| field | value | |
|---|---|---|
| author | Nick Kralevich <nnk@google.com> | 2015-03-25 17:42:37 -0700 |
| committer | Nick Kralevich <nnk@google.com> | 2015-03-25 17:42:37 -0700 |
| commit | 8e553a415fafbc05c29ae998fb0710f1a988cf1c (patch) | |
| tree | 79c07a335858e563d8cfa155610b7488a81e1ba5 | |
| parent | 21186a1fc3019f44ce43260c15c7510a7d80004c (diff) | |
| download | android_external_sepolicy-8e553a415fafbc05c29ae998fb0710f1a988cf1c.tar.gz android_external_sepolicy-8e553a415fafbc05c29ae998fb0710f1a988cf1c.tar.bz2 android_external_sepolicy-8e553a415fafbc05c29ae998fb0710f1a988cf1c.zip | |
runas: don't allow capabilities other than setuid/setgid
Add a compile time assertion that capabilities other than setuid
and setgid are never granted to run-as.
This is a compile time assertion only. No new capabilities are granted
or removed.
Change-Id: Ie86d651b539cdfb6f3eaafef0d5d3b716610a220
-rw-r--r-- | runas.te | 8 |
1 files changed, 8 insertions, 0 deletions
@@ -25,3 +25,11 @@ security_access_policy(runas) selinux_check_context(runas) # validate context allow runas self:process setcurrent; allow runas non_system_app_set:process dyntransition; # setcon + +### +### neverallow rules +### + +# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID +neverallow runas self:capability ~{ setuid setgid }; +neverallow runas self:capability2 *; |
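Review bot: the comment above the two neverallow rules understates what they assert: `neverallow runas self:capability2 *;` forbids every bit in the capability2 class, not just "capabilities other than CAP_SETUID and CAP_SETGID", so a reader scanning the comment could assume only the first capability class is constrained. Suggest extending the comment to name both object classes, e.g. `# run-as may hold only CAP_SETUID and CAP_SETGID (class capability); nothing from class capability2`, and to note that this is an assertion only, matching the commit message's "No new capabilities are granted or removed", so nobody later reads it as the rule that grants setuid/setgid.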