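# Label for the toolbox binary installed for vendor binaries and scripts.
# Non-vendor processes are not allowed to execute this binary, and it is
# always executed without a domain transition. That restriction is asserted
# by the neverallow rule on vendor_toolbox_exec later in this file.
# The exec_type, vendor_file_type and file_type attributes make rules written
# against those attributes apply to this label as well.
type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;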
5
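# Build-time guard: non-vendor (coredomain) domains must not use the vendor
# toolbox as a domain entry point or execute it, with or without a transition.
# NOTE(review): the earlier wording of this comment also mentioned read, but
# the rule below lists no read permission; confirm where read access to
# vendor_toolbox_exec is restricted.
full_treble_only(`
    # Only emitted for full Treble builds. Keep apostrophes and backticks out
    # of comments inside this macro argument, since m4 treats them as quotes.
    #
    # neverallow is an assertion checked when the policy is compiled. It does
    # not grant or deny anything at runtime; it fails the build if some allow
    # rule would give a listed source domain these permissions.
    #
    # Source set: every coredomain type except the exempted init and modprobe.
    # Each extra exemption widens the system/vendor boundary, so additions
    # to this list need a security review.
    #
    # Permissions: entrypoint (enter a domain through this file), execute, and
    # execute_no_trans (run it in the caller domain).
    neverallow {
        coredomain
        -init
        -modprobe
    } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
')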
17