Merge "Allow violators of "no Binder in vendor" access to /dev/binder"

commit: e3531f63978faa514e7df1fd259a52db92bab663 [log] [tgz]
author: TreeHugger Robot <treehugger-gerrit@google.com> Tue Mar 28 02:50:06 2017 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Tue Mar 28 02:50:06 2017 +0000
tree: 13d4ecde6bd4d302eafe98641f05b6fd14152617
parent: 3dcc37f3c1d5341286bf4eec9b65a118ccee8f61 [diff]
parent: 2ab99a1389c92a4d8023d6ad2e2f4530f6429cf9 [diff]
diff --git a/public/domain.te b/public/domain.te
index 40ebb4d..b498cda 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -67,7 +67,12 @@
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
 # /dev/binder can be accessed by non-vendor domains and by apps
-allow { coredomain appdomain -hwservicemanager } binder_device:chr_file rw_file_perms;
+allow {
+  coredomain
+  appdomain
+  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  -hwservicemanager
+} binder_device:chr_file rw_file_perms;
 # Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
 not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
 allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
commit	e3531f63978faa514e7df1fd259a52db92bab663	[log] [tgz]
author	TreeHugger Robot <treehugger-gerrit@google.com>	Tue Mar 28 02:50:06 2017 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Tue Mar 28 02:50:06 2017 +0000
tree	13d4ecde6bd4d302eafe98641f05b6fd14152617
parent	3dcc37f3c1d5341286bf4eec9b65a118ccee8f61 [diff]
parent	2ab99a1389c92a4d8023d6ad2e2f4530f6429cf9 [diff]