From bfe51254ee0f4386a07a15e79125891d02936ccc Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Thu, 1 Feb 2018 13:43:57 -0800
Subject: [PATCH] shell: remove from system_executes_vendor_violators.

And grant explicit exemption from system_executes_vendor_violators
neverallow rules.

This does not change the policy, but is needed to test the violator
attribute for emptiness.

Bug: 72662597
Test: build sepolicy
Change-Id: Iba79bb42e1381b221fe0dc53470f62f8267a4791
---
 public/domain.te | 2 ++
 public/shell.te  | 2 --
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index b175ed436..67eafc286 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -912,6 +912,7 @@ full_treble_only(`
     neverallow {
       coredomain
       -init
+      -shell
       -system_executes_vendor_violators
     } {
       vendor_file_type
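Review bot: The `-shell` exemption added to this neverallow set carries no comment explaining why shell is carved out of the Treble rule, and the same applies to the `-shell` added in the second hunk of this file. The exemption also removes shell from the whole `vendor_file_type` rule, while the only allow in shell.te is for `vendor_shell_exec`, so a future `allow shell <some other vendor_file_type>:file ...` would no longer be caught by this rule and, with the attribute gone, is no longer flagged as a violator either; the permission set of this first rule and the rest of the neverallow block continue past the hunk. Suggest a comment above the new line, e.g. `# shell is exempted only so it can exec vendor_shell_exec (see shell.te)`, and, if the build supports it, narrowing the carve-out to that type rather than all of vendor_file_type.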
@@ -922,6 +923,7 @@ full_treble_only(`
 
     neverallow {
       coredomain
+      -shell
       -system_executes_vendor_violators
     } vendor_file_type:file execute_no_trans;
 ')
diff --git a/public/shell.te b/public/shell.te
index 32ad7701d..5e2745be4 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -190,8 +190,6 @@ allow shell service_contexts_file:file r_file_perms;
 allow shell sepolicy_file:file r_file_perms;
 
 # Allow shell to start up vendor shell
-# TODO(b/62041836): system processes should not run vendor executables.
-typeattribute shell system_executes_vendor_violators;
 allow shell vendor_shell_exec:file rx_file_perms;
 
 ###
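Review bot: Removing the `TODO(b/62041836)` line leaves `# Allow shell to start up vendor shell` as the only documentation, with no record that this is a known system-executes-vendor exception now held open by an explicit `-shell` in domain.te's neverallow rules instead of the violators attribute. Suggest keeping a pointer in its place, e.g. `# TODO(b/62041836): shell is explicitly exempted from the system_executes_vendor_violators neverallow rules in domain.te.`, so the exception stays discoverable from shell.te and the tracking bug is not lost.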
-- 
GitLab