Merge "Reland "Neverallow vendor code access to files on /system.""

93d34842 · Tri Vo · Gerrit Code Review · 24e2b824 · e6b1a4ca · 93d34842
Commit 93d34842 authored 6 years ago by Tri Vo Committed by Gerrit Code Review 6 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -1091,9 +1091,10 @@ full_treble_only(`
        -vendor_executes_system_violators
        -vendor_init
    } {
-        exec_type
+        system_file_type
+        -system_file # TODO(b/111243627): remove once Treble violations are fixed.
+        -system_lib_file
        -system_linker_exec
-        -vendor_file_type
        -crash_dump_exec
        -netutils_wrapper_exec
        userdebug_or_eng(`-tcpdump_exec')
@@ -1156,17 +1157,33 @@ full_treble_only(`
  }:file *;
 ')
-# TODO(b/111243627): Uncomment once all violations are cleaned up.
+full_treble_only(`
-#full_treble_only(`
+  # Do not allow vendor components access to /system files except for the
-#  # Do not allow vendor components access to /system files except for the
+  # ones whitelisted here.
-#  # ones whitelisted here.
+  neverallow {
-#  neverallow {
+    domain
-#    domain
+    -appdomain
-#    -appdomain
+    -coredomain
-#    -coredomain
+    -vendor_executes_system_violators
-#    -vendor_executes_system_violators
+    # vendor_init needs access to init_exec for domain transition. vendor_init
-#  } system_file_type:file *;
+    # neverallows are covered in public/vendor_init.te
-#')
+    -vendor_init
+  } {
+    system_file_type
+    -system_file # TODO(b/111243627): remove once Treble violations are fixed.
+    -crash_dump_exec
+    -file_contexts_file
+    -netutils_wrapper_exec
+    -property_contexts_file
+    -system_lib_file
+    -system_linker_exec
+    -system_linker_config_file
+    -system_seccomp_policy_file
+    -system_security_cacerts_file
+    -system_zoneinfo_file
+    userdebug_or_eng(`-tcpdump_exec')
+  }:file *;
+')
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {