Don't allow gpsd to have capabilities other than block_suspend

Add a compile time assertion that gpsd never has capabilities other than block_suspend. Bug: 19908228 Change-Id: Iaaf83191902ed04fe9df52c1ed44248fb1ce732d

Don't allow gpsd to have capabilities other than block_suspend
Add a compile time assertion that gpsd never has capabilities other than block_suspend. Bug: 19908228 Change-Id: Iaaf83191902ed04fe9df52c1ed44248fb1ce732d
a711ec00 · Nick Kralevich · e491020f · a711ec00
Commit a711ec00 authored 10 years ago by Nick Kralevich
--- a/gpsd.te
+++ b/gpsd.te
@@ -18,3 +18,11 @@ allow gpsd gps_device:chr_file rw_file_perms;
 # Execute the shell or system commands.
 allow gpsd shell_exec:file rx_file_perms;
 allow gpsd system_file:file rx_file_perms;
+
+###
+### neverallow
+###
+
+# gpsd can never have capabilities other than block_suspend
+neverallow gpsd self:capability *;
+neverallow gpsd self:capability2 ~block_suspend;