From 7ed266c678a13a889482e1b42cc2fe6934e78051 Mon Sep 17 00:00:00 2001
From: Benjamin Gordon <bmgordon@google.com>
Date: Wed, 15 Aug 2018 13:34:20 -0600
Subject: [PATCH] sepolicy: Fix references to self:capability

commit 9b2e0cbeeaae560b07e4ffa6e5b8e505699e4a76 added a new self:global_capability_class_set macro that covers both self:capability and self:cap_userns. Apply the new macro to various self:capability references that have cropped up since then.

Bug: 112307595
Test: policy diff shows new rules are all cap_userns
Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609
---
 private/bpfloader.te | 2 +-
 private/traced_probes.te | 2 +-
 private/zygote.te | 2 +-
 public/domain.te | 4 ++--
 public/hal_bootctl.te | 2 +-
 public/update_engine.te | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 4e8ec2b46..bcfbf39f5 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -27,4 +27,4 @@ neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
 neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
-dontaudit bpfloader self:capability sys_admin;
+dontaudit bpfloader self:global_capability_class_set sys_admin;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 5d80f7e8b..ef5a3960f 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -35,7 +35,7 @@ allow traced_probes kmsg_device:chr_file write;
 allow traced_probes system_file:dir { open read };
 # Allow traced_probes to list some of the data partition.
-allow traced_probes self:capability dac_read_search;
+allow traced_probes self:global_capability_class_set dac_read_search;
 allow traced_probes apk_data_file:dir { getattr open read search };
 allow traced_probes dalvikcache_data_file:dir { getattr open read search };
diff --git a/private/zygote.te b/private/zygote.te
index ac1ef0087..3a8e793c5 100644
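Review bot: The `dontaudit bpfloader self:global_capability_class_set sys_admin;` rule at the end of the private/bpfloader.te hunk has no comment saying why the sys_admin denial is expected, and with the macro it now also silences `cap_userns` denials that would previously have been logged. A suppressed denial leaves no audit record, so the reason should sit next to the rule, for example `# <reason the sys_admin check is harmless>; suppressed for capability and cap_userns`. The same applies to the widened dontaudit rules in private/zygote.te (sys_resource), public/hal_bootctl.te (sys_rawio) and public/update_engine.te (sys_rawio). The zygote and update_engine rules do carry a comment, but neither names the cause of the denial.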
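Review bot: The `allow traced_probes self:global_capability_class_set dac_read_search;` line in private/traced_probes.te is the only rule in this patch where the macro widens a grant rather than a neverallow or an audit suppression, because traced_probes now also holds dac_read_search in the `cap_userns` class. Nothing visible in the hunk shows traced_probes needing the capability against a non-initial user namespace. If it does not, keeping `self:capability` on this one allow rule would preserve least privilege, and the widened `neverallow { domain -traced_probes }` in public/domain.te would still pass. If the wider grant is intended, the comment above it should say so, e.g. `# Allow traced_probes to list some of the data partition (capability and cap_userns, matching the neverallow exemption in domain.te).`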
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -112,7 +112,7 @@ get_prop(zygote, overlay_prop)
 get_prop(zygote, exported_overlay_prop)
 # ingore spurious denials
-dontaudit zygote self:capability sys_resource;
+dontaudit zygote self:global_capability_class_set sys_resource;
 ###
 ### neverallow rules
diff --git a/public/domain.te b/public/domain.te
index 3afbe7ed6..c8b0bc137 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1397,8 +1397,8 @@ neverallow {
 -vold
 -vold_prepare_subdirs
 -zygote
-} self:capability dac_override;
-neverallow { domain -traced_probes } self:capability dac_read_search;
+} self:global_capability_class_set dac_override;
+neverallow { domain -traced_probes } self:global_capability_class_set dac_read_search;
 # If an already existing file is opened with O_CREAT, the kernel might generate
 # a false report of a create denial. Silence these denials and make sure that
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 9c13f5584..2491734f7 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -4,4 +4,4 @@ binder_call(hal_bootctl_server, hal_bootctl_client)
 hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
-dontaudit hal_bootctl self:capability sys_rawio;
+dontaudit hal_bootctl self:global_capability_class_set sys_rawio;
diff --git a/public/update_engine.te b/public/update_engine.te
index 2075985d3..26b0581d1 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -19,7 +19,7 @@ wakelock_use(update_engine);
 # Ignore these denials.
 dontaudit update_engine kernel:process setsched;
-dontaudit update_engine self:capability sys_rawio;
+dontaudit update_engine self:global_capability_class_set sys_rawio;
 # Allow using persistent storage in /data/misc/update_engine.
 allow update_engine update_engine_data_file:dir create_dir_perms;
-- 
GitLab