From 0be4f9ba0fd9dee52ea91b74572321539962154e Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 6 Apr 2016 14:52:26 -0400
Subject: [PATCH] Add user namespace capability object classes.

Define cap and cap2 commons to manage the permissions.
---
 policy/flask/access_vectors | 117 ++++++++++++++++++++--------------
 policy/flask/security_classes | 4 ++
 2 files changed, 72 insertions(+), 49 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 3fe2bb96d..8adec70f3 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -120,6 +120,60 @@ common x_device
 destroy
 }
 
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the cap2 common.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+common cap2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+ wake_alarm
+ block_suspend
+ audit_read
+}
+
 #
 # Define the access vectors.
 #
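Review bot: The header comment in `common cap` says that order matters but not that the count is fixed; since the next comment line states that capabilities from 32 upward live in `cap2`, `cap` has to stay at exactly 32 entries (chown through setfcap), otherwise an entry appended to `cap` would no longer line up with any kernel capability number. Suggest adding after the `(Order matters)` line: `# This common must hold exactly 32 entries (capability bits 0-31); capabilities numbered 32 and above are appended to cap2 instead.` The same constraint carries over to the classes that inherit these commons in the later hunks (capability/capability2 and cap_userns/cap2_userns), which should therefore add no class-specific permissions of their own; the kernel-side mapping this depends on is not visible in the patch and should be confirmed against include/linux/capability.h, which the comment already references.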
@@ -407,59 +461,14 @@ class system
 }
 
 #
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
 #
 class capability
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the capability2 class.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
+inherits cap
 
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-class capability2
-{
- mac_override # unused by SELinux
- mac_admin # unused by SELinux
- syslog
- wake_alarm
- block_suspend
- audit_read
-}
+class capability2
+inherits cap2
 
 #
 # Define the access vector interpretation for controlling
@@ -931,3 +940,13 @@ class service
 enable
 disable
 }
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 8b6f1ed3f..16768c228 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -147,4 +147,8 @@ class db_language # userspace
 class service # userspace
 
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
 # FLASK
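Review bot: The comment on the new security_classes entries reads `# Capability checks when on a non-init user namespace`; "when on" is awkward, and the line does not say how these classes relate to the `capability` and `capability2` classes that remain in the file. Suggested wording: `# Capability checks performed from a non-init user namespace; the capability/capability2 classes remain for the other case`, with the second half adjusted once the intended split is confirmed, since it is not stated anywhere in this patch. The new classes carry no `# userspace` marker, unlike the neighbouring `class service # userspace`, so they are declared as kernel-enforced classes; whether a kernel that predates them accepts a policy declaring classes it does not know depends on the policy's unknown-class handling, which is outside this patch and worth checking before the policy ships.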