4fe441fb5f
The vendor toybox MUST always be executed without transition and
non-vendor processes are not allowed to execute the binary.
Bug: 36463595
Test: Boot and test if system shell can run /vendor/bin/echo
Result: requires 'su'
Change-Id: Ifb9aa61f247f91fb870b99d60ac7f849ee9c6adc
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit c112cd18e8999c0242a2560219033231a0e19898)
12 lines
515 B
Text
12 lines
515 B
Text
# Toolbox installation for vendor binaries / scripts
|
|
# Non-vendor processes are not allowed to execute the binary
|
|
# and is always executed without transition.
|
|
type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
|
|
|
|
# Do not allow domains to transition to vendor toolbox
|
|
# or read, execute the vendor_toolbox file.
|
|
full_treble_only(`
|
|
# Do not allow non-vendor domains to transition
|
|
# to vendor toolbox
|
|
neverallow coredomain vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
|
|
')
|