sepolicy: Fix references to self:capability
commit 9b2e0cbeeaae560b07e4ffa6e5b8e505699e4a76 added a new
self:global_capability_class_set macro that covers both self:capability
and self:cap_userns. Apply the new macro to various self:capability
references that have cropped up since then.
Bug: 112307595
Test: policy diff shows new rules are all cap_userns
Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 4e8ec2b..bcfbf39 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -27,4 +27,4 @@
# only system_server, netd and bpfloader can read/write the bpf maps
neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
-dontaudit bpfloader self:capability sys_admin;
+dontaudit bpfloader self:global_capability_class_set sys_admin;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 5d80f7e..ef5a396 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -35,7 +35,7 @@
allow traced_probes system_file:dir { open read };
# Allow traced_probes to list some of the data partition.
-allow traced_probes self:capability dac_read_search;
+allow traced_probes self:global_capability_class_set dac_read_search;
allow traced_probes apk_data_file:dir { getattr open read search };
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
diff --git a/private/zygote.te b/private/zygote.te
index ac1ef00..3a8e793 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -112,7 +112,7 @@
get_prop(zygote, exported_overlay_prop)
# ingore spurious denials
-dontaudit zygote self:capability sys_resource;
+dontaudit zygote self:global_capability_class_set sys_resource;
###
### neverallow rules
diff --git a/public/domain.te b/public/domain.te
index 3afbe7e..c8b0bc1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1397,8 +1397,8 @@
-vold
-vold_prepare_subdirs
-zygote
-} self:capability dac_override;
-neverallow { domain -traced_probes } self:capability dac_read_search;
+} self:global_capability_class_set dac_override;
+neverallow { domain -traced_probes } self:global_capability_class_set dac_read_search;
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 9c13f55..2491734 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -4,4 +4,4 @@
hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
-dontaudit hal_bootctl self:capability sys_rawio;
+dontaudit hal_bootctl self:global_capability_class_set sys_rawio;
diff --git a/public/update_engine.te b/public/update_engine.te
index 2075985..26b0581 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -19,7 +19,7 @@
# Ignore these denials.
dontaudit update_engine kernel:process setsched;
-dontaudit update_engine self:capability sys_rawio;
+dontaudit update_engine self:global_capability_class_set sys_rawio;
# Allow using persistent storage in /data/misc/update_engine.
allow update_engine update_engine_data_file:dir create_dir_perms;