Revert "Revert "netd: restrict netd binder access to system_server""

This reverts commit b5594c2781.

Bug: 27239233
Change-Id: I407a2f3a313f3de801080f9bae46f6bac1a803c2

domain.te

@@ -38,7 +38,8 @@ userdebug_or_eng(`
   allow domain su:fd use;
   allow domain su:unix_stream_socket { getattr getopt read write shutdown };
 
-  binder_call({ domain -init }, su)
+  allow { domain -init } su:binder { call transfer };
+  allow { domain -init } su:fd use;
 
   # Running something like "pm dump com.android.bluetooth" requires
   # fifo writes

dumpstate.te

@@ -113,7 +113,7 @@ allow dumpstate tombstone_data_file:file r_file_perms;
 allow dumpstate cache_recovery_file:dir r_dir_perms;
 allow dumpstate cache_recovery_file:file r_file_perms;
 
-allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 
 allow dumpstate devpts:chr_file rw_file_perms;

netd.te

@@ -57,7 +57,6 @@ set_prop(netd, ctl_mdnsd_prop)
 
 # Allow netd to publish a binder service and make binder calls.
 binder_use(netd)
-binder_service(netd)
 allow netd netd_service:service_manager add;
 
 # Allow netd to call into the system server so it can check permissions.
@@ -84,3 +83,8 @@ neverallow netd system_file:dir_file_class_set write;
 
 # Write to files in /data/data or system files on /data
 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
+
+# only system_server may interact with netd over binder
+neverallow { domain -system_server } netd_service:service_manager find;
+neverallow { domain -system_server } netd:binder call;
+neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;

shell.te

@@ -83,7 +83,7 @@ allow shell kernel:system syslog_read;
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
-allow shell { service_manager_type -gatekeeper_service }:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
 
 # allow shell to look through /proc/ for ps, top, netstat
 r_dir_file(shell, proc)

system_app.te

@@ -43,7 +43,7 @@ allow system_app anr_data_file:file create_file_perms;
 allow system_app asec_apk_file:file r_file_perms;
 
 allow system_app servicemanager:service_manager list;
-allow system_app service_manager_type:service_manager find;
+allow system_app { service_manager_type -netd_service }:service_manager find;
 
 allow system_app keystore:keystore_key {
 	get_state