tighten up neverallow rules for init binder operations

Init never uses binder, so allowing binder related operations
for init never makes sense. Disallow all binder opertions for
init.

This change expands on commit a730e50b,
disallowing any init binder operation, not just call operations, which
may be accidentally added by blindly running audit2allow.

Change-Id: I12547a75cf68517d54784873846bdadcb60c5112

domain.te

@@ -51,7 +51,7 @@ userdebug_or_eng(`
   allow domain su:fd use;
   allow domain su:unix_stream_socket { getattr getopt read write shutdown };
 
-  binder_call(domain, su)
+  binder_call({ domain -init }, su)
 
   # Running something like "pm dump com.android.bluetooth" requires
   # fifo writes
@@ -245,9 +245,9 @@ neverallow { domain -init } proc_security:file { append write };
 # No domain should be allowed to ptrace init.
 neverallow domain init:process ptrace;
 
-# Init can't receive binder calls. If this neverallow rule is being
+# Init can't do anything with binder calls. If this neverallow rule is being
 # triggered, it's probably due to a service with no SELinux domain.
-neverallow domain init:binder call;
+neverallow domain init:binder *;
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type

servicemanager.te

@@ -11,7 +11,7 @@ init_daemon_domain(servicemanager)
 # created by other domains.  It never passes its own references
 # or initiates a Binder IPC.
 allow servicemanager self:binder set_context_mgr;
-allow servicemanager domain:binder transfer;
+allow servicemanager { domain -init }:binder transfer;
 
 # Check SELinux permissions.
 selinux_check_access(servicemanager)