Merge "neverallow fwk access to /vendor"
diff --git a/public/domain.te b/public/domain.te
index ce6ec3a..0f472c7 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1042,6 +1042,32 @@
}:file execute_no_trans;
')
+full_treble_only(`
+ # Do not allow system components access to /vendor files except for the
+ # ones whitelisted here.
+ neverallow {
+ coredomain
+ # TODO(b/37168747): clean up fwk access to /vendor
+ -crash_dump
+ -init # starts vendor executables
+ -kernel # loads /vendor/firmware
+ userdebug_or_eng(`-perfprofd')
+ -shell
+ -system_executes_vendor_violators
+ -system_server # reads vendor input files
+ -ueventd # reads /vendor/ueventd.rc
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vendor_app_file
+ -vendor_configs_file
+ -vendor_framework_file
+ -vendor_overlay_file
+ -vendor_public_lib_file
+ -vndk_sp_file
+ }:file *;
+')
+
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
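Review bot: Three of the exempted source domains in the new neverallow (`-crash_dump`, `-shell`, `-system_executes_vendor_violators`) carry no reason, unlike `init`, `kernel`, `system_server` and `ueventd`. Because the rule is `:file *`, each exemption lifts the guard for every file permission on every vendor type that is not excluded in the target set. I would add a trailing comment to each in the style already used, e.g. `-shell # TODO(b/37168747): <why shell needs /vendor files>`, so the list can be audited and shrunk under the existing TODO. The rule also names only the `file` class; if symlinks under /vendor are meant to be covered, the class set would need to be `:{ file lnk_file } *`, and if the omission is deliberate a one-line comment saying so would help.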