1b1d133be5
af63f4193fallows a security policy writer to determine whether transitions under nosuid / NO_NEW_PRIVS should be allowed or not. Define these permissions, so that they're usable to policy writers. This change is modeled after refpolicy1637a8b407Test: policy compiles and device boots Test Note: Because this requires a newer kernel, full testing on such kernels could not be done. Change-Id: I9866724b3b97adfc0cdef5aaba6de0ebbfbda72f
20 lines
536 B
Text
20 lines
536 B
Text
# Enable new networking controls.
|
|
policycap network_peer_controls;
|
|
|
|
# Enable open permission check.
|
|
policycap open_perms;
|
|
|
|
# Enable separate security classes for
|
|
# all network address families previously
|
|
# mapped to the socket class and for
|
|
# ICMP and SCTP sockets previously mapped
|
|
# to the rawip_socket class.
|
|
policycap extended_socket_class;
|
|
|
|
# Enable NoNewPrivileges support. Requires libsepol 2.7+
|
|
# and kernel 4.14 (estimated).
|
|
#
|
|
# Checks enabled;
|
|
# process2: nnp_transition, nosuid_transition
|
|
#
|
|
policycap nnp_nosuid_transition;
|