9b2e0cbeea
In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
11 lines
360 B
Text
11 lines
360 B
Text
type modprobe, domain;
|
|
|
|
allow modprobe proc_modules:file r_file_perms;
|
|
allow modprobe self:global_capability_class_set sys_module;
|
|
allow modprobe kernel:key search;
|
|
recovery_only(`
|
|
allow modprobe rootfs:system module_load;
|
|
allow modprobe rootfs:file r_file_perms;
|
|
')
|
|
allow modprobe { system_file }:system module_load;
|
|
r_dir_file(modprobe, { system_file })
|