Useful neverallow errors am: 7636d607 am: 172d7a84

am: 64b61535

Change-Id: Ida581950c8591eb64c232ca752d16c4f8cd34c45

public/domain.te

@@ -619,12 +619,16 @@ full_treble_only(`
     -appdomain
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   } binder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
   neverallow {
     domain
     -coredomain
     -appdomain # restrictions for vendor apps are declared lower down
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   } service_manager_type:service_manager find;
+')
+full_treble_only(`
   # Vendor apps are permited to use only stable public services. If they were to use arbitrary
   # services which can change any time framework/core is updated, breakage is likely.
   neverallow {
@@ -648,6 +652,8 @@ full_treble_only(`
     -vr_hwc_service
     -vr_manager_service
   }:service_manager find;
+')
+full_treble_only(`
   neverallow {
     domain
     -coredomain
@@ -664,12 +670,18 @@ full_treble_only(`
     userdebug_or_eng(`-su')
     -ueventd # uevent is granted create for this device, but we still neverallow I/O below
   } vndbinder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
   neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+')
+full_treble_only(`
   neverallow {
     coredomain
     -shell
     userdebug_or_eng(`-su')
   } vndservice_manager_type:service_manager *;
+')
+full_treble_only(`
   neverallow {
     coredomain
     -shell
@@ -792,6 +804,8 @@ full_treble_only(`
     data_file_type
     -core_data_file_type
   }:file_class_set ~{ append getattr ioctl read write };
+')
+full_treble_only(`
   neverallow {
     coredomain
     -appdomain # TODO(b/34980020) remove exemption for appdomain
@@ -887,7 +901,9 @@ full_treble_only(`
         -postinstall_dexopt
         -system_server
     } vendor_app_file:dir { open read getattr search };
+')
 
+full_treble_only(`
     neverallow {
         coredomain
         -appdomain
@@ -899,7 +915,9 @@ full_treble_only(`
         -postinstall_dexopt
         -system_server
     } vendor_app_file:{ file lnk_file } r_file_perms;
+')
 
+full_treble_only(`
     # Limit access to /vendor/overlay
     neverallow {
         coredomain
@@ -911,7 +929,9 @@ full_treble_only(`
         -webview_zygote
         -zygote
     } vendor_overlay_file:dir { getattr open read search };
+')
 
+full_treble_only(`
     neverallow {
         coredomain
         -appdomain
@@ -922,7 +942,9 @@ full_treble_only(`
         -webview_zygote
         -zygote
     } vendor_overlay_file:{ file lnk_file } r_file_perms;
+')
 
+full_treble_only(`
     # Non-vendor domains are not allowed to file execute shell
     # from vendor
     neverallow {
@@ -930,7 +952,9 @@ full_treble_only(`
         -init
         -shell
     } vendor_shell_exec:file { execute execute_no_trans };
+')
 
+full_treble_only(`
     # Do not allow vendor components to execute files from system
     # except for the ones whitelist here.
     neverallow {
@@ -946,7 +970,9 @@ full_treble_only(`
         -crash_dump_exec
         -netutils_wrapper_exec
     }:file { entrypoint execute execute_no_trans };
+')
 
+full_treble_only(`
     # Do not allow system components to execute files from vendor
     # except for the ones whitelisted here.
     neverallow {
@@ -960,7 +986,9 @@ full_treble_only(`
       -vndk_sp_file
       -vendor_app_file
     }:file execute;
+')
 
+full_treble_only(`
     neverallow {
       coredomain
       -shell