From c3f1da99b2bbb38e63ca65b8133e37869ed6c7f7 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Thu, 27 Oct 2016 12:45:20 -0700
Subject: [PATCH] domain: neverallow on setfcap

Filesystem capabilities should only be set by the build tools
or by recovery during an update. Place a neverallow ensuring
this property.

Change-Id: I136c5cc16dff0c0faa3799d0ab5e29b43454a610
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 public/domain.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index b464fc6bf..f732676d5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -653,3 +653,10 @@ neverallow {
 # Do not allow kernel module loading except from system,
 # vendor, and boot partitions.
 neverallow * ~{ system_file rootfs }:system module_load;
+
+# Only allow filesystem caps to be set at build time or
+# during upgrade by recovery.
+neverallow {
+  domain
+  -recovery
+} self:capability setfcap;
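Review bot: The comment on the new rule says caps may be set "at build time or during upgrade by recovery", but the policy can only enforce the runtime half, and it exempts every process in the `recovery` domain whether or not an update is in progress; the comment should state the actual guarantee, e.g. `# Filesystem caps are set at build time (outside this policy); at runtime` / `# only the recovery domain may set them (intended for upgrades).`. Since `setfcap` is checked in the `capability` class, the rule should also name the `cap_userns` class if this policy declares it, so a holder of the capability inside a user namespace is not left uncovered — I cannot tell from the hunk whether that class exists here.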
-- 
GitLab