vendor_shell: add sepolicy for vendor shell

Bug: 36463595 Test: Boot sailfish and make sure all vendor services that are shell scripts work. (Checke exited status) Change-Id: I3d1d564114a914dec8179fb93a9e94493c2808da Signed-off-by: Sandeep Patil <sspatil@google.com>

vendor_shell: add sepolicy for vendor shell
c96bb1ed · Sandeep Patil · 4fe441fb · c96bb1ed · c96bb1ed · c96bb1ed
Commit c96bb1ed authored 7 years ago by Sandeep Patil
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -265,6 +265,7 @@
 # Vendor files
 #
 /(vendor|system/vendor)(/.*)?                  u:object_r:vendor_file:s0
+/(vendor|system/vendor)/bin/sh                 u:object_r:vendor_shell_exec:s0
 /(vendor|system/vendor)/bin/toybox_vendor      u:object_r:vendor_toolbox_exec:s0
 /(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0


--- a/public/domain.te
+++ b/public/domain.te
@@ -728,6 +728,13 @@ full_treble_only(`
        -system_server
        -zygote
    } vendor_overlay_file:{ file lnk_file } r_file_perms;
+
+    # Non-vendor domains are not allowed to file execute shell
+    # from vendor
+    neverallow {
+        coredomain
+        -init
+    } vendor_shell_exec:file { execute execute_no_trans };
 ')

 # Only authorized processes should be writing to files in /data/dalvik-cache

--- a/public/init.te
+++ b/public/init.te
@@ -395,6 +395,8 @@ allow init proc_meminfo:file r_file_perms;
 allow init system_data_file:file { getattr read };
 allow init system_data_file:lnk_file r_file_perms;

+# For init to be able to run shell scripts from vendor
+allow init vendor_shell_exec:file execute;

 ###
 ### neverallow rules

--- a/public/vendor_shell.te
+++ b/public/vendor_shell.te
+# vendor shell MUST never run as interactive or login shell.
+# vendor shell CAN never be traisitioned to by any process, so it is
+# only intended by shell script interpreter.
+type vendor_shell_exec, exec_type, vendor_file_type, file_type;