sepolicy: auditallow vendor components to execute files from /system

Adds a rule to audit vendor domains executing programs from /system,
with the exception of domains whitelisted in the rule.

Bug: 36463595
Test: Boot sailfish
Test: Run SELinuxHostTests with the tests that checks for new violators
      (without the API check) to ensure it fails for sailfish. The API
      check will allow the test to skip the check.

Change-Id: Id19f32141bceba4db4bd939394ff3ee0b3c4b437
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/public/domain.te b/public/domain.te
index 513e6e1..a689788 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -715,7 +715,7 @@
         coredomain
         -appdomain
         -idmap
-	-init
+        -init
         -system_server
         -zygote
     } vendor_overlay_file:dir { getattr open read search };
@@ -724,7 +724,7 @@
         coredomain
         -appdomain
         -idmap
-	-init
+        -init
         -system_server
         -zygote
     } vendor_overlay_file:{ file lnk_file } r_file_perms;
@@ -735,6 +735,21 @@
         coredomain
         -init
     } vendor_shell_exec:file { execute execute_no_trans };
+
+    # Do not allow vendor components to execute files from system
+    # except for the ones whitelist here.
+    # TODO:(b/36463595) Make this a neverallow
+    userdebug_or_eng(`
+        auditallow {
+            domain
+            -coredomain
+            -appdomain
+        } {
+            exec_type
+            -vendor_file_type
+            -crash_dump_exec
+        }:file { entrypoint execute execute_no_trans };
+    ')
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
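Review bot: The comment above the new `auditallow` block reads as enforcement ("Do not allow ..."), but the rule only logs accesses that other rules already grant, and because of the `userdebug_or_eng` wrapper it is only compiled into userdebug/eng builds; nothing is denied until the TODO's neverallow lands. I would reword it to `# Audit vendor components executing files from /system, except for the types excluded below.` and add `# auditallow only logs already-granted access (userdebug/eng only); it does not block anything.` The target set `exec_type -vendor_file_type -crash_dump_exec` matches "files from /system" only if every non-system executable type carries `vendor_file_type`, which is not visible in this hunk and is worth confirming before the rule is turned into a neverallow. The enclosing macro block closed by the final `')` begins outside the hunk.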