From 52e11be07a20df128f0420192847393d7636a1a3 Mon Sep 17 00:00:00 2001
From: Joel Galenson <jgalenson@google.com>
Date: Mon, 18 Dec 2017 10:15:06 -0800
Subject: [PATCH] Disallow most coredomains from accessing vendor_files on
 Treble.

Test: Built the policy for many devices.
Change-Id: Ic61023dc2d597865504d1a4bc955bd1bc973f83c
---
 public/domain.te | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index ec0532d5a..f9b66880e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1114,3 +1114,16 @@ neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
 # be passthrough only (i.e., run in the process of their clients instead of a
 # separate server process).
 neverallow * same_process_hwservice:hwservice_manager add;
+
+# On TREBLE devices, most coredomains should not access vendor_files.
+full_treble_only(`
+  neverallow {
+    coredomain
+    -halclientdomain
+    -init
+    -ueventd
+    -crash_dump
+    -perfprofd
+    -vendor_init
+  } vendor_file:file { create_file_perms x_file_perms };
+')
-- 
GitLab