From 1b1d133be5350989cbd6c09e4f000e146f9ab7ae Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 7 Sep 2018 10:48:55 -0700
Subject: [PATCH] Add nnp_nosuid_transition policycap and related class/perm
 definitions.

https://github.com/torvalds/linux/commit/af63f4193f9fbbbac50fc766417d74735afd87ef
allows a security policy writer to determine whether transitions under
nosuid / NO_NEW_PRIVS should be allowed or not.

Define these permissions, so that they're usable to policy writers.

This change is modeled after refpolicy
https://github.com/TresysTechnology/refpolicy/commit/1637a8b407c85f67f0b2ca5c6d852cef3c999087

Test: policy compiles and device boots
Test Note: Because this requires a newer kernel, full testing on such
   kernels could not be done.
Change-Id: I9866724b3b97adfc0cdef5aaba6de0ebbfbda72f
---
 private/access_vectors      | 5 +++++
 private/policy_capabilities | 7 +++++++
 private/security_classes    | 2 ++
 3 files changed, 14 insertions(+)

diff --git a/private/access_vectors b/private/access_vectors
index 898c884cd..57ab3a8f0 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -330,6 +330,11 @@ class process
 	getrlimit
 }
 
+class process2
+{
+	nnp_transition
+	nosuid_transition
+}
 
 #
 # Define the access vector interpretation for ipc-related objects
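Review bot: The new `class process2` block carries no comment saying what its two permissions gate, and the only explanation lands in a different file (policy_capabilities), so a policy writer reading access_vectors alone sees two bare names. Suggest a header above the class in the style of the `# Define the access vector interpretation for ...` comment just below the hunk: `# Define the access vector interpretation for process2.` `# nnp_transition / nosuid_transition: checked on a domain transition under` `# NO_NEW_PRIVS or a nosuid mount once policycap nnp_nosuid_transition is set.` Allowing either permission for a source/target pair is what relaxes the kernel's default refusal of such transitions, so the comment is also the right place to say that allow rules on process2 should be added deliberately and per domain rather than broadly. The transition semantics are taken from the kernel commit linked in the description rather than from this hunk; confirm the wording against it.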
diff --git a/private/policy_capabilities b/private/policy_capabilities
index ab55c15e3..9290e3ab3 100644
--- a/private/policy_capabilities
+++ b/private/policy_capabilities
@@ -11,3 +11,10 @@ policycap open_perms;
 # to the rawip_socket class.
 policycap extended_socket_class;
 
+# Enable NoNewPrivileges support.  Requires libsepol 2.7+
+# and kernel 4.14 (estimated).
+#
+# Checks enabled;
+# process2: nnp_transition, nosuid_transition
+#
+policycap nnp_nosuid_transition;
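Review bot: `# Checks enabled;` on the fourth added comment line uses a semicolon where a label introducing a list takes a colon, as the rest of the file's comments do; suggest `# Checks enabled:`. The comment states the toolchain floor as `libsepol 2.7+` and `kernel 4.14 (estimated)`, but the commit message notes the policy could not be exercised on such a kernel, so it would help to spell out what a policy writer should expect on a kernel that predates the capability, for example `# Kernels without this capability ignore it: transitions under nosuid/NNP` `# keep the pre-existing behaviour and process2 permissions are never checked.` That behaviour on older kernels is inferred from how policy capabilities are consumed, not from this hunk; verify it before committing to the wording.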
diff --git a/private/security_classes b/private/security_classes
index 251b72168..e0007d19c 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -130,6 +130,8 @@ class kcm_socket
 class qipcrtr_socket
 class smc_socket
 
+class process2
+
 # Property service
 class property_service          # userspace
 
-- 
GitLab