From 1637a8b407c85f67f0b2ca5c6d852cef3c999087 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <pebenito@ieee.org>
Date: Sat, 5 Aug 2017 12:13:21 -0400
Subject: [PATCH] Add nnp_nosuid_transition policycap and related class/perm
 definitions.

---
 policy/flask/access_vectors   | 5 +++++
 policy/flask/security_classes | 2 ++
 policy/policy_capabilities    | 8 ++++++++
 3 files changed, 15 insertions(+)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 5d539e951..9c9db71bf 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -388,6 +388,11 @@ class process
 	getrlimit
 }
 
+class process2
+{
+	nnp_transition
+	nosuid_transition
+}
 
 #
 # Define the access vector interpretation for ipc-related objects
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index ce3268da0..3ff1b72d2 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -188,4 +188,6 @@ class kcm_socket
 class qipcrtr_socket
 class smc_socket
 
+class process2
+
 # FLASK
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index 78484a91e..4f2a97afb 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -83,3 +83,11 @@ policycap open_perms;
 # Requires libsepol 2.7+ to build policy with this enabled.
 #
 policycap extended_socket_class;
+
+# Enable NoNewPrivileges support.  Requires libsepol 2.7+
+# and kernel 4.14 (estimated).
+#
+# Checks enabled;
+# process2: nnp_transition, nosuid_transition
+#
+#policycap nnp_nosuid_transition;