Allow violators of "no Binder in vendor" access to /dev/binder

In f5446eb1 I forgot to let violators of "no Binder in vendor" rule keep their access to /dev/binder. This commit fixes the issue. Test: mmm system/sepolicy Bug: 35870313 Bug: 36657020 Change-Id: I3fc68df1d78e2a2da94ac9bf036a51923e3a9aae

Allow violators of "no Binder in vendor" access to /dev/binder
2ab99a13 · Alex Klyubin · b16aaef3 · 2ab99a13
Commit 2ab99a13 authored 7 years ago by Alex Klyubin
--- a/public/domain.te
+++ b/public/domain.te
@@ -67,7 +67,12 @@ allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
 # /dev/binder can be accessed by non-vendor domains and by apps
-allow { coredomain appdomain -hwservicemanager } binder_device:chr_file rw_file_perms;
+allow {
+  coredomain
+  appdomain
+  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  -hwservicemanager
+} binder_device:chr_file rw_file_perms;
 # Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
 not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
 allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;