Merge "restore permissions to /vendor for non-treble devices" into oc-dev

0b999249 · TreeHugger Robot · Android (Google) Code Review · 6c80fcba · f627e558 · 0b999249
Commit 0b999249 authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/private/app.te
+++ b/private/app.te
@@ -87,8 +87,9 @@ allow appdomain oemfs:file rx_file_perms;
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
 # Renderscript needs the ability to read directories on /system
 allow appdomain system_file:dir r_dir_perms;

--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -9,6 +9,7 @@ allow dhcp self:packet_socket create_socket_perms_no_ioctl;
 allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
 # dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
 allow dhcp toolbox_exec:file rx_file_perms;

--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -26,6 +26,7 @@ allow dumpstate self:capability {
 #   /system/bin/logcat
 #   /system/bin/dumpsys
 allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
 allow dumpstate toolbox_exec:file rx_file_perms;
 # Create and write into /data/anr/

--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -10,6 +10,7 @@ allow install_recovery shell_exec:file rx_file_perms;
 # Execute /system/bin/applypatch
 allow install_recovery system_file:file rx_file_perms;
+not_full_treble(allow install_recovery vendor_file:file rx_file_perms;')
 allow install_recovery toolbox_exec:file rx_file_perms;

--- a/public/netd.te
+++ b/public/netd.te
@@ -27,6 +27,7 @@ allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
 allow netd devpts:chr_file rw_file_perms;
 # Acquire advisory lock on /system/etc/xtables.lock

--- a/public/ppp.te
+++ b/public/ppp.te
@@ -17,6 +17,7 @@ allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
 allow ppp self:capability net_admin;
 allow ppp system_file:file rx_file_perms;
+not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
 allow ppp vpn_data_file:dir w_dir_perms;
 allow ppp vpn_data_file:file create_file_perms;
 allow ppp mtp:fd use;
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -19,6 +19,7 @@ allow racoon self:capability { net_admin net_bind_service net_raw };
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
 allow racoon system_file:file rx_file_perms;
+not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
 allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;

--- a/public/vold.te
+++ b/public/vold.te
@@ -31,6 +31,7 @@ allow vold shell_exec:file rx_file_perms;
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
 allow vold block_device:dir create_dir_perms;
 allow vold device:dir write;
 allow vold devpts:chr_file rw_file_perms;