# Toolbox installation for vendor binaries / scripts # Non-vendor processes are not allowed to execute the binary # and is always executed without transition. type vendor_toolbox_exec, exec_type, vendor_file_type, file_type; # Do not allow domains to transition to vendor toolbox # or read, execute the vendor_toolbox file. full_treble_only(` # Do not allow non-vendor domains to transition # to vendor toolbox except for the allowlisted domains. neverallow { coredomain -init -modprobe } vendor_toolbox_exec:file { entrypoint execute execute_no_trans }; ')