From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
Date: Fri, 13 May 2016 05:37:22 +0000 (UTC) [thread overview]
Message-ID: <1463116053.3c97654bc0a4134f249e1ea73ceb8a320dc238c9.perfinion@gentoo> (raw)
commit: 3c97654bc0a4134f249e1ea73ceb8a320dc238c9
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Apr 6 18:52:26 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 05:07:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3c97654b
Add user namespace capability object classes.
Define cap and cap2 commons to manage the permissions.
policy/flask/access_vectors | 117 ++++++++++++++++++++++++------------------
policy/flask/security_classes | 4 ++
2 files changed, 72 insertions(+), 49 deletions(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 3fe2bb9..8adec70 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -121,6 +121,60 @@ common x_device
}
#
+# Define a common for capability access vectors.
+#
+common cap
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the cap2 common.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+common cap2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+ wake_alarm
+ block_suspend
+ audit_read
+}
+
+#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
@@ -407,59 +461,14 @@ class system
}
#
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
#
class capability
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the capability2 class.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
+inherits cap
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-class capability2
-{
- mac_override # unused by SELinux
- mac_admin # unused by SELinux
- syslog
- wake_alarm
- block_suspend
- audit_read
-}
+class capability2
+inherits cap2
#
# Define the access vector interpretation for controlling
@@ -931,3 +940,13 @@ class service
enable
disable
}
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 8b6f1ed..16768c2 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -147,4 +147,8 @@ class db_language # userspace
class service # userspace
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
# FLASK
next reply other threads:[~2016-05-13 5:37 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-13 5:37 Jason Zaman [this message]
-- strict thread matches above, loose matches on Subject: below --
2024-03-01 19:56 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/ Kenton Groombridge
2022-03-31 3:31 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-02-15 7:33 Jason Zaman
2019-12-16 17:48 Jason Zaman
2019-03-26 10:17 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-06-08 10:07 Jason Zaman
2017-05-18 17:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2017-05-18 17:03 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-08-13 18:35 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-05-13 5:37 Jason Zaman
2015-10-26 5:48 Jason Zaman
2015-05-22 19:32 Jason Zaman
2014-11-23 14:06 [gentoo-commits] proj/hardened-refpolicy:bitcoin " Sven Vermeulen
2014-11-22 16:25 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-06-25 19:06 Sven Vermeulen
2014-06-25 19:06 Sven Vermeulen
2014-06-25 19:06 Sven Vermeulen
2013-02-04 19:17 Sven Vermeulen
2012-07-26 19:23 Sven Vermeulen
2012-06-24 7:40 Sven Vermeulen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1463116053.3c97654bc0a4134f249e1ea73ceb8a320dc238c9.perfinion@gentoo \
--to=perfinion@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox