Vendor domains must not use Binder

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95

Android.mk

@@ -158,6 +158,7 @@ $(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_M
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 
 reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
@@ -188,6 +189,7 @@ $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 
 plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
@@ -243,6 +245,7 @@ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
@@ -342,6 +345,7 @@ $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEP
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 

private/adbd.te

 ### ADB daemon
 
+typeattribute adbd coredomain;
 typeattribute adbd mlstrustedsubject;
 
 domain_auto_trans(adbd, shell_exec, shell)

private/atrace.te

@@ -3,7 +3,7 @@
 type atrace_exec, exec_type, file_type;
 
 userdebug_or_eng(`
-  type atrace, domain, domain_deprecated;
+  type atrace, domain, coredomain, domain_deprecated;
 
   init_daemon_domain(atrace)
 

private/audioserver.te

 # audioserver - audio services daemon
 
+typeattribute audioserver coredomain;
+
 type audioserver_exec, exec_type, file_type;
 init_daemon_domain(audioserver)
 

private/binder_in_vendor_violators.te

+allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;

private/blkid.te

 # blkid called from vold
 
+typeattribute blkid coredomain;
+
 type blkid_exec, exec_type, file_type;
 
 # Allowed read-only access to encrypted devices to extract UUID/label

private/blkid_untrusted.te

 # blkid for untrusted block devices
 
+typeattribute blkid_untrusted coredomain;
+
 # Allowed read-only access to vold block devices to extract UUID/label
 allow blkid_untrusted block_device:dir search;
 allow blkid_untrusted vold_device:blk_file r_file_perms;

private/bluetooth.te

 # bluetooth subsystem
 
+typeattribute bluetooth coredomain;
 typeattribute bluetooth domain_deprecated;
 
 app_domain(bluetooth)

private/bootanim.te

-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute bootanim coredomain;
+
 init_daemon_domain(bootanim)

private/bootstat.te

-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute bootstat coredomain;
+
 init_daemon_domain(bootstat)

private/bufferhubd.te

+typeattribute bufferhubd coredomain;
+
 init_daemon_domain(bufferhubd)

private/cameraserver.te

-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute cameraserver coredomain;
+
 init_daemon_domain(cameraserver)

private/charger.te

+typeattribute charger coredomain;

private/clatd.te

+typeattribute clatd coredomain;

private/cppreopts.te

-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute cppreopts coredomain;
+
 # Technically not a daemon but we do want the transition from init domain to
 # cppreopts to occur.
 init_daemon_domain(cppreopts)

private/crash_dump.te

+typeattribute crash_dump coredomain;

private/dex2oat.te

+typeattribute dex2oat coredomain;

private/dexoptanalyzer.te

 # dexoptanalyzer
-type dexoptanalyzer, domain, mlstrustedsubject;
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, exec_type, file_type;
 
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.

private/dhcp.te

-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute dhcp coredomain;
+
 init_daemon_domain(dhcp)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;

private/dnsmasq.te

+typeattribute dnsmasq coredomain;