Merge "domain: neverallow on setfcap"

am: e112faea

Change-Id: I57d5ed15ae69613145a9ef4efc9e16ec72ad420b

public/domain.te

@@ -653,3 +653,10 @@ neverallow {
 # Do not allow kernel module loading except from system,
 # vendor, and boot partitions.
 neverallow * ~{ system_file rootfs }:system module_load;
+
+# Only allow filesystem caps to be set at build time or
+# during upgrade by recovery.
+neverallow {
+  domain
+  -recovery
+} self:capability setfcap;