Add user namespace capability object classes.
Define cap and cap2 commons to manage the permissions.
parent
599e5cf7f5
commit
0be4f9ba0f
|
@ -120,6 +120,60 @@ common x_device
|
|||
destroy
|
||||
}
|
||||
|
||||
#
|
||||
# Define a common for capability access vectors.
|
||||
#
|
||||
common cap
|
||||
{
|
||||
# The capabilities are defined in include/linux/capability.h
|
||||
# Capabilities >= 32 are defined in the cap2 common.
|
||||
# Care should be taken to ensure that these are consistent with
|
||||
# those definitions. (Order matters)
|
||||
|
||||
chown
|
||||
dac_override
|
||||
dac_read_search
|
||||
fowner
|
||||
fsetid
|
||||
kill
|
||||
setgid
|
||||
setuid
|
||||
setpcap
|
||||
linux_immutable
|
||||
net_bind_service
|
||||
net_broadcast
|
||||
net_admin
|
||||
net_raw
|
||||
ipc_lock
|
||||
ipc_owner
|
||||
sys_module
|
||||
sys_rawio
|
||||
sys_chroot
|
||||
sys_ptrace
|
||||
sys_pacct
|
||||
sys_admin
|
||||
sys_boot
|
||||
sys_nice
|
||||
sys_resource
|
||||
sys_time
|
||||
sys_tty_config
|
||||
mknod
|
||||
lease
|
||||
audit_write
|
||||
audit_control
|
||||
setfcap
|
||||
}
|
||||
|
||||
common cap2
|
||||
{
|
||||
mac_override # unused by SELinux
|
||||
mac_admin # unused by SELinux
|
||||
syslog
|
||||
wake_alarm
|
||||
block_suspend
|
||||
audit_read
|
||||
}
|
||||
|
||||
#
|
||||
# Define the access vectors.
|
||||
#
|
||||
|
@ -407,59 +461,14 @@ class system
|
|||
}
|
||||
|
||||
#
|
||||
# Define the access vector interpretation for controling capabilies
|
||||
# Define the access vector interpretation for controlling capabilities
|
||||
#
|
||||
|
||||
class capability
|
||||
{
|
||||
# The capabilities are defined in include/linux/capability.h
|
||||
# Capabilities >= 32 are defined in the capability2 class.
|
||||
# Care should be taken to ensure that these are consistent with
|
||||
# those definitions. (Order matters)
|
||||
|
||||
chown
|
||||
dac_override
|
||||
dac_read_search
|
||||
fowner
|
||||
fsetid
|
||||
kill
|
||||
setgid
|
||||
setuid
|
||||
setpcap
|
||||
linux_immutable
|
||||
net_bind_service
|
||||
net_broadcast
|
||||
net_admin
|
||||
net_raw
|
||||
ipc_lock
|
||||
ipc_owner
|
||||
sys_module
|
||||
sys_rawio
|
||||
sys_chroot
|
||||
sys_ptrace
|
||||
sys_pacct
|
||||
sys_admin
|
||||
sys_boot
|
||||
sys_nice
|
||||
sys_resource
|
||||
sys_time
|
||||
sys_tty_config
|
||||
mknod
|
||||
lease
|
||||
audit_write
|
||||
audit_control
|
||||
setfcap
|
||||
}
|
||||
inherits cap
|
||||
|
||||
class capability2
|
||||
{
|
||||
mac_override # unused by SELinux
|
||||
mac_admin # unused by SELinux
|
||||
syslog
|
||||
wake_alarm
|
||||
block_suspend
|
||||
audit_read
|
||||
}
|
||||
inherits cap2
|
||||
|
||||
#
|
||||
# Define the access vector interpretation for controlling
|
||||
|
@ -931,3 +940,13 @@ class service
|
|||
enable
|
||||
disable
|
||||
}
|
||||
|
||||
#
|
||||
# Define the access vector interpretation for controlling capabilities
|
||||
# in user namespaces
|
||||
#
|
||||
class cap_userns
|
||||
inherits cap
|
||||
|
||||
class cap2_userns
|
||||
inherits cap2
|
||||
|
|
|
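Review bot: The new `class cap_userns` and `class cap2_userns` declarations in the last hunk of this file say only that they cover user namespaces; they should also tell policy writers that `capability`/`capability2` remain the classes checked in the init user namespace, so a domain that runs inside a user namespace needs its own rules on the new classes and gains nothing from existing `allow ... capability` rules. As far as I can tell that split is the purpose of the kernel change this tracks, but nothing in access_vectors states it; a comment such as `# Checked in place of capability/capability2 when the subject is in a non-init user namespace; allow rules on capability do not carry over.` above `class cap_userns` would close that gap. The file's own "Order matters" note in the `common cap` header of the first hunk now applies to these classes through inheritance, including the two `# unused by SELinux` placeholders in `common cap2`, so the `cap2` header deserves a line like `# mac_override and mac_admin are kept so the later permissions keep their positions` to stop a later cleanup from removing them.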
@ -147,4 +147,8 @@ class db_language # userspace
|
|||
|
||||
class service # userspace
|
||||
|
||||
# Capability checks when on a non-init user namespace
|
||||
class cap_userns
|
||||
class cap2_userns
|
||||
|
||||
# FLASK
|
||||
|
|
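Review bot: The comment on the new classes in security_classes, `# Capability checks when on a non-init user namespace`, is awkward ("when on") and, because it directly follows `class service # userspace`, a reader may take the preceding `# userspace` marker as applying to these kernel classes too. Suggest `# Kernel classes: capability checks when the subject is in a non-init user namespace`. Declaration order in this file is presumably still significant for kernels without dynamic class mapping, so appending at the end as done here looks like the right placement.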