sepolicy: auditallow vendor components to execute files from /system

Adds a rule to audit vendor domains from executing programs from /system with the exception of domains whitelisted in the rule. Bug: 36463595 Test: Boot sailfish Test: Run SELinuxHostTests with the tests that checks for new violators (without the API check) to ensure it fails for sailfish. The API check will allow the test to skip the check. Change-Id: Id19f32141bceba4db4bd939394ff3ee0b3c4b437 Signed-off-by: Sandeep Patil <sspatil@google.com>

sepolicy: auditallow vendor components to execute files from /system
0ca17178 · Sandeep Patil · c96bb1ed · 0ca17178
Commit 0ca17178 authored 8 years ago by Sandeep Patil
--- a/public/domain.te
+++ b/public/domain.te
@@ -715,7 +715,7 @@ full_treble_only(`
        coredomain
        -appdomain
        -idmap
-	-init
+        -init
        -system_server
        -zygote
    } vendor_overlay_file:dir { getattr open read search };
@@ -724,7 +724,7 @@ full_treble_only(`
        coredomain
        -appdomain
        -idmap
-	-init
+        -init
        -system_server
        -zygote
    } vendor_overlay_file:{ file lnk_file } r_file_perms;
@@ -735,6 +735,21 @@ full_treble_only(`
        coredomain
        -init
    } vendor_shell_exec:file { execute execute_no_trans };
+
+    # Do not allow vendor components to execute files from system
+    # except for the ones whitelist here.
+    # TODO:(b/36463595) Make this a neverallow
+    userdebug_or_eng(`
+        auditallow {
+            domain
+            -coredomain
+            -appdomain
+        } {
+            exec_type
+            -vendor_file_type
+            -crash_dump_exec
+        }:file { entrypoint execute execute_no_trans };
+    ')
 ')

 # Only authorized processes should be writing to files in /data/dalvik-cache