Vendor domains must not use Binder

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 14:27:32 -07:00 · 2017-03-23 14:27:32 -07:00 · f5446eb148
commit f5446eb148
parent 93f99cb1d9
103 changed files with 216 additions and 104 deletions
--- a/Android.mk
+++ b/Android.mk
@ -158,6 +158,7 @@ $(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_M
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@

 reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
@ -188,6 +189,7 @@ $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@

 plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
@ -243,6 +245,7 @@ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

@ -342,6 +345,7 @@ $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEP
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

--- a/private/adbd.te
+++ b/private/adbd.te
@ -1,5 +1,6 @@
 ### ADB daemon

+typeattribute adbd coredomain;
 typeattribute adbd mlstrustedsubject;

 domain_auto_trans(adbd, shell_exec, shell)
--- a/private/atrace.te
+++ b/private/atrace.te
@ -3,7 +3,7 @@
 type atrace_exec, exec_type, file_type;

 userdebug_or_eng(`
-  type atrace, domain, domain_deprecated;
+  type atrace, domain, coredomain, domain_deprecated;

  init_daemon_domain(atrace)

--- a/private/audioserver.te
+++ b/private/audioserver.te
@ -1,5 +1,7 @@
 # audioserver - audio services daemon

+typeattribute audioserver coredomain;
+
 type audioserver_exec, exec_type, file_type;
 init_daemon_domain(audioserver)

--- a/private/binder_in_vendor_violators.te
+++ b/private/binder_in_vendor_violators.te
@ -0,0 +1 @@
+allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
--- a/private/blkid.te
+++ b/private/blkid.te
@ -1,5 +1,7 @@
 # blkid called from vold

+typeattribute blkid coredomain;
+
 type blkid_exec, exec_type, file_type;

 # Allowed read-only access to encrypted devices to extract UUID/label
--- a/private/blkid_untrusted.te
+++ b/private/blkid_untrusted.te
@ -1,5 +1,7 @@
 # blkid for untrusted block devices

+typeattribute blkid_untrusted coredomain;
+
 # Allowed read-only access to vold block devices to extract UUID/label
 allow blkid_untrusted block_device:dir search;
 allow blkid_untrusted vold_device:blk_file r_file_perms;
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@ -1,5 +1,6 @@
 # bluetooth subsystem

+typeattribute bluetooth coredomain;
 typeattribute bluetooth domain_deprecated;

 app_domain(bluetooth)
--- a/private/bootanim.te
+++ b/private/bootanim.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute bootanim coredomain;
+
 init_daemon_domain(bootanim)
--- a/private/bootstat.te
+++ b/private/bootstat.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute bootstat coredomain;
+
 init_daemon_domain(bootstat)
--- a/private/bufferhubd.te
+++ b/private/bufferhubd.te
@ -1 +1,3 @@
+typeattribute bufferhubd coredomain;
+
 init_daemon_domain(bufferhubd)
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute cameraserver coredomain;
+
 init_daemon_domain(cameraserver)
--- a/private/charger.te
+++ b/private/charger.te
@ -0,0 +1 @@
+typeattribute charger coredomain;
--- a/private/clatd.te
+++ b/private/clatd.te
@ -0,0 +1 @@
+typeattribute clatd coredomain;
--- a/private/cppreopts.te
+++ b/private/cppreopts.te
@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute cppreopts coredomain;
+
 # Technically not a daemon but we do want the transition from init domain to
 # cppreopts to occur.
 init_daemon_domain(cppreopts)
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@ -0,0 +1 @@
+typeattribute crash_dump coredomain;
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@ -0,0 +1 @@
+typeattribute dex2oat coredomain;
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@ -1,5 +1,5 @@
 # dexoptanalyzer
-type dexoptanalyzer, domain, mlstrustedsubject;
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, exec_type, file_type;

 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
--- a/private/dhcp.te
+++ b/private/dhcp.te
@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute dhcp coredomain;
+
 init_daemon_domain(dhcp)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
--- a/private/dnsmasq.te
+++ b/private/dnsmasq.te
@ -0,0 +1 @@
+typeattribute dnsmasq coredomain;
--- a/private/drmserver.te
+++ b/private/drmserver.te
@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute drmserver coredomain;
+
 init_daemon_domain(drmserver)

 type_transition drmserver apk_data_file:sock_file drmserver_socket;
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute dumpstate coredomain;
+
 init_daemon_domain(dumpstate)

 # Execute and transition to the vdc domain
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@ -11,6 +11,8 @@
 ###
 ### PackageManager flags an app as ephemeral at install time.

+typeattribute ephemeral_app coredomain;
+
 net_domain(ephemeral_app)
 app_domain(ephemeral_app)

--- a/private/fingerprintd.te
+++ b/private/fingerprintd.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute fingerprintd coredomain;
+
 init_daemon_domain(fingerprintd)
--- a/private/fsck.te
+++ b/private/fsck.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute fsck coredomain;
+
 init_daemon_domain(fsck)
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@ -0,0 +1 @@
+typeattribute fsck_untrusted coredomain;
--- a/private/gatekeeperd.te
+++ b/private/gatekeeperd.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute gatekeeperd coredomain;
+
 init_daemon_domain(gatekeeperd)
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@ -1,4 +1,4 @@
-type hal_allocator_default, domain;
+type hal_allocator_default, domain, coredomain;
 hal_server_domain(hal_allocator_default, hal_allocator)

 type hal_allocator_default_exec, exec_type, file_type;
--- a/private/healthd.te
+++ b/private/healthd.te
@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute healthd coredomain;
+
 init_daemon_domain(healthd)

 # Allow callback to storaged batteryproperties listener
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute hwservicemanager coredomain;
+
 init_daemon_domain(hwservicemanager)
--- a/private/idmap.te
+++ b/private/idmap.te
@ -0,0 +1 @@
+typeattribute idmap coredomain;
--- a/private/incident.te
+++ b/private/incident.te
@ -1,3 +1,5 @@
+typeattribute incident coredomain;
+
 type incident_exec, exec_type, file_type;

 # switch to incident domain for incident command
--- a/private/incidentd.te
+++ b/private/incidentd.te
@ -1,3 +1,5 @@
+typeattribute incidentd coredomain;
+
 init_daemon_domain(incidentd)
 type incidentd_exec, exec_type, file_type;
 binder_use(incidentd)
--- a/private/init.te
+++ b/private/init.te
@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute init coredomain;
+
 tmpfs_domain(init)

 # Transitions to seclabel processes in init.rc
--- a/private/inputflinger.te
+++ b/private/inputflinger.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute inputflinger coredomain;
+
 init_daemon_domain(inputflinger)
--- a/private/install_recovery.te
+++ b/private/install_recovery.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute install_recovery coredomain;
+
 init_daemon_domain(install_recovery)
--- a/private/installd.te
+++ b/private/installd.te
@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute installd coredomain;
+
 init_daemon_domain(installd)

 # Run dex2oat in its own sandbox.
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@ -6,6 +6,8 @@
 ### and AID_ISOLATED_END (99999).
 ###

+typeattribute isolated_app coredomain;
+
 app_domain(isolated_app)

 # Access already open app data files received over Binder or local socket IPC.
--- a/private/kernel.te
+++ b/private/kernel.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute kernel coredomain;
+
 domain_auto_trans(kernel, init_exec, init)
--- a/private/keystore.te
+++ b/private/keystore.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute keystore coredomain;
+
 init_daemon_domain(keystore)
--- a/private/lmkd.te
+++ b/private/lmkd.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute lmkd coredomain;
+
 init_daemon_domain(lmkd)
--- a/private/logd.te
+++ b/private/logd.te
@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute logd coredomain;
+
 init_daemon_domain(logd)

 # logd is not allowed to write anywhere other than /data/misc/logd, and then
--- a/private/logpersist.te
+++ b/private/logpersist.te
@ -1,3 +1,5 @@
+typeattribute logpersist coredomain;
+
 # android debug log storage in logpersist domains (eng and userdebug only)
 userdebug_or_eng(`

--- a/private/mdnsd.te
+++ b/private/mdnsd.te
@ -1,5 +1,6 @@
 # mdns daemon

+typeattribute mdnsd coredomain;
 typeattribute mdnsd mlstrustedsubject;

 type mdnsd_exec, exec_type, file_type;
--- a/private/mediacodec.te
+++ b/private/mediacodec.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediacodec coredomain;
+
 init_daemon_domain(mediacodec)
--- a/private/mediadrmserver.te
+++ b/private/mediadrmserver.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediadrmserver coredomain;
+
 init_daemon_domain(mediadrmserver)
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediaextractor coredomain;
+
 init_daemon_domain(mediaextractor)
--- a/private/mediametrics.te
+++ b/private/mediametrics.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediametrics coredomain;
+
 init_daemon_domain(mediametrics)
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediaserver coredomain;
+
 init_daemon_domain(mediaserver)
--- a/private/modprobe.te
+++ b/private/modprobe.te
@ -0,0 +1 @@
+typeattribute modprobe coredomain;
--- a/private/mtp.te
+++ b/private/mtp.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mtp coredomain;
+
 init_daemon_domain(mtp)
--- a/private/netd.te
+++ b/private/netd.te
@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute netd coredomain;
+
 init_daemon_domain(netd)

 # Allow netd to spawn dnsmasq in it's own domain
--- a/private/nfc.te
+++ b/private/nfc.te
@ -1,4 +1,5 @@
 # nfc subsystem
+typeattribute nfc coredomain;
 app_domain(nfc)
 net_domain(nfc)

--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute otapreopt_chroot coredomain;
+
 # Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
--- a/private/otapreopt_slot.te
+++ b/private/otapreopt_slot.te
@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute otapreopt_slot coredomain;
+
 # Technically not a daemon but we do want the transition from init domain to
 # cppreopts to occur.
 init_daemon_domain(otapreopt_slot)
--- a/private/performanced.te
+++ b/private/performanced.te
@ -1 +1,3 @@
+typeattribute performanced coredomain;
+
 init_daemon_domain(performanced)
--- a/private/platform_app.te
+++ b/private/platform_app.te
@ -2,6 +2,7 @@
 ### Apps signed with the platform key.
 ###

+typeattribute platform_app coredomain;
 typeattribute platform_app domain_deprecated;

 app_domain(platform_app)
--- a/private/postinstall.te
+++ b/private/postinstall.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute postinstall coredomain;
+
 domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute postinstall_dexopt coredomain;
+
 # Run dex2oat/patchoat in its own sandbox.
 # We have to manually transition, as we don't have an entrypoint.
 domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
--- a/private/ppp.te
+++ b/private/ppp.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute ppp coredomain;
+
 domain_auto_trans(mtp, ppp_exec, ppp)
--- a/private/preopt2cachename.te
+++ b/private/preopt2cachename.te
@ -0,0 +1 @@
+typeattribute preopt2cachename coredomain;
--- a/private/priv_app.te
+++ b/private/priv_app.te
@ -2,6 +2,7 @@
 ### A domain for further sandboxing privileged apps.
 ###

+typeattribute priv_app coredomain;
 app_domain(priv_app)

 # Access the network.
--- a/private/profman.te
+++ b/private/profman.te
@ -0,0 +1 @@
+typeattribute profman coredomain;
--- a/private/racoon.te
+++ b/private/racoon.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute racoon coredomain;
+
 init_daemon_domain(racoon)
--- a/private/radio.te
+++ b/private/radio.te
@ -1,3 +1,5 @@
+typeattribute radio coredomain;
+
 app_domain(radio)

 read_runtime_log_tags(radio)
--- a/private/recovery.te
+++ b/private/recovery.te
@ -0,0 +1 @@
+typeattribute recovery coredomain;
--- a/private/recovery_persist.te
+++ b/private/recovery_persist.te
@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute recovery_persist coredomain;
+
 init_daemon_domain(recovery_persist)

 # recovery_persist is not allowed to write anywhere other than recovery_data_file
--- a/private/recovery_refresh.te
+++ b/private/recovery_refresh.te
@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute recovery_refresh coredomain;
+
 init_daemon_domain(recovery_refresh)

 # recovery_refresh is not allowed to write anywhere
--- a/private/runas.te
+++ b/private/runas.te
@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute runas coredomain;
+
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
--- a/private/sdcardd.te
+++ b/private/sdcardd.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute sdcardd coredomain;
+
 type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
--- a/private/sensord.te
+++ b/private/sensord.te
@ -1 +1,3 @@
+typeattribute sensord coredomain;
+
 init_daemon_domain(sensord)
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute servicemanager coredomain;
+
 init_daemon_domain(servicemanager)

 read_runtime_log_tags(servicemanager)
--- a/private/sgdisk.te
+++ b/private/sgdisk.te
@ -0,0 +1 @@
+typeattribute sgdisk coredomain;
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@ -1,3 +1,5 @@
+typeattribute shared_relro coredomain;
+
 # The shared relro process is a Java program forked from the zygote, so it
 # inherits from app to get basic permissions it needs to run.
 app_domain(shared_relro)
--- a/private/shell.te
+++ b/private/shell.te
@ -1,3 +1,5 @@
+typeattribute shell coredomain;
+
 # systrace support - allow atrace to run
 allow shell debugfs_tracing:dir r_dir_perms;
 allow shell debugfs_tracing:file r_file_perms;
--- a/private/slideshow.te
+++ b/private/slideshow.te
@ -0,0 +1 @@
+typeattribute slideshow coredomain;
--- a/private/storaged.te
+++ b/private/storaged.te
@ -1,5 +1,5 @@
 # storaged daemon
-type storaged, domain, mlstrustedsubject;
+type storaged, domain, coredomain, mlstrustedsubject;
 type storaged_exec, exec_type, file_type;

 init_daemon_domain(storaged)
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@ -1,5 +1,7 @@
 # surfaceflinger - display compositor service

+typeattribute surfaceflinger coredomain;
+
 type surfaceflinger_exec, exec_type, file_type;
 init_daemon_domain(surfaceflinger)

--- a/private/system_app.te
+++ b/private/system_app.te
@ -4,6 +4,7 @@
 ### server.
 ###

+typeattribute system_app coredomain;
 typeattribute system_app domain_deprecated;

 app_domain(system_app)
--- a/private/system_server.te
+++ b/private/system_server.te
@ -3,6 +3,7 @@
 # Most of the framework services run in this process.
 #

+typeattribute system_server coredomain;
 typeattribute system_server domain_deprecated;
 typeattribute system_server mlstrustedsubject;

--- a/private/tee.te
+++ b/private/tee.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tee coredomain;
+
 init_daemon_domain(tee)
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tombstoned coredomain;
+
 init_daemon_domain(tombstoned)
--- a/private/toolbox.te
+++ b/private/toolbox.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute toolbox coredomain;
+
 init_daemon_domain(toolbox)
--- a/private/tzdatacheck.te
+++ b/private/tzdatacheck.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tzdatacheck coredomain;
+
 init_daemon_domain(tzdatacheck)
--- a/private/ueventd.te
+++ b/private/ueventd.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute ueventd coredomain;
+
 tmpfs_domain(ueventd)
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute uncrypt coredomain;
+
 init_daemon_domain(uncrypt)
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@ -17,6 +17,8 @@
 ### seapp_contexts.
 ###

+typeattribute untrusted_app coredomain;
+
 app_domain(untrusted_app)
 untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@ -19,6 +19,8 @@
 ### seapp_contexts.
 ###

+typeattribute untrusted_app_25 coredomain;
+
 app_domain(untrusted_app_25)
 untrusted_app_domain(untrusted_app_25)
 net_domain(untrusted_app_25)
--- a/private/untrusted_v2_app.te
+++ b/private/untrusted_v2_app.te
@ -1,6 +1,9 @@
 ###
 ### Untrusted v2 sandbox apps.
 ###
+
+typeattribute untrusted_v2_app coredomain;
+
 app_domain(untrusted_v2_app)
 net_domain(untrusted_v2_app)
 bluetooth_domain(untrusted_v2_app)
--- a/private/update_engine.te
+++ b/private/update_engine.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute update_engine coredomain;
+
 init_daemon_domain(update_engine);
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute update_verifier coredomain;
+
 init_daemon_domain(update_verifier)
--- a/private/vdc.te
+++ b/private/vdc.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute vdc coredomain;
+
 init_daemon_domain(vdc)
--- a/private/virtual_touchpad.te
+++ b/private/virtual_touchpad.te
@ -1 +1,3 @@
+typeattribute virtual_touchpad coredomain;
+
 init_daemon_domain(virtual_touchpad)
--- a/private/vold.te
+++ b/private/vold.te
@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute vold coredomain;
+
 init_daemon_domain(vold)

 # Switch to more restrictive domains when executing common tools
--- a/private/watchdogd.te
+++ b/private/watchdogd.te
@ -0,0 +1 @@
+typeattribute watchdogd coredomain;
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@ -1,6 +1,8 @@
 # webview_zygote is an auxiliary zygote process that is used to spawn
 # isolated_app processes for rendering untrusted web content.

+typeattribute webview_zygote coredomain;
+
 # The webview_zygote needs to be able to transition domains.
 typeattribute webview_zygote mlstrustedsubject;

--- a/private/wificond.te
+++ b/private/wificond.te
@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute wificond coredomain;
+
 init_daemon_domain(wificond)
--- a/private/zygote.te
+++ b/private/zygote.te
@ -1,4 +1,5 @@
 # zygote
+typeattribute zygote coredomain;
 typeattribute zygote domain_deprecated;
 typeattribute zygote mlstrustedsubject;

--- a/public/attributes
+++ b/public/attributes
@ -115,6 +115,13 @@ attribute binderservicedomain;
 # recovery for A/B devices.
 attribute update_engine_common;

+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+
+# All vendor domains which violate the requirement of not using Binder
+# TODO(b/35870313): Remove this once there are no violations
+attribute binder_in_vendor_violators;
+
 # All HAL servers
 attribute halserverdomain;
 # All HAL clients
--- a/public/domain.te
+++ b/public/domain.te
@ -66,7 +66,10 @@ allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
-allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+# /dev/binder can be accessed by non-vendor domains and by apps
+allow { coredomain appdomain -hwservicemanager } binder_device:chr_file rw_file_perms;
+# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
+not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
 allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
@ -420,6 +423,24 @@ neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;

+# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
+# domain apps need this because Android framework offers many of its services to apps as Binder
+# services.
+full_treble_only(`
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } binder_device:chr_file rw_file_perms;
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } servicemanager:binder { call transfer };
+')
+
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
  domain
--- a/Show more
+++ b/Show more
				`@ -0,0 +1 @@`
				`allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;`