sepolicy: adding vendor_persist_type attribute.

adding neverallow so that coredomain should not access persist file.

Change-Id: If8ab44db78e08e347cb33239bf2544c22c362b5b

generic/vendor/common/domain.te

@@ -50,3 +50,9 @@ dontaudit domain kernel:system module_request;
 # For compliance testing test suite reads vendor_security_path_level
 # Which is the public readable property “ ro.vendor.build.security_patch
 get_prop(domain, vendor_security_patch_level_prop)
+neverallow {
+     coredomain
+     -init
+     -ueventd
+     -vold
+     } vendor_persist_type: { dir file } *;

generic/vendor/common/file.te

@@ -108,7 +108,8 @@ type location_data_file, file_type, data_file_type;
 type vendor_audio_data_file, file_type, data_file_type;
 type vendor_radio_data_file, file_type, data_file_type;
 type wifi_vendor_log_data_file, file_type, data_file_type;
-
+# for mount /persist
+typeattribute mnt_vendor_file vendor_persist_type;
 type persist_file, file_type, vendor_persist_type;
 type persist_data_file, file_type , vendor_persist_type;
 type persist_display_file, file_type;

generic/vendor/common/kernel.te

@@ -40,5 +40,3 @@ r_dir_file(kernel, firmware_file)
 r_dir_file(kernel, vendor_firmware_file)
 
 dontaudit kernel kernel:system module_request;
-
-allow kernel persist_file:dir search;

generic/vendor/common/system_server.te

@@ -33,10 +33,6 @@ binder_call(system_server, hal_graphics_composer)
 
 # location
 binder_call(system_server, location);
-
-allow system_server persist_file:dir search;
-allow system_server persist_sensors_file:dir search;
-allow system_server persist_sensors_file:file r_file_perms;
 allow system_server wlan_device:chr_file rw_file_perms;
 allow system_server hal_audio_default:file w_file_perms;