diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
new file mode 100644
index 0000000000000000000000000000000000000000..61b15cab24837625cf99419b182c1ed9d0b05f64
--- /dev/null
+++ b/public/hal_neverallows.te
@@ -0,0 +1,19 @@
+# only HALs responsible for network hardware should have privileged
+# network capabilities
+neverallow {
+  halserverdomain
+  -hal_bluetooth_server
+  -hal_wifi_server
+  -hal_wifi_supplicant_server
+  -rild
+} self:capability { net_admin net_raw };
+
+# Unless a HAL's job is to manage network hardware, it should not be
+# using network sockets.
+neverallow {
+  halserverdomain
+  -hal_gnss # TODO b/36085168 b/35757613
+  -hal_wifi_server
+  -hal_wifi_supplicant_server
+  -rild
+} domain:{ tcp_socket udp_socket rawip_socket } *;
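Review bot: The two exemption lists are maintained independently and already differ (hal_bluetooth_server appears only in the capability rule at L11, hal_gnss only in the socket rule at L21), and the only justification given is the bare TODO on the hal_gnss line, so a reader cannot tell which differences are intentional. Each exemption should carry a one-line reason, for example `-hal_gnss # TODO b/36085168 b/35757613: temporary, remove once GNSS stops opening its own sockets` (the exact reason has to come from those bugs, which are not visible here), and the bluetooth-vs-gnss asymmetry deserves a comment of its own. It is also worth confirming that the class list in the second rule matches the intent in its comment: only tcp_socket, udp_socket and rawip_socket are covered, so socket classes such as packet_socket and the netlink socket classes are not caught by this neverallow and would have to be denied elsewhere if the intent is "no network sockets at all".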