Add nnp_nosuid_transition policycap and related class/perm definitions.

am: 1b1d133be5 Change-Id: I3fa539a472a0ac382205ad206fe56a36949d222c
2018-09-07 19:43:47 -07:00 · 2018-09-07 19:43:47 -07:00 · 7496d3827d
commit 7496d3827d
parent 8386cae8ad 1b1d133be5
3 changed files with 14 additions and 0 deletions
--- a/private/access_vectors
+++ b/private/access_vectors
@ -330,6 +330,11 @@ class process
 	getrlimit
 }

+class process2
+{
+	nnp_transition
+	nosuid_transition
+}

 #
 # Define the access vector interpretation for ipc-related objects
--- a/private/policy_capabilities
+++ b/private/policy_capabilities
@ -11,3 +11,10 @@ policycap open_perms;
 # to the rawip_socket class.
 policycap extended_socket_class;

+# Enable NoNewPrivileges support.  Requires libsepol 2.7+
+# and kernel 4.14 (estimated).
+#
+# Checks enabled;
+# process2: nnp_transition, nosuid_transition
+#
+policycap nnp_nosuid_transition;
--- a/private/security_classes
+++ b/private/security_classes
@ -130,6 +130,8 @@ class kcm_socket
 class qipcrtr_socket
 class smc_socket

+class process2
+
 # Property service
 class property_service          # userspace