Wider neverallow rules for coredomain /dev access.

am: 2725edc6 Change-Id: Id49312c4ad3edf1b2837d041c80cfc9a02e927ae

Wider neverallow rules for coredomain /dev access.
75425e23 · Tri Vo · android-build-merger · 989ecdbf · 2725edc6 · 75425e23
Commit 75425e23 authored Nov 30, 2018 by Tri Vo Committed by android-build-merger Nov 30, 2018
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -169,12 +169,12 @@ full_treble_only(`
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
 ')
-# Following /dev nodes must not be directly accessed by coredomain after Treble,
+# Following /dev nodes must not be directly accessed by coredomain, but should
-# but should instead be wrapped by HALs.
+# instead be wrapped by HALs.
-full_treble_only(`
 neverallow coredomain {
  iio_device
  radio_device
-    tee_device
+  # TODO(b/120243891): HAL permission to tee_device is included into coredomain
+  # on non-Treble devices.
+  full_treble_only(`tee_device')
 }:chr_file { open read append write ioctl };
-')