From f0ba32292638182e730ddca74f94ca237d99f1b1 Mon Sep 17 00:00:00 2001
From: Jooyung Han
Date: Thu, 15 Feb 2024 13:18:40 +0900
Subject: [PATCH] Relax neverallows for vendor to use /system/bin/sh

Since 202404, vendor components will use /system/bin/sh for system(3), popen(3), etc.

Bug: 324142245
Test: system("readlink /proc/$$/exe") in vendor HALs
Change-Id: I521499678e87a7d0216a276e014888867f495803
---
 public/domain.te | 6 ++++++
 public/hal_neverallows.te | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/public/domain.te b/public/domain.te
index d630a2433..030e8a9ba 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -913,6 +913,9 @@ full_treble_only(`
 -crash_dump_exec
 -netutils_wrapper_exec
 userdebug_or_eng(`-tcpdump_exec')
+# Vendor components still can invoke shell commands via /system/bin/sh
+-shell_exec
+-toolbox_exec
 }:file { entrypoint execute execute_no_trans };
 ')
 
@@ -993,6 +996,9 @@ full_treble_only(`
 -task_profiles_api_file
 -task_profiles_file
 userdebug_or_eng(`-tcpdump_exec')
+# Vendor components still can invoke shell commands via /system/bin/sh
+-shell_exec
+-toolbox_exec
 }:file *;
 ')
 
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 621a0b87a..6730c322d 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -85,7 +85,13 @@ neverallow {
 halserverdomain
 -hal_dumpstate_server
 -hal_telephony_server
-} { file_type fs_type }:file execute_no_trans;
+} {
+file_type
+fs_type
+# May invoke shell commands via /system/bin/sh
+-shell_exec
+-toolbox_exec
+}:file execute_no_trans;
 # Do not allow a process other than init to transition into a HAL domain.
 neverallow { domain -init } halserverdomain:process transition;
 # Only allow transitioning to a domain by running its executable. Do not
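Review bot: The `-shell_exec` / `-toolbox_exec` exclusions in the first domain.te hunk (line 913) drop these two types from the whole `{ entrypoint execute execute_no_trans }` neverallow, but the commit's stated purpose — system(3) and popen(3) — only needs `execute` and `execute_no_trans`; as written, nothing in this rule any longer forbids a vendor domain from being entered with /system/bin/sh or the toybox binary as its entrypoint. If that is not intended, keep the exclusions and add a narrower rule alongside, e.g. `neverallow { <same source set as above> } { shell_exec toolbox_exec }:file entrypoint;`, so the entrypoint guarantee survives. The second domain.te hunk (around line 996) adds the same pair of exclusions to a `:file *` rule, which is broader still, and deserves a comment stating which permissions vendor domains actually need there; the comment `# Vendor components still can invoke shell commands via /system/bin/sh` could be extended with `# (since vendor API 202404; toolbox_exec is included for the toybox applets the shell invokes)` so the reason for toolbox_exec is recorded, since the commit message names only /system/bin/sh. The enclosing neverallow starts outside the hunk, so the source set it applies to is not visible here.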
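Review bot: Excluding `shell_exec` and `toolbox_exec` from this `execute_no_trans` neverallow means a HAL server may run /system/bin/sh and toybox applets without a domain transition, so the shell and anything it spawns run with the full permissions of the calling `halserverdomain` domain; the added comment `# May invoke shell commands via /system/bin/sh` should say that explicitly so the consequence is visible to whoever next touches this rule. A wording such as `# Since vendor API 202404, HAL servers may call system(3)/popen(3); the shell runs in the caller's domain (execute_no_trans), so a HAL that needs containment must use a domain transition instead` ties the exemption to the reason given in the commit message. As far as I can tell this only relaxes the neverallow and grants nothing by itself, so each HAL domain still has to add its own allow rule; reviewers of vendor policy should treat those grants as the place to check scope.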