From 8a003607064804307201d0738e1e284442f9826b Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Wed, 27 Apr 2016 09:42:57 -0400
Subject: [PATCH] Define the user namespace capability classes and access vectors.

Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f (selinux: distinguish non-init user namespace capability checks) introduced support for distinguishing capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This support is needed on Linux to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace. Define the new security classes and access vectors for the Android policy. Refactor the original capability and capability2 access vector definitions as common declarations to allow reuse by the new cap_userns and cap2_userns classes. This change does not allow use of the new classes by any domain; that is deferred to future changes as needed if/when Android enables user namespaces and the Android version of Chrome starts using them. The kernel support went upstream in Linux 4.7. Based on the corresponding refpolicy patch by Chris PeBenito, but reworked for the Android policy.
Test: policy builds
Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235
Signed-off-by: Stephen Smalley
---
private/access_vectors | 116 +++++++++++++++++++++++----------------
private/security_classes | 4 ++
2 files changed, 72 insertions(+), 48 deletions(-)
diff --git a/private/access_vectors b/private/access_vectors
index efd4924b5..875d7ba1f 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -76,6 +76,60 @@ common ipc
 unix_write
 }
 
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the cap2 common.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+common cap2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+ wake_alarm
+ block_suspend
+ audit_read
+}
+
 #
 # Define the access vectors.
 #
@@ -330,59 +384,14 @@ class system
 }
 
 #
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
 #
 
 class capability
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the capability2 class.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
+inherits cap
 
 class capability2
-{
- mac_override # unused by SELinux
- mac_admin # unused by SELinux
- syslog
- wake_alarm
- block_suspend
- audit_read
-}
+inherits cap2
 
 #
 # Extended Netlink classes
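Review bot: The block comment on `common cap` (and the bare `common cap2`) does not say which classes inherit it, so someone editing the capability list cannot tell from this hunk that an entry added here becomes a permission of both the init-namespace `capability` class and the `cap_userns` class declared later in this file. The kept warning that order must match include/linux/capability.h is good, but the audience for these commons is now wider than one class. Suggest adding to the comment `# Inherited by both the capability and cap_userns classes; any capability` / `# added here becomes a permission of both.` and a parallel line above `common cap2` naming `capability2` and `cap2_userns`.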
@@ -543,6 +552,17 @@ inherits socket
 class netlink_crypto_socket
 inherits socket
 
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
 class property_service
 {
 set
diff --git a/private/security_classes b/private/security_classes
index 19fd5db36..abd9cbea7 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -94,6 +94,10 @@ class netlink_scsitransport_socket
 class netlink_rdma_socket
 class netlink_crypto_socket
 
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
 # Property service
 class property_service
 # userspace
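Review bot: The comment introducing `cap_userns` and `cap2_userns` should state that no domain is granted any permission in these classes yet, because the practical effect of this hunk on a kernel that has the feature (Linux 4.7 per the description) is that every capability check against a non-init user namespace target becomes an ordinary policy denial for every domain, whereas before the classes existed such checks would, as far as I can tell, have fallen under the policy's unknown-class handling. That is the intended outcome per the commit message, but a maintainer chasing such a denial for a process that unshares a user namespace will look here first and find nothing saying it is deliberate. Suggest appending `# No domain is currently allowed these permissions; user namespace capability` / `# checks are denied until rules are added for the domains that need them.` The handle-unknown setting that governs the previous behaviour is not visible in this diff, so the contrast is inferred.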
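Review bot: The comment `# Capability checks when on a non-init user namespace` in the security_classes hunk reads as if the distinction depends on which namespace the checking process is in, whereas the description says the new classes are used when the target of the check belongs to a non-init user namespace. Suggest `# Capability checks against a target in a non-init user namespace` so the entry matches the semantics the kernel commit gives. The `# in user namespaces` line in the access_vectors hunk above has the same ambiguity and could say `# against targets in non-init user namespaces`.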