Merge "Neverallow vendor code access to files on /system."

am: a8131148

Change-Id: Idf41a715fd959069be989a2d2000c21afad6290b

public/domain.te

@@ -1086,9 +1086,10 @@ full_treble_only(`
         -vendor_executes_system_violators
         -vendor_init
     } {
-        exec_type
+        system_file_type
+        -system_file # TODO(b/111243627): remove once Treble violations are fixed.
+        -system_lib_file
         -system_linker_exec
-        -vendor_file_type
         -crash_dump_exec
         -netutils_wrapper_exec
         userdebug_or_eng(`-tcpdump_exec')
@@ -1151,17 +1152,33 @@ full_treble_only(`
   }:file *;
 ')
 
-# TODO(b/111243627): Uncomment once all violations are cleaned up.
-#full_treble_only(`
-#  # Do not allow vendor components access to /system files except for the
-#  # ones whitelisted here.
-#  neverallow {
-#    domain
-#    -appdomain
-#    -coredomain
-#    -vendor_executes_system_violators
-#  } system_file_type:file *;
-#')
+full_treble_only(`
+  # Do not allow vendor components access to /system files except for the
+  # ones whitelisted here.
+  neverallow {
+    domain
+    -appdomain
+    -coredomain
+    -vendor_executes_system_violators
+    # vendor_init needs access to init_exec for domain transition. vendor_init
+    # neverallows are covered in public/vendor_init.te
+    -vendor_init
+  } {
+    system_file_type
+    -system_file # TODO(b/111243627): remove once Treble violations are fixed.
+    -crash_dump_exec
+    -file_contexts_file
+    -netutils_wrapper_exec
+    -property_contexts_file
+    -system_lib_file
+    -system_linker_exec
+    -system_linker_config_file
+    -system_seccomp_policy_file
+    -system_security_cacerts_file
+    -system_zoneinfo_file
+    userdebug_or_eng(`-tcpdump_exec')
+  }:file *;
+')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {