From 07dd2c9e89ec6b588a1842a3d1ef0a305e175257 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Wed, 20 Dec 2017 15:38:35 -0800
Subject: [PATCH] Coredomain can't execute vendor code.

Bug: 62041836
Test: sepolicy builds
Change-Id: Ie6052209b3901eaad8496b8fc9681421d7ee3c1c
---
 public/attributes |  6 ++++++
 public/domain.te  | 14 ++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/public/attributes b/public/attributes
index c25f1ebc8..2a8a40ada 100644
--- a/public/attributes
+++ b/public/attributes
@@ -154,6 +154,12 @@ expandattribute vendor_executes_system_violators false;
 attribute data_between_core_and_vendor_violators;
 expandattribute data_between_core_and_vendor_violators false;
 
+# All system domains which violate the requirement of not executing vendor
+# binaries/libraries.
+# TODO(b/62041836)
+attribute system_executes_vendor_violators;
+expandattribute system_executes_vendor_violators false;
+
 # hwservices that are accessible from untrusted applications
 # WARNING: Use of this attribute should be avoided unless
 # absolutely necessary.  It is a temporary allowance to aid the
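Review bot: The comment on the new `system_executes_vendor_violators` attribute (hunk lines for the attribute declaration) says which domains belong in it but not that the set is a temporary exemption that is expected to shrink, whereas the neighbouring hwservice attribute carries an explicit WARNING about avoiding new members. Since any domain added to this attribute is excluded from the coredomain-to-vendor neverallow, a maintainer reading only this file has no signal that adding to it weakens the Treble boundary. I would extend the comment to something like `# WARNING: This is a temporary exemption from the neverallow in domain.te; do not add new domains, and remove existing ones as they are fixed (b/62041836).`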
diff --git a/public/domain.te b/public/domain.te
index 70d8ae20f..fb468e0db 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -829,6 +829,20 @@ full_treble_only(`
         -crash_dump_exec
         -netutils_wrapper_exec
     }:file { entrypoint execute execute_no_trans };
+
+    # Do not allow system components to execute files from vendor
+    # except for the ones whitelist here.
+    neverallow {
+      coredomain
+      -init
+      -system_executes_vendor_violators
+      -vendor_init
+    } {
+      vendor_file_type
+      -same_process_hal_file
+      -vndk_sp_file
+      -vendor_app_file
+    }:file { execute execute_no_trans };
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
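Review bot: The new neverallow's permission set is `{ execute execute_no_trans }`, while the preceding rule in the same `full_treble_only` block (ending at the `}:file { entrypoint execute execute_no_trans };` context line) also covers `entrypoint`; unless entry into a domain via a vendor_file_type executable is restricted elsewhere, a domain transition whose entry point lives in vendor is not caught by this rule, so consider `}:file { entrypoint execute execute_no_trans };` here as well, or note in the comment why entrypoint is intentionally left out. The comment `# except for the ones whitelist here.` is also misleading, since the exemptions are not listed here but gathered in the attribute declared in public/attributes; I would write `# except for the domains in system_executes_vendor_violators.` Separately, the set members in the new rule are indented six spaces while the preceding rule uses eight, so one of them should be aligned with the other. The enclosing `full_treble_only(` block begins outside this hunk.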
-- 
GitLab