Unbreak user builds

This unbreaks user builds broken by recently landed changes to secilc which is now aggressively removing attributes which aren't used in allow rules, even when they are used in other places, such as being referenced from *_contexts files. User builds are broken by vndservice_manager_type not being found when checkfc is run for *vndservice_contexts targets. Test: On a clean user build: mmma system/sepolicy Bug: 37319524 Bug: 36508258 Change-Id: I4a1727a74122ecd9020c3831462d56a65ee6d304

Unbreak user builds
d9745f3d · Alex Klyubin · 4641f672 · d9745f3d · d9745f3d
Commit d9745f3d authored 7 years ago by Alex Klyubin
--- a/public/domain.te
+++ b/public/domain.te
@@ -214,7 +214,12 @@ allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;

 # TODO(b/34454312) remove this when the correct policy is in place
 allow domain default_android_hwservice:hwservice_manager { add find };
-allow domain hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } vndservice_manager_type:vndservice_manager { add find };

 ###
 ### neverallow rules

--- a/public/te_macros
+++ b/public/te_macros
@@ -509,8 +509,7 @@ define(`add_service', `
 # others from adding it.
 define(`add_hwservice', `
  allow $1 $2:hwservice_manager { add find };
-# TODO(b/34454312): Uncomment the neverallow once issues on user builds are resolved
-#  neverallow { domain -$1 } $2:hwservice_manager add;
+  neverallow { domain -$1 } $2:hwservice_manager add;
 ')

 ##########################################