Merge "Add vendor_executes_system_violators attribute" into oc-dev

80cab7de · TreeHugger Robot · Android (Google) Code Review · e506cda3 · b99676ee · 80cab7de
Commit 80cab7de authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/public/attributes
+++ b/public/attributes
@@ -141,6 +141,11 @@ attribute binder_in_vendor_violators;
 # TODO(b/36577153): Remove this once there are no violations
 attribute socket_between_core_and_vendor_violators;

+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+
 # All HAL servers
 attribute halserverdomain;
 # All HAL clients

--- a/public/domain.te
+++ b/public/domain.te
@@ -680,20 +680,18 @@ full_treble_only(`

    # Do not allow vendor components to execute files from system
    # except for the ones whitelist here.
-    # TODO:(b/36463595) Make this a neverallow
-    userdebug_or_eng(`
-        auditallow {
-            domain
-            -coredomain
-            -appdomain
-            -rild
-        } {
-            exec_type
-            -vendor_file_type
-            -crash_dump_exec
-            -netutils_wrapper_exec
-        }:file { entrypoint execute execute_no_trans };
-    ')
+    neverallow {
+        domain
+        -coredomain
+        -appdomain
+        -rild
+        -vendor_executes_system_violators
+    } {
+        exec_type
+        -vendor_file_type
+        -crash_dump_exec
+        -netutils_wrapper_exec
+    }:file { entrypoint execute execute_no_trans };
 ')

 # Only authorized processes should be writing to files in /data/dalvik-cache