From 4fe441fb5fa75ba7d07d35fbee3855223f86e2c7 Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Wed, 12 Apr 2017 15:19:12 -0700
Subject: [PATCH] toolbox: add sepolicy for vendor toybox

The vendor toybox MUST always be executed without transition and
non-vendor processes are not allowed to execute the binary.

Bug: 36463595
Test: Boot and test if system shell can run /vendor/bin/echo
      Result: requires 'su'

Change-Id: Ifb9aa61f247f91fb870b99d60ac7f849ee9c6adc
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit c112cd18e8999c0242a2560219033231a0e19898)
---
 private/file_contexts    |  1 +
 public/vendor_toolbox.te | 12 ++++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 public/vendor_toolbox.te

diff --git a/private/file_contexts b/private/file_contexts
index c31ec06e3..1bc17162e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -265,6 +265,7 @@
 # Vendor files
 #
 /(vendor|system/vendor)(/.*)?                  u:object_r:vendor_file:s0
+/(vendor|system/vendor)/bin/toybox_vendor      u:object_r:vendor_toolbox_exec:s0
 /(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0
 
 /(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
diff --git a/public/vendor_toolbox.te b/public/vendor_toolbox.te
new file mode 100644
index 000000000..39462f8e7
--- /dev/null
+++ b/public/vendor_toolbox.te
@@ -0,0 +1,12 @@
+# Toolbox installation for vendor binaries / scripts
+# Non-vendor processes are not allowed to execute the binary
+# and is always executed without transition.
+type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
+
+# Do not allow domains to transition to vendor toolbox
+# or read, execute the vendor_toolbox file.
+full_treble_only(`
+    # Do not allow non-vendor domains to transition
+    # to vendor toolbox
+    neverallow coredomain vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
+')
-- 
GitLab