diff --git a/public/domain.te b/public/domain.te
index 3f8eb66322aaa306c1977814f8105827bbe22947..77200b3d37b9d0bb448eace24b8bc93b5e84866d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -442,19 +442,36 @@ full_treble_only(`
 -appdomain
 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
 } binder_device:chr_file rw_file_perms;
+ neverallow {
+ domain
+ -coredomain
+ -appdomain # restrictions for vendor apps are declared lower down
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } service_manager_type:service_manager find;
+ # Vendor apps are permited to use only stable public services. If they were to use arbitrary
+ # services which can change any time framework/core is updated, breakage is likely.
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ service_manager_type
+ -app_api_service
+ -ephemeral_app_api_service
+ }:service_manager find;
 neverallow {
 domain
 -coredomain
 -appdomain
 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
 } servicemanager:binder { call transfer };
+')

- ##
- # On full TREBLE devices core android components and vendor components may
- # not directly access each other data types. All communication must occur
- # over HW binder. Open file descriptors may be passed and read/write/stat
- # operations my be performed on those FDs. Disallow all other operations.
- #
+##
+# On full TREBLE devices core android components and vendor components may
+# not directly access each other's data types. All communication must occur
+# over HW binder. Open file descriptors may be passed and read/write/stat
+# operations my be performed on those FDs. Disallow all other operations.
+full_treble_only(`
 # do not allow vendor component access to coredomains data types
 neverallow {
 domain
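Review bot: The new `service_manager_type:service_manager find` neverallow for vendor domains carries over the `-binder_in_vendor_violators` exemption, so any vendor domain tagged with that attribute can still look up every service, not just the stable `app_api_service`/`ephemeral_app_api_service` set the second new rule enforces for vendor apps; the exemption previously visible in this hunk only covered `binder_device:chr_file` and `servicemanager:binder { call transfer }`, so this widens what b/35870313 tolerates. If that is intended, the copied TODO should say so, e.g. `-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone; until then these domains may also find unstable services`; otherwise consider applying the same stable-service subtraction to violators that the vendor-app rule uses. A vendor app that receives a binder reference by other means is not covered by a `find` restriction, so this is a discovery limit rather than a call limit — worth stating in the comment. Minor: `permited` in the new comment should read `permitted`. The enclosing full_treble_only macro body begins above the hunk.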
@@ -479,7 +496,6 @@ full_treble_only(`
 -appdomain
 -coredata_in_vendor_violators
 } system_data_file:dir ~search;
- ')

 # On full TREBLE devices, socket communications between core components and vendor components are