From e26da71344a2cfe54a4f711b0f01b7984287690d Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Tue, 16 Jan 2018 09:56:44 -0800
Subject: [PATCH] Coredomain can't execute vendor code.

Bug: 62041836
Test: policies for internal devices build successfully

Change-Id: I6856c0ab9975210efd5b4bed17c103ba3364d1ab
---
 public/domain.te | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index d458510cb..76318ecf1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -892,6 +892,25 @@ full_treble_only(`
         -crash_dump_exec
         -netutils_wrapper_exec
     }:file { entrypoint execute execute_no_trans };
+
+    # Do not allow system components to execute files from vendor
+    # except for the ones whitelisted here.
+    neverallow {
+      coredomain
+      -init
+      -system_executes_vendor_violators
+      -vendor_init
+    } {
+      vendor_file_type
+      -same_process_hal_file
+      -vndk_sp_file
+      -vendor_app_file
+    }:file execute;
+
+    neverallow {
+      coredomain
+      -system_executes_vendor_violators
+    } vendor_file_type:file execute_no_trans;
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
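Review bot: The two new neverallow rules exempt different sets on each side but the comment at `# Do not allow system components to execute files from vendor` explains neither asymmetry, so a later edit could easily "fix" one side to match the other and silently widen or break the policy. The first rule drops `init` and `vendor_init` from the source set and `same_process_hal_file`, `vndk_sp_file` and `vendor_app_file` from the target set, while the second rule exempts only `system_executes_vendor_violators` and covers all of `vendor_file_type`; presumably the libraries need `execute` for executable mappings but must never be exec'd without a transition, and init only execs vendor binaries through a domain transition, but that reasoning should be stated rather than inferred. I would add a comment before the second rule along the lines of `# execute_no_trans is blanket-denied: coredomain may map vendor libraries (execute) but must never exec vendor files in its own domain; init/vendor_init need no exemption since they exec vendor binaries via domain transition.` and a matching note on the first rule explaining the three target exemptions. Since both rules are enforced at build time only via neverallow, documenting the intended exemptions is the only guard against future widening of `system_executes_vendor_violators`.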
-- 
GitLab