Don't allow gpsd to have capabilities other than block_suspend
Add a compile time assertion that gpsd never has capabilities other than block_suspend. Bug: 19908228 Change-Id: Iaaf83191902ed04fe9df52c1ed44248fb1ce732d
This commit is contained in:
Nick Kralevich
parent
e491020f3a
commit
a711ec00b3
1 changed files with 8 additions and 0 deletions
8
gpsd.te
8
gpsd.te
|
|
@ -18,3 +18,11 @@ allow gpsd gps_device:chr_file rw_file_perms;
|
|||
# Execute the shell or system commands.
|
||||
allow gpsd shell_exec:file rx_file_perms;
|
||||
allow gpsd system_file:file rx_file_perms;
|
||||
|
||||
###
|
||||
### neverallow
|
||||
###
|
||||
|
||||
# gpsd can never have capabilities other than block_suspend
|
||||
neverallow gpsd self:capability *;
|
||||
neverallow gpsd self:capability2 ~block_suspend;
|
||||
|
|
|
|||
Loading…
Reference in a new issue