From d9745f3dec53e9df1a944982d3cdc00510bffb54 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Thu, 13 Apr 2017 13:28:35 -0700
Subject: [PATCH] Unbreak user builds

This unbreaks user builds broken by recently landed changes to secilc
which is now aggressively removing attributes which aren't used in
allow rules, even when they are used in other places, such as being
referenced from *_contexts files.

User builds are broken by vndservice_manager_type not being found when
checkfc is run for *vndservice_contexts targets.

Test: On a clean user build: mmma system/sepolicy
Bug: 37319524
Bug: 36508258
Change-Id: I4a1727a74122ecd9020c3831462d56a65ee6d304
---
 public/domain.te | 7 ++++++-
 public/te_macros | 3 +--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 91e1671b9..9c591db59 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -214,7 +214,12 @@ allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
 # TODO(b/34454312) remove this when the correct policy is in place
 allow domain default_android_hwservice:hwservice_manager { add find };
-allow domain hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } vndservice_manager_type:vndservice_manager { add find };
 
 ###
 ### neverallow rules
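Review bot: The workaround comments on the two new `allow { domain -domain } ...` rules do not say that the source set is deliberately empty, so a reader cannot tell that the rules grant nothing and exist only to keep the attributes referenced. The removed line gave every domain `add` and `find` on all of hwservice_manager_type, and a later cleanup that simplifies `{ domain -domain }` back to `domain` would restore that blanket grant and create the same one for vndservice_manager_type. I would extend each comment, e.g. `# Intentionally matches no source domain ({ domain -domain } is empty): grants nothing, only keeps the attribute referenced.` The workaround also deserves its own TODO with a tracking bug, since the existing TODO(b/34454312) above now reads as covering only the default_android_hwservice rule.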
diff --git a/public/te_macros b/public/te_macros
index b931f1e0e..beec54640 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -509,8 +509,7 @@ define(`add_service', `
 # others from adding it.
 define(`add_hwservice', `
   allow $1 $2:hwservice_manager { add find };
-# TODO(b/34454312): Uncomment the neverallow once issues on user builds are resolved
-#  neverallow { domain -$1 } $2:hwservice_manager add;
+  neverallow { domain -$1 } $2:hwservice_manager add;
 ')
 
 ##########################################
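Review bot: The neverallow enabled in `add_hwservice` only holds while no other rule grants `add` on the registered type to other domains, and this commit leaves `allow domain default_android_hwservice:hwservice_manager { add find };` in public/domain.te. If any caller passes default_android_hwservice as $2, the assertion should fail at policy build time. The Test line suggests that does not happen on a user build, but it does not show the other build variants being tested. A one-line comment above the rule would record the dependency, e.g. `# Only $1 may register $2; requires that no domain-wide rule grants add on $2.`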
-- 
GitLab