Merge "Allow to specify platform sepolicy dir mult. times"
diff --git a/public/attributes b/public/attributes
index ed6b97f..f833943 100644
--- a/public/attributes
+++ b/public/attributes
@@ -214,6 +214,12 @@
attribute halclientdomain;
expandattribute halclientdomain true;
+# Exempt for halserverdomain to access sockets. Only builds for automotive
+# device types are allowed to use this attribute (enforced by CTS).
+# Unlike phone, in a car many modules are external from Android perspective and
+# HALs should be able to communicate with those devices through sockets.
+attribute hal_automotive_socket_exemption;
+
# TODO(b/72757373): Use hal_attribute macro once expandattribute value conflicts
# can be resolve.
attribute hal_audio;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 017fcce..0f05d8a 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -11,8 +11,13 @@
# Unless a HAL's job is to communicate over the network, or control network
# hardware, it should not be using network sockets.
+# NOTE: HALs for automotive devices have an exemption from this rule because in
+# a car it is common to have external modules and HALs need to communicate to
+# those modules using network. Using this exemption for non-automotive builds
+# will result in CTS failure.
neverallow {
halserverdomain
+ -hal_automotive_socket_exemption
-hal_tetheroffload_server
-hal_wifi_server
-hal_wifi_hostapd_server