commit b75b047f44bfd7bb030466fd2c00da782db27f08
author Steven Moreland <smoreland@google.com> Tue Aug 20 22:42:58 2019 +0000
committer Steven Moreland <smoreland@google.com> Tue Aug 20 16:03:37 2019 -0700
tree f9ffe3ca9cf00c12a4de57948f1f73c8f548f738
parent 6b2eaade8201e49a746173ff13f9bd89f024eb81

Reland "Re-open /dev/binder access to all."

This reverts commit 6b2eaade8201e49a746173ff13f9bd89f024eb81.

Reason for revert: reland original CL

Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.

Bug: 136027762
Change-Id: Id5ba44c36a724e2721617de721f7cffbd3b1d7b6
Test: boot device, use /dev/binder from vendor

private/app_neverallows.te

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index d496e90..a2223b2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -250,6 +250,11 @@
   -untrusted_app_visible_hwservice_violators
 }:hwservice_manager find;
 
+neverallow all_untrusted_apps {
+  vendor_service
+  vintf_service
+}:service_manager find;
+
 # SELinux is not an API for untrusted apps to use
 neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;