kernel: exempt from vendor_file restrictions

The kernel is unusual in that it's both a core process, but vendor provided. Exempt it from the restriction against accessing files from on /vendor. Also, rework the neverallow rule so that it disallows opening/modifying files, but allows reading files passed over IPC. Bug: 68213100 Test: build (this is a build-time test) Change-Id: I2f6b2698ec45d2e8480dc1de47bf12b9b53c4446

kernel: exempt from vendor_file restrictions
1242c940 · Jeff Vander Stoep · Jeffrey Vander Stoep · e32d9406 · 1242c940
Commit 1242c940 authored 7 years ago by Jeff Vander Stoep Committed by Jeffrey Vander Stoep 7 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -1284,11 +1284,12 @@ full_treble_only(`
    coredomain
    -appdomain
    -bootanim
-    -init
-    -ueventd
    -crash_dump
+    -init
+    -kernel
    -perfprofd
-  } vendor_file:file { create_file_perms x_file_perms };
+    -ueventd
+  } vendor_file:file { no_w_file_perms no_x_file_perms open };
 ')

 # Minimize dac_override and dac_read_search.