Merge "Restrict HAL network access to HALS that manage network hardware"

am: b9b63706 Change-Id: I32c85f2ba81e8be3b0065ac0d8e737cd323f86a1

Merge "Restrict HAL network access to HALS that manage network hardware"
3b896623 · Jeff Vander Stoep · android-build-merger · fa633e52 · b9b63706 · 3b896623
Commit 3b896623 authored 8 years ago by Jeff Vander Stoep Committed by android-build-merger 8 years ago
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
+# only HALs responsible for network hardware should have privileged
+# network capabilities
+neverallow {
+  halserverdomain
+  -hal_bluetooth_server
+  -hal_wifi_server
+  -hal_wifi_supplicant_server
+  -rild
+} self:capability { net_admin net_raw };
+# Unless a HAL's job is to manage network hardware, it should not be
+# using network sockets.
+neverallow {
+  halserverdomain
+  -hal_gnss # TODO b/36085168 b/35757613
+  -hal_wifi_server
+  -hal_wifi_supplicant_server
+  -rild
+} domain:{ tcp_socket udp_socket rawip_socket } *;