Coredomain can't execute vendor code.
Bug: 62041836
Test: policies for internal devices build successfully
Change-Id: I6856c0ab9975210efd5b4bed17c103ba3364d1ab
diff --git a/public/domain.te b/public/domain.te
index d458510..76318ec 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -892,6 +892,25 @@
-crash_dump_exec
-netutils_wrapper_exec
}:file { entrypoint execute execute_no_trans };
+
+ # Do not allow system components to execute files from vendor
+ # except for the ones whitelisted here.
+ neverallow {
+ coredomain
+ -init
+ -system_executes_vendor_violators
+ -vendor_init
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vndk_sp_file
+ -vendor_app_file
+ }:file execute;
+
+ neverallow {
+ coredomain
+ -system_executes_vendor_violators
+ } vendor_file_type:file execute_no_trans;
')
# Only authorized processes should be writing to files in /data/dalvik-cache
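Review bot: The second neverallow (`vendor_file_type:file execute_no_trans`) has no comment, and its exemptions differ from the first rule in ways a reader could take for an oversight: `init` and `vendor_init` are not excluded on the source side, and `same_process_hal_file`, `vndk_sp_file` and `vendor_app_file` are not excluded on the target side. If that is intended, a comment above it should say so, e.g. `# No coredomain, init included, may run vendor files in its own domain; executing vendor code must go through a domain transition.` `system_executes_vendor_violators` is the one exemption shared by both rules and presumably a temporary escape hatch, so a comment stating that its members are tracked violations to be removed would keep it from quietly growing. The enclosing macro block, closed by `')`, opens outside this hunk, so the condition under which these rules are enforced is not visible here.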