Skip to content
Snippets Groups Projects
Commit 44b7d5b8 authored by Tri Vo's avatar Tri Vo
Browse files

neverallow fwk access to /vendor

This rule prevents adding further fwk->vendor access.
Left a TODO to clean up already existing access.

Bug: 37168747
Test: build sailfish, walleye policies
Change-Id: I5e61d0b94b81df228628dba5746e084f291a7904
parent 383471c2
No related branches found
No related tags found
No related merge requests found
...@@ -1042,6 +1042,32 @@ full_treble_only(` ...@@ -1042,6 +1042,32 @@ full_treble_only(`
}:file execute_no_trans; }:file execute_no_trans;
') ')
full_treble_only(`
# Do not allow system components access to /vendor files except for the
# ones whitelisted here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
-crash_dump
-init # starts vendor executables
-kernel # loads /vendor/firmware
userdebug_or_eng(`-perfprofd')
-shell
-system_executes_vendor_violators
-system_server # reads vendor input files
-ueventd # reads /vendor/ueventd.rc
} {
vendor_file_type
-same_process_hal_file
-vendor_app_file
-vendor_configs_file
-vendor_framework_file
-vendor_overlay_file
-vendor_public_lib_file
-vndk_sp_file
}:file *;
')
# Only authorized processes should be writing to files in /data/dalvik-cache # Only authorized processes should be writing to files in /data/dalvik-cache
neverallow { neverallow {
domain domain
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment