shell: remove from system_executes_vendor_violators.

And grant explicit exemption from system_executes_vendor_violators neverallow rules. This does not change the policy, but is needed to test the violator attribute for emptiness. Bug: 72662597 Test: build sepolicy Change-Id: Iba79bb42e1381b221fe0dc53470f62f8267a4791

shell: remove from system_executes_vendor_violators.
And grant explicit exemption from system_executes_vendor_violators neverallow rules. This does not change the policy, but is needed to test the violator attribute for emptiness. Bug: 72662597 Test: build sepolicy Change-Id: Iba79bb42e1381b221fe0dc53470f62f8267a4791
bfe51254 · Tri Vo · 4e9b1c6b · bfe51254 · bfe51254
Commit bfe51254 authored 7 years ago by Tri Vo
--- a/public/domain.te
+++ b/public/domain.te
@@ -912,6 +912,7 @@ full_treble_only(`
    neverallow {
      coredomain
      -init
+      -shell
      -system_executes_vendor_violators
    } {
      vendor_file_type
@@ -922,6 +923,7 @@ full_treble_only(`

    neverallow {
      coredomain
+      -shell
      -system_executes_vendor_violators
    } vendor_file_type:file execute_no_trans;
 ')

--- a/public/shell.te
+++ b/public/shell.te
@@ -190,8 +190,6 @@ allow shell service_contexts_file:file r_file_perms;
 allow shell sepolicy_file:file r_file_perms;

 # Allow shell to start up vendor shell
-# TODO(b/62041836): system processes should not run vendor executables.
-typeattribute shell system_executes_vendor_violators;
 allow shell vendor_shell_exec:file rx_file_perms;

 ###