Add nnp_nosuid_transition policycap and related class/perm definitions.

af63f4193f
allows a security policy writer to determine whether transitions under
nosuid / NO_NEW_PRIVS should be allowed or not.

Define these permissions, so that they're usable to policy writers.

This change is modeled after refpolicy
1637a8b407

Test: policy compiles and device boots
Test Note: Because this requires a newer kernel, full testing on such
   kernels could not be done.
Change-Id: I9866724b3b97adfc0cdef5aaba6de0ebbfbda72f

private/access_vectors

@@ -330,6 +330,11 @@ class process
 	getrlimit
 }
 
+class process2
+{
+	nnp_transition
+	nosuid_transition
+}
 
 #
 # Define the access vector interpretation for ipc-related objects

private/policy_capabilities

@@ -11,3 +11,10 @@ policycap open_perms;
 # to the rawip_socket class.
 policycap extended_socket_class;
 
+# Enable NoNewPrivileges support.  Requires libsepol 2.7+
+# and kernel 4.14 (estimated).
+#
+# Checks enabled;
+# process2: nnp_transition, nosuid_transition
+#
+policycap nnp_nosuid_transition;

private/security_classes

@@ -130,6 +130,8 @@ class kcm_socket
 class qipcrtr_socket
 class smc_socket
 
+class process2
+
 # Property service
 class property_service          # userspace