Useful neverallow errors

Neverallow errors include the file name and line number of the
violated rule. However, if multiple neverallow rules are included
within a single macro, then the line number is for the entire macro,
not the individual neverallow rule that is violated. To fix this,
only include one neverallow rule per macro.

This changes nothing on device, nor does it change the results of
compilation, it only makes the printed errors more useful.

Bug: 69139821
Test: build aosp_taimen-userdebug (neverallow rules are build time
    tests)

Change-Id: Id0fc5906431db20e71265c7e9d55fbee4bdf53db

public/domain.te

@@ -619,12 +619,16 @@ full_treble_only(`
     -appdomain
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   } binder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
   neverallow {
     domain
     -coredomain
     -appdomain # restrictions for vendor apps are declared lower down
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   } service_manager_type:service_manager find;
+')
+full_treble_only(`
   # Vendor apps are permited to use only stable public services. If they were to use arbitrary
   # services which can change any time framework/core is updated, breakage is likely.
   neverallow {
@@ -648,6 +652,8 @@ full_treble_only(`
     -vr_hwc_service
     -vr_manager_service
   }:service_manager find;
+')
+full_treble_only(`
   neverallow {
     domain
     -coredomain
@@ -664,12 +670,18 @@ full_treble_only(`
     userdebug_or_eng(`-su')
     -ueventd # uevent is granted create for this device, but we still neverallow I/O below
   } vndbinder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
   neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+')
+full_treble_only(`
   neverallow {
     coredomain
     -shell
     userdebug_or_eng(`-su')
   } vndservice_manager_type:service_manager *;
+')
+full_treble_only(`
   neverallow {
     coredomain
     -shell
@@ -791,6 +803,8 @@ full_treble_only(`
     data_file_type
     -core_data_file_type
   }:file_class_set ~{ append getattr ioctl read write };
+')
+full_treble_only(`
   neverallow {
     coredomain
     -appdomain # TODO(b/34980020) remove exemption for appdomain
@@ -885,7 +899,9 @@ full_treble_only(`
         -postinstall_dexopt
         -system_server
     } vendor_app_file:dir { open read getattr search };
+')
 
+full_treble_only(`
     neverallow {
         coredomain
         -appdomain
@@ -897,7 +913,9 @@ full_treble_only(`
         -postinstall_dexopt
         -system_server
     } vendor_app_file:{ file lnk_file } r_file_perms;
+')
 
+full_treble_only(`
     # Limit access to /vendor/overlay
     neverallow {
         coredomain
@@ -909,7 +927,9 @@ full_treble_only(`
         -webview_zygote
         -zygote
     } vendor_overlay_file:dir { getattr open read search };
+')
 
+full_treble_only(`
     neverallow {
         coredomain
         -appdomain
@@ -920,7 +940,9 @@ full_treble_only(`
         -webview_zygote
         -zygote
     } vendor_overlay_file:{ file lnk_file } r_file_perms;
+')
 
+full_treble_only(`
     # Non-vendor domains are not allowed to file execute shell
     # from vendor
     neverallow {
@@ -928,7 +950,9 @@ full_treble_only(`
         -init
         -shell
     } vendor_shell_exec:file { execute execute_no_trans };
+')
 
+full_treble_only(`
     # Do not allow vendor components to execute files from system
     # except for the ones whitelist here.
     neverallow {
@@ -944,7 +968,9 @@ full_treble_only(`
         -crash_dump_exec
         -netutils_wrapper_exec
     }:file { entrypoint execute execute_no_trans };
+')
 
+full_treble_only(`
     # Do not allow system components to execute files from vendor
     # except for the ones whitelisted here.
     neverallow {
@@ -958,7 +984,9 @@ full_treble_only(`
       -vndk_sp_file
       -vendor_app_file
     }:file execute;
+')
 
+full_treble_only(`
     neverallow {
       coredomain
       -shell