runas: don't allow capabilities other than setuid/setgid

Add a compile time assertion that capabilities other than setuid and setgid are never granted to run-as. This is a compile time assertion only. No new capabilities are granted or removed. Change-Id: Ie86d651b539cdfb6f3eaafef0d5d3b716610a220

runas: don't allow capabilities other than setuid/setgid
8e553a41 · Nick Kralevich · 21186a1f · 8e553a41
Commit 8e553a41 authored 10 years ago by Nick Kralevich
--- a/runas.te
+++ b/runas.te
@@ -25,3 +25,11 @@ security_access_policy(runas)
 selinux_check_context(runas) # validate context
 allow runas self:process setcurrent;
 allow runas non_system_app_set:process dyntransition; # setcon
+
+###
+### neverallow rules
+###
+
+# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow runas self:capability ~{ setuid setgid };
+neverallow runas self:capability2 *;