sepolicy: Add rules for non-init namespaces

In kernel 4.7, the cap_userns and cap2_userns classes were split out of
the capability and capability2 classes (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
diff --git a/public/charger.te b/public/charger.te
index 9c48ddd..4577cbc 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -10,8 +10,8 @@
 r_dir_file(charger, rootfs)
 r_dir_file(charger, cgroup)
 
-allow charger self:capability { sys_tty_config };
-allow charger self:capability sys_boot;
+allow charger self:global_capability_class_set { sys_tty_config };
+allow charger self:global_capability_class_set sys_boot;
 
 wakelock_use(charger)
 
diff --git a/public/clatd.te b/public/clatd.te
index 212b76e..ee44abf 100644
--- a/public/clatd.te
+++ b/public/clatd.te
@@ -17,7 +17,7 @@
 allow clatd netd:unix_stream_socket { read write };
 allow clatd netd:unix_dgram_socket { read write };
 
-allow clatd self:capability { net_admin net_raw setuid setgid };
+allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
 
 # clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
 # capable(CAP_IPC_LOCK), and then checks to see the requested amount is
@@ -26,7 +26,7 @@
 # so we permit any requests we see from clatd asking for this capability.
 # See https://android-review.googlesource.com/127940 and
 # https://b.corp.google.com/issues/21736319
-allow clatd self:capability ipc_lock;
+allow clatd self:global_capability_class_set ipc_lock;
 
 allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index c101b34..d70b150 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -11,7 +11,7 @@
 
 # crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
 # which will result in an audit log even when it's allowed to trace.
-dontaudit crash_dump self:capability { sys_ptrace };
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
 
 userdebug_or_eng(`
   allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
diff --git a/public/dhcp.te b/public/dhcp.te
index 2b54b7f..1f1ef2b 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -4,7 +4,7 @@
 net_domain(dhcp)
 
 allow dhcp cgroup:dir { create write add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
 allow dhcp self:packet_socket create_socket_perms_no_ioctl;
 allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index ccac69a..3aaefd3 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -6,9 +6,9 @@
 allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
 
 # TODO:  Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:capability dac_override;
+allow dnsmasq self:global_capability_class_set dac_override;
 
-allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
+allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
 
 allow dnsmasq dhcp_data_file:dir w_dir_perms;
 allow dnsmasq dhcp_data_file:file create_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 7c53d0c..f4d5c68 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -248,7 +248,7 @@
   -init
   -ueventd
   -vold
-} self:capability mknod;
+} self:global_capability_class_set mknod;
 
 # Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
 neverallow {
@@ -261,16 +261,16 @@
   -healthd
   -uncrypt
   -tee
-} self:capability sys_rawio;
+} self:global_capability_class_set sys_rawio;
 
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
 neverallow * self:memprotect mmap_zero;
 
 # No domain needs mac_override as it is unused by SELinux.
-neverallow * self:capability2 mac_override;
+neverallow * self:global_capability2_class_set mac_override;
 
 # Only recovery needs mac_admin to set contexts not defined in current policy.
-neverallow { domain -recovery } self:capability2 mac_admin;
+neverallow { domain -recovery } self:global_capability2_class_set mac_admin;
 
 # Once the policy has been loaded there shall be none to modify the policy.
 # It is sealed.
@@ -1096,7 +1096,7 @@
 neverallow {
   domain
   -recovery
-} self:capability setfcap;
+} self:global_capability_class_set setfcap;
 
 # Enforce AT_SECURE for executing crash_dump.
 neverallow domain crash_dump:process noatsecure;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 772b63d..6f1fa69 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -8,12 +8,12 @@
 
 # Allow setting process priority, protect from OOM killer, and dropping
 # privileges by switching UID / GID
-allow dumpstate self:capability { setuid setgid sys_resource };
+allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
 
 # Allow dumpstate to scan through /proc/pid for all processes
 r_dir_file(dumpstate, domain)
 
-allow dumpstate self:capability {
+allow dumpstate self:global_capability_class_set {
     # Send signals to processes
     kill
     # Run iptables
@@ -33,7 +33,7 @@
 allow dumpstate system_file:dir r_dir_perms;
 
 # Create and write into /data/anr/
-allow dumpstate self:capability { dac_override chown fowner fsetid };
+allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
 allow dumpstate anr_data_file:dir rw_dir_perms;
 allow dumpstate anr_data_file:file create_file_perms;
 
@@ -42,7 +42,7 @@
 allow dumpstate system_data_file:file r_file_perms;
 
 # Read dmesg
-allow dumpstate self:capability2 syslog;
+allow dumpstate self:global_capability2_class_set syslog;
 allow dumpstate kernel:system syslog_read;
 
 # Read /sys/fs/pstore/console-ramoops
@@ -116,7 +116,7 @@
 allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
 
 # Reading /proc/PID/maps of other processes
-allow dumpstate self:capability sys_ptrace;
+allow dumpstate self:global_capability_class_set sys_ptrace;
 
 # Allow the bugreport service to create a file in
 # /data/data/com.android.shell/files/bugreports/bugreport
diff --git a/public/global_macros b/public/global_macros
index bcfb686..5dab5ab 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -1,7 +1,9 @@
 #####################################
 # Common groupings of object classes.
 #
-define(`capability_class_set', `{ capability capability2 }')
+define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
+define(`global_capability_class_set', `{ capability cap_userns }')
+define(`global_capability2_class_set', `{ capability2 cap2_userns }')
 
 define(`devfile_class_set', `{ chr_file blk_file }')
 define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
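Review bot: The three new `define`s carry no comment explaining why `cap_userns`/`cap2_userns` are folded in, so a later reader cannot tell from this file that `global_capability_class_set` is meant to replace `capability` in `self:` allow rules while the widened `capability_class_set` stays the all-classes set used by neverallow/dontaudit. I would add above the defines: `# Since kernel 4.7, a capability exercised inside a non-init user namespace is checked against cap_userns/cap2_userns rather than capability/capability2; the global_* sets grant a rule in both so policy behaves the same on either kernel.` The same comment should make explicit that every allow converted to these sets now also grants the capability inside any user namespace the domain is able to enter, which is the intended container behaviour but is a widening relative to the old `capability`-only rule, so the sets should not be used to silence a denial without that understanding.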
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 2394e2e..461523b 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -8,7 +8,7 @@
 wakelock_use(hal_bluetooth);
 
 # The HAL toggles rfkill to power the chip off/on.
-allow hal_bluetooth self:capability net_admin;
+allow hal_bluetooth self:global_capability_class_set net_admin;
 
 # bluetooth factory file accesses.
 r_dir_file(hal_bluetooth, bluetooth_efs_file)
@@ -18,7 +18,7 @@
 # sysfs access.
 r_dir_file(hal_bluetooth, sysfs_type)
 allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow hal_bluetooth self:capability2 wake_alarm;
+allow hal_bluetooth self:global_capability2_class_set wake_alarm;
 
 # Allow write access to bluetooth-specific properties
 set_prop(hal_bluetooth, bluetooth_prop)
@@ -27,4 +27,4 @@
 allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
 
 # allow to run with real-time scheduling policy
-allow hal_bluetooth self:capability sys_nice;
+allow hal_bluetooth self:global_capability_class_set sys_nice;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index f56e8f6..e2b04ae 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -10,4 +10,4 @@
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
 
 # allow to run with real-time scheduling policy
-allow hal_graphics_allocator self:capability sys_nice;
+allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 287037c..2df4612 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -23,4 +23,4 @@
 allow hal_graphics_composer appdomain:fd use;
 
 # allow self to set SCHED_FIFO
-allow hal_graphics_composer self:capability sys_nice;
+allow hal_graphics_composer self:global_capability_class_set sys_nice;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 036e1d2..c866bae 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -6,7 +6,7 @@
   -hal_wifi_server
   -hal_wifi_supplicant_server
   -rild
-} self:capability { net_admin net_raw };
+} self:global_capability_class_set { net_admin net_raw };
 
 # Unless a HAL's job is to communicate over the network, or control network
 # hardware, it should not be using network sockets.
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 068c93b..9d7cbe9 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -12,4 +12,4 @@
 allow hal_sensors hal_allocator:fd use;
 
 # allow to run with real-time scheduling policy
-allow hal_sensors self:capability sys_nice;
+allow hal_sensors self:global_capability_class_set sys_nice;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index e267731..ac8a0d9 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -14,7 +14,7 @@
 allow hal_wifi self:udp_socket create_socket_perms;
 allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
 
-allow hal_wifi self:capability { net_admin net_raw };
+allow hal_wifi self:global_capability_class_set { net_admin net_raw };
 # allow hal_wifi to speak to nl80211 in the kernel
 allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
 # newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
@@ -22,4 +22,4 @@
 # hal_wifi writes firmware paths to this file.
 allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
 # allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
-allow hal_wifi proc_modules:file { getattr open read };
\ No newline at end of file
+allow hal_wifi proc_modules:file { getattr open read };
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 10db826..6bf0d32 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -12,7 +12,7 @@
 r_dir_file(hal_wifi_supplicant, proc_net)
 
 allow hal_wifi_supplicant kernel:system module_request;
-allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
+allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
 allow hal_wifi_supplicant cgroup:dir create_dir_perms;
 allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
 allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
diff --git a/public/healthd.te b/public/healthd.te
index e7c92c4..856a4b1 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -14,8 +14,8 @@
 # /{system,vendor,odm}/lib[64]/hw/
 r_dir_file(healthd, system_file)
 
-allow healthd self:capability { sys_tty_config };
-allow healthd self:capability sys_boot;
+allow healthd self:global_capability_class_set { sys_tty_config };
+allow healthd self:global_capability_class_set sys_boot;
 
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
diff --git a/public/init.te b/public/init.te
index deeb887..9792522 100644
--- a/public/init.te
+++ b/public/init.te
@@ -40,7 +40,7 @@
 allow init misc_block_device:{ blk_file lnk_file } relabelto;
 
 # setrlimit
-allow init self:capability sys_resource;
+allow init self:global_capability_class_set sys_resource;
 
 # Remove /dev/.booting, created before initial policy load or restorecon /dev.
 allow init tmpfs:file unlink;
@@ -61,7 +61,7 @@
 allow init tty_device:chr_file rw_file_perms;
 
 # Call mount(2).
-allow init self:capability sys_admin;
+allow init self:global_capability_class_set sys_admin;
 
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
@@ -92,12 +92,12 @@
 allow init tmpfs:dir relabelfrom;
 
 # Create directories under /dev/cpuctl after chowning it to system.
-allow init self:capability dac_override;
+allow init self:global_capability_class_set dac_override;
 
 # Set system clock.
-allow init self:capability sys_time;
+allow init self:global_capability_class_set sys_time;
 
-allow init self:capability { sys_rawio mknod };
+allow init self:global_capability_class_set { sys_rawio mknod };
 
 # Mounting filesystems from block devices.
 allow init dev_type:blk_file r_file_perms;
@@ -124,7 +124,7 @@
 # system/core/init.rc requires at least cache_file and data_file_type.
 # init.<board>.rc files often include device-specific types, so
 # we just allow all file types except /system files here.
-allow init self:capability { chown fowner fsetid };
+allow init self:global_capability_class_set { chown fowner fsetid };
 
 allow init {
   file_type
@@ -256,7 +256,7 @@
 # Any operation that can modify the kernel ring buffer, e.g. clear
 # or a read that consumes the messages that were read.
 allow init kernel:system syslog_mod;
-allow init self:capability2 syslog;
+allow init self:global_capability2_class_set syslog;
 
 # init access to /proc.
 r_dir_file(init, proc_net)
@@ -295,10 +295,10 @@
 # Set usermodehelpers.
 allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
 
-allow init self:capability net_admin;
+allow init self:global_capability_class_set net_admin;
 
 # Reboot.
-allow init self:capability sys_boot;
+allow init self:global_capability_class_set sys_boot;
 
 # Write to sysfs nodes.
 allow init sysfs_type:dir r_dir_perms;
@@ -311,7 +311,7 @@
 allow init misc_logd_file:file { open create getattr setattr write };
 
 # Support "adb shell stop"
-allow init self:capability kill;
+allow init self:global_capability_class_set kill;
 allow init domain:process { getpgid sigkill signal };
 
 # Init creates keystore's directory on boot, and walks through
@@ -329,7 +329,7 @@
 allow init shell_data_file:file { getattr };
 
 # Set UID, GID, and adjust capability bounding set for services.
-allow init self:capability { setuid setgid setpcap };
+allow init self:global_capability_class_set { setuid setgid setpcap };
 
 # For bootchart to read the /proc/$pid/cmdline file of each process,
 # we need to have following line to allow init to have access
@@ -369,13 +369,13 @@
 # so it can be picked up and processed by logd. These denials are
 # generated when an attempt to set a property is denied by policy.
 allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
-allow init self:capability audit_write;
+allow init self:global_capability_class_set audit_write;
 
 # Run "ifup lo" to bring up the localhost interface
 allow init self:udp_socket { create ioctl };
 # in addition to unpriv ioctls granted to all domains, init also needs:
 allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
-allow init self:capability net_raw;
+allow init self:global_capability_class_set net_raw;
 
 # This line seems suspect, as it should not really need to
 # set scheduling parameters for a kernel domain task.
@@ -396,7 +396,7 @@
 allow init device:file create_file_perms;
 
 # keychord configuration
-allow init self:capability sys_tty_config;
+allow init self:global_capability_class_set sys_tty_config;
 allow init keychord_device:chr_file rw_file_perms;
 
 # Access device mapper for setting up dm-verity
diff --git a/public/install_recovery.te b/public/install_recovery.te
index 2115663..ab68838 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -2,7 +2,7 @@
 type install_recovery, domain;
 type install_recovery_exec, exec_type, file_type;
 
-allow install_recovery self:capability dac_override;
+allow install_recovery self:global_capability_class_set dac_override;
 
 # /system/bin/install-recovery.sh is a shell script.
 # Needs to execute /system/bin/sh
diff --git a/public/installd.te b/public/installd.te
index d02a86a..fad4562 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -2,7 +2,7 @@
 type installd, domain;
 type installd_exec, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
 
 # Allow labeling of files under /data/app/com.example/oat/
 allow installd dalvikcache_data_file:dir relabelto;
diff --git a/public/kernel.te b/public/kernel.te
index 74c77a9..ba1dec9 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -1,7 +1,7 @@
 # Life begins with the kernel.
 type kernel, domain, mlstrustedsubject;
 
-allow kernel self:capability sys_nice;
+allow kernel self:global_capability_class_set sys_nice;
 
 # Root fs.
 r_dir_file(kernel, rootfs)
@@ -33,14 +33,14 @@
 dontaudit kernel self:security setenforce;
 
 # Write to /proc/1/oom_adj prior to switching to init domain.
-allow kernel self:capability sys_resource;
+allow kernel self:global_capability_class_set sys_resource;
 
 # Init reboot before switching selinux domains under certain error
 # conditions. Allow it.
 # As part of rebooting, init writes "u" to /proc/sysrq-trigger to
 # remount filesystems read-only. /data is not mounted at this point,
 # so we could ignore this. For now, we allow it.
-allow kernel self:capability sys_boot;
+allow kernel self:global_capability_class_set sys_boot;
 allow kernel proc_sysrq:file w_file_perms;
 
 # Allow writing to /dev/kmsg which was created prior to loading policy.
@@ -101,4 +101,4 @@
 # the kernel should not be accessing files owned by other users.
 # Instead of adding dac_{read_search,override}, fix the unix permissions
 # on files being accessed.
-neverallow kernel self:capability { dac_override dac_read_search };
+neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
diff --git a/public/lmkd.te b/public/lmkd.te
index 0ff9518..f43e42a 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -2,13 +2,13 @@
 type lmkd, domain, mlstrustedsubject;
 type lmkd_exec, exec_type, file_type;
 
-allow lmkd self:capability { dac_override sys_resource kill };
+allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
 
 # lmkd locks itself in memory, to prevent it from being
 # swapped out and unable to kill other memory hogs.
 # system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
 # b/16236289
-allow lmkd self:capability ipc_lock;
+allow lmkd self:global_capability_class_set ipc_lock;
 
 ## Open and write to /proc/PID/oom_score_adj
 ## TODO: maybe scope this down?
@@ -31,7 +31,7 @@
 allow lmkd cgroup:file r_file_perms;
 
 # Set self to SCHED_FIFO
-allow lmkd self:capability sys_nice;
+allow lmkd self:global_capability_class_set sys_nice;
 
 allow lmkd proc_zoneinfo:file r_file_perms;
 
diff --git a/public/logd.te b/public/logd.te
index c47bfd7..817a705 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -8,8 +8,8 @@
 r_dir_file(logd, proc_meminfo)
 r_dir_file(logd, proc_net)
 
-allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
-allow logd self:capability2 syslog;
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
 allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
 allow logd kernel:system syslog_read;
 allow logd kmsg_device:chr_file w_file_perms;
diff --git a/public/modprobe.te b/public/modprobe.te
index 3ed320e..7d9e05d 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -1,7 +1,7 @@
 type modprobe, domain;
 
 allow modprobe proc_modules:file r_file_perms;
-allow modprobe self:capability sys_module;
+allow modprobe self:global_capability_class_set sys_module;
 allow modprobe kernel:key search;
 recovery_only(`
   allow modprobe rootfs:system module_load;
diff --git a/public/mtp.te b/public/mtp.te
index a776240..7256bcf 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -6,6 +6,6 @@
 
 # pptp policy
 allow mtp self:socket create_socket_perms_no_ioctl;
-allow mtp self:capability net_raw;
+allow mtp self:global_capability_class_set net_raw;
 allow mtp ppp:process signal;
 allow mtp vpn_data_file:dir search;
diff --git a/public/netd.te b/public/netd.te
index ab01fd8..fa03dbd 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -9,14 +9,14 @@
 r_dir_file(netd, cgroup)
 allow netd system_server:fd use;
 
-allow netd self:capability { net_admin net_raw kill };
+allow netd self:global_capability_class_set { net_admin net_raw kill };
 # Note: fsetid is deliberately not included above. fsetid checks are
 # triggered by chmod on a directory or file owned by a group other
 # than one of the groups assigned to the current process to see if
 # the setgid bit should be cleared, regardless of whether the setgid
 # bit was even set.  We do not appear to truly need this capability
 # for netd to operate.
-dontaudit netd self:capability fsetid;
+dontaudit netd self:global_capability_class_set fsetid;
 
 allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_route_socket nlmsg_write;
@@ -60,12 +60,12 @@
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
 #       Why?
-allow netd self:capability { dac_override chown };
+allow netd self:global_capability_class_set { dac_override chown };
 
 # Needed to update /data/misc/net/rt_tables
 allow netd net_data_file:file create_file_perms;
 allow netd net_data_file:dir rw_dir_perms;
-allow netd self:capability fowner;
+allow netd self:global_capability_class_set fowner;
 
 # Needed to lock the iptables lock.
 allow netd system_file:file lock;
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
index c071f44..894363a 100644
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -5,7 +5,7 @@
 # Chroot preparation and execution.
 # We need to create an unshared mount namespace, and then mount /data.
 allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot self:capability { sys_admin sys_chroot };
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
 
 # This is required to mount /vendor.
 allow otapreopt_chroot block_device:dir search;
diff --git a/public/performanced.te b/public/performanced.te
index 9bf813e..5f23088 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -10,7 +10,7 @@
 pdx_server(performanced, performance_client)
 
 # TODO: use file caps to obtain sys_nice instead of setuid / setgid.
-allow performanced self:capability { setuid setgid sys_nice };
+allow performanced self:global_capability_class_set { setuid setgid sys_nice };
 
 # Access /proc to validate we're only affecting threads in the same thread group.
 # Performanced also shields unbound kernel threads.  It scans every task in the
diff --git a/public/perfprofd.te b/public/perfprofd.te
index bfb8693..578391c 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -20,7 +20,7 @@
   # perfprofd reads a config file from /data/data/com.google.android.gms/files
   allow perfprofd app_data_file:file r_file_perms;
   allow perfprofd app_data_file:dir search;
-  allow perfprofd self:capability { dac_override };
+  allow perfprofd self:global_capability_class_set { dac_override };
 
   # perfprofd opens a file for writing in /data/misc/perfprofd
   allow perfprofd perfprofd_data_file:file create_file_perms;
@@ -34,13 +34,13 @@
   wakelock_use(perfprofd);
 
   # simpleperf uses ioctl() to turn on kernel perf events measurements
-  allow perfprofd self:capability sys_admin;
+  allow perfprofd self:global_capability_class_set sys_admin;
 
   # simpleperf needs to examine /proc to collect task/thread info
   r_dir_file(perfprofd, domain)
 
   # simpleperf needs to access /proc/<pid>/exec
-  allow perfprofd self:capability { sys_resource sys_ptrace };
+  allow perfprofd self:global_capability_class_set { sys_resource sys_ptrace };
   neverallow perfprofd domain:process ptrace;
 
   # simpleperf needs open/read any file that turns up in a profile
@@ -54,6 +54,6 @@
   allow perfprofd toolbox_exec:file rx_file_perms;
 
   # needed for simpleperf on some kernels
-  allow perfprofd self:capability ipc_lock;
+  allow perfprofd self:global_capability_class_set ipc_lock;
 
 ')
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index d6c2060..8881f44 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,7 +5,7 @@
 
 type postinstall_dexopt, domain;
 
-allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner setgid setuid };
 
 allow postinstall_dexopt postinstall_file:filesystem getattr;
 allow postinstall_dexopt postinstall_file:dir { getattr search };
diff --git a/public/ppp.te b/public/ppp.te
index 04e17f5..9340dee 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -15,7 +15,7 @@
 
 allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:capability net_admin;
+allow ppp self:global_capability_class_set net_admin;
 allow ppp system_file:file rx_file_perms;
 not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
 allow ppp vpn_data_file:dir w_dir_perms;
diff --git a/public/racoon.te b/public/racoon.te
index 00744d8..c759217 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -15,7 +15,7 @@
 
 allow racoon self:key_socket create_socket_perms_no_ioctl;
 allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:capability { net_admin net_bind_service net_raw };
+allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
 
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
 allow racoon system_file:file rx_file_perms;
diff --git a/public/recovery.te b/public/recovery.te
index fb61dbd..3e3c28e 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -12,10 +12,10 @@
   # Recovery can only use HALs in passthrough mode
   passthrough_hal_client_domain(recovery, hal_bootctl)
 
-  allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
+  allow recovery self:global_capability_class_set { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
 
   # Set security contexts on files that are not known to the loaded policy.
-  allow recovery self:capability2 mac_admin;
+  allow recovery self:global_capability2_class_set mac_admin;
 
   # Run helpers from / or /system without changing domain.
   r_dir_file(recovery, rootfs)
diff --git a/public/rild.te b/public/rild.te
index 4244ff3..5bcde72 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -7,7 +7,7 @@
 
 allow rild self:netlink_route_socket nlmsg_write;
 allow rild kernel:system module_request;
-allow rild self:capability { setpcap setgid setuid net_admin net_raw };
+allow rild self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
 allow rild alarm_device:chr_file rw_file_perms;
 allow rild cgroup:dir create_dir_perms;
 allow rild cgroup:{ file lnk_file } r_file_perms;
diff --git a/public/runas.te b/public/runas.te
index ca6f4f6..053a87f 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -18,11 +18,11 @@
 allow runas system_data_file:lnk_file read;
 
 # run-as checks and changes to the app data dir.
-dontaudit runas self:capability dac_override;
+dontaudit runas self:global_capability_class_set dac_override;
 allow runas app_data_file:dir { getattr search };
 
 # run-as switches to the app UID/GID.
-allow runas self:capability { setuid setgid };
+allow runas self:global_capability_class_set { setuid setgid };
 
 # run-as switches to the app security context.
 selinux_check_context(runas) # validate context
@@ -38,5 +38,5 @@
 ###
 
 # run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow runas self:capability ~{ setuid setgid };
-neverallow runas self:capability2 *;
+neverallow runas self:global_capability_class_set ~{ setuid setgid };
+neverallow runas self:global_capability2_class_set *;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 2af6410..4a88f54 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -10,7 +10,7 @@
 allow sdcardd storage_file:dir search;
 allow sdcardd storage_stub_file:dir { search mounton };
 allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
 
 allow sdcardd sdcard_type:dir create_dir_perms;
 allow sdcardd sdcard_type:file create_file_perms;
diff --git a/public/sgdisk.te b/public/sgdisk.te
index 3007398..ca3096c 100644
--- a/public/sgdisk.te
+++ b/public/sgdisk.te
@@ -14,7 +14,7 @@
 allow sgdisk vold:fifo_file { read write getattr };
 
 # Used to probe kernel to reload partition tables
-allow sgdisk self:capability sys_admin;
+allow sgdisk self:global_capability_class_set sys_admin;
 
 # Only allow entry from vold
 neverallow { domain -vold } sgdisk:process transition;
diff --git a/public/slideshow.te b/public/slideshow.te
index 86d4bff..10fbbb8 100644
--- a/public/slideshow.te
+++ b/public/slideshow.te
@@ -5,7 +5,7 @@
 allow slideshow kmsg_device:chr_file rw_file_perms;
 wakelock_use(slideshow)
 allow slideshow device:dir r_dir_perms;
-allow slideshow self:capability sys_tty_config;
+allow slideshow self:global_capability_class_set sys_tty_config;
 allow slideshow graphics_device:dir r_dir_perms;
 allow slideshow graphics_device:chr_file rw_file_perms;
 allow slideshow input_device:dir r_dir_perms;
diff --git a/public/te_macros b/public/te_macros
index f3aa583..aad2949 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -402,7 +402,7 @@
 # Access /sys/power/wake_lock and /sys/power/wake_unlock
 allow $1 sysfs_wake_lock:file rw_file_perms;
 # Accessing these files requires CAP_BLOCK_SUSPEND
-allow $1 self:capability2 block_suspend;
+allow $1 self:global_capability2_class_set block_suspend;
 ')
 
 #####################################
diff --git a/public/ueventd.te b/public/ueventd.te
index 7e1f3fd..b4a2497 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -5,7 +5,7 @@
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;
 
-allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
 
 r_dir_file(ueventd, rootfs)
diff --git a/public/uncrypt.te b/public/uncrypt.te
index dd2d7dd..1e48b83 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -2,7 +2,7 @@
 type uncrypt, domain, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
 
-allow uncrypt self:capability dac_override;
+allow uncrypt self:global_capability_class_set dac_override;
 
 # Read OTA zip file from /data/data/com.google.android.gsf/app_download
 r_dir_file(uncrypt, app_data_file)
@@ -29,7 +29,7 @@
 set_prop(uncrypt, powerctl_prop)
 
 # Raw writes to block device
-allow uncrypt self:capability sys_rawio;
+allow uncrypt self:global_capability_class_set sys_rawio;
 allow uncrypt misc_block_device:blk_file w_file_perms;
 allow uncrypt block_device:dir r_dir_perms;
 
diff --git a/public/update_engine.te b/public/update_engine.te
index fef5dec..6e97aa9 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -11,12 +11,12 @@
 
 # Following permissions are needed for update_engine.
 allow update_engine self:process { setsched };
-allow update_engine self:capability { fowner sys_admin };
+allow update_engine self:global_capability_class_set { fowner sys_admin };
 # Note: fsetid checks are triggered when creating a file in a directory with
 # the setgid bit set to determine if the file should inherit setgid. In this
 # case, setgid on the file is undesirable so we should just suppress the
 # denial.
-dontaudit update_engine self:capability fsetid;
+dontaudit update_engine self:global_capability_class_set fsetid;
 
 allow update_engine kmsg_device:chr_file w_file_perms;
 allow update_engine update_engine_exec:file rx_file_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 16d283f..5b9d09f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -22,14 +22,14 @@
 allow vendor_init configfs:{ file lnk_file } create_file_perms;
 
 # Create directories under /dev/cpuctl after chowning it to system.
-allow vendor_init self:capability dac_override;
+allow vendor_init self:global_capability_class_set dac_override;
 
 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
 # chown/chmod require open+read+setattr required for open()+fchown/fchmod().
 # system/core/init.rc requires at least cache_file and data_file_type.
 # init.<board>.rc files often include device-specific types, so
 # we just allow all file types except /system files here.
-allow vendor_init self:capability { chown fowner fsetid };
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
 
 allow vendor_init {
   file_type
@@ -188,7 +188,7 @@
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
 r_dir_file(vendor_init, proc_net)
 allow vendor_init proc_net:file w_file_perms;
-allow vendor_init self:capability net_admin;
+allow vendor_init self:global_capability_class_set net_admin;
 
 # Write to /proc/sys/vm/page-cluster
 allow vendor_init proc_page_cluster:file w_file_perms;
@@ -207,4 +207,4 @@
 allow vendor_init serialno_prop:file { getattr open read };
 
 # Vendor init can perform operations on trusted and security Extended Attributes
-allow vendor_init self:capability sys_admin;
+allow vendor_init self:global_capability_class_set sys_admin;
diff --git a/public/vold.te b/public/vold.te
index 148f4b5..b446915 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -75,7 +75,7 @@
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
@@ -88,7 +88,7 @@
 allow vold domain:dir r_dir_perms;
 allow vold domain:{ file lnk_file } r_file_perms;
 allow vold domain:process { signal sigkill };
-allow vold self:capability { sys_ptrace kill };
+allow vold self:global_capability_class_set { sys_ptrace kill };
 
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
@@ -179,10 +179,10 @@
 allow vold vold:key { write search setattr };
 
 # vold temporarily changes its priority when running benchmarks
-allow vold self:capability sys_nice;
+allow vold self:global_capability_class_set sys_nice;
 
 # vold needs to chroot into app namespaces to remount when runtime permissions change
-allow vold self:capability sys_chroot;
+allow vold self:global_capability_class_set sys_chroot;
 allow vold storage_file:dir mounton;
 
 # For AppFuse.
diff --git a/public/wificond.te b/public/wificond.te
index c91053e..8eeb8c8 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -14,7 +14,7 @@
 allow wificond self:udp_socket create_socket_perms;
 # setting interface state up/down is a privileged ioctl
 allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
-allow wificond self:capability { net_admin net_raw };
+allow wificond self:global_capability_class_set { net_admin net_raw };
 # allow wificond to speak to nl80211 in the kernel
 allow wificond self:netlink_socket create_socket_perms_no_ioctl;
 # newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
diff --git a/public/wpantund.te b/public/wpantund.te
index a97481e..b317236 100644
--- a/public/wpantund.te
+++ b/public/wpantund.te
@@ -25,5 +25,5 @@
 
 # Allow us to bring up a TUN network interface.
 allow wpantund tun_device:chr_file rw_file_perms;
-allow wpantund self:capability { net_admin net_raw };
+allow wpantund self:global_capability_class_set { net_admin net_raw };
 allow wpantund self:tun_socket create;