From a711ec00b3491586e737d30053eb349ccc7a7af6 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Tue, 24 Mar 2015 10:32:42 -0700
Subject: [PATCH] Don't allow gpsd to have capabilities other than block_suspend

Add a compile time assertion that gpsd never has capabilities other than block_suspend.

Bug: 19908228
Change-Id: Iaaf83191902ed04fe9df52c1ed44248fb1ce732d
---
 gpsd.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/gpsd.te b/gpsd.te
index 33b1df6cc..2e050920d 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -18,3 +18,11 @@ allow gpsd gps_device:chr_file rw_file_perms;
 # Execute the shell or system commands.
 allow gpsd shell_exec:file rx_file_perms;
 allow gpsd system_file:file rx_file_perms;
+
+###
+### neverallow
+###
+
+# gpsd can never have capabilities other than block_suspend
+neverallow gpsd self:capability *;
+neverallow gpsd self:capability2 ~block_suspend;
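Review bot: The comment above the two `neverallow` lines states the restriction but not its scope: these rules are checked only when the policy is built and grant nothing, so `block_suspend` is exempted from the assertion rather than allowed, and no `allow gpsd self:capability2 block_suspend;` is visible in this hunk (the rest of gpsd.te lies outside it). I would say so in the comment, for example `# Build-time assertion only: block_suspend is exempt here, not granted.` followed by `# Device policy that needs any other capability must do that work in a separate domain.` The context lines just above let gpsd execute `shell_exec` and `system_file` with `rx_file_perms`, presumably without a domain transition, so it is worth adding that anything gpsd runs in its own domain falls under the same assertion.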