commit:     3c97654bc0a4134f249e1ea73ceb8a320dc238c9
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Apr  6 18:52:26 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 05:07:33 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3c97654b

Add user namespace capability object classes.

Define cap and cap2 commons to manage the permissions.

 policy/flask/access_vectors   | 117 ++++++++++++++++++++++++------------------
 policy/flask/security_classes |   4 ++
 2 files changed, 72 insertions(+), 49 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 3fe2bb9..8adec70 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -121,6 +121,60 @@ common x_device
 }
 
 #
+# Define a common for capability access vectors.
+#
+common cap
+{
+       # The capabilities are defined in include/linux/capability.h
+       # Capabilities >= 32 are defined in the cap2 common.
+       # Care should be taken to ensure that these are consistent with
+       # those definitions. (Order matters)
+
+       chown
+       dac_override
+       dac_read_search
+       fowner
+       fsetid
+       kill
+       setgid
+       setuid
+       setpcap
+       linux_immutable
+       net_bind_service
+       net_broadcast
+       net_admin
+       net_raw
+       ipc_lock
+       ipc_owner
+       sys_module
+       sys_rawio
+       sys_chroot
+       sys_ptrace
+       sys_pacct
+       sys_admin
+       sys_boot
+       sys_nice
+       sys_resource
+       sys_time
+       sys_tty_config
+       mknod
+       lease
+       audit_write
+       audit_control
+       setfcap
+}
+
+common cap2
+{
+       mac_override    # unused by SELinux
+       mac_admin       # unused by SELinux
+       syslog
+       wake_alarm
+       block_suspend
+       audit_read
+}
+
+#
 # Define the access vectors.
 #
 # class class_name [ inherits common_name ] { permission_name ... }
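Review bot: The cap2 common carries none of the consistency guidance that the cap common gives just above it, even though its permission list is equally position-dependent and tied to the kernel's capability numbering. A reader editing cap2 (say, appending a new capability) gets no hint that insertion order is significant. Suggest opening the cap2 body with `# Capabilities >= 32 are defined here; keep them in the same` / `# order as include/linux/capability.h (order matters).` mirroring the note in cap. The header comment on cap could also say that both commons are meant to be inherited by the capability classes rather than used directly, since a common defines no class on its own.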
@@ -407,59 +461,14 @@ class system
 }
 
 #
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
 #
 
 class capability
-{
-       # The capabilities are defined in include/linux/capability.h
-       # Capabilities >= 32 are defined in the capability2 class.
-       # Care should be taken to ensure that these are consistent with
-       # those definitions. (Order matters)
+inherits cap
 
-       chown           
-       dac_override    
-       dac_read_search 
-       fowner          
-       fsetid          
-       kill            
-       setgid           
-       setuid           
-       setpcap          
-       linux_immutable  
-       net_bind_service 
-       net_broadcast    
-       net_admin        
-       net_raw          
-       ipc_lock         
-       ipc_owner        
-       sys_module       
-       sys_rawio        
-       sys_chroot       
-       sys_ptrace       
-       sys_pacct        
-       sys_admin        
-       sys_boot         
-       sys_nice         
-       sys_resource     
-       sys_time         
-       sys_tty_config  
-       mknod
-       lease
-       audit_write
-       audit_control
-       setfcap
-}
-
-class capability2 
-{
-       mac_override    # unused by SELinux
-       mac_admin       # unused by SELinux
-       syslog
-       wake_alarm
-       block_suspend
-       audit_read
-}
+class capability2
+inherits cap2
 
 #
 # Define the access vector interpretation for controlling
@@ -931,3 +940,13 @@ class service
        enable
        disable
 }
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
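Review bot: The header comment describes cap_userns/cap2_userns only as controlling capabilities "in user namespaces", which is less precise than the security_classes side of this commit, where the same classes are described as checks made in a non-init user namespace. Because SELinux allow rules are keyed by object class, rules written against `capability`/`capability2` will not cover checks the kernel routes to these new classes, and policy authors reading this file are the ones who need that told to them. Suggest `# Define the access vector interpretation for controlling capabilities` / `# in non-init user namespaces (checked separately from the capability` / `# classes; rules on capability do not apply here)`. The permission sets are inherited unchanged from cap and cap2, so the bit layout matches the existing classes, which looks intentional.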

diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 8b6f1ed..16768c2 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -147,4 +147,8 @@ class db_language           # userspace
 
 class service                  # userspace
 
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
 # FLASK
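Review bot: The two new classes are appended after a run of declarations that this file annotates with `# userspace`, but they carry no such marker and are kernel-enforced, so a reader scanning the file's trailing block may file them alongside the userspace classes. Suggest making the distinction explicit in the added comment, e.g. `# Capability checks performed in a non-init user namespace (kernel)`, and fixing the phrasing "when on a" while doing so. The file's convention for kernel classes is not visible in this hunk, so if an explicit kernel marker exists elsewhere in the file it should be used instead.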
