From b99676eece98d8fa732dc64dabca4dd2cbbbcac5 Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Fri, 14 Apr 2017 21:26:57 -0700
Subject: [PATCH] Add vendor_executes_system_violators attribute

Temporary attribute (checked against in CTS) to point out vendor
processes that run /system executables. There are currently only 2-3
such processes, all related to telephony on sailfish.

Bug: 36463595
Test: Build succeeds for sailfish
Test: ./cts-tradefed run cts -m CtsSecurityHostTestCases -t \
          android.security.cts.SELinuxHostTest#testNoExemptionsForVendorExecutingCore \
          --skip-device-info --skip-preconditions --skip-connectivity-check \
          --abi arm64-v8a

Change-Id: I9eb40ad259aefba73869d6a1b40186d33fa475dd
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 public/attributes |  5 +++++
 public/domain.te  | 26 ++++++++++++--------------
 2 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/public/attributes b/public/attributes
index 2d5db7f15..adad87ff6 100644
--- a/public/attributes
+++ b/public/attributes
@@ -141,6 +141,11 @@ attribute binder_in_vendor_violators;
 # TODO(b/36577153): Remove this once there are no violations
 attribute socket_between_core_and_vendor_violators;
 
+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+
 # All HAL servers
 attribute halserverdomain;
 # All HAL clients
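Review bot: The comment on the new attribute misstates what it gates: the neverallow it exempts from is about vendor domains executing files from /system (`exec_type -vendor_file_type`), not "executing system processes", and unlike the sibling attributes directly above it the TODO carries no removal instruction. Suggest rewording to `# All vendor domains which violate the requirement of not executing` / `# executables from /system (exempted from the neverallow in domain.te)` / `# TODO(b/36463595): Remove this once there are no violations`. That keeps the three temporary violator attributes consistent and tells the next maintainer what closes the bug.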
diff --git a/public/domain.te b/public/domain.te
index dfccfdd9c..e75ce1a4b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -680,20 +680,18 @@ full_treble_only(`
 
     # Do not allow vendor components to execute files from system
     # except for the ones whitelist here.
-    # TODO:(b/36463595) Make this a neverallow
-    userdebug_or_eng(`
-        auditallow {
-            domain
-            -coredomain
-            -appdomain
-            -rild
-        } {
-            exec_type
-            -vendor_file_type
-            -crash_dump_exec
-            -netutils_wrapper_exec
-        }:file { entrypoint execute execute_no_trans };
-    ')
+    neverallow {
+        domain
+        -coredomain
+        -appdomain
+        -rild
+        -vendor_executes_system_violators
+    } {
+        exec_type
+        -vendor_file_type
+        -crash_dump_exec
+        -netutils_wrapper_exec
+    }:file { entrypoint execute execute_no_trans };
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
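Review bot: rild is still exempted by name (`-rild`) in the new neverallow even though `vendor_executes_system_violators` now exists to track exactly this class of violator, so rild is invisible to the CTS check named in the commit message; unless rild is meant as a permanent exemption, it should be dropped from the subject list and given the attribute in its own policy (rild's .te file is not in this patch, so this is inferred). The comment above the rule also lost the only hint that the exemption is temporary when the old TODO was removed; propose `# except for the ones whitelisted here. Domains carrying` / `# vendor_executes_system_violators are temporary exemptions (b/36463595).` The enclosing `full_treble_only(` macro starts before this hunk.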
-- 
GitLab