rw_file_perms;
 allow slideshow input_device:dir r_dir_perms;
diff --git a/public/te_macros b/public/te_macros
index f3aa583a50406eec65f0b6389d6b7fed576c7bc8..aad29499bca085e34f5f0c7fd039995eafe733e9 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -402,7 +402,7 @@ define(`wakelock_use', `
 # Access /sys/power/wake_lock and /sys/power/wake_unlock
 allow $1 sysfs_wake_lock:file rw_file_perms;
 # Accessing these files requires CAP_BLOCK_SUSPEND
-allow $1 self:capability2 block_suspend;
+allow $1 self:global_capability2_class_set block_suspend;
 ')
 #####################################
diff --git a/public/ueventd.te b/public/ueventd.te
index 7e1f3fd5fc314767a292ea7e1a797e2043e8a5ae..b4a24970296425933e34787c8a39e571097ccc1e 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -5,7 +5,7 @@ type ueventd, domain;
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;
-allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
 r_dir_file(ueventd, rootfs)
diff --git a/public/uncrypt.te b/public/uncrypt.te
index dd2d7dd71236f65de44683b6362ea7ce731236bc..1e48b831d678fc2482772bd39d1a28ae6d1bf7f9 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -2,7 +2,7 @@ type uncrypt, domain, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
-allow uncrypt self:capability dac_override;
+allow uncrypt self:global_capability_class_set dac_override;
 # Read OTA zip file from /data/data/com.google.android.gsf/app_download
 r_dir_file(uncrypt, app_data_file)
@@ -29,7 +29,7 @@ unix_socket_connect(uncrypt, uncrypt, uncrypt)
 set_prop(uncrypt, powerctl_prop)
 # Raw writes to block device
-allow uncrypt self:capability sys_rawio;
+allow uncrypt self:global_capability_class_set sys_rawio;
 allow uncrypt misc_block_device:blk_file w_file_perms;
 allow uncrypt block_device:dir r_dir_perms;
diff --git a/public/update_engine.te b/public/update_engine.te
index fef5dec78d749b68595ec8cf29c4f91714e679f0..6e97aa919290ad8f7b9fe2cedc2e3ff1d5612bbd 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -11,12 +11,12 @@ allow update_engine qtaguid_device:chr_file r_file_perms;
 # Following permissions are needed for update_engine.
 allow update_engine self:process { setsched };
-allow update_engine self:capability { fowner sys_admin };
+allow update_engine self:global_capability_class_set { fowner sys_admin };
 # Note: fsetid checks are triggered when creating a file in a directory with
 # the setgid bit set to determine if the file should inherit setgid. In this
 # case, setgid on the file is undesirable so we should just suppress the
 # denial.
-dontaudit update_engine self:capability fsetid;
+dontaudit update_engine self:global_capability_class_set fsetid;
 allow update_engine kmsg_device:chr_file w_file_perms;
 allow update_engine update_engine_exec:file rx_file_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 16d283fadea18e1eb1dcb56e3d0b5d64f8d07603..5b9d09f4449a55598c664d5fcf077dffa7285932 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -22,14 +22,14 @@ allow vendor_init configfs:dir create_dir_perms;
 allow vendor_init configfs:{ file lnk_file } create_file_perms;
 # Create directories under /dev/cpuctl after chowning it to system.
-allow vendor_init self:capability dac_override;
+allow vendor_init self:global_capability_class_set dac_override;
 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
 # chown/chmod require open+read+setattr required for open()+fchown/fchmod().
 # system/core/init.rc requires at least cache_file and data_file_type.
 # init.<board>.rc files often include device-specific types, so
 # we just allow all file types except /system files here.
-allow vendor_init self:capability { chown fowner fsetid };
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
 allow vendor_init { file_type
@@ -188,7 +188,7 @@ allow vendor_init dev_type:blk_file getattr;
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
 r_dir_file(vendor_init, proc_net)
 allow vendor_init proc_net:file w_file_perms;
-allow vendor_init self:capability net_admin;
+allow vendor_init self:global_capability_class_set net_admin;
 # Write to /proc/sys/vm/page-cluster
 allow vendor_init proc_page_cluster:file w_file_perms;
@@ -207,4 +207,4 @@ r_dir_file(vendor_init, vendor_file_type)
 allow vendor_init serialno_prop:file { getattr open read };
 # Vendor init can perform operations on trusted and security Extended Attributes
-allow vendor_init self:capability sys_admin;
+allow vendor_init self:global_capability_class_set sys_admin;
diff --git a/public/vold.te b/public/vold.te
index 148f4b541adf98ff6aa16cc7ea21fd8cacedd1df..b4469150f21d8325ec42c91cf64f568d81cc7313 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -75,7 +75,7 @@ allow vold shell_data_file:dir { create getattr setattr };
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
@@ -88,7 +88,7 @@ allow vold dm_device:blk_file rw_file_perms;
 allow vold domain:dir r_dir_perms;
 allow vold domain:{ file lnk_file } r_file_perms;
 allow vold domain:process { signal sigkill };
-allow vold self:capability { sys_ptrace kill };
+allow vold self:global_capability_class_set { sys_ptrace kill };
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
@@ -179,10 +179,10 @@ allow vold init:key { write search setattr };
 allow vold vold:key { write search setattr };
 # vold temporarily changes its priority when running benchmarks
-allow vold self:capability sys_nice;
+allow vold self:global_capability_class_set sys_nice;
 # vold needs to chroot into app namespaces to remount when runtime permissions change
-allow vold self:capability sys_chroot;
+allow vold self:global_capability_class_set sys_chroot;
 allow vold storage_file:dir mounton;
 # For AppFuse.
diff --git a/public/wificond.te b/public/wificond.te
index c91053e72a9c8e17bbb01b1adb8bf217660037aa..8eeb8c8f993531af3f100847937f791268371166 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -14,7 +14,7 @@ set_prop(wificond, ctl_default_prop)
 allow wificond self:udp_socket create_socket_perms;
 # setting interface state up/down is a privileged ioctl
 allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
-allow wificond self:capability { net_admin net_raw };
+allow wificond self:global_capability_class_set { net_admin net_raw };
 # allow wificond to speak to nl80211 in the kernel
 allow wificond self:netlink_socket create_socket_perms_no_ioctl;
 # newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
diff --git a/public/wpantund.te b/public/wpantund.te
index a97481eb2ce010e94fd5b3a5b35f2ee6093738b8..b3172365101a72c60e8206932db3e1144fd077ff 100644
--- a/public/wpantund.te
+++ b/public/wpantund.te
@@ -25,5 +25,5 @@ allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
 # Allow us to bring up a TUN network interface.
 allow wpantund tun_device:chr_file rw_file_perms;
-allow wpantund self:capability { net_admin net_raw };
+allow wpantund self:global_capability_class_set { net_admin net_raw };
 allow wpantund self:tun_socket create;
diff --git a/vendor/hostapd.te b/vendor/hostapd.te
index 2c62cf03508096aea768475b5bb6cffd5c9b1e87..ab0545df50e9947440664e1848cfcd1d2096eb25 100644
--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@@ -5,7 +5,7 @@ type hostapd_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hostapd)
 net_domain(hostapd)
-allow hostapd self:capability { net_admin net_raw };
+allow hostapd self:global_capability_class_set { net_admin net_raw };
 # hostapd learns about its network interface via sysfs.
 allow hostapd sysfs:file r_file_perms;
diff --git a/vendor/tee.te b/vendor/tee.te
index 7eb2430d7fc2352415b5b6759daaad03e8ef01f5..4b2e6c7b50161db779d2f47bccf82d3ee44891be 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -4,7 +4,7 @@ type tee_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(tee)
-allow tee self:capability { dac_override };
+allow tee self:global_capability_class_set { dac_override };
 allow tee tee_device:chr_file rw_file_perms;
 allow tee tee_data_file:dir rw_dir_perms;
 allow tee tee_data_file:file create_file_perms;
diff --git a/vendor/vendor_modprobe.te b/vendor/vendor_modprobe.te
index b8a1edbc93a08051ecfa185e49e774a6371e6dc5..7689ca5d465c2d8b831018823aeb722c3fe357d2 100644
--- a/vendor/vendor_modprobe.te
+++ b/vendor/vendor_modprobe.te
@@ -4,7 +4,7 @@ type vendor_modprobe, domain;
 domain_trans(init, vendor_toolbox_exec, vendor_modprobe)
 allow vendor_modprobe proc_modules:file r_file_perms;
-allow vendor_modprobe self:capability sys_module;
+allow vendor_modprobe self:global_capability_class_set sys_module;
 allow vendor_modprobe kernel:key search;
 allow vendor_modprobe { vendor_file }:system module_load;