fff3fe2f08
Copy the final system sepolicy from oc-dev to its prebuilt dir
corresponding to its version (26.0) so that we can uprev policy and
start maintaining compatibility files, as well as use it for CTS
tests targeting future platforms.
(cherry-pick of commit: 5c6a227ebb)
Bug: 37896931
Bug: 37916906
Test: none, this just copies the old policy.
Change-Id: Ib069d505e42595c467e5d1164fb16fcb0286ab93
17 lines
599 B
Plaintext
17 lines
599 B
Plaintext
# Toolbox installation for vendor binaries / scripts
|
|
# Non-vendor processes are not allowed to execute the binary
|
|
# and is always executed without transition.
|
|
type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
|
|
|
|
# Do not allow domains to transition to vendor toolbox
|
|
# or read, execute the vendor_toolbox file.
|
|
full_treble_only(`
|
|
# Do not allow non-vendor domains to transition
|
|
# to vendor toolbox except for the whitelisted domains.
|
|
neverallow {
|
|
coredomain
|
|
-init
|
|
-modprobe
|
|
} vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
|
|
')
|