Merge "restore permissions to /vendor for non-treble devices" into oc-dev
diff --git a/Android.mk b/Android.mk
index 03970b7..1281695 100644
--- a/Android.mk
+++ b/Android.mk
@@ -322,7 +322,7 @@
# sailfish-eng).
grep -v '^(neverallow' $(PRIVATE_CIL_FILES) > $@
# Confirm that the resulting policy compiles
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
built_plat_cil := $(LOCAL_BUILT_MODULE)
plat_policy.conf :=
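Review bot: The new `-G` option on the secilc check at line 11 is added without any comment, and the same flag appears in the @@ -452 and @@ -515 hunks of this file; the first two invocations exist only to confirm the policy compiles, so a reader cannot tell whether `-G` changes what is being checked or merely keeps the check aligned with the invocation that builds the shipped policy at @@ -515. A one-line comment above each check, e.g. `# keep these secilc flags in sync with the build of the shipped policy below, or the check validates a different policy`, would record that intent (if `-G` is secilc's --expand-generated, say so). The recipe in the @@ -515 hunk continues past the hunk end; the `if` on its last lines is unterminated within the visible span.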
@@ -452,7 +452,7 @@
# sailfish-eng).
grep -v '^(neverallow' $(PRIVATE_NONPLAT_CIL_FILES) > $@
# Confirm that the resulting policy compiles combined with platform and mapping policies
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) \
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) \
$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
built_nonplat_cil := $(LOCAL_BUILT_MODULE)
@@ -515,7 +515,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
@mkdir -p $(dir $@)
- $(hide) $< -M true -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
+ $(hide) $< -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
echo "==========" 1>&2; \
diff --git a/private/app.te b/private/app.te
index 6518000..2ee3bee 100644
--- a/private/app.te
+++ b/private/app.te
@@ -178,6 +178,9 @@
# TODO(b/34454312): only allow getting and talking to mediacodec service
hwbinder_use(appdomain)
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
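Review bot: The new rule at line 39 grants `fd use` on hal_graphics_composer to all of `appdomain`, whereas the neighbouring HAL-access rules in this file are scoped to `{ appdomain -isolated_app }` (lines 46, 53 and 55). If isolated apps are not meant to receive composer fences, the rule should read `allow { appdomain -isolated_app } hal_graphics_composer:fd use;`; if they are, the comment at line 38 should say so, since it would be the one exception in the file.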
@@ -268,11 +271,8 @@
# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
-# Allow app to access the graphic allocator HAL
-binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
-
-# App can access configstore HAL which is read only
-binder_call({ appdomain -isolated_app }, hal_configstore)
+# Allow app access to mediacodec (IOMX HAL)
+binder_call({ appdomain -isolated_app }, mediacodec)
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;
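Review bot: The removed binder_call rules for hal_graphics_allocator and hal_configstore at lines 47-51 appear to be replaced by the CIL typeattributeset entries this commit adds to private/technical_debt.cil, but nothing in app.te points there, so the next reader sees app access to those HALs vanish without a trace. A pointer above line 52 such as `# App clients of hal_graphics_allocator / hal_configstore are declared in technical_debt.cil` would keep the two files findable from each other.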
diff --git a/private/bluetooth.te b/private/bluetooth.te
index d05a21f..45b5710 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -33,6 +33,9 @@
allow bluetooth tun_device:chr_file rw_file_perms;
allow bluetooth efs_file:dir search;
+# allow Bluetooth to access uhid device for HID profile
+allow bluetooth uhid_device:chr_file rw_file_perms;
+
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
diff --git a/private/file_contexts b/private/file_contexts
index c31ec06..81b0aae 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -191,6 +191,7 @@
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
+/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
/system/bin/wificond u:object_r:wificond_exec:s0
@@ -265,6 +266,8 @@
# Vendor files
#
/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
+/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0
+/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
@@ -492,6 +495,28 @@
/sys/kernel(/debug)?/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
/sys/kernel(/debug)?/tracing/tracing_on u:object_r:tracing_shell_writable:s0
+###########################################
+# debug-only tracing
+#
+/sys/kernel/debug/tracing/events/sync/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/workqueue/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/regulator/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/pagecache/enable u:object_r:tracing_shell_writable_debug:s0
+
+/sys/kernel/debug/tracing/events/irq/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ipi/enable u:object_r:tracing_shell_writable_debug:s0
+
+/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_write_end/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_da_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_da_write_end/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/block/block_rq_issue/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/block/block_rq_complete/enable u:object_r:tracing_shell_writable_debug:s0
+
#############################
# asec containers
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
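Review bot: The debug-only tracing entries at lines 94-111 hard-code `/sys/kernel/debug/tracing/...`, while the two context lines just above them (89-90) use `/sys/kernel(/debug)?/tracing/...` so that a tracefs mounted at /sys/kernel/tracing is covered as well; on a device with that mount point the new files would not receive this label and the userdebug_or_eng shell rule this commit adds in shell.te would not apply to them. Unless the omission is deliberate, each line should use the same optional group, e.g. `/sys/kernel(/debug)?/tracing/events/sync/enable u:object_r:tracing_shell_writable_debug:s0`; all 18 lines change by the same substitution.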
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
new file mode 100644
index 0000000..f7fe32a
--- /dev/null
+++ b/private/netutils_wrapper.te
@@ -0,0 +1,28 @@
+typeattribute netutils_wrapper coredomain;
+
+r_dir_file(netutils_wrapper, system_file);
+
+# For netutils (ip, iptables, tc)
+allow netutils_wrapper self:capability net_raw;
+
+allow netutils_wrapper system_file:file { execute execute_no_trans };
+allow netutils_wrapper proc_net:file { open read getattr };
+allow netutils_wrapper self:rawip_socket create_socket_perms;
+allow netutils_wrapper self:udp_socket create_socket_perms;
+allow netutils_wrapper self:capability net_admin;
+# ip utils need everything but ioctl
+allow netutils_wrapper self:netlink_route_socket ~ioctl;
+allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
+
+# For netutils (ndc) to be able to talk to netd
+allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
+allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+
+# For /data/misc/net access to ndc and ip
+r_dir_file(netutils_wrapper, net_data_file)
+
+domain_auto_trans({
+ domain
+ -coredomain
+ -appdomain
+}, netutils_wrapper_exec, netutils_wrapper)
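Review bot: The two capability grants at lines 127 and 133 are separated by unrelated rules; since the file is new, `allow netutils_wrapper self:capability { net_admin net_raw };` under the `# For netutils (ip, iptables, tc)` comment reads better and shows the wrapper's privilege footprint in one place. The `~ioctl` complement at lines 135-136 grants every other netlink_route_socket / netlink_xfrm_socket permission, including any added to those classes later; an explicit set (e.g. create_socket_perms plus nlmsg_read / nlmsg_write, to be confirmed against what ip actually issues) would make the audit concrete. Style: line 124 ends the r_dir_file macro with a semicolon while line 143 does not; pick one form.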
diff --git a/private/priv_app.te b/private/priv_app.te
index 4ce142f..bb7598e 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -31,6 +31,7 @@
allow priv_app mediaextractor_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
allow priv_app nfc_service:service_manager find;
+allow priv_app oem_lock_service:service_manager find;
allow priv_app radio_service:service_manager find;
allow priv_app surfaceflinger_service:service_manager find;
allow priv_app app_api_service:service_manager find;
@@ -72,9 +73,6 @@
allow priv_app perfprofd_data_file:dir r_dir_perms;
')
-# Allow GMS core to scan executables on the system partition
-allow priv_app exec_type:file { getattr read open };
-
# For AppFuse.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
diff --git a/private/service_contexts b/private/service_contexts
index 03bfe26..8ba1b0c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -105,6 +105,7 @@
network_time_update_service u:object_r:network_time_update_service:s0
nfc u:object_r:nfc_service:s0
notification u:object_r:notification_service:s0
+oem_lock u:object_r:oem_lock_service:s0
otadexopt u:object_r:otadexopt_service:s0
overlay u:object_r:overlay_service:s0
package u:object_r:package_service:s0
diff --git a/private/shell.te b/private/shell.te
index c24bfd3..c0b4ee5 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -7,6 +7,10 @@
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;
+userdebug_or_eng(`
+ allow shell tracing_shell_writable_debug:file rw_file_perms;
+')
+
# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 9f5e4fa..eeea185 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -14,7 +14,6 @@
hal_client_domain(surfaceflinger, hal_graphics_allocator)
binder_call(surfaceflinger, hal_graphics_composer)
hal_client_domain(surfaceflinger, hal_graphics_composer)
-binder_call(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_configstore)
# Perform Binder IPC.
diff --git a/private/system_server.te b/private/system_server.te
index 2711a8c..404a253 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -175,7 +175,7 @@
hal_client_domain(system_server, hal_fingerprint)
binder_call(system_server, hal_gnss)
hal_client_domain(system_server, hal_gnss)
-binder_call(system_server, hal_graphics_allocator)
+hal_client_domain(system_server, hal_graphics_allocator)
binder_call(system_server, hal_ir)
hal_client_domain(system_server, hal_ir)
binder_call(system_server, hal_light)
@@ -199,6 +199,11 @@
hal_client_domain(system_server, hal_wifi_supplicant)
+binder_call(system_server, mediacodec)
+
+# Talk with graphics composer fences
+allow system_server hal_graphics_composer:fd use;
+
# Talk to tombstoned to get ANR traces.
unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
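Review bot: `binder_call(system_server, mediacodec)` at line 223 is the only line added in this hunk without a comment, while the composer-fence rule two lines below has one; since mediacodec.te in this commit moves mediacodec to vndbinder on full-Treble devices, a reader will wonder which path this call serves. Suggest `# Talk to mediacodec (IOMX HAL)` above it, matching the wording used for the equivalent rule in app.te in this commit.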
@@ -622,7 +627,6 @@
r_dir_file(system_server, cgroup)
allow system_server ion_device:chr_file r_file_perms;
-allow system_server hal_graphics_allocator:fd use;
r_dir_file(system_server, proc)
r_dir_file(system_server, proc_meminfo)
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index abc21a7..ccbae10 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -12,6 +12,16 @@
(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
(typeattributeset halclientdomain (hal_allocator_client))
+; Apps, except isolated apps, are clients of Configstore HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Graphics Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+
; Domains hosting Camera HAL implementations are clients of Allocator HAL
; Unfortunately, we can't currently express this in module policy language:
; typeattribute hal_camera hal_allocator_client;
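Review bot: The existing allocator entry at line 242 also adds its client attribute to `halclientdomain`, but the two new entries at lines 246 and 251 do not. If the `hal_client_domain` macro these lines emulate also marks the domain as halclientdomain, then apps become hal_configstore_client / hal_graphics_allocator_client without the matching halclientdomain membership that the macro would give. Either add `(typeattributeset halclientdomain (hal_configstore_client))` and the graphics_allocator counterpart, or state in the comments that the omission is deliberate.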
diff --git a/public/attributes b/public/attributes
index e120c8f..adad87f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -44,15 +44,6 @@
# All types in /vendor
attribute vendor_file_type;
-# All vendor domains which violate the requirement of not accessing
-# data outside /data/vendor.
-# TODO(b/34980020): Remove this once there are no violations
-attribute coredata_in_vendor_violators;
-# All core domains which violate the requirement of not accessing vendor
-# owned data.
-# TODO(b/34980020): Remove this once there are no violations
-attribute vendordata_in_core_violators;
-
# All types use for sysfs files.
attribute sysfs_type;
@@ -150,6 +141,11 @@
# TODO(b/36577153): Remove this once there are no violations
attribute socket_between_core_and_vendor_violators;
+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+
# All HAL servers
attribute halserverdomain;
# All HAL clients
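Review bot: The comment for the new attribute at lines 277-280 stops at `# TODO(b/36463595)` with no instruction, unlike the sibling at line 275 which says what to do. Line 279 should read `# TODO(b/36463595): Remove this once there are no violations` so the two exemption attributes are documented the same way.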
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 46083f5..2a243cc 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -14,6 +14,9 @@
allow cameraserver ion_device:chr_file rw_file_perms;
+# Talk with graphics composer fences
+allow cameraserver hal_graphics_composer:fd use;
+
add_service(cameraserver, cameraserver_service)
allow cameraserver appops_service:service_manager find;
allow cameraserver audioserver_service:service_manager find;
diff --git a/public/domain.te b/public/domain.te
index 9c591db..e75ce1a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -545,64 +545,6 @@
} servicemanager:binder { call transfer };
')
-##
-# On full TREBLE devices core android components and vendor components may
-# not directly access each other's data types. All communication must occur
-# over HW binder. Open file descriptors may be passed and read/write/stat
-# operations my be performed on those FDs. Disallow all other operations.
-full_treble_only(`
- # do not allow vendor component access to coredomains data types
- neverallow {
- domain
- -coredomain
- -appdomain
- -coredata_in_vendor_violators
- }
- core_data_file_type
- -zoneinfo_data_file # Stable API provided by libc
- :{
- file_class_set
- } ~{ append getattr ioctl read write };
- # do not allow vendor component access to coredomains data directories.
- # /data has the system_data_file type. Allow all domains to have dir
- # search permissions which allows path traversal.
- neverallow {
- domain
- -coredomain
- -appdomain
- -coredata_in_vendor_violators
- } {
- core_data_file_type
- -system_data_file
- -zoneinfo_data_file # Stable API provided by libc
- }:dir *;
- neverallow {
- domain
- -coredomain
- -appdomain
- -coredata_in_vendor_violators
- } system_data_file:dir ~search;
- # do not allow coredomains to directly access vendor data. Exempt init
- # because it is responsible for dir/file creation in init.rc scripts.
- # Also exempt halclientdomain to exclude rules for passthrough mode.
- neverallow {
- coredomain
- -halclientdomain
- -init
- -vendordata_in_core_violators
- } {
- data_file_type
- -core_data_file_type
- }:file_class_set ~{ append getattr ioctl read write };
- # do not allow coredomain to access vendor data directories.
- neverallow {
- coredomain
- -halclientdomain
- -init
- -vendordata_in_core_violators
- } { data_file_type -core_data_file_type }:dir *;
-')
-
# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
full_treble_only(`
@@ -715,7 +657,7 @@
coredomain
-appdomain
-idmap
- -init
+ -init
-system_server
-zygote
} vendor_overlay_file:dir { getattr open read search };
@@ -724,10 +666,32 @@
coredomain
-appdomain
-idmap
- -init
+ -init
-system_server
-zygote
} vendor_overlay_file:{ file lnk_file } r_file_perms;
+
+ # Non-vendor domains are not allowed to file execute shell
+ # from vendor
+ neverallow {
+ coredomain
+ -init
+ } vendor_shell_exec:file { execute execute_no_trans };
+
+ # Do not allow vendor components to execute files from system
+ # except for the ones whitelist here.
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -rild
+ -vendor_executes_system_violators
+ } {
+ exec_type
+ -vendor_file_type
+ -crash_dump_exec
+ -netutils_wrapper_exec
+ }:file { entrypoint execute execute_no_trans };
')
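Review bot: The second neverallow exempts `rild` by name at line 397 even though the same commit introduces `vendor_executes_system_violators` (public/attributes) precisely to hold such exemptions, so the list of violators is now split between an attribute and a literal; `typeattribute rild vendor_executes_system_violators;` in rild.te with a TODO would keep it in one place, the way the other *_violators attributes are attached in the vendor/*.te files. The comment at lines 391-392 has a typo (`the ones whitelist here` → `the ones whitelisted here`) and the one at 384-385 reads oddly (`to file execute shell from vendor` → `to execute the vendor shell`). The macro block these rules sit in opens before the hunk; only its closing `')` at line 405 is visible, so I am inferring it is full_treble_only.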
# Only authorized processes should be writing to files in /data/dalvik-cache
diff --git a/public/file.te b/public/file.te
index 35bbd6d..eacfc2c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -69,6 +69,8 @@
type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
type tracing_shell_writable, fs_type, debugfs_type;
+type tracing_shell_writable_debug, fs_type, debugfs_type;
+
type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
type oemfs, fs_type, contextmount_type;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
new file mode 100644
index 0000000..1a8b88b
--- /dev/null
+++ b/public/hal_configstore.te
@@ -0,0 +1,2 @@
+# HwBinder IPC from client to server
+binder_call(hal_configstore_client, hal_configstore_server)
diff --git a/public/init.te b/public/init.te
index 0deb8cd..e997e13 100644
--- a/public/init.te
+++ b/public/init.te
@@ -395,6 +395,8 @@
allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file r_file_perms;
+# For init to be able to run shell scripts from vendor
+allow init vendor_shell_exec:file execute;
###
### neverallow rules
diff --git a/public/mediacodec.te b/public/mediacodec.te
index b8cde80..3445c7a 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -8,16 +8,24 @@
# and use macro hal_server_domain
get_prop(mediacodec, hwservicemanager_prop)
-binder_use(mediacodec)
+full_treble_only(`
+ # on full-Treble devices, route all /dev/binder traffic to /dev/vndbinder
+ vndbinder_use(mediacodec)
+')
+not_full_treble(`
+ # on legacy devices, continue to allow /dev/binder traffic
+ binder_use(mediacodec)
+ binder_service(mediacodec)
+ add_service(mediacodec, mediacodec_service)
+ allow mediacodec mediametrics_service:service_manager find;
+ allow mediacodec surfaceflinger_service:service_manager find;
+')
binder_call(mediacodec, binderservicedomain)
binder_call(mediacodec, appdomain)
-binder_service(mediacodec)
-# TODO(b/36604251): Remove this once OMX HAL stops using Binder
-typeattribute mediacodec binder_in_vendor_violators;
-add_service(mediacodec, mediacodec_service)
-allow mediacodec mediametrics_service:service_manager find;
-allow mediacodec surfaceflinger_service:service_manager find;
+# Allow mediacodec access to composer sync fences
+allow mediacodec hal_graphics_composer:fd use;
+
allow mediacodec gpu_device:chr_file rw_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
allow mediacodec video_device:dir search;
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index 94ff76f..eccefc6 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -19,6 +19,7 @@
add_service(mediadrmserver, mediacasserver_service)
+binder_call(mediadrmserver, mediacodec)
###
### neverallow rules
###
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 01cc4d8..8c9ef31 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -132,6 +132,8 @@
hal_client_domain(mediaserver, hal_allocator)
+binder_call(mediaserver, mediacodec)
+
###
### neverallow rules
###
diff --git a/public/netutils_wrapper.te b/public/netutils_wrapper.te
new file mode 100644
index 0000000..c844762
--- /dev/null
+++ b/public/netutils_wrapper.te
@@ -0,0 +1,4 @@
+type netutils_wrapper, domain;
+type netutils_wrapper_exec, exec_type, file_type;
+
+neverallow domain netutils_wrapper_exec:file execute_no_trans;
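Review bot: The neverallow at line 503 has no comment explaining what it protects: by forbidding execute_no_trans for every domain it ensures the wrapper's net_admin / net_raw capabilities (granted to `netutils_wrapper self` in private/netutils_wrapper.te) are only exercised inside the netutils_wrapper domain, never inherited by a caller that execs the binary in its own domain. Suggest `# Callers must transition into netutils_wrapper; the binary is never run in the caller's domain.` above it.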
diff --git a/public/recovery.te b/public/recovery.te
index 784596d..886f4fd 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -93,8 +93,7 @@
allow recovery { cache_file cache_recovery_file }:file create_file_perms;
# Read /sys/class/thermal/*/temp for thermal info.
- allow recovery sysfs_thermal:dir search;
- allow recovery sysfs_thermal:file r_file_perms;
+ r_dir_file(recovery, sysfs_thermal)
# Read files on /oem.
r_dir_file(recovery, oemfs);
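Review bot: Replacing `dir search` plus `file r_file_perms` with `r_dir_file` at line 513 is not a pure refactor: as the macro is normally defined it grants `r_dir_perms` on the directory and `r_file_perms` on lnk_file as well, so recovery gains directory listing and symlink reads under sysfs_thermal. That is reasonable for walking /sys/class/thermal/*/temp, but it is a widening and the comment at line 510 could say so: `# Read /sys/class/thermal/*/temp for thermal info (dir listing and symlink follow included).`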
diff --git a/public/rild.te b/public/rild.te
index 77f146b..e4b0186 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -19,9 +19,6 @@
allow rild shell_exec:file rx_file_perms;
allow rild bluetooth_efs_file:file r_file_perms;
allow rild bluetooth_efs_file:dir r_dir_perms;
-# TODO (b/36601950) remove RILD's access to radio_data_file and
-# system_data_file. Remove coredata_in_vendor_violators attribute.
-typeattribute rild coredata_in_vendor_violators;
allow rild radio_data_file:dir rw_dir_perms;
allow rild radio_data_file:file create_file_perms;
allow rild sdcard_type:dir r_dir_perms;
diff --git a/public/service.te b/public/service.te
index 96a692a..efd4c86 100644
--- a/public/service.te
+++ b/public/service.te
@@ -98,6 +98,7 @@
type network_score_service, system_api_service, system_server_service, service_manager_type;
type network_time_update_service, system_server_service, service_manager_type;
type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type oem_lock_service, system_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
type overlay_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/vendor_shell.te b/public/vendor_shell.te
new file mode 100644
index 0000000..b330542
--- /dev/null
+++ b/public/vendor_shell.te
@@ -0,0 +1,4 @@
+# vendor shell MUST never run as interactive or login shell.
+# vendor shell CAN never be traisitioned to by any process, so it is
+# only intended by shell script interpreter.
+type vendor_shell_exec, exec_type, vendor_file_type, file_type;
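Review bot: The header comment states two invariants (never an interactive/login shell, never transitioned to) that this file does not enforce; it only declares the type at line 551, and the enforcement that does exist is the neverallow on `{ coredomain -init }` this commit adds to domain.te. A pointer such as `# Execution by core domains is forbidden by the neverallow on vendor_shell_exec in domain.te` would tell the reader where to look. Also fix the typos at lines 549-550: `traisitioned` → `transitioned`, and `only intended by shell script interpreter` → `only intended as a shell script interpreter`.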
diff --git a/public/vendor_toolbox.te b/public/vendor_toolbox.te
new file mode 100644
index 0000000..39462f8
--- /dev/null
+++ b/public/vendor_toolbox.te
@@ -0,0 +1,12 @@
+# Toolbox installation for vendor binaries / scripts
+# Non-vendor processes are not allowed to execute the binary
+# and is always executed without transition.
+type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
+
+# Do not allow domains to transition to vendor toolbox
+# or read, execute the vendor_toolbox file.
+full_treble_only(`
+ # Do not allow non-vendor domains to transition
+ # to vendor toolbox
+ neverallow coredomain vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
+')
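Review bot: The outer comment at lines 563-564 says the rule also denies `read` of the toolbox file, but the neverallow at line 568 covers only `{ entrypoint execute execute_no_trans }`; either drop `read` from the comment or add it to the rule if non-vendor domains really must not read the binary. Lines 563-564 and 566-567 then say the same thing twice; one comment is enough. Grammar at lines 559-560: `# Non-vendor processes are not allowed to execute the binary, and it is always executed without a transition.`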
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index a10a6cf..9c38819 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -7,7 +7,3 @@
hal_client_domain(hal_audio_default, hal_allocator)
typeattribute hal_audio_default socket_between_core_and_vendor_violators;
-# TODO (b/36601590) move hal_audio's data file to
-# /data/vendor/hardware/hal_audio. Remove coredata_in_vendor_violators
-# attribute.
-typeattribute hal_audio_default coredata_in_vendor_violators;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 60b6a5c..8f86a27 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -3,8 +3,3 @@
type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_camera_default)
-
-# TODO (b/36601397) move hal_camera's data file to
-# /data/vendor/hardware/hal_camera. Remove coredata_in_vendor_violators
-# attribute.
-typeattribute hal_camera_default coredata_in_vendor_violators;
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index 3aeec06..b79c3b5 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -6,8 +6,3 @@
allow hal_drm_default mediacodec:fd use;
allow hal_drm_default { appdomain -isolated_app }:fd use;
-
-# TODO (b/36601695) remove hal_drm's access to /data or move to
-# /data/vendor/hardware/hal_drm. Remove coredata_in_vendor_violators
-# attribute.
-typeattribute hal_drm_default coredata_in_vendor_violators;
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 322c104..638b603 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -3,7 +3,3 @@
type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_fingerprint_default)
-
-# TODO (b/36644492) move hal_fingerprint's data file to
-# /data/vendor/. Remove coredata_in_vendor_violators attribute.
-typeattribute hal_fingerprint_default coredata_in_vendor_violators;
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index 2f1c092..6a1002f 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -4,8 +4,4 @@
type hal_nfc_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_nfc_default)
-# TODO (b/36645109) Remove hal_nfc's access to the nfc app's
-# data type. Remove coredata_in_vendor_violators and
-# socket_between_core_and_vendor_violators attribute associations below.
-typeattribute hal_nfc_default coredata_in_vendor_violators;
typeattribute hal_nfc_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index c2bdc73..62b03be 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -11,8 +11,3 @@
# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
hwbinder_use(hal_wifi_supplicant_default)
binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)
-
-# TODO (b/36645291) Move hal_wifi_supplicant's data access to /data/vendor
-# Remove coredata_in_vendor_violators attribute.
-# wpa supplicant or equivalent
-typeattribute hal_wifi_supplicant_default coredata_in_vendor_violators;
diff --git a/vendor/hostapd.te b/vendor/hostapd.te
index d20581e..2c62cf0 100644
--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@@ -31,7 +31,3 @@
allow hostapd hostapd_socket:dir create_dir_perms;
# hostapd needs to create, bind to, read, and write its control socket.
allow hostapd hostapd_socket:sock_file create_file_perms;
-
-# TODO (b/36646171) Move hostapd's data access to /data/vendor
-# Remove coredata_in_vendor_violators attribute.
-typeattribute hostapd coredata_in_vendor_violators;
diff --git a/vendor/tee.te b/vendor/tee.te
index e5e8b2d..f7c2cb5 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -15,7 +15,5 @@
allow tee ion_device:chr_file r_file_perms;
r_dir_file(tee, sysfs_type)
-# TODO(b/36720355): Remove this once tee no longer access non-vendor files
-typeattribute tee coredata_in_vendor_violators;
allow tee system_data_file:file { getattr read };
allow tee system_data_file:lnk_file r_file_perms;