# Toolbox installation for vendor binaries / scripts.
# Non-vendor (coredomain) processes are not allowed to execute the
# binary; vendor processes execute it without a domain transition.
#
# vendor_toolbox_exec is an executable (exec_type) that lives in the
# vendor partition (vendor_file_type) and is a regular file (file_type).
type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
# Do not allow core domains to transition into, or execute, the
# vendor_toolbox binary.
#
# NOTE(review): the neverallow below covers only the execution-related
# permissions (entrypoint, execute, execute_no_trans). Plain read access
# to the file is NOT prohibited by this rule; if reading must also be
# forbidden, that needs an additional neverallow.
full_treble_only(`
# neverallow is a build-time assertion, not a runtime grant: policy
# compilation fails if any allow rule gives a coredomain one of these
# permissions on vendor_toolbox_exec. The full_treble_only wrapper
# limits the assertion to full-Treble builds (macro defined outside
# this file).
neverallow coredomain vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
')