Merge changes from topic 'fix-neverallow-violation' into oc-dev
* changes:
build: run neverallow checks on platform sepolicy
radio: disallow radio and rild socket for treble devices
diff --git a/Android.mk b/Android.mk
index 7ab0f44..b1d64f4 100644
--- a/Android.mk
+++ b/Android.mk
@@ -329,7 +329,7 @@
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -N -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
built_plat_cil := $(LOCAL_BUILT_MODULE)
plat_policy.conf :=
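Review bot: With `-N` dropped, the secilc line can now fail on a neverallow violation, but by then the two preceding recipe lines have already written and appended to `$@`, so a failed check leaves a complete-looking CIL file at the target path. Unless the build removes the targets of failed recipes (not visible in this hunk), a re-run could treat that file as up to date and skip the check. Consider having checkpolicy and cat write to `$@.tmp`, running secilc against `$@.tmp`, and ending the recipe with `$(hide) mv $@.tmp $@`. The rule header lies outside the hunk, so the target is inferred from the `built_plat_cil := $(LOCAL_BUILT_MODULE)` line.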
diff --git a/public/radio.te b/public/radio.te
index 87329d9..6f29a70 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -5,9 +5,8 @@
bluetooth_domain(radio)
binder_service(radio)
-# TODO(b/36613472): Remove this once radio no longer communicates with rild over sockets.
-# Talks to rild via the rild socket.
-unix_socket_connect(radio, rild, rild)
+# Talks to rild via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, rild)')
# Data file accesses.
allow radio radio_data_file:dir create_dir_perms;
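Review bot: The `not_full_treble(...)` wrapper only withholds the allow rule from this file; nothing in the hunk stops device policy from granting radio the same rild socket access again on a full-Treble device. If the intent stated in the change title is to disallow it, a matching assertion next to the rule, such as ``full_treble_only(`neverallow radio rild:unix_stream_socket connectto;')``, would make the build enforce it. This is hedged, since a broader neverallow may already exist elsewhere in the tree. The removed TODO also carried the bug reference b/36613472; the new comment could keep it so the non-Treble exception stays tracked.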