Merge "Coredomain can't execute vendor code."

0338f7db · Tri Vo · Gerrit Code Review · 536d1954 · e26da713 · 0338f7db
Commit 0338f7db authored 7 years ago by Tri Vo Committed by Gerrit Code Review 7 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -892,6 +892,25 @@ full_treble_only(`
        -crash_dump_exec
        -netutils_wrapper_exec
    }:file { entrypoint execute execute_no_trans };
+
+    # Do not allow system components to execute files from vendor
+    # except for the ones whitelisted here.
+    neverallow {
+      coredomain
+      -init
+      -system_executes_vendor_violators
+      -vendor_init
+    } {
+      vendor_file_type
+      -same_process_hal_file
+      -vndk_sp_file
+      -vendor_app_file
+    }:file execute;
+
+    neverallow {
+      coredomain
+      -system_executes_vendor_violators
+    } vendor_file_type:file execute_no_trans;
 ')

 # Only authorized processes should be writing to files in /data/dalvik-cache