commit 69fcac4c7ea6ac83a37e663d7a52d9ca3557560a
author Tom Cherry <tomcherry@google.com> Wed Apr 29 11:29:54 2020 -0700
committer Tom Cherry <tomcherry@google.com> Wed Apr 29 14:02:43 2020 -0700
tree 92a27ca60f916d53c02a8e8eb4af5eccbf43c19f
parent 2ea9264ea3ed4f7381a56c5127952c0652b1582c

Prevent transition to coredomain except for system files and vice versa

Add a neverallow to prevent coredomain from accessing entrypoint for
files other than system_file_type and postinstall_file.  Add the
complementary neverallow to prevent domains other than coredomain from
accessing entrypoint for files other than vendor_file_type and
init_exec (for vendor_init).

Bug: 155124994
Test: build
Change-Id: I6e0cb7fb445b96b82e434e949b59c299aee1ad8b

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index 8e6e150..0ab5f22 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -948,6 +948,23 @@
 ')
 
 full_treble_only(`
+    # Do not allow coredomain to access entrypoint for files other
+    # than system_file_type and postinstall_file
+    neverallow coredomain {
+        file_type
+        -system_file_type
+        -postinstall_file
+    }:file entrypoint;
+    # Do not allow domains other than coredomain to access entrypoint
+    # for anything but vendor_file_type and init_exec for vendor_init.
+    neverallow { domain -coredomain } {
+        file_type
+        -vendor_file_type
+        -init_exec
+    }:file entrypoint;
+')
+
+full_treble_only(`
     # Do not allow system components to execute files from vendor
     # except for the ones whitelisted here.
     neverallow {