Don't allow gpsd to have capabilities other than block_suspend

Add a compile time assertion that gpsd never has capabilities other than block_suspend. Bug: 19908228 Change-Id: Iaaf83191902ed04fe9df52c1ed44248fb1ce732d
author: Nick Kralevich <nnk@google.com> 2015-03-24 10:32:42 -0700
committer: Nick Kralevich <nnk@google.com> 2015-03-24 13:23:34 -0700
commit: a711ec00b3491586e737d30053eb349ccc7a7af6 (patch)
tree: ffa5a1e823a717c0a7c1a7e484925d9e40689a51
parent: e491020f3a5beedc5239de7c054960ee8d04da42 (diff)
download: android_external_sepolicy-a711ec00b3491586e737d30053eb349ccc7a7af6.tar.gz
android_external_sepolicy-a711ec00b3491586e737d30053eb349ccc7a7af6.tar.bz2
android_external_sepolicy-a711ec00b3491586e737d30053eb349ccc7a7af6.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/gpsd.te b/gpsd.te
index 33b1df6..2e05092 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -18,3 +18,11 @@ allow gpsd gps_device:chr_file rw_file_perms;
 # Execute the shell or system commands.
 allow gpsd shell_exec:file rx_file_perms;
 allow gpsd system_file:file rx_file_perms;
+
+###
+### neverallow
+###
+
+# gpsd can never have capabilities other than block_suspend
+neverallow gpsd self:capability *;
+neverallow gpsd self:capability2 ~block_suspend;
author	Nick Kralevich <nnk@google.com>	2015-03-24 10:32:42 -0700
committer	Nick Kralevich <nnk@google.com>	2015-03-24 13:23:34 -0700
commit	a711ec00b3491586e737d30053eb349ccc7a7af6 (patch)
tree	ffa5a1e823a717c0a7c1a7e484925d9e40689a51
parent	e491020f3a5beedc5239de7c054960ee8d04da42 (diff)
download	android_external_sepolicy-a711ec00b3491586e737d30053eb349ccc7a7af6.tar.gz android_external_sepolicy-a711ec00b3491586e737d30053eb349ccc7a7af6.tar.bz2 android_external_sepolicy-a711ec00b3491586e737d30053eb349ccc7a7af6.zip