private/vendor_toolbox.te - android_system_sepolicy - Gitiles

 # Do not allow domains to transition to vendor toolbox
 # or read, execute the vendor_toolbox file.
 full_treble_only(`
     # Do not allow non-vendor domains to transition
     # to vendor toolbox except for the allowlisted domains.
     neverallow {
         coredomain
         -init
         -modprobe
         userdebug_or_eng(`-overlay_remounter')
     } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
 ')
	# Do not allow domains to transition to vendor toolbox
	# or read, execute the vendor_toolbox file.
	full_treble_only(`
	# Do not allow non-vendor domains to transition
	# to vendor toolbox except for the allowlisted domains.
	neverallow {
	coredomain
	-init
	-modprobe
	userdebug_or_eng(`-overlay_remounter')
	} vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
	')