sepolicy: Add rules for non-init namespaces

In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f

private/adbd.te

@@ -17,10 +17,10 @@ userdebug_or_eng(`
 allow adbd shell:process { noatsecure signal };
 
 # Set UID and GID to shell.  Set supplementary groups.
-allow adbd self:capability { setuid setgid };
+allow adbd self:global_capability_class_set { setuid setgid };
 
 # Drop capabilities from bounding set on user builds.
-allow adbd self:capability setpcap;
+allow adbd self:global_capability_class_set setpcap;
 
 # Create and use network sockets.
 net_domain(adbd)

private/app.te

@@ -350,8 +350,7 @@ with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
 
 # Superuser capabilities.
 # bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability *;
-neverallow { appdomain -bluetooth } self:capability2 *;
+neverallow { appdomain -bluetooth } self:capability_class_set *;
 
 # Block device access.
 neverallow appdomain dev_type:blk_file { read write };

private/bluetooth.te

@@ -22,12 +22,12 @@ allow bluetooth bluetooth_logs_data_file:file create_file_perms;
 # Socket creation under /data/misc/bluedroid.
 allow bluetooth bluetooth_socket:sock_file create_file_perms;
 
-allow bluetooth self:capability net_admin;
-allow bluetooth self:capability2 wake_alarm;
+allow bluetooth self:global_capability_class_set net_admin;
+allow bluetooth self:global_capability2_class_set wake_alarm;
 
 # tethering
 allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
-allow bluetooth self:capability { net_admin net_raw net_bind_service };
+allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
 allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
 allow bluetooth tun_device:chr_file rw_file_perms;
 allow bluetooth efs_file:dir search;
@@ -56,7 +56,7 @@ allow bluetooth system_api_service:service_manager find;
 allow bluetooth shell_data_file:file read;
 
 # Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
-allow bluetooth self:capability sys_nice;
+allow bluetooth self:global_capability_class_set sys_nice;
 
 hal_client_domain(bluetooth, hal_bluetooth)
 hal_client_domain(bluetooth, hal_telephony)
@@ -71,5 +71,5 @@ read_runtime_log_tags(bluetooth)
 
 # Superuser capabilities.
 # Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
-neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
+neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
+neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };

private/domain.te

@@ -12,7 +12,7 @@ neverallow {
   -storaged
   -system_server
   userdebug_or_eng(`-perfprofd')
-} self:capability sys_ptrace;
+} self:global_capability_class_set sys_ptrace;
 
 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app } *:keystore_key gen_unique_id;

private/incidentd.te

@@ -7,12 +7,12 @@ wakelock_use(incidentd)
 
 # Allow setting process priority, protect from OOM killer, and dropping
 # privileges by switching UID / GID
-# TODO allow incidentd self:capability { setuid setgid sys_resource };
+# TODO allow incidentd self:global_capability_class_set { setuid setgid sys_resource };
 
 # Allow incidentd to scan through /proc/pid for all processes
 r_dir_file(incidentd, domain)
 
-allow incidentd self:capability {
+allow incidentd self:global_capability_class_set {
     # Send signals to processes
     kill
 };
@@ -56,7 +56,7 @@ binder_call(incidentd, binderservicedomain)
 binder_call(incidentd, appdomain)
 
 # Reading /proc/PID/maps of other processes
-# TODO allow incidentd self:capability sys_ptrace;
+# TODO allow incidentd self:global_capability_class_set sys_ptrace;
 
 # Run a shell.
 allow incidentd shell_exec:file rx_file_perms;

private/logpersist.te

@@ -8,7 +8,7 @@ userdebug_or_eng(`
   allow logpersist misc_logd_file:file create_file_perms;
   allow logpersist misc_logd_file:dir rw_dir_perms;
 
-  allow logpersist self:capability sys_nice;
+  allow logpersist self:global_capability_class_set sys_nice;
   allow logpersist pstorefs:dir search;
   allow logpersist pstorefs:file r_file_perms;
 

private/netutils_wrapper.te

@@ -3,13 +3,13 @@ typeattribute netutils_wrapper coredomain;
 r_dir_file(netutils_wrapper, system_file);
 
 # For netutils (ip, iptables, tc)
-allow netutils_wrapper self:capability net_raw;
+allow netutils_wrapper self:global_capability_class_set net_raw;
 
 allow netutils_wrapper system_file:file { execute execute_no_trans };
 allow netutils_wrapper proc_net:file { open read getattr };
 allow netutils_wrapper self:rawip_socket create_socket_perms;
 allow netutils_wrapper self:udp_socket create_socket_perms;
-allow netutils_wrapper self:capability net_admin;
+allow netutils_wrapper self:global_capability_class_set net_admin;
 # ip utils need everything but ioctl
 allow netutils_wrapper self:netlink_route_socket ~ioctl;
 allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;

private/storaged.te

@@ -52,7 +52,7 @@ allow storaged package_native_service:service_manager find;
 
 # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
 # running as root. See b/35323867 #3.
-dontaudit storaged self:capability dac_override;
+dontaudit storaged self:global_capability_class_set dac_override;
 
 ###
 ### neverallow

private/surfaceflinger.te

@@ -87,7 +87,7 @@ allow surfaceflinger window_service:service_manager find;
 
 
 # allow self to set SCHED_FIFO
-allow surfaceflinger self:capability sys_nice;
+allow surfaceflinger self:global_capability_class_set sys_nice;
 allow surfaceflinger proc_meminfo:file r_file_perms;
 r_dir_file(surfaceflinger, cgroup)
 r_dir_file(surfaceflinger, system_file)

private/system_server.te

@@ -52,7 +52,7 @@ bluetooth_domain(system_server)
 
 # These are the capabilities assigned by the zygote to the
 # system server.
-allow system_server self:capability {
+allow system_server self:global_capability_class_set {
     ipc_lock
     kill
     net_admin
@@ -72,7 +72,7 @@ wakelock_use(system_server)
 allow system_server kernel:system module_request;
 
 # Allow alarmtimers to be set
-allow system_server self:capability2 wake_alarm;
+allow system_server self:global_capability2_class_set wake_alarm;
 
 # Create and share netlink_netfilter_sockets for tetheroffload.
 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;

private/vold_prepare_subdirs.te

@@ -7,7 +7,7 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
 allow vold_prepare_subdirs vold:fd use;
 allow vold_prepare_subdirs vold:fifo_file { read write };
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:capability dac_override;
+allow vold_prepare_subdirs self:global_capability_class_set dac_override;
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
 allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };

private/webview_zygote.te

@@ -20,9 +20,9 @@ allow webview_zygote shared_relro_file:dir search;
 allow webview_zygote shared_relro_file:file r_file_perms;
 
 # Set the UID/GID of the process.
-allow webview_zygote self:capability { setgid setuid };
+allow webview_zygote self:global_capability_class_set { setgid setuid };
 # Drop capabilities from bounding set.
-allow webview_zygote self:capability setpcap;
+allow webview_zygote self:global_capability_class_set setpcap;
 # Switch SELinux context to app domains.
 allow webview_zygote self:process setcurrent;
 allow webview_zygote isolated_app:process dyntransition;

private/zygote.te

@@ -7,10 +7,10 @@ init_daemon_domain(zygote)
 read_runtime_log_tags(zygote)
 
 # Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid fowner chown };
+allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
 
 # Drop capabilities from bounding set.
-allow zygote self:capability setpcap;
+allow zygote self:global_capability_class_set setpcap;
 
 # Switch SELinux context to app domains.
 allow zygote self:process setcurrent;
@@ -56,7 +56,7 @@ r_dir_file(zygote, vendor_overlay_file)
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote self:capability sys_admin;
+allow zygote self:global_capability_class_set sys_admin;
 
 # Allow zygote to stat the files that it opens. The zygote must
 # be able to inspect them so that it can reopen them on fork

public/charger.te

@@ -10,8 +10,8 @@ r_dir_file(charger, sysfs_type)
 r_dir_file(charger, rootfs)
 r_dir_file(charger, cgroup)
 
-allow charger self:capability { sys_tty_config };
-allow charger self:capability sys_boot;
+allow charger self:global_capability_class_set { sys_tty_config };
+allow charger self:global_capability_class_set sys_boot;
 
 wakelock_use(charger)
 

public/clatd.te

@@ -17,7 +17,7 @@ allow clatd netd:udp_socket { read write };
 allow clatd netd:unix_stream_socket { read write };
 allow clatd netd:unix_dgram_socket { read write };
 
-allow clatd self:capability { net_admin net_raw setuid setgid };
+allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
 
 # clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
 # capable(CAP_IPC_LOCK), and then checks to see the requested amount is
@@ -26,7 +26,7 @@ allow clatd self:capability { net_admin net_raw setuid setgid };
 # so we permit any requests we see from clatd asking for this capability.
 # See https://android-review.googlesource.com/127940 and
 # https://b.corp.google.com/issues/21736319
-allow clatd self:capability ipc_lock;
+allow clatd self:global_capability_class_set ipc_lock;
 
 allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;

public/crash_dump.te

@@ -11,7 +11,7 @@ allow crash_dump {
 
 # crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
 # which will result in an audit log even when it's allowed to trace.
-dontaudit crash_dump self:capability { sys_ptrace };
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
 
 userdebug_or_eng(`
   allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };

public/dhcp.te

@@ -4,7 +4,7 @@ type dhcp_exec, exec_type, file_type;
 net_domain(dhcp)
 
 allow dhcp cgroup:dir { create write add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
 allow dhcp self:packet_socket create_socket_perms_no_ioctl;
 allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;

public/dnsmasq.te

@@ -6,9 +6,9 @@ net_domain(dnsmasq)
 allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
 
 # TODO:  Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:capability dac_override;
+allow dnsmasq self:global_capability_class_set dac_override;
 
-allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
+allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
 
 allow dnsmasq dhcp_data_file:dir w_dir_perms;
 allow dnsmasq dhcp_data_file:file create_file_perms;

public/domain.te

@@ -248,7 +248,7 @@ neverallow {
   -init
   -ueventd
   -vold
-} self:capability mknod;
+} self:global_capability_class_set mknod;
 
 # Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
 neverallow {
@@ -261,16 +261,16 @@ neverallow {
   -healthd
   -uncrypt
   -tee
-} self:capability sys_rawio;
+} self:global_capability_class_set sys_rawio;
 
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
 neverallow * self:memprotect mmap_zero;
 
 # No domain needs mac_override as it is unused by SELinux.
-neverallow * self:capability2 mac_override;
+neverallow * self:global_capability2_class_set mac_override;
 
 # Only recovery needs mac_admin to set contexts not defined in current policy.
-neverallow { domain -recovery } self:capability2 mac_admin;
+neverallow { domain -recovery } self:global_capability2_class_set mac_admin;
 
 # Once the policy has been loaded there shall be none to modify the policy.
 # It is sealed.
@@ -1096,7 +1096,7 @@ neverallow * ~{ system_file vendor_file rootfs }:system module_load;
 neverallow {
   domain
   -recovery
-} self:capability setfcap;
+} self:global_capability_class_set setfcap;
 
 # Enforce AT_SECURE for executing crash_dump.
 neverallow domain crash_dump:process noatsecure;

public/dumpstate.te

@@ -8,12 +8,12 @@ wakelock_use(dumpstate)
 
 # Allow setting process priority, protect from OOM killer, and dropping
 # privileges by switching UID / GID
-allow dumpstate self:capability { setuid setgid sys_resource };
+allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
 
 # Allow dumpstate to scan through /proc/pid for all processes
 r_dir_file(dumpstate, domain)
 
-allow dumpstate self:capability {
+allow dumpstate self:global_capability_class_set {
     # Send signals to processes
     kill
     # Run iptables
@@ -33,7 +33,7 @@ allow dumpstate toolbox_exec:file rx_file_perms;
 allow dumpstate system_file:dir r_dir_perms;
 
 # Create and write into /data/anr/
-allow dumpstate self:capability { dac_override chown fowner fsetid };
+allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
 allow dumpstate anr_data_file:dir rw_dir_perms;
 allow dumpstate anr_data_file:file create_file_perms;
 
@@ -42,7 +42,7 @@ allow dumpstate anr_data_file:file create_file_perms;
 allow dumpstate system_data_file:file r_file_perms;
 
 # Read dmesg
-allow dumpstate self:capability2 syslog;
+allow dumpstate self:global_capability2_class_set syslog;
 allow dumpstate kernel:system syslog_read;
 
 # Read /sys/fs/pstore/console-ramoops
@@ -116,7 +116,7 @@ hal_client_domain(dumpstate, hal_vibrator)
 allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
 
 # Reading /proc/PID/maps of other processes
-allow dumpstate self:capability sys_ptrace;
+allow dumpstate self:global_capability_class_set sys_ptrace;
 
 # Allow the bugreport service to create a file in
 # /data/data/com.android.shell/files/bugreports/bugreport

public/global_macros

@@ -1,7 +1,9 @@
 #####################################
 # Common groupings of object classes.
 #
-define(`capability_class_set', `{ capability capability2 }')
+define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
+define(`global_capability_class_set', `{ capability cap_userns }')
+define(`global_capability2_class_set', `{ capability2 cap2_userns }')
 
 define(`devfile_class_set', `{ chr_file blk_file }')
 define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')

public/hal_bluetooth.te

@@ -8,7 +8,7 @@ allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
 wakelock_use(hal_bluetooth);
 
 # The HAL toggles rfkill to power the chip off/on.
-allow hal_bluetooth self:capability net_admin;
+allow hal_bluetooth self:global_capability_class_set net_admin;
 
 # bluetooth factory file accesses.
 r_dir_file(hal_bluetooth, bluetooth_efs_file)
@@ -18,7 +18,7 @@ allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
 # sysfs access.
 r_dir_file(hal_bluetooth, sysfs_type)
 allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow hal_bluetooth self:capability2 wake_alarm;
+allow hal_bluetooth self:global_capability2_class_set wake_alarm;
 
 # Allow write access to bluetooth-specific properties
 set_prop(hal_bluetooth, bluetooth_prop)
@@ -27,4 +27,4 @@ set_prop(hal_bluetooth, bluetooth_prop)
 allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
 
 # allow to run with real-time scheduling policy
-allow hal_bluetooth self:capability sys_nice;
+allow hal_bluetooth self:global_capability_class_set sys_nice;

public/hal_graphics_allocator.te

@@ -10,4 +10,4 @@ allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
 
 # allow to run with real-time scheduling policy
-allow hal_graphics_allocator self:capability sys_nice;
+allow hal_graphics_allocator self:global_capability_class_set sys_nice;

public/hal_graphics_composer.te

@@ -23,4 +23,4 @@ allow hal_graphics_composer bootanim:fd use;
 allow hal_graphics_composer appdomain:fd use;
 
 # allow self to set SCHED_FIFO
-allow hal_graphics_composer self:capability sys_nice;
+allow hal_graphics_composer self:global_capability_class_set sys_nice;

public/hal_neverallows.te

@@ -6,7 +6,7 @@ neverallow {
   -hal_wifi_server
   -hal_wifi_supplicant_server
   -rild
-} self:capability { net_admin net_raw };
+} self:global_capability_class_set { net_admin net_raw };
 
 # Unless a HAL's job is to communicate over the network, or control network
 # hardware, it should not be using network sockets.

public/hal_sensors.te

@@ -12,4 +12,4 @@ allow hal_sensors { appdomain -isolated_app }:fd use;
 allow hal_sensors hal_allocator:fd use;
 
 # allow to run with real-time scheduling policy
-allow hal_sensors self:capability sys_nice;
+allow hal_sensors self:global_capability_class_set sys_nice;

public/hal_wifi.te

@@ -14,7 +14,7 @@ set_prop(hal_wifi, wifi_prop)
 allow hal_wifi self:udp_socket create_socket_perms;
 allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
 
-allow hal_wifi self:capability { net_admin net_raw };
+allow hal_wifi self:global_capability_class_set { net_admin net_raw };
 # allow hal_wifi to speak to nl80211 in the kernel
 allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
 # newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets

public/hal_wifi_supplicant.te

@@ -12,7 +12,7 @@ r_dir_file(hal_wifi_supplicant, sysfs_type)
 r_dir_file(hal_wifi_supplicant, proc_net)
 
 allow hal_wifi_supplicant kernel:system module_request;
-allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
+allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
 allow hal_wifi_supplicant cgroup:dir create_dir_perms;
 allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
 allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;

public/healthd.te

@@ -14,8 +14,8 @@ r_dir_file(healthd, cgroup)
 # /{system,vendor,odm}/lib[64]/hw/
 r_dir_file(healthd, system_file)
 
-allow healthd self:capability { sys_tty_config };
-allow healthd self:capability sys_boot;
+allow healthd self:global_capability_class_set { sys_tty_config };
+allow healthd self:global_capability_class_set sys_boot;
 
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 

public/init.te

@@ -40,7 +40,7 @@ allow init system_block_device:{ blk_file lnk_file } relabelto;
 allow init misc_block_device:{ blk_file lnk_file } relabelto;
 
 # setrlimit
-allow init self:capability sys_resource;
+allow init self:global_capability_class_set sys_resource;
 
 # Remove /dev/.booting, created before initial policy load or restorecon /dev.
 allow init tmpfs:file unlink;
@@ -61,7 +61,7 @@ allow init console_device:chr_file rw_file_perms;
 allow init tty_device:chr_file rw_file_perms;
 
 # Call mount(2).
-allow init self:capability sys_admin;
+allow init self:global_capability_class_set sys_admin;
 
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
@@ -92,12 +92,12 @@ allow init configfs:{ file lnk_file } create_file_perms;
 allow init tmpfs:dir relabelfrom;
 
 # Create directories under /dev/cpuctl after chowning it to system.
-allow init self:capability dac_override;
+allow init self:global_capability_class_set dac_override;
 
 # Set system clock.
-allow init self:capability sys_time;
+allow init self:global_capability_class_set sys_time;
 
-allow init self:capability { sys_rawio mknod };
+allow init self:global_capability_class_set { sys_rawio mknod };
 
 # Mounting filesystems from block devices.
 allow init dev_type:blk_file r_file_perms;
@@ -124,7 +124,7 @@ allow init rootfs:{ dir file } relabelfrom;
 # system/core/init.rc requires at least cache_file and data_file_type.
 # init.<board>.rc files often include device-specific types, so
 # we just allow all file types except /system files here.
-allow init self:capability { chown fowner fsetid };
+allow init self:global_capability_class_set { chown fowner fsetid };
 
 allow init {
   file_type
@@ -256,7 +256,7 @@ allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 # Any operation that can modify the kernel ring buffer, e.g. clear
 # or a read that consumes the messages that were read.
 allow init kernel:system syslog_mod;
-allow init self:capability2 syslog;
+allow init self:global_capability2_class_set syslog;
 
 # init access to /proc.
 r_dir_file(init, proc_net)
@@ -295,10 +295,10 @@ allow init {
 # Set usermodehelpers.
 allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
 
-allow init self:capability net_admin;
+allow init self:global_capability_class_set net_admin;
 
 # Reboot.
-allow init self:capability sys_boot;
+allow init self:global_capability_class_set sys_boot;
 
 # Write to sysfs nodes.
 allow init sysfs_type:dir r_dir_perms;
@@ -311,7 +311,7 @@ allow init misc_logd_file:dir { add_name open create read getattr setattr search
 allow init misc_logd_file:file { open create getattr setattr write };
 
 # Support "adb shell stop"
-allow init self:capability kill;
+allow init self:global_capability_class_set kill;
 allow init domain:process { getpgid sigkill signal };
 
 # Init creates keystore's directory on boot, and walks through
@@ -329,7 +329,7 @@ allow init shell_data_file:dir { open create read getattr setattr search };
 allow init shell_data_file:file { getattr };
 
 # Set UID, GID, and adjust capability bounding set for services.
-allow init self:capability { setuid setgid setpcap };
+allow init self:global_capability_class_set { setuid setgid setpcap };
 
 # For bootchart to read the /proc/$pid/cmdline file of each process,
 # we need to have following line to allow init to have access
@@ -369,13 +369,13 @@ allow init property_type:property_service set;
 # so it can be picked up and processed by logd. These denials are
 # generated when an attempt to set a property is denied by policy.
 allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
-allow init self:capability audit_write;
+allow init self:global_capability_class_set audit_write;
 
 # Run "ifup lo" to bring up the localhost interface
 allow init self:udp_socket { create ioctl };
 # in addition to unpriv ioctls granted to all domains, init also needs:
 allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
-allow init self:capability net_raw;
+allow init self:global_capability_class_set net_raw;
 
 # This line seems suspect, as it should not really need to
 # set scheduling parameters for a kernel domain task.
@@ -396,7 +396,7 @@ allow init hw_random_device:chr_file r_file_perms;
 allow init device:file create_file_perms;
 
 # keychord configuration
-allow init self:capability sys_tty_config;
+allow init self:global_capability_class_set sys_tty_config;
 allow init keychord_device:chr_file rw_file_perms;
 
 # Access device mapper for setting up dm-verity

public/install_recovery.te

@@ -2,7 +2,7 @@
 type install_recovery, domain;
 type install_recovery_exec, exec_type, file_type;
 
-allow install_recovery self:capability dac_override;
+allow install_recovery self:global_capability_class_set dac_override;
 
 # /system/bin/install-recovery.sh is a shell script.
 # Needs to execute /system/bin/sh

public/installd.te

@@ -2,7 +2,7 @@
 type installd, domain;
 type installd_exec, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
 
 # Allow labeling of files under /data/app/com.example/oat/
 allow installd dalvikcache_data_file:dir relabelto;

public/kernel.te

@@ -1,7 +1,7 @@
 # Life begins with the kernel.
 type kernel, domain, mlstrustedsubject;
 
-allow kernel self:capability sys_nice;
+allow kernel self:global_capability_class_set sys_nice;
 
 # Root fs.
 r_dir_file(kernel, rootfs)
@@ -33,14 +33,14 @@ allow kernel usbfs:dir search;
 dontaudit kernel self:security setenforce;
 
 # Write to /proc/1/oom_adj prior to switching to init domain.
-allow kernel self:capability sys_resource;
+allow kernel self:global_capability_class_set sys_resource;
 
 # Init reboot before switching selinux domains under certain error
 # conditions. Allow it.
 # As part of rebooting, init writes "u" to /proc/sysrq-trigger to
 # remount filesystems read-only. /data is not mounted at this point,
 # so we could ignore this. For now, we allow it.
-allow kernel self:capability sys_boot;
+allow kernel self:global_capability_class_set sys_boot;
 allow kernel proc_sysrq:file w_file_perms;
 
 # Allow writing to /dev/kmsg which was created prior to loading policy.
@@ -101,4 +101,4 @@ neverallow kernel *:file { entrypoint execute_no_trans };
 # the kernel should not be accessing files owned by other users.
 # Instead of adding dac_{read_search,override}, fix the unix permissions
 # on files being accessed.
-neverallow kernel self:capability { dac_override dac_read_search };
+neverallow kernel self:global_capability_class_set { dac_override dac_read_search };

public/lmkd.te

@@ -2,13 +2,13 @@
 type lmkd, domain, mlstrustedsubject;
 type lmkd_exec, exec_type, file_type;
 
-allow lmkd self:capability { dac_override sys_resource kill };
+allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
 
 # lmkd locks itself in memory, to prevent it from being
 # swapped out and unable to kill other memory hogs.
 # system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
 # b/16236289
-allow lmkd self:capability ipc_lock;
+allow lmkd self:global_capability_class_set ipc_lock;
 
 ## Open and write to /proc/PID/oom_score_adj
 ## TODO: maybe scope this down?
@@ -31,7 +31,7 @@ allow lmkd cgroup:dir { remove_name rmdir };
 allow lmkd cgroup:file r_file_perms;
 
 # Set self to SCHED_FIFO
-allow lmkd self:capability sys_nice;
+allow lmkd self:global_capability_class_set sys_nice;
 
 allow lmkd proc_zoneinfo:file r_file_perms;
 

public/logd.te

@@ -8,8 +8,8 @@ r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
 r_dir_file(logd, proc_net)
 
-allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
-allow logd self:capability2 syslog;
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
 allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
 allow logd kernel:system syslog_read;
 allow logd kmsg_device:chr_file w_file_perms;

public/modprobe.te

@@ -1,7 +1,7 @@
 type modprobe, domain;
 
 allow modprobe proc_modules:file r_file_perms;
-allow modprobe self:capability sys_module;
+allow modprobe self:global_capability_class_set sys_module;
 allow modprobe kernel:key search;
 recovery_only(`
   allow modprobe rootfs:system module_load;

public/mtp.te

@@ -6,6 +6,6 @@ net_domain(mtp)
 
 # pptp policy
 allow mtp self:socket create_socket_perms_no_ioctl;
-allow mtp self:capability net_raw;
+allow mtp self:global_capability_class_set net_raw;
 allow mtp ppp:process signal;
 allow mtp vpn_data_file:dir search;

public/netd.te

@@ -9,14 +9,14 @@ allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
 r_dir_file(netd, cgroup)
 allow netd system_server:fd use;
 
-allow netd self:capability { net_admin net_raw kill };
+allow netd self:global_capability_class_set { net_admin net_raw kill };
 # Note: fsetid is deliberately not included above. fsetid checks are
 # triggered by chmod on a directory or file owned by a group other
 # than one of the groups assigned to the current process to see if
 # the setgid bit should be cleared, regardless of whether the setgid
 # bit was even set.  We do not appear to truly need this capability
 # for netd to operate.
-dontaudit netd self:capability fsetid;
+dontaudit netd self:global_capability_class_set fsetid;
 
 allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_route_socket nlmsg_write;
@@ -60,12 +60,12 @@ allow netd sysfs_usb:file write;
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
 #       Why?
-allow netd self:capability { dac_override chown };
+allow netd self:global_capability_class_set { dac_override chown };
 
 # Needed to update /data/misc/net/rt_tables
 allow netd net_data_file:file create_file_perms;
 allow netd net_data_file:dir rw_dir_perms;
-allow netd self:capability fowner;
+allow netd self:global_capability_class_set fowner;
 
 # Needed to lock the iptables lock.
 allow netd system_file:file lock;

public/otapreopt_chroot.te

@@ -5,7 +5,7 @@ type otapreopt_chroot_exec, exec_type, file_type;
 # Chroot preparation and execution.
 # We need to create an unshared mount namespace, and then mount /data.
 allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot self:capability { sys_admin sys_chroot };
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
 
 # This is required to mount /vendor.
 allow otapreopt_chroot block_device:dir search;

public/performanced.te

@@ -10,7 +10,7 @@ allow performanced permission_service:service_manager find;
 pdx_server(performanced, performance_client)
 
 # TODO: use file caps to obtain sys_nice instead of setuid / setgid.
-allow performanced self:capability { setuid setgid sys_nice };
+allow performanced self:global_capability_class_set { setuid setgid sys_nice };
 
 # Access /proc to validate we're only affecting threads in the same thread group.
 # Performanced also shields unbound kernel threads.  It scans every task in the

public/perfprofd.te

@@ -20,7 +20,7 @@ userdebug_or_eng(`
   # perfprofd reads a config file from /data/data/com.google.android.gms/files
   allow perfprofd app_data_file:file r_file_perms;
   allow perfprofd app_data_file:dir search;
-  allow perfprofd self:capability { dac_override };
+  allow perfprofd self:global_capability_class_set { dac_override };
 
   # perfprofd opens a file for writing in /data/misc/perfprofd
   allow perfprofd perfprofd_data_file:file create_file_perms;
@@ -34,13 +34,13 @@ userdebug_or_eng(`
   wakelock_use(perfprofd);
 
   # simpleperf uses ioctl() to turn on kernel perf events measurements
-  allow perfprofd self:capability sys_admin;
+  allow perfprofd self:global_capability_class_set sys_admin;
 
   # simpleperf needs to examine /proc to collect task/thread info
   r_dir_file(perfprofd, domain)
 
   # simpleperf needs to access /proc/<pid>/exec
-  allow perfprofd self:capability { sys_resource sys_ptrace };
+  allow perfprofd self:global_capability_class_set { sys_resource sys_ptrace };
   neverallow perfprofd domain:process ptrace;
 
   # simpleperf needs open/read any file that turns up in a profile
@@ -54,6 +54,6 @@ userdebug_or_eng(`
   allow perfprofd toolbox_exec:file rx_file_perms;
 
   # needed for simpleperf on some kernels
-  allow perfprofd self:capability ipc_lock;
+  allow perfprofd self:global_capability_class_set ipc_lock;
 
 ')

public/postinstall_dexopt.te

@@ -5,7 +5,7 @@
 
 type postinstall_dexopt, domain;
 
-allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner setgid setuid };
 
 allow postinstall_dexopt postinstall_file:filesystem getattr;
 allow postinstall_dexopt postinstall_file:dir { getattr search };

public/ppp.te

@@ -15,7 +15,7 @@ allowxperm ppp mtp:socket ioctl ppp_ioctls;
 
 allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:capability net_admin;
+allow ppp self:global_capability_class_set net_admin;
 allow ppp system_file:file rx_file_perms;
 not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
 allow ppp vpn_data_file:dir w_dir_perms;

public/racoon.te

@@ -15,7 +15,7 @@ allow racoon kernel:system module_request;
 
 allow racoon self:key_socket create_socket_perms_no_ioctl;
 allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:capability { net_admin net_bind_service net_raw };
+allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
 
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
 allow racoon system_file:file rx_file_perms;

public/recovery.te

@@ -12,10 +12,10 @@ recovery_only(`
   # Recovery can only use HALs in passthrough mode
   passthrough_hal_client_domain(recovery, hal_bootctl)
 
-  allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
+  allow recovery self:global_capability_class_set { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
 
   # Set security contexts on files that are not known to the loaded policy.
-  allow recovery self:capability2 mac_admin;
+  allow recovery self:global_capability2_class_set mac_admin;
 
   # Run helpers from / or /system without changing domain.
   r_dir_file(recovery, rootfs)

public/rild.te

@@ -7,7 +7,7 @@ allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
 
 allow rild self:netlink_route_socket nlmsg_write;
 allow rild kernel:system module_request;
-allow rild self:capability { setpcap setgid setuid net_admin net_raw };
+allow rild self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
 allow rild alarm_device:chr_file rw_file_perms;
 allow rild cgroup:dir create_dir_perms;
 allow rild cgroup:{ file lnk_file } r_file_perms;

public/runas.te

@@ -18,11 +18,11 @@ allow runas system_data_file:lnk_file getattr;
 allow runas system_data_file:lnk_file read;
 
 # run-as checks and changes to the app data dir.
-dontaudit runas self:capability dac_override;
+dontaudit runas self:global_capability_class_set dac_override;
 allow runas app_data_file:dir { getattr search };
 
 # run-as switches to the app UID/GID.
-allow runas self:capability { setuid setgid };
+allow runas self:global_capability_class_set { setuid setgid };
 
 # run-as switches to the app security context.
 selinux_check_context(runas) # validate context
@@ -38,5 +38,5 @@ allow runas seapp_contexts_file:file r_file_perms;
 ###
 
 # run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow runas self:capability ~{ setuid setgid };
-neverallow runas self:capability2 *;
+neverallow runas self:global_capability_class_set ~{ setuid setgid };
+neverallow runas self:global_capability2_class_set *;

public/sdcardd.te

@@ -10,7 +10,7 @@ allow sdcardd mnt_media_rw_file:dir r_dir_perms;
 allow sdcardd storage_file:dir search;
 allow sdcardd storage_stub_file:dir { search mounton };
 allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
 
 allow sdcardd sdcard_type:dir create_dir_perms;
 allow sdcardd sdcard_type:file create_file_perms;

public/sgdisk.te

@@ -14,7 +14,7 @@ allow sgdisk vold:fd use;
 allow sgdisk vold:fifo_file { read write getattr };
 
 # Used to probe kernel to reload partition tables
-allow sgdisk self:capability sys_admin;
+allow sgdisk self:global_capability_class_set sys_admin;
 
 # Only allow entry from vold
 neverallow { domain -vold } sgdisk:process transition;

public/slideshow.te

@@ -5,7 +5,7 @@ type slideshow, domain;
 allow slideshow kmsg_device:chr_file rw_file_perms;
 wakelock_use(slideshow)
 allow slideshow device:dir r_dir_perms;
-allow slideshow self:capability sys_tty_config;
+allow slideshow self:global_capability_class_set sys_tty_config;
 allow slideshow graphics_device:dir r_dir_perms;
 allow slideshow graphics_device:chr_file rw_file_perms;
 allow slideshow input_device:dir r_dir_perms;

public/te_macros

@@ -402,7 +402,7 @@ define(`wakelock_use', `
 # Access /sys/power/wake_lock and /sys/power/wake_unlock
 allow $1 sysfs_wake_lock:file rw_file_perms;
 # Accessing these files requires CAP_BLOCK_SUSPEND
-allow $1 self:capability2 block_suspend;
+allow $1 self:global_capability2_class_set block_suspend;
 ')
 
 #####################################

public/ueventd.te

@@ -5,7 +5,7 @@ type ueventd, domain;
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;
 
-allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
 
 r_dir_file(ueventd, rootfs)

public/uncrypt.te

@@ -2,7 +2,7 @@
 type uncrypt, domain, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
 
-allow uncrypt self:capability dac_override;
+allow uncrypt self:global_capability_class_set dac_override;
 
 # Read OTA zip file from /data/data/com.google.android.gsf/app_download
 r_dir_file(uncrypt, app_data_file)
@@ -29,7 +29,7 @@ unix_socket_connect(uncrypt, uncrypt, uncrypt)
 set_prop(uncrypt, powerctl_prop)
 
 # Raw writes to block device
-allow uncrypt self:capability sys_rawio;
+allow uncrypt self:global_capability_class_set sys_rawio;
 allow uncrypt misc_block_device:blk_file w_file_perms;
 allow uncrypt block_device:dir r_dir_perms;
 

public/update_engine.te

@@ -11,12 +11,12 @@ allow update_engine qtaguid_device:chr_file r_file_perms;
 
 # Following permissions are needed for update_engine.
 allow update_engine self:process { setsched };
-allow update_engine self:capability { fowner sys_admin };
+allow update_engine self:global_capability_class_set { fowner sys_admin };
 # Note: fsetid checks are triggered when creating a file in a directory with
 # the setgid bit set to determine if the file should inherit setgid. In this
 # case, setgid on the file is undesirable so we should just suppress the
 # denial.
-dontaudit update_engine self:capability fsetid;
+dontaudit update_engine self:global_capability_class_set fsetid;
 
 allow update_engine kmsg_device:chr_file w_file_perms;
 allow update_engine update_engine_exec:file rx_file_perms;

public/vendor_init.te

@@ -22,14 +22,14 @@ allow vendor_init configfs:dir create_dir_perms;
 allow vendor_init configfs:{ file lnk_file } create_file_perms;
 
 # Create directories under /dev/cpuctl after chowning it to system.
-allow vendor_init self:capability dac_override;
+allow vendor_init self:global_capability_class_set dac_override;
 
 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
 # chown/chmod require open+read+setattr required for open()+fchown/fchmod().
 # system/core/init.rc requires at least cache_file and data_file_type.
 # init.<board>.rc files often include device-specific types, so
 # we just allow all file types except /system files here.
-allow vendor_init self:capability { chown fowner fsetid };
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
 
 allow vendor_init {
   file_type
@@ -188,7 +188,7 @@ allow vendor_init dev_type:blk_file getattr;
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
 r_dir_file(vendor_init, proc_net)
 allow vendor_init proc_net:file w_file_perms;
-allow vendor_init self:capability net_admin;
+allow vendor_init self:global_capability_class_set net_admin;
 
 # Write to /proc/sys/vm/page-cluster
 allow vendor_init proc_page_cluster:file w_file_perms;
@@ -207,4 +207,4 @@ r_dir_file(vendor_init, vendor_file_type)
 allow vendor_init serialno_prop:file { getattr open read };
 
 # Vendor init can perform operations on trusted and security Extended Attributes
-allow vendor_init self:capability sys_admin;
+allow vendor_init self:global_capability_class_set sys_admin;

public/vold.te

@@ -75,7 +75,7 @@ allow vold shell_data_file:dir { create getattr setattr };
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
@@ -88,7 +88,7 @@ allow vold dm_device:blk_file rw_file_perms;
 allow vold domain:dir r_dir_perms;
 allow vold domain:{ file lnk_file } r_file_perms;
 allow vold domain:process { signal sigkill };
-allow vold self:capability { sys_ptrace kill };
+allow vold self:global_capability_class_set { sys_ptrace kill };
 
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
@@ -179,10 +179,10 @@ allow vold init:key { write search setattr };
 allow vold vold:key { write search setattr };
 
 # vold temporarily changes its priority when running benchmarks
-allow vold self:capability sys_nice;
+allow vold self:global_capability_class_set sys_nice;
 
 # vold needs to chroot into app namespaces to remount when runtime permissions change
-allow vold self:capability sys_chroot;
+allow vold self:global_capability_class_set sys_chroot;
 allow vold storage_file:dir mounton;
 
 # For AppFuse.

public/wificond.te

@@ -14,7 +14,7 @@ set_prop(wificond, ctl_default_prop)
 allow wificond self:udp_socket create_socket_perms;
 # setting interface state up/down is a privileged ioctl
 allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
-allow wificond self:capability { net_admin net_raw };
+allow wificond self:global_capability_class_set { net_admin net_raw };
 # allow wificond to speak to nl80211 in the kernel
 allow wificond self:netlink_socket create_socket_perms_no_ioctl;
 # newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets

public/wpantund.te

@@ -25,5 +25,5 @@ allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
 
 # Allow us to bring up a TUN network interface.
 allow wpantund tun_device:chr_file rw_file_perms;
-allow wpantund self:capability { net_admin net_raw };
+allow wpantund self:global_capability_class_set { net_admin net_raw };
 allow wpantund self:tun_socket create;

vendor/hostapd.te

@@ -5,7 +5,7 @@ type hostapd_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hostapd)
 
 net_domain(hostapd)
-allow hostapd self:capability { net_admin net_raw };
+allow hostapd self:global_capability_class_set { net_admin net_raw };
 
 # hostapd learns about its network interface via sysfs.
 allow hostapd sysfs:file r_file_perms;

vendor/tee.te

@@ -4,7 +4,7 @@
 type tee_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(tee)
 
-allow tee self:capability { dac_override };
+allow tee self:global_capability_class_set { dac_override };
 allow tee tee_device:chr_file rw_file_perms;
 allow tee tee_data_file:dir rw_dir_perms;
 allow tee tee_data_file:file create_file_perms;

vendor/vendor_modprobe.te

@@ -4,7 +4,7 @@ type vendor_modprobe, domain;
 domain_trans(init, vendor_toolbox_exec, vendor_modprobe)
 
 allow vendor_modprobe proc_modules:file r_file_perms;
-allow vendor_modprobe self:capability sys_module;
+allow vendor_modprobe self:global_capability_class_set sys_module;
 allow vendor_modprobe kernel:key search;
 
 allow vendor_modprobe { vendor_file }:system module_load;