gs201: Manual fixes to make sepolicy build

Change-Id: I9f9057fd572388a0dfb00554e9b6a3bb63795461

sepolicy/vendor/mediacodec_google.te

@@ -17,6 +17,7 @@ allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms;
 allow mediacodec_google gpu_device:chr_file rw_file_perms;
 allow mediacodec_google video_device:chr_file rw_file_perms;
 
-neverallow mediacodec_google domain:{ rawip_socket tcp_socket udp_socket } *;
+neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow mediacodec_google domain:{ rawip_socket udp_socket } *;
 neverallow mediacodec_google file_type:file execute_no_trans;
 neverallow mediacodec_google fs_type:file execute_no_trans;

sepolicy/vendor/mediacodec_samsung.te

@@ -25,6 +25,7 @@ allow mediacodec_samsung sysfs_mfc:dir r_dir_perms;
 allow mediacodec_samsung sysfs_mfc:file r_file_perms;
 allow mediacodec_samsung video_device:chr_file rw_file_perms;
 
-neverallow mediacodec_samsung domain:{ rawip_socket tcp_socket udp_socket } *;
+neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow mediacodec_samsung domain:{ rawip_socket udp_socket } *;
 neverallow mediacodec_samsung file_type:file execute_no_trans;
 neverallow mediacodec_samsung fs_type:file execute_no_trans;

sepolicy/vendor/uwb_vendor_app.te

@@ -1,9 +1,15 @@
+not_recovery(`
 binder_call(uwb_vendor_app, hal_uwb_vendor_default)
+')
 
 get_prop(uwb_vendor_app, vendor_secure_element_prop)
 
+not_recovery(`
 hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
+')
 
 set_prop(uwb_vendor_app, vendor_uwb_calibration_country_code)
 
+not_recovery(`
 allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
+')