Relax neverallows for vendor to use /system/bin/sh Follows AOSP: https://github.com/LineageOS/android_system_sepolicy/commit/9a123be4347d47fb77c1963554a4df513e3246d1 Change-Id: I9860897e4c968e5b8f3f6fac9da9b1df18006ce1

commit: 43714c63647061e877283bbef440f727c446b596 [log] [tgz]
author: Bruno Martins <bgcngm@gmail.com> Sat Jun 15 23:38:24 2024 +0100
committer: Bruno Martins <bgcngm@gmail.com> Sun Jun 16 10:03:53 2024 +0100
tree: 68514bd2d64d945dc1747bdb86cf567aa5991fd2
parent: 82710e97262e6751cebea361c384b6611285c41b [diff]
diff --git a/generic/vendor/common/vndr_hal_neverallow.te b/generic/vendor/common/vndr_hal_neverallow.te
index 079979c..097845a 100644
--- a/generic/vendor/common/vndr_hal_neverallow.te
+++ b/generic/vendor/common/vndr_hal_neverallow.te

@@ -67,6 +67,12 @@
 neverallow {
   vendor_halserverdomain
   - vendor_qtidataservices_app
-} { file_type fs_type }:file execute_no_trans;
+} {
+  file_type
+  fs_type
+  # May invoke shell commands via /system/bin/sh
+  -shell_exec
+  -toolbox_exec
+}:file execute_no_trans;
 neverallow { domain -init } vendor_halserverdomain:process transition;
 neverallow *  { vendor_halserverdomain - vendor_qtidataservices_app }:process dyntransition;
commit	43714c63647061e877283bbef440f727c446b596	[log] [tgz]
author	Bruno Martins <bgcngm@gmail.com>	Sat Jun 15 23:38:24 2024 +0100
committer	Bruno Martins <bgcngm@gmail.com>	Sun Jun 16 10:03:53 2024 +0100
tree	68514bd2d64d945dc1747bdb86cf567aa5991fd2
parent	82710e97262e6751cebea361c384b6611285c41b [diff]