From 2ab99a1389c92a4d8023d6ad2e2f4530f6429cf9 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Mon, 27 Mar 2017 15:34:39 -0700
Subject: [PATCH] Allow violators of "no Binder in vendor" access to /dev/binder

In f5446eb1486816c00136b2b5f0a3cc4a01706000 I forgot to let violators of "no Binder in vendor" rule keep their access to /dev/binder. This commit fixes the issue.

Test: mmm system/sepolicy
Bug: 35870313
Bug: 36657020
Change-Id: I3fc68df1d78e2a2da94ac9bf036a51923e3a9aae
---
 public/domain.te | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/public/domain.te b/public/domain.te
index 8a42336fb..5cda0ec7a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -67,7 +67,12 @@ allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
 # /dev/binder can be accessed by non-vendor domains and by apps
-allow { coredomain appdomain -hwservicemanager } binder_device:chr_file rw_file_perms;
+allow {
+ coredomain
+ appdomain
+ binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ -hwservicemanager
+} binder_device:chr_file rw_file_perms;
 # Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
 not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
 allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
-- 
GitLab
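Review bot: The context comment directly above the rewritten rule, `# /dev/binder can be accessed by non-vendor domains and by apps`, no longer describes the rule once `binder_in_vendor_violators` is added to the set, and since the exemption is meant to be temporary the comment is the natural place to say so. Something like `# /dev/binder can be accessed by non-vendor domains, by apps, and (temporarily, b/35870313) by vendor domains that still use Binder` keeps the policy self-describing for whoever removes the attribute later. It is also worth noting there that this exemption only changes anything on full-Treble builds, because the `not_full_treble` rule below already grants all of `domain` access to binder_device. The hunk does not show where `binder_in_vendor_violators` is defined or whether anything limits which domains may carry it, so I cannot tell from here whether the exemption is bounded; if it is not, a neverallow restricting the attribute to domains outside coredomain would keep the TODO from quietly becoming permanent.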