Annotate violators of "no sockets between core and vendor" rule

These vendor domains communicate with core domains over sockets,
which is not permitted. This commit thus temporarily associates these
domains with socket_between_core_and_vendor_violators attribute which
permits this banned behavior to continue for now. This is a temporary
workaround. The fix is to fix these domains to not communicate with
core domains over sockets.

NOTE: Some of the domains on the list are there for a benign reason:
passthrough HALs. Core domains which host passthrough HAL
implementations may initiate socket connections to vendor domains and
this is completely permitted. I could've whitelisted all HAL client
domains in the neverallow rules (using halclientdomain attribute) but
this increases the risk of not noticing banned communications from
these domains. Thus, as a workaround until we stop using passthrough
HALs (b/34274385), I added the affected vendor domains to the list of
exemptions.

Test: mmm system/sepolicy
Bug: 36577153
Change-Id: I525a60e571141117e105e96b2b7e28aed791d56f
12 files changed