From 1e99de5779a130fa4d450791a8eb88d4b9cad5c4 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Wed, 9 Jan 2019 16:37:04 -0800
Subject: [PATCH] Apply full_treble_only to whole rule.

The way we build and run CTS expects full_treble_only and
compatible_property_only macros to be applied to whole rules and not be
nested inside other rules.

Fixes: 122601363
Test: corresponding neverallow rule in auto-generated
SELinuxNeverallowRulesTest.java is parsed correctly.
Change-Id: Ibf5187cedca72510fe74c6dc55a75a54a86c02ff
---
 private/coredomain.te | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/private/coredomain.te b/private/coredomain.te
index 741351531..1fc3b8a1c 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -178,7 +178,10 @@ full_treble_only(`
 neverallow coredomain {
   iio_device
   radio_device
-  # TODO(b/120243891): HAL permission to tee_device is included into coredomain
-  # on non-Treble devices.
-  full_treble_only(`tee_device')
 }:chr_file { open read append write ioctl };
+
+# TODO(b/120243891): HAL permission to tee_device is included into coredomain
+# on non-Treble devices.
+full_treble_only(`
+  neverallow coredomain tee_device:chr_file { open read append write ioctl };
+')
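Review bot: the new top-level full_treble_only( block added after the closing "}:chr_file { ... };" needs a check against the hunk header, which carries "full_treble_only(" as its context line for line 178. Please confirm that the earlier macro invocation is already closed before "neverallow coredomain {". If it is not, the new block is itself nested inside another macro, which is the construct the commit message says the CTS build cannot handle. Separately, the permission set "{ open read append write ioctl }" now appears in two rules that must be kept in sync by hand. A one-line comment on the tee_device rule, saying it mirrors the iio_device/radio_device rule above, would make that dependency visible to the next editor.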
-- 
GitLab