Allow violators of "no Binder in vendor" access to /dev/binder In f5446eb1486816c00136b2b5f0a3cc4a01706000 I forgot to let violators of "no Binder in vendor" rule keep their access to /dev/binder. This commit fixes the issue. Test: mmm system/sepolicy Bug: 35870313 Bug: 36657020 Change-Id: I3fc68df1d78e2a2da94ac9bf036a51923e3a9aae

commit: 2ab99a1389c92a4d8023d6ad2e2f4530f6429cf9 [log] [tgz]
author: Alex Klyubin <klyubin@google.com> Mon Mar 27 15:34:39 2017 -0700
committer: Alex Klyubin <klyubin@google.com> Mon Mar 27 15:46:58 2017 -0700
tree: 5ceb4e24a550c6bd516ca5b18f32bf35480596d1
parent: b16aaef36f31fc13b431fc9f405bb8cd461773ea [diff]
diff --git a/public/domain.te b/public/domain.te
index 8a42336..5cda0ec 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -67,7 +67,12 @@
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
 # /dev/binder can be accessed by non-vendor domains and by apps
-allow { coredomain appdomain -hwservicemanager } binder_device:chr_file rw_file_perms;
+allow {
+  coredomain
+  appdomain
+  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  -hwservicemanager
+} binder_device:chr_file rw_file_perms;
 # Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
 not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
 allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
commit	2ab99a1389c92a4d8023d6ad2e2f4530f6429cf9	[log] [tgz]
author	Alex Klyubin <klyubin@google.com>	Mon Mar 27 15:34:39 2017 -0700
committer	Alex Klyubin <klyubin@google.com>	Mon Mar 27 15:46:58 2017 -0700
tree	5ceb4e24a550c6bd516ca5b18f32bf35480596d1
parent	b16aaef36f31fc13b431fc9f405bb8cd461773ea [diff]