Coredomain can't execute vendor code.

Bug: 62041836
Test: policies for internal devices build successfully

Change-Id: I6856c0ab9975210efd5b4bed17c103ba3364d1ab
diff --git a/public/domain.te b/public/domain.te
index d458510..76318ec 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -892,6 +892,25 @@
         -crash_dump_exec
         -netutils_wrapper_exec
     }:file { entrypoint execute execute_no_trans };
+
+    # Do not allow system components to execute files from vendor
+    # except for the ones whitelisted here.
+    neverallow {
+      coredomain
+      -init
+      -system_executes_vendor_violators
+      -vendor_init
+    } {
+      vendor_file_type
+      -same_process_hal_file
+      -vndk_sp_file
+      -vendor_app_file
+    }:file execute;
+
+    neverallow {
+      coredomain
+      -system_executes_vendor_violators
+    } vendor_file_type:file execute_no_trans;
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
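Review bot: The second neverallow (`vendor_file_type:file execute_no_trans`) has no comment, and its exemption list is narrower than the first rule's: `init` and `vendor_init` are exempt from `execute` but not from `execute_no_trans`. That looks intentional (they may exec vendor files only across a domain transition) but it is not stated, so I would add above it `# No coredomain, init and vendor_init included, may run vendor files in its own domain; a domain transition is required.` The comment on the first rule could also say why `same_process_hal_file`, `vndk_sp_file` and `vendor_app_file` are carved out, and that `system_executes_vendor_violators` is where any remaining exceptions are tracked, so an auditor can tell sanctioned exemptions from ones meant to be removed. The enclosing block closed by `')` opens outside this hunk, so the condition under which these rules are compiled in cannot be confirmed from here.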