Merge "Neverallow vendor code access to files on /system."
diff --git a/public/domain.te b/public/domain.te
index 2bdc53c..c34ef4f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1086,9 +1086,10 @@
-vendor_executes_system_violators
-vendor_init
} {
- exec_type
+ system_file_type
+ -system_file # TODO(b/111243627): remove once Treble violations are fixed.
+ -system_lib_file
-system_linker_exec
- -vendor_file_type
-crash_dump_exec
-netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec')
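Review bot: The `-system_file` exemption added on line 12 (and again on line 46 in the second hunk) leaves every object still carrying the generic `system_file` label outside this neverallow, so until b/111243627 is resolved the rule only constrains the more specific `system_file_type` subtypes, which is much narrower than a reader of the TODO alone would assume. Worth saying so next to the TODO, e.g. `# NOTE: anything still labelled plain system_file is NOT constrained by this rule until b/111243627 is closed.` Replacing `exec_type -vendor_file_type` with `system_file_type` is only equivalent if no type carries both `system_file_type` and `vendor_file_type`; that cannot be confirmed from this hunk, so a one-line comment stating that invariant (or a policy check enforcing it) would make the change reviewable. The enclosing neverallow starts and ends outside this hunk, so the permissions it denies are not visible here.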
@@ -1151,17 +1152,33 @@
}:file *;
')
-# TODO(b/111243627): Uncomment once all violations are cleaned up.
-#full_treble_only(`
-# # Do not allow vendor components access to /system files except for the
-# # ones whitelisted here.
-# neverallow {
-# domain
-# -appdomain
-# -coredomain
-# -vendor_executes_system_violators
-# } system_file_type:file *;
-#')
+full_treble_only(`
+ # Do not allow vendor components access to /system files except for the
+ # ones whitelisted here.
+ neverallow {
+ domain
+ -appdomain
+ -coredomain
+ -vendor_executes_system_violators
+ # vendor_init needs access to init_exec for domain transition. vendor_init
+ # neverallows are covered in public/vendor_init.te
+ -vendor_init
+ } {
+ system_file_type
+ -system_file # TODO(b/111243627): remove once Treble violations are fixed.
+ -crash_dump_exec
+ -file_contexts_file
+ -netutils_wrapper_exec
+ -property_contexts_file
+ -system_lib_file
+ -system_linker_exec
+ -system_linker_config_file
+ -system_seccomp_policy_file
+ -system_security_cacerts_file
+ -system_zoneinfo_file
+ userdebug_or_eng(`-tcpdump_exec')
+ }:file *;
+')
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
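Review bot: The exemption list on lines 47-57 gives no rationale for any entry except vendor_init (lines 41-42), and the header comment on lines 34-35 calls them a whitelist without saying what each is for, so a reviewer cannot tell whether e.g. `-file_contexts_file` or `-property_contexts_file` is a permanent requirement or another Treble leftover to be removed with b/111243627. Suggest a short per-entry comment in the style of the vendor_init one, hedged where the reason is inferred, e.g. `-system_security_cacerts_file # presumably the CA trust store read by vendor TLS clients - confirm`. Because the rule is `}:file *;`, every exemption drops the type from the rule entirely and so also stops forbidding write-class permissions on it; if the data-file entries are meant to be read-only for vendor domains, a second neverallow denying write/append/create on just those exempted types would keep the exemption to what is intended.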