Useful neverallow errors am: 7636d607

am: 172d7a84 Change-Id: I4d2f74a5e4a55677fb4f0707b56336588a687571

Useful neverallow errors am: 7636d607
64b61535 · Jeff Vander Stoep · android-build-merger · d044177a · 172d7a84 · 64b61535
Commit 64b61535 authored 7 years ago by Jeff Vander Stoep Committed by android-build-merger 7 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -619,12 +619,16 @@ full_treble_only(`
    -appdomain
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  } binder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
  neverallow {
    domain
    -coredomain
    -appdomain # restrictions for vendor apps are declared lower down
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  } service_manager_type:service_manager find;
+')
+full_treble_only(`
  # Vendor apps are permited to use only stable public services. If they were to use arbitrary
  # services which can change any time framework/core is updated, breakage is likely.
  neverallow {
@@ -648,6 +652,8 @@ full_treble_only(`
    -vr_hwc_service
    -vr_manager_service
  }:service_manager find;
+')
+full_treble_only(`
  neverallow {
    domain
    -coredomain
@@ -664,12 +670,18 @@ full_treble_only(`
    userdebug_or_eng(`-su')
    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
  } vndbinder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+')
+full_treble_only(`
  neverallow {
    coredomain
    -shell
    userdebug_or_eng(`-su')
  } vndservice_manager_type:service_manager *;
+')
+full_treble_only(`
  neverallow {
    coredomain
    -shell
@@ -791,6 +803,8 @@ full_treble_only(`
    data_file_type
    -core_data_file_type
  }:file_class_set ~{ append getattr ioctl read write };
+')
+full_treble_only(`
  neverallow {
    coredomain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
@@ -885,7 +899,9 @@ full_treble_only(`
        -postinstall_dexopt
        -system_server
    } vendor_app_file:dir { open read getattr search };
+')
+full_treble_only(`
    neverallow {
        coredomain
        -appdomain
@@ -897,7 +913,9 @@ full_treble_only(`
        -postinstall_dexopt
        -system_server
    } vendor_app_file:{ file lnk_file } r_file_perms;
+')
+full_treble_only(`
    # Limit access to /vendor/overlay
    neverallow {
        coredomain
@@ -909,7 +927,9 @@ full_treble_only(`
        -webview_zygote
        -zygote
    } vendor_overlay_file:dir { getattr open read search };
+')
+full_treble_only(`
    neverallow {
        coredomain
        -appdomain
@@ -920,7 +940,9 @@ full_treble_only(`
        -webview_zygote
        -zygote
    } vendor_overlay_file:{ file lnk_file } r_file_perms;
+')
+full_treble_only(`
    # Non-vendor domains are not allowed to file execute shell
    # from vendor
    neverallow {
@@ -928,7 +950,9 @@ full_treble_only(`
        -init
        -shell
    } vendor_shell_exec:file { execute execute_no_trans };
+')
+full_treble_only(`
    # Do not allow vendor components to execute files from system
    # except for the ones whitelist here.
    neverallow {
@@ -944,7 +968,9 @@ full_treble_only(`
        -crash_dump_exec
        -netutils_wrapper_exec
    }:file { entrypoint execute execute_no_trans };
+')
+full_treble_only(`
    # Do not allow system components to execute files from vendor
    # except for the ones whitelisted here.
    neverallow {
@@ -958,7 +984,9 @@ full_treble_only(`
      -vndk_sp_file
      -vendor_app_file
    }:file execute;
+')
+full_treble_only(`
    neverallow {
      coredomain
      -shell