Revert "Relax neverallows for vendor to use /system/bin/sh"
Revert submission 2964802-sh_path
Reason for revert: <b/325569171>
Reverted changes: /q/submissionid:2964802-sh_path
Change-Id: I89e635e742d8f4f8a79afa1bb2646c7621705994
diff --git a/public/domain.te b/public/domain.te
index 030e8a9..d630a24 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -913,9 +913,6 @@
-crash_dump_exec
-netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec')
- # Vendor components still can invoke shell commands via /system/bin/sh
- -shell_exec
- -toolbox_exec
}:file { entrypoint execute execute_no_trans };
')
@@ -996,9 +993,6 @@
-task_profiles_api_file
-task_profiles_file
userdebug_or_eng(`-tcpdump_exec')
- # Vendor components still can invoke shell commands via /system/bin/sh
- -shell_exec
- -toolbox_exec
}:file *;
')
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 6730c32..621a0b8 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -85,13 +85,7 @@
halserverdomain
-hal_dumpstate_server
-hal_telephony_server
-} {
- file_type
- fs_type
- # May invoke shell commands via /system/bin/sh
- -shell_exec
- -toolbox_exec
-}:file execute_no_trans;
+} { file_type fs_type }:file execute_no_trans;
# Do not allow a process other than init to transition into a HAL domain.
neverallow { domain -init } halserverdomain:process transition;
# Only allow transitioning to a domain by running its executable. Do not