Merge "Coredomain can't execute vendor code."
am: 0338f7db2d
Change-Id: I349c7fa7ca008136cb3f7d7edbdd7e5a769d648a
commit
26d3836acc
1 changed files with 19 additions and 0 deletions
|
@ -892,6 +892,25 @@ full_treble_only(`
|
|||
-crash_dump_exec
|
||||
-netutils_wrapper_exec
|
||||
}:file { entrypoint execute execute_no_trans };
|
||||
|
||||
# Do not allow system components to execute files from vendor
|
||||
# except for the ones whitelisted here.
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
-system_executes_vendor_violators
|
||||
-vendor_init
|
||||
} {
|
||||
vendor_file_type
|
||||
-same_process_hal_file
|
||||
-vndk_sp_file
|
||||
-vendor_app_file
|
||||
}:file execute;
|
||||
|
||||
neverallow {
|
||||
coredomain
|
||||
-system_executes_vendor_violators
|
||||
} vendor_file_type:file execute_no_trans;
|
||||
')
|
||||
|
||||
# Only authorized processes should be writing to files in /data/dalvik-cache
|
||||
|
|
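Review bot: The two neverallow rules carry different exemption lists, and the comment above them does not say why: the `execute` rule exempts `init`, `vendor_init` and three file types, while the `execute_no_trans` rule exempts only `system_executes_vendor_violators`. A short comment would keep later edits from widening the wrong rule, for example `# init and vendor_init need execute to start vendor binaries via a domain transition; execute_no_trans stays denied so vendor code never runs in a coredomain context.` (this reading is inferred from the rule shapes, please confirm). It would also help to note beside `-system_executes_vendor_violators` that any domain given that attribute bypasses both assertions, so its membership is worth auditing. The enclosing `full_treble_only(` block starts outside the hunk, so these assertions are presumably not checked on non-Treble builds.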