commit a4e83bc5f36d908b19aff88eb2a6829ff6053134
author Tri Vo <trong@google.com> Fri Jan 12 18:10:34 2018 +0000
committer Android (Google) Code Review <android-gerrit@google.com> Fri Jan 12 18:10:34 2018 +0000
tree ec5f178e878e2900c88e7f8f7e873b0c67de3499
parent cba25d2c0afe4b465729459555849f1080b17e1f
parent d2315bdf6a9f08a725125bc7e0e78e48332c537b

Merge "Revert "Coredomain can't execute vendor code.""

public/attributes

diff --git a/public/attributes b/public/attributes
index 2a8a40a..c25f1eb 100644
--- a/public/attributes
+++ b/public/attributes
@@ -154,12 +154,6 @@
 attribute data_between_core_and_vendor_violators;
 expandattribute data_between_core_and_vendor_violators false;
 
-# All system domains which violate the requirement of not executing vendor
-# binaries/libraries.
-# TODO(b/62041836)
-attribute system_executes_vendor_violators;
-expandattribute system_executes_vendor_violators false;
-
 # hwservices that are accessible from untrusted applications
 # WARNING: Use of this attribute should be avoided unless
 # absolutely necessary.  It is a temporary allowance to aid the

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index 2a8c843..e64b644 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -891,20 +891,6 @@
         -crash_dump_exec
         -netutils_wrapper_exec
     }:file { entrypoint execute execute_no_trans };
-
-    # Do not allow system components to execute files from vendor
-    # except for the ones whitelist here.
-    neverallow {
-      coredomain
-      -init
-      -system_executes_vendor_violators
-      -vendor_init
-    } {
-      vendor_file_type
-      -same_process_hal_file
-      -vndk_sp_file
-      -vendor_app_file
-    }:file { execute execute_no_trans };
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache