Define the user namespace capability classes and access vectors.
am: 8a00360706
Change-Id: Ifdce40a385442a85f69d7e477c95ab540457f54b
This commit is contained in:
Stephen Smalley
android-build-merger
commit
60eff1f278
2 changed files with 72 additions and 48 deletions
|
|
@ -76,6 +76,60 @@ common ipc
|
|||
unix_write
|
||||
}
|
||||
|
||||
#
|
||||
# Define a common for capability access vectors.
|
||||
#
|
||||
common cap
|
||||
{
|
||||
# The capabilities are defined in include/linux/capability.h
|
||||
# Capabilities >= 32 are defined in the cap2 common.
|
||||
# Care should be taken to ensure that these are consistent with
|
||||
# those definitions. (Order matters)
|
||||
|
||||
chown
|
||||
dac_override
|
||||
dac_read_search
|
||||
fowner
|
||||
fsetid
|
||||
kill
|
||||
setgid
|
||||
setuid
|
||||
setpcap
|
||||
linux_immutable
|
||||
net_bind_service
|
||||
net_broadcast
|
||||
net_admin
|
||||
net_raw
|
||||
ipc_lock
|
||||
ipc_owner
|
||||
sys_module
|
||||
sys_rawio
|
||||
sys_chroot
|
||||
sys_ptrace
|
||||
sys_pacct
|
||||
sys_admin
|
||||
sys_boot
|
||||
sys_nice
|
||||
sys_resource
|
||||
sys_time
|
||||
sys_tty_config
|
||||
mknod
|
||||
lease
|
||||
audit_write
|
||||
audit_control
|
||||
setfcap
|
||||
}
|
||||
|
||||
common cap2
|
||||
{
|
||||
mac_override # unused by SELinux
|
||||
mac_admin # unused by SELinux
|
||||
syslog
|
||||
wake_alarm
|
||||
block_suspend
|
||||
audit_read
|
||||
}
|
||||
|
||||
#
|
||||
# Define the access vectors.
|
||||
#
|
||||
|
|
@ -330,59 +384,14 @@ class system
|
|||
}
|
||||
|
||||
#
|
||||
# Define the access vector interpretation for controling capabilies
|
||||
# Define the access vector interpretation for controlling capabilities
|
||||
#
|
||||
|
||||
class capability
|
||||
{
|
||||
# The capabilities are defined in include/linux/capability.h
|
||||
# Capabilities >= 32 are defined in the capability2 class.
|
||||
# Care should be taken to ensure that these are consistent with
|
||||
# those definitions. (Order matters)
|
||||
|
||||
chown
|
||||
dac_override
|
||||
dac_read_search
|
||||
fowner
|
||||
fsetid
|
||||
kill
|
||||
setgid
|
||||
setuid
|
||||
setpcap
|
||||
linux_immutable
|
||||
net_bind_service
|
||||
net_broadcast
|
||||
net_admin
|
||||
net_raw
|
||||
ipc_lock
|
||||
ipc_owner
|
||||
sys_module
|
||||
sys_rawio
|
||||
sys_chroot
|
||||
sys_ptrace
|
||||
sys_pacct
|
||||
sys_admin
|
||||
sys_boot
|
||||
sys_nice
|
||||
sys_resource
|
||||
sys_time
|
||||
sys_tty_config
|
||||
mknod
|
||||
lease
|
||||
audit_write
|
||||
audit_control
|
||||
setfcap
|
||||
}
|
||||
inherits cap
|
||||
|
||||
class capability2
|
||||
{
|
||||
mac_override # unused by SELinux
|
||||
mac_admin # unused by SELinux
|
||||
syslog
|
||||
wake_alarm
|
||||
block_suspend
|
||||
audit_read
|
||||
}
|
||||
inherits cap2
|
||||
|
||||
#
|
||||
# Extended Netlink classes
|
||||
|
|
@ -543,6 +552,17 @@ inherits socket
|
|||
class netlink_crypto_socket
|
||||
inherits socket
|
||||
|
||||
#
|
||||
# Define the access vector interpretation for controlling capabilities
|
||||
# in user namespaces
|
||||
#
|
||||
|
||||
class cap_userns
|
||||
inherits cap
|
||||
|
||||
class cap2_userns
|
||||
inherits cap2
|
||||
|
||||
class property_service
|
||||
{
|
||||
set
|
||||
|
|
|
|||
|
|
@ -94,6 +94,10 @@ class netlink_scsitransport_socket
|
|||
class netlink_rdma_socket
|
||||
class netlink_crypto_socket
|
||||
|
||||
# Capability checks when on a non-init user namespace
|
||||
class cap_userns
|
||||
class cap2_userns
|
||||
|
||||
# Property service
|
||||
class property_service # userspace
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue