domain: neverallow on setfcap

Filesystem capabilities should only be set by the build tools or by recovery during an update. Place a neverallow ensuring this property. Change-Id: I136c5cc16dff0c0faa3799d0ab5e29b43454a610 Signed-off-by: William Roberts <william.c.roberts@intel.com>

domain: neverallow on setfcap
Filesystem capabilities should only be set by the build tools or by recovery during an update. Place a neverallow ensuring this property. Change-Id: I136c5cc16dff0c0faa3799d0ab5e29b43454a610 Signed-off-by: William Roberts <william.c.roberts@intel.com>
c3f1da99 · William Roberts · ce3b2a41 · c3f1da99
Commit c3f1da99 authored 8 years ago by William Roberts
--- a/public/domain.te
+++ b/public/domain.te
@@ -653,3 +653,10 @@ neverallow {
 # Do not allow kernel module loading except from system,
 # vendor, and boot partitions.
 neverallow * ~{ system_file rootfs }:system module_load;
+
+# Only allow filesystem caps to be set at build time or
+# during upgrade by recovery.
+neverallow {
+  domain
+  -recovery
+} self:capability setfcap;