sepolicy: Fix references to self:capability

commit 9b2e0cbe added a new self:global_capability_class_set macro that covers both self:capability and self:cap_userns. Apply the new macro to various self:capability references that have cropped up since then. Bug: 112307595 Test: policy diff shows new rules are all cap_userns Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609

sepolicy: Fix references to self:capability
7ed266c6 · Benjamin Gordon · 3784e7fc · 7ed266c6 · 7ed266c6 · 7ed266c6
Commit 7ed266c6 authored 6 years ago by Benjamin Gordon
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -27,4 +27,4 @@ neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
 neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };

-dontaudit bpfloader self:capability sys_admin;
+dontaudit bpfloader self:global_capability_class_set sys_admin;
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -35,7 +35,7 @@ allow traced_probes kmsg_device:chr_file write;
 allow traced_probes system_file:dir { open read };

 # Allow traced_probes to list some of the data partition.
-allow traced_probes self:capability dac_read_search;
+allow traced_probes self:global_capability_class_set dac_read_search;

 allow traced_probes apk_data_file:dir { getattr open read search };
 allow traced_probes dalvikcache_data_file:dir { getattr open read search };

--- a/private/zygote.te
+++ b/private/zygote.te
@@ -112,7 +112,7 @@ get_prop(zygote, overlay_prop)
 get_prop(zygote, exported_overlay_prop)

 # ingore spurious denials
-dontaudit zygote self:capability sys_resource;
+dontaudit zygote self:global_capability_class_set sys_resource;

 ###
 ### neverallow rules

--- a/public/domain.te
+++ b/public/domain.te
@@ -1397,8 +1397,8 @@ neverallow {
  -vold
  -vold_prepare_subdirs
  -zygote
-} self:capability dac_override;
-neverallow { domain -traced_probes } self:capability dac_read_search;
+} self:global_capability_class_set dac_override;
+neverallow { domain -traced_probes } self:global_capability_class_set dac_read_search;

 # If an already existing file is opened with O_CREAT, the kernel might generate
 # a false report of a create denial. Silence these denials and make sure that

--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -4,4 +4,4 @@ binder_call(hal_bootctl_server, hal_bootctl_client)

 hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)

-dontaudit hal_bootctl self:capability sys_rawio;
+dontaudit hal_bootctl self:global_capability_class_set sys_rawio;
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -19,7 +19,7 @@ wakelock_use(update_engine);

 # Ignore these denials.
 dontaudit update_engine kernel:process setsched;
-dontaudit update_engine self:capability sys_rawio;
+dontaudit update_engine self:global_capability_class_set sys_rawio;

 # Allow using persistent storage in /data/misc/update_engine.
 allow update_engine update_engine_data_file:dir create_dir_perms;