Tighten isolated_app -> *Binder policy

* isolated_app is no longer permitted to access /dev/hwbinder -- this
  was granted by mistake.
* There are now neverallows which enforce that isolated_app can't
  access HwBinder and VendorBinder.
* There are now neverallows which enforce that isolated_app can't add
  Binder and VendorBinder services to servicemanager and
  vndservicemanager.

Test: mmm system/sepolicy
Bug: 34454312
Change-Id: I8ba90a0dcb6a9fccd8f50c78cbd2409381376f7a

private/isolated_app.te

@@ -62,6 +62,17 @@ neverallow isolated_app app_data_file:file open;
 neverallow isolated_app anr_data_file:file ~{ open append };
 neverallow isolated_app anr_data_file:dir ~search;
 
+# Isolated apps must not be permitted to use HwBinder
+neverallow isolated_app hwbinder_device:chr_file *;
+neverallow isolated_app *:hwservice_manager *;
+
+# Isolated apps must not be permitted to use VndBinder
+neverallow isolated_app vndbinder_device:chr_file *;
+
+# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
+# except the find actions for services whitelisted below.
+neverallow isolated_app *:service_manager ~find;
+
 # b/17487348
 # Isolated apps can only access three services,
 # activity_service, display_service and webviewupdate_service.

public/domain.te

@@ -75,7 +75,7 @@ allow {
 } binder_device:chr_file rw_file_perms;
 # Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
 not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
-allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
+allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain random_device:chr_file rw_file_perms;