authorNick Kralevich <nnk@google.com>2015-03-25 17:42:37 -0700
committerNick Kralevich <nnk@google.com>2015-03-25 17:42:37 -0700
commit8e553a415fafbc05c29ae998fb0710f1a988cf1c (patch)
tree79c07a335858e563d8cfa155610b7488a81e1ba5
parent21186a1fc3019f44ce43260c15c7510a7d80004c (diff)
runas: don't allow capabilities other than setuid/setgid
Add a compile time assertion that capabilities other than setuid and setgid are never granted to run-as. This is a compile time assertion only. No new capabilities are granted or removed. Change-Id: Ie86d651b539cdfb6f3eaafef0d5d3b716610a220
-rw-r--r--runas.te8
1 files changed, 8 insertions, 0 deletions
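diff --git a/runas.te b/runas.te
index 97f31f7..e51515d 100644
--- a/runas.te
+++ b/runas.te
@@ -25,3 +25,11 @@ security_access_policy(runas)
 selinux_check_context(runas) # validate context
 allow runas self:process setcurrent;
 allow runas non_system_app_set:process dyntransition; # setcon
+
+###
+### neverallow rules
+###
+
+# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow runas self:capability ~{ setuid setgid };
+neverallow runas self:capability2 *;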
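Review bot: The comment above the two neverallow rules states the restriction but not why it exists or what the second rule covers, which is what a future maintainer tempted to add an allow rule needs to see. I would extend it along the lines of `# run-as only needs CAP_SETUID/CAP_SETGID (presumably to switch to the target app's uid/gid before the dyntransition above); these neverallow rules make the policy build fail if any other capability or any capability2 permission is ever granted, so a later allow rule cannot quietly widen run-as's privilege.` It is also worth noting in the comment that this is a build-time assertion only, as the commit message says, so nobody reads it as a runtime restriction. The enclosing runas.te continues outside the hunk, so it may be useful to cross-check that no existing allow rule already contradicts the assertion before relying on it.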