From ee253beede9a8008112e00cf2fbe3b596b4d4a98 Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Mon, 21 Aug 2023 20:44:45 +0900
Subject: [PATCH] Start tracking vendor seapp coredomain violations (1)
As part of Treble, enforce that vendor's seapp_contexts can't label apps using coredomains. Apps installed to system/system_ext/product should be labeled with platform side sepolicy. This change marks violating domains that need to be fixed.
Bug: 296512192
Test: build and see build log
Change-Id: I755657e538ada8807313bd0063c880264e4b79be
---
 camera/sepolicy/vendor_pbcs_app.te | 3 +++
 camera/sepolicy/vendor_pcs_app.te | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/camera/sepolicy/vendor_pbcs_app.te b/camera/sepolicy/vendor_pbcs_app.te
index 2a56b2d..880ff5d 100644
--- a/camera/sepolicy/vendor_pbcs_app.te
+++ b/camera/sepolicy/vendor_pbcs_app.te
@@ -1,5 +1,8 @@
 type vendor_pbcs_app, domain, coredomain;
+# TODO(b/296512192): move vendor_pbcs_app out of vendor sepolicy
+typeattribute vendor_pbcs_app vendor_seapp_assigns_coredomain_violators;
+
 app_domain(vendor_pbcs_app);
 dontaudit vendor_pbcs_app system_app_data_file:dir *;
diff --git a/camera/sepolicy/vendor_pcs_app.te b/camera/sepolicy/vendor_pcs_app.te
index c179255..a736be5 100644
--- a/camera/sepolicy/vendor_pcs_app.te
+++ b/camera/sepolicy/vendor_pcs_app.te
@@ -1,5 +1,8 @@
 type vendor_pcs_app, domain, coredomain;
+# TODO(b/296512192): move vendor_pcs_app out of vendor sepolicy
+typeattribute vendor_pcs_app vendor_seapp_assigns_coredomain_violators;
+
 app_domain(vendor_pcs_app);
 allow vendor_pcs_app {
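Review bot: The TODO above the new `typeattribute vendor_pbcs_app vendor_seapp_assigns_coredomain_violators;` line says where the type should go but not what the attribute does, so the exemption reads like an ordinary attribute assignment. Going by the commit message, it excuses a coredomain that vendor seapp_contexts assigns to an app from the Treble check; a comment such as `# Exempts this coredomain from the vendor seapp_contexts Treble check until it moves to platform-side sepolicy (b/296512192)` would make the cost of leaving it in place visible. The same applies to the identical addition in camera/sepolicy/vendor_pcs_app.te. It would also help to name the matching seapp_contexts entry, which is not shown in this patch, since that entry presumably has to move together with the type.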