Merge changes from topic 'fix-neverallow-violation' into oc-dev

* changes: build: run neverallow checks on platform sepolicy radio: disalllow radio and rild socket for treble devices

Merge changes from topic 'fix-neverallow-violation' into oc-dev
3692b318 · Sandeep Patil · Android (Google) Code Review · e9381d5e · cfb6f352 · 3692b318
Commit 3692b318 authored Jun 16, 2017 by Sandeep Patil Committed by Android (Google) Code Review Jun 16, 2017
--- a/Android.mk
+++ b/Android.mk
@@ -329,7 +329,7 @@ $(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
 	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -N -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
 built_plat_cil := $(LOCAL_BUILT_MODULE)
 plat_policy.conf :=

--- a/public/radio.te
+++ b/public/radio.te
@@ -5,9 +5,8 @@ net_domain(radio)
 bluetooth_domain(radio)
 binder_service(radio)
-# TODO(b/36613472): Remove this once radio no longer communicates with rild over sockets.
+# Talks to rild via the rild socket only for devices without full treble
-# Talks to rild via the rild socket.
+not_full_treble(`unix_socket_connect(radio, rild, rild)')
-unix_socket_connect(radio, rild, rild)
 # Data file accesses.
 allow radio radio_data_file:dir create_dir_perms;