Tighten restrictions on core <-> vendor socket comms
This futher restricts neverallows for sockets which may be exposed as
filesystem nodes. This is achieved by labelling all such sockets
created by core/non-vendor domains using the new coredomain_socket
attribute, and then adding neverallow rules targeting that attribute.
This has now effect on what domains are permitted to do. This only
changes neverallow rules.
Test: mmm system/sepolicy
Bug: 36577153
(cherry picked from commit cf2ffdf0d86f485dfff05a2f13819997bfd462e1)
Change-Id: Iffeee571a2ff61fb9515fa6849d060649636524e
diff --git a/private/drmserver.te b/private/drmserver.te
index 45663bb..afe4f0a 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -3,3 +3,5 @@
init_daemon_domain(drmserver)
type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;