public/vendor_toolbox.te - platform/system/sepolicy - Git at Google

 # Toolbox installation for vendor binaries / scripts
 # Non-vendor processes are not allowed to execute the binary
 # and is always executed without transition.
 type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;

 # Do not allow domains to transition to vendor toolbox
 # or read, execute the vendor_toolbox file.
 full_treble_only(`
     # Do not allow non-vendor domains to transition
     # to vendor toolbox
     neverallow coredomain vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
 ')
	# Toolbox installation for vendor binaries / scripts
	# Non-vendor processes are not allowed to execute the binary
	# and is always executed without transition.
	type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;

	# Do not allow domains to transition to vendor toolbox
	# or read, execute the vendor_toolbox file.
	full_treble_only(`
	# Do not allow non-vendor domains to transition
	# to vendor toolbox
	neverallow coredomain vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
	')