From 8e553a415fafbc05c29ae998fb0710f1a988cf1c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 25 Mar 2015 17:42:37 -0700
Subject: [PATCH] runas: don't allow capabilities other than setuid/setgid

Add a compile time assertion that capabilities other than setuid
and setgid are never granted to run-as.

This is a compile time assertion only. No new capabilities are granted
or removed.

Change-Id: Ie86d651b539cdfb6f3eaafef0d5d3b716610a220
---
 runas.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/runas.te b/runas.te
index 97f31f728..e51515d98 100644
--- a/runas.te
+++ b/runas.te
@@ -25,3 +25,11 @@ security_access_policy(runas)
 selinux_check_context(runas) # validate context
 allow runas self:process setcurrent;
 allow runas non_system_app_set:process dyntransition; # setcon
+
+###
+### neverallow rules
+###
+
+# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow runas self:capability ~{ setuid setgid };
+neverallow runas self:capability2 *;
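Review bot: The comment on the first neverallow says which capabilities are exempt but not why, and a maintainer deciding whether to widen the set later has nothing to go on; a one-line reason would make the assertion self-explaining, e.g. `# setuid/setgid are presumably what run-as needs to switch to the target app's uid/gid before the dyntransition above; anything else is denied at policy build time` (the "why" is inferred from the surrounding setcurrent/dyntransition rules, so confirm it against run-as itself). The second rule, `neverallow runas self:capability2 *;`, deserves its own short comment stating that no extended (capability2) capability is permitted at all, since a reader may otherwise assume it mirrors the first rule's exemptions. Both comments are documentation only; no change to the rules themselves is proposed.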
-- 