Remove duplicate neverallow for hal_audio_server

A vendor has an audio HAL implementation for Android Automotive that
controls amplifiers with TCP sockets. This violates a neverallow rule
in 'public/hal_audio.te':

neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket
} *;

This rule prevents any audio HAL server from accessing sockets, but
public/hal_neverallows.te, line 19, exempts HAL servers on automotive
devices, because in a car it is common to have external modules
accessible over in-vehicle networks.

Therefore, the existing neverallow rule in hal_audio.te is a duplicate,
and this CL removes this rule.

Vendors on automotive devices should refer to 'vendor/hal_audio_default.te',
by (1) creating a new type; (2) associating the type with the
'hal_automotive_socket_exemption' attribute.

Bug: 150400684
Test: tested with the following rules in 'vendor/hal_audio_default.te'
Test: type harmon_amplifier, domain;
Test: typeattribute hal_audio_default hal_automotive_socket_exemption;
Test: allow hal_audio_default harmon_amplifier:tcp_socket connect;
Test: m -j should compile sepolicy without complaints
Change-Id: I517b050d0582d08f94f35ba815a030121385f319
diff --git a/public/hal_audio.te b/public/hal_audio.te
index d54b2b2..5958f2c 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -30,10 +30,6 @@
# Should never execute any executable without a domain transition
neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
-# Should never need network access.
-# Disallow network sockets.
-neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
-
# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
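Review bot: The three deleted lines in this hunk (the two comments and `neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;`) were the only place in public/hal_audio.te that said the audio HAL must not have network sockets, and nothing is left in their place to say where that restriction now lives. Please replace them with a short comment pointing to public/hal_neverallows.te and naming hal_automotive_socket_exemption as the only sanctioned way out, so a reader of this file does not conclude that sockets are simply permitted for hal_audio_server. Since the commit message calls the rule a duplicate, it would also help to confirm in the description that the rule in hal_neverallows.te covers all three classes removed here (tcp_socket, udp_socket, rawip_socket) for every hal_audio_server domain that lacks the exemption attribute. The Test: lines only show that policy compiles once the exemption is granted; adding the negative case (the same allow rule without the typeattribute line must still fail the neverallow check) would show that non-automotive builds lose no coverage.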