From 1242c940ef57b4c38b30000003c3a3dfbb095765 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 28 Feb 2018 10:01:37 -0800
Subject: [PATCH] kernel: exempt from vendor_file restrictions

The kernel is unusual in that it's both a core process, but vendor
provided. Exempt it from the restriction against accessing files
on /vendor. Also, rework the neverallow rule so that it disallows
opening/modifying files, but allows reading files passed over IPC.

Bug: 68213100
Test: build (this is a build-time test)
Change-Id: I2f6b2698ec45d2e8480dc1de47bf12b9b53c4446
---
 public/domain.te | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index eb66b30f5..fc9c0a95a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1284,11 +1284,12 @@ full_treble_only(`
     coredomain
     -appdomain
     -bootanim
-    -init
-    -ueventd
     -crash_dump
+    -init
+    -kernel
     -perfprofd
-  } vendor_file:file { create_file_perms x_file_perms };
+    -ueventd
+  } vendor_file:file { no_w_file_perms no_x_file_perms open };
 ')
 
 # Minimize dac_override and dac_read_search.
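Review bot: Nothing in the hunk records why `open` is in the new neverallow set while plain `read` is not, so a later reader of `} vendor_file:file { no_w_file_perms no_x_file_perms open };` cannot tell that reads of file descriptors received over IPC are intended to remain allowed; a comment above the block such as `# Core domains must not open or modify vendor files; reading fds received over IPC is permitted.` would keep the commit's rationale in the policy itself. The `-kernel` exemption likewise deserves a one-line reason next to it, `# kernel is a coredomain but vendor provided`, since the exemption list otherwise reads as a mechanical reorder. Note that removing kernel from the neverallow only lifts the build-time check; any allow rule actually granting kernel access to vendor_file is outside this hunk, and the exact read-side permissions still reachable over IPC (getattr, ioctl, lock, and similar) depend on how no_w_file_perms and no_x_file_perms expand, which is not visible here. The enclosing `neverallow {` statement starts before the hunk.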
-- 
GitLab