From 1637a8b407c85f67f0b2ca5c6d852cef3c999087 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Sat, 5 Aug 2017 12:13:21 -0400 Subject: [PATCH] Add nnp_nosuid_transition policycap and related class/perm definitions. --- policy/flask/access_vectors | 5 +++++ policy/flask/security_classes | 2 ++ policy/policy_capabilities | 8 ++++++++ 3 files changed, 15 insertions(+) diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 5d539e951..9c9db71bf 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -388,6 +388,11 @@ class process getrlimit } +class process2 +{ + nnp_transition + nosuid_transition +} # # Define the access vector interpretation for ipc-related objects diff --git a/policy/flask/security_classes b/policy/flask/security_classes index ce3268da0..3ff1b72d2 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes @@ -188,4 +188,6 @@ class kcm_socket class qipcrtr_socket class smc_socket +class process2 + # FLASK diff --git a/policy/policy_capabilities b/policy/policy_capabilities index 78484a91e..4f2a97afb 100644 --- a/policy/policy_capabilities +++ b/policy/policy_capabilities @@ -83,3 +83,11 @@ policycap open_perms; # Requires libsepol 2.7+ to build policy with this enabled. # policycap extended_socket_class; + +# Enable NoNewPrivileges support. Requires libsepol 2.7+ +# and kernel 4.14 (estimated). +# +# Checks enabled; +# process2: nnp_transition, nosuid_transition +# +#policycap nnp_nosuid_transition;