Add user namespace capability object classes.

Define cap and cap2 commons to manage the permissions.
This commit is contained in:
Chris PeBenito 2016-04-06 14:52:26 -04:00
parent 599e5cf7f5
commit 0be4f9ba0f
2 changed files with 72 additions and 49 deletions


@ -120,6 +120,60 @@ common x_device
destroy destroy
} }
#
# Define a common for capability access vectors.
#
common cap
{
# The capabilities are defined in include/linux/capability.h
# Capabilities >= 32 are defined in the cap2 common.
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
audit_write
audit_control
setfcap
}
common cap2
{
mac_override # unused by SELinux
mac_admin # unused by SELinux
syslog
wake_alarm
block_suspend
audit_read
}
# #
# Define the access vectors. # Define the access vectors.
# #
@ -407,59 +461,14 @@ class system
} }
# #
# Define the access vector interpretation for controling capabilies # Define the access vector interpretation for controlling capabilities
# #
class capability class capability
{ inherits cap
# The capabilities are defined in include/linux/capability.h
# Capabilities >= 32 are defined in the capability2 class.
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
audit_write
audit_control
setfcap
}
class capability2 class capability2
{ inherits cap2
mac_override # unused by SELinux
mac_admin # unused by SELinux
syslog
wake_alarm
block_suspend
audit_read
}
# #
# Define the access vector interpretation for controlling # Define the access vector interpretation for controlling
@ -931,3 +940,13 @@ class service
enable enable
disable disable
} }
#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#
class cap_userns
inherits cap
class cap2_userns
inherits cap2
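Review bot: The comment block introducing `cap_userns` and `cap2_userns` does not say that these classes carry no class-specific permissions and that their permission set is exactly the `cap`/`cap2` commons, so a reader has to find the commons in the first hunk to know what `allow` rules on them can name. Since SELinux checks each object class independently, existing rules granting `capability`/`capability2` do not cover the new classes; the header comment could state this so policy authors know a separate rule is needed for the user-namespace check. I would extend the comment to `# Permissions are the cap/cap2 commons only; rules on capability/capability2 do not grant these classes.`. The "Order matters" note in the `cap` common now applies to every class that inherits it, which is worth a sentence there as well.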


@ -147,4 +147,8 @@ class db_language # userspace
class service # userspace class service # userspace
# Capability checks when on a non-init user namespace
class cap_userns
class cap2_userns
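Review bot: The two new classes are added directly after entries tagged `# userspace`, and the one-line comment does not say which side enforces them, so the file's own convention leaves it ambiguous whether `cap_userns` and `cap2_userns` are kernel or userspace classes. Presumably they are kernel classes checked when a capability is tested against a non-init user namespace (the corresponding access_vectors comment suggests so), but the security_classes entry should say it explicitly. I would change the comment to `# Kernel capability checks performed in a non-init user namespace` to match the `# userspace` marking style of the surrounding lines.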
# FLASK # FLASK