platform_system_sepolicy/public/vendor_toolbox.te

17 lines
599 B
Text
Raw Normal View History

# Toolbox installation for vendor binaries / scripts
# Non-vendor processes are not allowed to execute the binary
# and is always executed without transition.
type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
# Do not allow domains to transition to vendor toolbox
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
# to vendor toolbox except for the whitelisted domains.
neverallow {
coredomain
-init
-modprobe
} vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
')