Useful neverallow errors am: 7636d607 am: 172d7a84

am: 64b61535 Change-Id: Ida581950c8591eb64c232ca752d16c4f8cd34c45

Useful neverallow errors am: 7636d607 am: 172d7a84
ebdf8f7e · Jeff Vander Stoep · android-build-merger · b827155c · 64b61535 · ebdf8f7e
Commit ebdf8f7e authored 7 years ago by Jeff Vander Stoep Committed by android-build-merger 7 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -619,12 +619,16 @@ full_treble_only(`
    -appdomain
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  } binder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
  neverallow {
    domain
    -coredomain
    -appdomain # restrictions for vendor apps are declared lower down
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  } service_manager_type:service_manager find;
+')
+full_treble_only(`
  # Vendor apps are permited to use only stable public services. If they were to use arbitrary
  # services which can change any time framework/core is updated, breakage is likely.
  neverallow {
@@ -648,6 +652,8 @@ full_treble_only(`
    -vr_hwc_service
    -vr_manager_service
  }:service_manager find;
+')
+full_treble_only(`
  neverallow {
    domain
    -coredomain
@@ -664,12 +670,18 @@ full_treble_only(`
    userdebug_or_eng(`-su')
    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
  } vndbinder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+')
+full_treble_only(`
  neverallow {
    coredomain
    -shell
    userdebug_or_eng(`-su')
  } vndservice_manager_type:service_manager *;
+')
+full_treble_only(`
  neverallow {
    coredomain
    -shell
@@ -792,6 +804,8 @@ full_treble_only(`
    data_file_type
    -core_data_file_type
  }:file_class_set ~{ append getattr ioctl read write };
+')
+full_treble_only(`
  neverallow {
    coredomain
    -appdomain # TODO(b/34980020) remove exemption for appdomain
@@ -887,7 +901,9 @@ full_treble_only(`
        -postinstall_dexopt
        -system_server
    } vendor_app_file:dir { open read getattr search };
+')
+full_treble_only(`
    neverallow {
        coredomain
        -appdomain
@@ -899,7 +915,9 @@ full_treble_only(`
        -postinstall_dexopt
        -system_server
    } vendor_app_file:{ file lnk_file } r_file_perms;
+')
+full_treble_only(`
    # Limit access to /vendor/overlay
    neverallow {
        coredomain
@@ -911,7 +929,9 @@ full_treble_only(`
        -webview_zygote
        -zygote
    } vendor_overlay_file:dir { getattr open read search };
+')
+full_treble_only(`
    neverallow {
        coredomain
        -appdomain
@@ -922,7 +942,9 @@ full_treble_only(`
        -webview_zygote
        -zygote
    } vendor_overlay_file:{ file lnk_file } r_file_perms;
+')
+full_treble_only(`
    # Non-vendor domains are not allowed to file execute shell
    # from vendor
    neverallow {
@@ -930,7 +952,9 @@ full_treble_only(`
        -init
        -shell
    } vendor_shell_exec:file { execute execute_no_trans };
+')
+full_treble_only(`
    # Do not allow vendor components to execute files from system
    # except for the ones whitelist here.
    neverallow {
@@ -946,7 +970,9 @@ full_treble_only(`
        -crash_dump_exec
        -netutils_wrapper_exec
    }:file { entrypoint execute execute_no_trans };
+')
+full_treble_only(`
    # Do not allow system components to execute files from vendor
    # except for the ones whitelisted here.
    neverallow {
@@ -960,7 +986,9 @@ full_treble_only(`
      -vndk_sp_file
      -vendor_app_file
    }:file execute;
+')
+full_treble_only(`
    neverallow {
      coredomain
      -shell