neverallow fwk access to /vendor

This rule prevents adding further fwk->vendor access. Left a TODO to clean up already existing access. Bug: 37168747 Test: build sailfish, walleye policies Change-Id: I5e61d0b94b81df228628dba5746e084f291a7904

neverallow fwk access to /vendor
This rule prevents adding further fwk->vendor access. Left a TODO to clean up already existing access. Bug: 37168747 Test: build sailfish, walleye policies Change-Id: I5e61d0b94b81df228628dba5746e084f291a7904
44b7d5b8 · Tri Vo · 383471c2 · 44b7d5b8
Commit 44b7d5b8 authored 7 years ago by Tri Vo
--- a/public/domain.te
+++ b/public/domain.te
@@ -1042,6 +1042,32 @@ full_treble_only(`
    }:file execute_no_trans;
 ')
+full_treble_only(`
+  # Do not allow system components access to /vendor files except for the
+  # ones whitelisted here.
+  neverallow {
+    coredomain
+    # TODO(b/37168747): clean up fwk access to /vendor
+    -crash_dump
+    -init # starts vendor executables
+    -kernel # loads /vendor/firmware
+    userdebug_or_eng(`-perfprofd')
+    -shell
+    -system_executes_vendor_violators
+    -system_server # reads vendor input files
+    -ueventd # reads /vendor/ueventd.rc
+  } {
+    vendor_file_type
+    -same_process_hal_file
+    -vendor_app_file
+    -vendor_configs_file
+    -vendor_framework_file
+    -vendor_overlay_file
+    -vendor_public_lib_file
+    -vndk_sp_file
+  }:file *;
+')
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
  domain