# Vendor copy of toolbox, installed for vendor binaries and scripts.
# Stated intent: non-vendor processes must not execute this binary, and it
# always runs in the calling domain, with no domain transition.
# NOTE(review): the type declaration does not enforce either point by itself;
# the neverallow below is the only enforcement visible in this file.
type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;

# Build-time assertion, wrapped in full_treble_only: no allow rule may let a
# core domain use the vendor toolbox file as a domain entrypoint or execute it,
# with or without a transition. A neverallow grants and denies nothing at
# runtime; it fails the policy build when a conflicting allow rule exists.
# NOTE(review): read access is not restricted by this rule; only entrypoint,
# execute and execute_no_trans are listed.
full_treble_only(`
    # Exempted core domains: init and modprobe. Every addition to this set
    # widens what system code may run from the vendor partition, so keep the
    # list minimal and justify each entry.
    neverallow { coredomain -init -modprobe } vendor_toolbox_exec:file {
        entrypoint
        execute
        execute_no_trans
    };
')