Assert ban on framework <-> vendor comms over VndBinder

This adds neverallow rules which enforce the prohibition on
communication between framework and vendor components over VendorBinder.
This prohibition is similar in spirit to the one for Binder
communications.

Most changes consist of adding neverallow rules, which do not affect
runtime behavior. The only change which does affect runtime behavior
is the change which takes away the right of servicemanager domain to
transfer Binder tokens to hwservicemanager and vndservicemanager. This
grant was there by accident (because it was overly broad) and is not
expected to be needed: servicemanager, hwservicemanager, and
vndservicemanager are not supposed to be communicating with each
other.

P. S. The new neverallow rules in app_neverallows.te are covered by
the new rules in domain.te. The rules were nevertheless added to
app_neverallows.te for consistency with other *Binder rules there.

Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329

private/app_neverallows.te

@@ -21,6 +21,10 @@ neverallow all_untrusted_apps debugfs_type:file read;
 # services.
 neverallow all_untrusted_apps service_manager_type:service_manager add;
 
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
 # Do not allow untrusted apps to connect to the property service
 # or set properties. b/10243159
 neverallow all_untrusted_apps property_socket:sock_file write;

public/domain.te

@@ -559,6 +559,27 @@ full_treble_only(`
   } servicemanager:binder { call transfer };
 ')
 
+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+  } vndbinder_device:chr_file rw_file_perms;
+  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+  } vndservice_manager_type:service_manager *;
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+  } vndservicemanager:binder *;
+')
+
 # On full TREBLE devices, socket communications between core components and vendor components are
 # not permitted.
 full_treble_only(`

public/init.te

@@ -205,7 +205,13 @@ allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read
 
 # init should not be able to read or open generic devices
 # TODO: auditing to see if this can be deleted entirely
-allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+allow init {
+  dev_type
+  -kmem_device
+  -port_device
+  -device
+  -vndbinder_device
+  }:chr_file { read open };
 auditallow init {
   dev_type
   -alarm_device

public/servicemanager.te

@@ -9,7 +9,12 @@ type servicemanager_exec, exec_type, file_type;
 # created by other domains.  It never passes its own references
 # or initiates a Binder IPC.
 allow servicemanager self:binder set_context_mgr;
-allow servicemanager { domain -init }:binder transfer;
+allow servicemanager {
+  domain
+  -init
+  -hwservicemanager
+  -vndservicemanager
+}:binder transfer;
 
 # Access to all (system and vendor) service_contexts
 # TODO(b/36866029) access to nonplat_service_contexts