Commit graph

59 commits

Author SHA1 Message Date
Hridya Valsaraju
23f9f51fcd Revert "Revert "Add neverallows for debugfs access""
This reverts commit e95e0ec0a5.

Now that b/186727553 is fixed, it should be safe to revert this revert.

Test: build
Bug: 184381659
Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
2021-05-04 22:06:46 -07:00
Hridya Valsaraju
e95e0ec0a5 Revert "Add neverallows for debugfs access"
Revert submission 1668411

Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting

Change-Id: I9b7d43ac7e2ead2d175b265e97c749570c95e075
2021-04-23 16:38:20 +00:00
Hridya Valsaraju
a0b504a484 Add neverallows for debugfs access
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs using the
dumpstate HAL).

This patch adds neverallow statements to prevent othe processes
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.

Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
2021-04-21 14:13:22 -07:00
JW Wang
0f8cf04965 Add persist.rollback.is_test (6/n)
This property is set to true in rollback tests to prevent
fallback-to-copy when enabling rollbacks by hard linking.

This gives us insights into how hard linking fails where
it shouldn't.

Bug: 168562373
Test: m
Change-Id: Iab22954e9b9da21f0c3c26487cda60b8a1293b47
2021-03-03 10:34:06 +08:00
Ryan Savitski
8b26472177 traced_perf: allow RO tracefs access + fix neverallow
We're adding support for counting and/or sampling on the static kernel
tracepoints in traced_perf (via perf_event_open). This requires traslating
a human-readable tracepoint name to its id for the running kernel.
For that, we need to read the "id" files like:
  /sys/kernel/tracing/events/sched/sched_switch/id

While the current implementation should only need "file r_file_perms",
as it constructs the full path to the id file, I've also added the
directory-level rule to allow for a possible change in implementation,
as we might want to enumerate all available events ahead of time, which
would require listing the tracefs events/ dir.

The changed neverallow macro was a copypaste mistake.

Example denials without the change:
  avc: denied { read } for name="id" dev="tracefs" ino=5721
  scontext=u:r:traced_perf:s0 tcontext=u:object_r:debugfs_tracing:s0
  tclass=file permissive=1

  avc: denied { open } for
  path="/sys/kernel/tracing/events/sched/sched_switch/id" dev="tracefs"
  ino=5721 scontext=u:r:traced_perf:s0
  tcontext=u:object_r:debugfs_tracing:s0 tclass=file permissive=1

  avc: denied { getattr } for
  path="/sys/kernel/tracing/events/sched/sched_switch/id" dev="tracefs"
  ino=5721 scontext=u:r:traced_perf:s0
  tcontext=u:object_r:debugfs_tracing:s0 tclass=file permissive=1

Tested: collected a profile sampled on "sched/sched_switch" on
        crosshatch-userdebug.
Bug: 170284829
Bug: 178961752
Change-Id: I75427e848ccfdc200c5f9b679ea18fc78e1669d6
2021-01-31 16:44:00 +00:00
Inseob Kim
e0ebc571bd Add ro.zygote.disable_gl_preload to policy
It's used by ZygoteInit, and vendor_init should be able to set it.

Bug: 176210699
Test: boot
Change-Id: I27bb59c145f3257281fb8d6007be60eb2bcc93ca
2021-01-18 02:11:57 +00:00
Inseob Kim
150355b1c3 Merge "Revert^2 "Make default_prop only readable from coredomain"" 2021-01-14 09:42:25 +00:00
Inseob Kim
5c011e57a5 Revert^2 "Make default_prop only readable from coredomain"
This reverts commit 32fbfbc016.

Reason for revert: Fixed breakages

Change-Id: I474ee7dd7b82b4f2e02353e8a3fb55e3c410941f
2021-01-14 04:08:16 +00:00
Florian Mayer
a8a3d8b1bf Allow heapprofd central mode on user builds.
This simplifies operation by removing a special case for user builds.

Test: atest CtsPerfettoTestCases on user
Test: atest CtsPerfettoTestCases on userdebug
Test: atest perfetto_integrationtests on userdebug
Bug: 153139002
Change-Id: Ibbf3dd5e4f75c2a02d931f73b96fabb8157e0ebf
2021-01-11 17:19:02 +00:00
Jackal Guo
32fbfbc016 Revert "Make default_prop only readable from coredomain"
This reverts commit 082ced1951.

Reason for revert: b/176784961

Change-Id: Ia85667216d63084e9e23aefe1d3bfd7942d51a2a
2021-01-05 08:47:57 +00:00
Hridya Valsaraju
8c9cf62edb Allow coredomain access to only approved categories of vendor heaps
One of the advantages of the DMA-BUF heaps framework over
ION is that each heap is a separate char device and hence
it is possible to create separate sepolicy permissions to restrict
access to each heap.
In the case of ION, allocation in every heap had to be done through
/dev/ion which meant that there was no away to restrict allocations in
a specific heap.

This patch intends to restrict coredomain access to only approved
categories of vendor heaps. Currently, the only identified category
as per partner feedback is the system-secure heap which is defined
as a heap that allocates from protected memory.

Test: Build, video playback works on CF with ION disabled and
without sepolicy denials
Bug: 175697666

Change-Id: I923d2931c631d05d569e97f6e49145ef71324f3b
2020-12-16 10:08:54 -08:00
Inseob Kim
082ced1951 Make default_prop only readable from coredomain
default_prop has been readable from coredomain and appdomain. It's too
broad, because default_prop is a context for properties which don't have
matching property_contexts entries.

From now on, only coredomain can read default_prop. It's still broad,
but at least random apps can't read default_prop anymore.

Bug: 170590987
Test: SELinux denial boot test for internal devices
Change-Id: Ieed7e60d7e4448705c70e4f1725b2290e4fbcb4a
2020-12-14 16:58:23 +09:00
Inseob Kim
0cef0fe5ac Add contexts for sqlite debug properties
These are read by some apps, but don't have any corresponding property
contexts. This adds a new context as we're going to remove default_prop
access.

Bug: 173360450
Test: no sepolicy denials
Change-Id: I9be28d8e641eb6380d080150bee785a3cc304ef4
2020-11-18 12:14:20 +09:00
Inseob Kim
d5a0448a53 Add entries for some properties in default_prop
Currently default_prop is readable by coredomain and appdomain. That's
too broad, and we are going to restrict the access so every property
should be added to property_contexts.

This adds some missing properties to property_contexts. Newly added
property contexts are:

- wrap.*: used by zygote to give arguments. It's assigned as
zygote_wrap_prop, and will be readable from coredomain.

- partition.{mount_name}.verified: used by dm-verity. It's assigned as
vertiy_status_prop, and will only be accessible from init.

- (ro.)?setupwizard.*: used by setup wizard. It's assigned as
setupwizard_prop, and will be readable from coredomain.

Other properties, such as ro.gfx.*, media.stagefright.*,
ro.storage_manager.* are also added to existing contexts.

Bug: 170590987
Test: boot crosshatch and see no denials
Change-Id: Ife9d69a62ee8bd7395a70cd104271898c8a72540
2020-11-06 14:02:34 +09:00
Yi Kong
4555123090 Policies for profcollectd
Bug: 79161490
Test: run profcollect with enforcing
Change-Id: I19591dab7c5afb6ace066a3e2607cd290c0f43a6
2020-09-08 12:29:47 +00:00
Inseob Kim
4ae7ec1915 Remove exported3_radio_prop
It's renamed to radio_control_prop

Bug: 162214733
Test: boot
Change-Id: Idede1a1ab471a354a6f5df12b6889abc7c1ad869
2020-08-03 09:23:39 +00:00
Jeff Sharkey
a0e7a6da28 Update language to comply with Android's inclusive language guidance
See https://source.android.com/setup/contribute/respectful-code for reference

Bug: 161896447
Change-Id: I0caf39b349c48e44123775d98c52a773b0b504ff
2020-07-31 12:28:11 -06:00
Inseob Kim
c97a97cd3f Move more properties out of exported3_default_prop
This is to remove exported3_default_prop. Contexts of these properties
are changed.

- ro.boot.wificountrycode
This becomes wifi_config_prop

- ro.opengles.version
This becomes graphics_config_prop. Also it's read by various domains, so
graphics_config_prop is now readable from coredomain.

- persist.config.calibration_fac
This becomes camera_calibration_prop. It's only readable by appdomain.

Bug: 155844385
Test: no denials on Pixel devices
Test: connect wifi
Change-Id: If2b6c10fa124e29d1612a8f94ae18b223849e2a9
2020-07-21 13:11:57 +09:00
Inseob Kim
c80b024241 Relabel various exported3_default_prop
This removes bad context names "exported*_prop". Property contexts of
following properties are changed. All properties are settable only by
vendor-init.

- ro.config.per_app_memcg
This becomes lmkd_config_prop.

- ro.zygote
This becomes dalvik_config_prop.

- ro.oem_unlock_supported
This becomes oem_unlock_prop. It's readable by system_app which includes
Settings apps.

- ro.storage_manager.enabled
This becomes storagemanagr_config_prop. It's readable by coredomain.
Various domains in coredomain seem to read it.

- sendbug.preferred.domain
This bcomes sendbug_config_prop. It's readable by appdomain.

There are still 3 more exported3_default_prop, which are going to be
tracked individually.

Bug: 155844385
Test: selinux denial check on Pixel devices
Change-Id: I340c903ca7bda98a92d0f157c65f6833ed00df05
2020-07-20 16:11:58 +09:00
Inseob Kim
98fe6847bd Merge "Add property contexts for vts props" 2020-07-16 10:24:08 +00:00
Inseob Kim
212e2b621a Add property contexts for vts props
vts_config_prop and vts_status_prop are added to remove exported*_prop.
ro.vts.coverage becomes vts_config_prop, and vts.native_server.on
becomes vts_status_prop.

Bug: 155844385
Test: Run some vts and then getprop, e.g. atest \
      VtsHalAudioEffectV4_0TargetTest && adb shell getprop
Test: ro.vts.coverage is read without denials
Change-Id: Ic3532ef0ae7083db8d619d80e2b73249f87981ce
2020-07-16 16:26:17 +09:00
Calin Juravle
de7244cf23 Fix sepolicy for secondary dex files
dexoptanalyzer need read access on the secondary
dex files and of the main apk files in order to successfully evaluate
and optimize them.

Example of denial:
audit(0.0:30): avc: denied { read } for
path="/data/app/~~Zux_isdY0NBkRWPp01oAVg==/com.example.secondaryrepro-wH9zezMSCzIjcKdIMtrw7A==/base.apk"
dev="vdc" ino=40966 scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
app=com.example.secondaryrepro

Test: adb shell cmd package compile -r bg-dexopt --secondary-dex app
Bug: 160471235
Bug: 160351055
Change-Id: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf
2020-07-15 16:43:40 +00:00
Alexander Mishkovets
f0be89be1d Define sepolicy for locale filter property
Bug: 154133013
Test: Manual
Change-Id: I28ae279e4fd47553fcf4ab9421944f552490b49f
2020-07-09 20:32:58 +02:00
Treehugger Robot
8759915731 Merge "GPU Memory: add sepolicy rules around bpf for gpuservice" 2020-06-05 17:46:55 +00:00
Inseob Kim
ad6317018c Add contexts for exported telephony props
To remove bad context names, two contexts are added.

- telephony_config_prop
- telephony_status_prop

exported_radio_prop, exported2_radio_prop are removed. Cleaning up
exported3_radio_prop will be a follow-up task.

Exempt-From-Owner-Approval: cherry-pick

Bug: 152471138
Bug: 155844385
Test: boot and see no denials
Test: usim works on blueline
Change-Id: Iff9a4635c709f3ebe266cd811df3a1b4d3a242c2
Merged-In: Iff9a4635c709f3ebe266cd811df3a1b4d3a242c2
(cherry picked from commit 4d36eae8af)
2020-06-04 16:10:44 +09:00
Yiwei Zhang
4b63ce9dd0 GPU Memory: add sepolicy rules around bpf for gpuservice
1. Allow gpuservice to access tracepoint id
2. Allow gpuservice to access bpf program
3. Allow gpuservice to attach bpf program to tracepoint
4. Allow gpuservice to access bpf filesystem
5. Allow gpuservice to run bpf program and read map through bpfloader
6. Allow gpuservice to check a property to ensure bpf program loaded

Bug: 136023082
Test: adb shell dumpsys gpu --gpumem
Change-Id: Ic808a7e452b71c54908cdff806f41f51ab66ffd8
2020-06-03 11:23:16 -07:00
Inseob Kim
26408bda38 Fix denial of reading init_service_status_prop
Exported properties init.svc.* were world-readable, so making them
world-readable again to fix selinux denials.

Bug: 157474281
Test: m selinux_policy
Change-Id: I6d5a28b68061896e9cd2584c47aa60f6d36ed53f
2020-05-28 09:04:36 +09:00
Inseob Kim
dbcc459b90 Take new types out of compatible_property_only
compatible_property_only is meaningless to new types introduced after
Android P because the macro is for types which should have different
accessibilities depending on the device's launching API level.

Bug: N/A
Test: system/sepolicy/tools/build_policies.sh
Change-Id: If6b1cf5e4203c74ee65f170bd18c3a354dca2fd4
2020-05-25 17:31:26 +09:00
Inseob Kim
15e5e0a470 Add contexts for init.svc.* props
To remove bad context names "exported*_prop". Other init.svc.*
properties explicitly become system internal prop.

Bug: 155844385
Test: boot and see no denials
Change-Id: I7a3b4103a4cea77035a6e831e3b6a49a45f15a35
2020-05-20 12:08:02 +09:00
Inseob Kim
dc1e5019d6 Rename system_radio_prop
For whatever reason sys.usb.config* has been labeled as
system_radio_prop, which doesn't make sense. Changing context name as
usb_prop. For the same reason exported_system_radio_prop is also
renamed to usb-related names.

Bug: 71814576
Bug: 154885206
Test: m selinux_policy
Change-Id: If30bc620dbeac926a8b9bcde908357fda739a6c1
Merged-In: If30bc620dbeac926a8b9bcde908357fda739a6c1
(cherry picked from commit 44fbcdb677)
2020-05-15 15:06:10 +09:00
Inseob Kim
1337e15717 Add new context dalvik_runtime_prop
persist.sys.dalvik.vm.lib.2 is moved to a new context
dalvik_runtime_prop from bad context name.

Bug: 154885206
Test: boot device and see logcat
Change-Id: I9dea95105c266088d5f071bf2d890048f0999b0b
2020-05-13 23:33:03 +09:00
Inseob Kim
df0008802e Add hdmi_config_prop for hdmi properties
To remove bad context names.

Bug: 154885206
Bug: 155844385
Test: m selinux_policy
Change-Id: I5712bf836e07b3b26a51c3433234b986843076ea
2020-05-12 23:04:51 +09:00
Inseob Kim
8880f7700a Merge "Rename contexts of ffs props" 2020-05-12 03:52:18 +00:00
Inseob Kim
a28428e7bf Move camera config props to camera_config_prop
Bug: 155844385
Test: sepolicy_tests
Change-Id: Iebe81d9af48e68e6499272bd5815e959f5945567
2020-05-11 21:55:26 +09:00
Inseob Kim
bfb3708234 Rename contexts of ffs props
Bug: 71814576
Bug: 154885206
Test: m sepolicy_test
Change-Id: Idacc3635851b14b833bccca177d784f4bb92c763
2020-05-11 21:23:37 +09:00
Inseob Kim
cc4d888f52 Move ro.lmk. properties to lmkd_config_prop
Bug: 155844385
Test: sepolicy_tests
Change-Id: I6a4412b3e7d3c46eae699bd8e7d2941f56b31773
2020-05-08 12:19:54 +09:00
Jeongik Cha
832a8a9389 mediaserver, mediaextractor, drmserver: allow vendor_overlay_file
MediaPlayer cannot load a video from RRO packages.
So, add allow rules which is necessary to play the video.

Bug: b/154795779
Test: check if MediaPlayer can load a video in RRO
Change-Id: I06eed146b6e70a548b6b4f4faf56ba2bccd68140
2020-04-29 11:52:45 +09:00
Igor Murashkin
e39f8d23ed sepolicy: policies for iorap.inode2filename
binary transitions are as follows:

iorapd (fork/exec) -> iorap.cmd.compiler (fork/exec) -> iorap.inode2filename

Bug: 117840092
Test: adb shell cmd jobscheduler run -f android 28367305
Change-Id: I4249fcd37d2c8cbdd0ae1a0505983cce9c7fa7c6
2020-02-20 16:38:17 -08:00
Connor O'Brien
e3f0b2ca13 Allow system_server to attach bpf programs to tracepoints
In order to track time in state data using eBPF, system_server needs
to be able to attach BPF programs to tracepoints, which involves:
- calling perf_event_open and the PERF_EVENT_IOC_SET_BPF ioctl
- running BPF programs
- reading tracepoint ids from tracefs

Grant system_server the necessary permissions for these tasks

Test: modify system_server to try to attach programs; check for
denials
Bug: 138317993
Change-Id: I07dafd325a9c57d53767a09d4ca7b0fb2dd2d328
Signed-off-by: Connor O'Brien <connoro@google.com>
2020-01-31 19:47:24 -08:00
Ryan Savitski
67a82481f8 initial policy for traced_perf daemon (perf profiler)
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.

To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).

This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.

Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.

Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
2020-01-22 22:04:01 +00:00
Igor Murashkin
9f74a428c4 sepolicy: Add iorap_prefetcherd rules
/system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during
startup

See also go/android-iorap-security for the design doc

Bug: 137403231
Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
2019-10-22 12:45:46 -07:00
Tri Vo
bfcddbe25e sepolicy: remove ashmemd
Bug: 139855428
Test: m selinux_policy
Change-Id: I8d7f66b16be025f7cb9c5269fae6fd7540c2fdc9
2019-09-27 17:43:53 +00:00
Elliott Hughes
132b081ee3 Remove perfprofd references.
perfprofd was never finished, and has been removed.

Test: treehugger
Change-Id: I4fc8aa9b737360a66d89c5be39651284ee2d6ffd
2019-07-19 11:15:12 -07:00
Andreas Gampe
30186cf611 Sepolicy: Allow otapreopt access to vendor overlay files
A handful of APKs are vendor overlay files. Allow access.

Test: m
Change-Id: I791fa37a3bcb07729386047f0cda178753af9de5
2019-03-22 12:13:53 -07:00
Tri Vo
73d0a67b06 sepolicy for ashmemd
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.

Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.

Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
2019-02-05 21:38:14 +00:00
Jiyong Park
9d9333ac86 init can call setns
init now creates two mount namespaces one for pre-apexd processes and
the other for post-apexd processes. This is to mount different files to
the same mount point at /bionic. For pre-apexd processes, the bootstrap
Bionic is mounted. For post-apexd processes, the default Bionic (from
the runtime APEX) is mounted.

Using unshare and setns, init first starts with the mount namespace for
the pre-apexd and then switches to the other mount namespace when APEXes
are ready. It then occasionally switches to pre-apexd mount namespace
when it has to re-launch a pre-apexd process (e.g. the process has
crashed, etc.)

In doing so, read access to /proc/self/ns/mnt is granted to init as
well.

Bug: 120266448
Bug: 122717176
Test: m device boots
Change-Id: Idbf15cbf5cc36b9993d718d4d887cd8f23a94666
2019-01-31 13:44:21 +09:00
Martijn Coenen
1bbda7e662 Initial sepolicy for app_zygote.
The application zygote is a new sort of zygote process that is a
child of the regular zygote. Each application zygote is tied to the
application for which it's launched. Once it's started, it will
pre-load some of the code for that specific application, much like
the regular zygote does for framework code.

Once the application zygote is up and running, it can spawn
isolated service processes that run in the isolated_app domain. These
services can then benefit from already having the relevant
application code and data pre-loaded.

The policy is largely the same as the webview_zygote domain,
however there are a few crucial points where the policy is different.

1) The app_zygote runs under the UID of the application that spawned
   it.
2) During app_zygote launch, it will call a callback that is
   controlled by the application, that allows the application to
   pre-load code and data that it thinks is relevant.

Especially point 2 is imporant: it means that untrusted code can run
in the app_zygote context. This context is severely limited, and the
main concern is around the setgid/setuid capabilities. Those conerns
are mitigated by installing a seccomp filter that only allows
setgid/setuid to be called in a safe range.

Bug: 111434506
Test: app_zygote can start and fork children without denials.
Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
2019-01-21 08:24:41 +00:00
Tri Vo
1e99de5779 Apply full_treble_only to whole rule.
The way we build and run CTS expects full_treble_only and
compatible_property_only macros to be applied to whole rules and not be
nested inside other rules.

Fixes: 122601363
Test: corresponding neverallow rule in auto-generated
SELinuxNeverallowRulesTest.java is parsed correctly.
Change-Id: Ibf5187cedca72510fe74c6dc55a75a54a86c02ff
2019-01-09 16:57:09 -08:00
Nick Kralevich
0eb0a16fbd bless app created renderscript files
When an app uses renderscript to compile a Script instance,
renderscript compiles and links the script using /system/bin/bcc and
/system/bin/ld.mc, then places the resulting shared library into the
application's code_cache directory. The application then dlopen()s the
resulting shared library.

Currently, this executable code is writable to the application. This
violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which
requires any executable code be immutable.

This change introduces a new label "rs_data_file". Files created by
/system/bin/bcc and /system/bin/ld.mc in the application's home
directory assume this label. This allows us to differentiate in
security policy between app created files, and files created by
renderscript on behalf of the application.

Apps are allowed to delete these files, but cannot create or write these
files. This is enforced through a neverallow compile time assertion.

Several exceptions are added to Treble neverallow assertions to support
this functionality. However, because renderscript was previously invoked
from an application context, this is not a Treble separation regression.

This change is needed to support blocking dlopen() for non-renderscript
/data/data files, which will be submitted in a followup change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 13:20:22 -08:00
Tri Vo
2725edc658 Wider neverallow rules for coredomain /dev access.
"iio_device", "radio_device" must not be accessed by coredomain on all
devices. And "tee_device" must not be accessed by coredomain on Treble
devices.

Bug: 110962171
Test: m selinux_policy
Test: mmma system/sepolicy
Change-Id: I27029b6579b41109c01c35c6ab5a992413f2de5c
2018-11-29 19:01:48 -08:00