From 0ca17178a001df196b9c20ce6e8a072e0bb5e48d Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Tue, 11 Apr 2017 13:50:22 -0700
Subject: [PATCH] sepolicy: auditallow vendor components to execute files from
 /system

Adds a rule to audit vendor domains executing programs from /system,
with the exception of the domains whitelisted in the rule.

Bug: 36463595
Test: Boot sailfish
Test: Run SELinuxHostTests with the tests that checks for new violators
      (without the API check) to ensure it fails for sailfish. The API
      check will allow the test to skip the check.

Change-Id: Id19f32141bceba4db4bd939394ff3ee0b3c4b437
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 public/domain.te | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 513e6e144..a689788a7 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -715,7 +715,7 @@ full_treble_only(`
         coredomain
         -appdomain
         -idmap
-	-init
+        -init
         -system_server
         -zygote
     } vendor_overlay_file:dir { getattr open read search };
@@ -724,7 +724,7 @@ full_treble_only(`
         coredomain
         -appdomain
         -idmap
-	-init
+        -init
         -system_server
         -zygote
     } vendor_overlay_file:{ file lnk_file } r_file_perms;
@@ -735,6 +735,21 @@ full_treble_only(`
         coredomain
         -init
     } vendor_shell_exec:file { execute execute_no_trans };
+
+    # Do not allow vendor components to execute files from system
+    # except for the ones whitelist here.
+    # TODO:(b/36463595) Make this a neverallow
+    userdebug_or_eng(`
+        auditallow {
+            domain
+            -coredomain
+            -appdomain
+        } {
+            exec_type
+            -vendor_file_type
+            -crash_dump_exec
+        }:file { entrypoint execute execute_no_trans };
+    ')
 ')
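Review bot: The source exclusion `-appdomain` in the new auditallow means any vendor app (apps on every partition are presumably in appdomain) execing a /system binary never produces an audit record, so the data collected for the planned neverallow (b/36463595) will not include that case; if that is intended, the comment should say so, e.g. `# appdomain is excluded: vendor apps are handled by the app policy, not this rule`. The comment text `except for the ones whitelist here` should read `except for the ones whitelisted here`. It is also worth stating in the comment that, being wrapped in userdebug_or_eng, the rule collects nothing on user builds, which is fine for an auditallow but matters for anyone relying on the logs. The enclosing full_treble_only block starts outside the hunk.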
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
-- 
GitLab