From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 1BBCF13825A for ; Fri, 13 May 2016 05:37:32 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id CFE1F21C04E; Fri, 13 May 2016 05:37:28 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id F1CEE21C043 for ; Fri, 13 May 2016 05:37:26 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id B8B8F340A7B for ; Fri, 13 May 2016 05:37:25 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id A27D996D for ; Fri, 13 May 2016 05:37:22 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1463116053.3c97654bc0a4134f249e1ea73ceb8a320dc238c9.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/flask/access_vectors policy/flask/security_classes X-VCS-Directories: policy/flask/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 3c97654bc0a4134f249e1ea73ceb8a320dc238c9 X-VCS-Branch: master Date: Fri, 13 May 2016 05:37:22 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 0475ca21-afc0-458b-a489-99161d894d70 X-Archives-Hash: 6aec9a49ba25c058fe9e7df2e06550f1 commit: 3c97654bc0a4134f249e1ea73ceb8a320dc238c9 Author: Chris PeBenito tresys com> AuthorDate: Wed Apr 6 18:52:26 2016 +0000 Commit: Jason Zaman gentoo org> CommitDate: Fri May 13 05:07:33 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3c97654b Add user namespace capability object classes. Define cap and cap2 commons to manage the permissions. policy/flask/access_vectors | 117 ++++++++++++++++++++++++------------------ policy/flask/security_classes | 4 ++ 2 files changed, 72 insertions(+), 49 deletions(-) diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 3fe2bb9..8adec70 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors 
@@ -121,6 +121,60 @@ common x_device
 }
 #
+# Define a common for capability access vectors.
+#
+common cap
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the cap2 common.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+common cap2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+ wake_alarm
+ block_suspend
+ audit_read
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
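Review bot: `common cap2` is introduced without the header comment that `common cap` carries, even though it is now shared by more than one class (`capability2` here and `cap2_userns` later in this commit) and its contents are meant to track the kernel's capability list. Suggest opening the block with `# Capabilities >= 32, also from include/linux/capability.h; keep the order consistent with those definitions.` The `mac_override`/`mac_admin` entries are evidently kept only as ordering placeholders, which the existing `# unused by SELinux` remarks convey, so the new header could simply refer the reader to them.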
@@ -407,59 +461,14 @@ class system
 }
 #
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
 #
 class capability
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the capability2 class.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
+inherits cap
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-class capability2
-{
- mac_override # unused by SELinux
- mac_admin # unused by SELinux
- syslog
- wake_alarm
- block_suspend
- audit_read
-}
+class capability2
+inherits cap2
 #
 # Define the access vector interpretation for controlling
@@ -931,3 +940,13 @@ class service
 enable
 disable
 }
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 8b6f1ed..16768c2 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -147,4 +147,8 @@ class db_language # userspace
 class service # userspace
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
 # FLASK
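Review bot: The new `cap_userns` and `cap2_userns` classes in the `@@ -931,3 +940,13 @@` hunk are defined with no accompanying rules or interfaces anywhere in this commit, so a kernel that knows these classes will start checking capability use inside non-init user namespaces against a policy that grants nothing for them; presumably that surfaces as denials for domains that create user namespaces, depending on the build's unknown-permission handling, which is worth confirming before this lands in a release. The header comment could make the follow-up explicit, e.g. `# Rules for these classes are added separately; nothing is granted by this definition.` The comment also says `in user namespaces` while the `security_classes` entry says `non-init user namespace`; harmonising on `# in non-init user namespaces` avoids the reader assuming the init namespace is covered too.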
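Review bot: In the `security_classes` hunk the two new kernel-enforced classes are appended after the `# userspace`-tagged entries (`class db_language # userspace`, `class service # userspace`) and carry no tag themselves, so at a glance they read as userspace object classes. If the file groups kernel classes ahead of the userspace ones, as the tags suggest, the entries belong with the other kernel classes; if they are kept here, a `# kernel` tag on each line, or an explicit sentence in the comment, would make the distinction clear. Minor wording: `# Capability checks in a non-init user namespace` reads more naturally than `when on a non-init user namespace`.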