Allow binder services to r/w su:tcp_socket Test: binderHostDeviceTest Bug: 182914638 Change-Id: I1c8d3b2194bc20bd2bcde566190aa5c73d7e7db9

commit: be04b091bbfcdddcac39b474631c77ed47a1a4aa [log] [tgz]
author: Yifan Hong <elsk@google.com> Mon Jun 07 12:37:31 2021 -0700
committer: Yifan Hong <elsk@google.com> Tue Jun 08 10:39:02 2021 -0700
tree: f2b28f41cfe7a8df57ab15268b724d9c73a3e975
parent: c4efcbdc069bbdba3171ab482ac936c1fed7d11e [diff] [blame]
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 4117878..0214e2a 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te

@@ -25,7 +25,21 @@
   -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
   -hal_telephony_server
-} domain:{ tcp_socket udp_socket rawip_socket } *;
+} domain:{ udp_socket rawip_socket } *;
+
+neverallow {
+  halserverdomain
+  -hal_automotive_socket_exemption
+  -hal_can_controller_server
+  -hal_tetheroffload_server
+  -hal_wifi_server
+  -hal_wifi_hostapd_server
+  -hal_wifi_supplicant_server
+  -hal_telephony_server
+} {
+  domain
+  userdebug_or_eng(`-su')
+}:tcp_socket *;
 
 ###
 # HALs are defined as an attribute and so a given domain could hypothetically
commit	be04b091bbfcdddcac39b474631c77ed47a1a4aa	[log] [tgz]
author	Yifan Hong <elsk@google.com>	Mon Jun 07 12:37:31 2021 -0700
committer	Yifan Hong <elsk@google.com>	Tue Jun 08 10:39:02 2021 -0700
tree	f2b28f41cfe7a8df57ab15268b724d9c73a3e975
parent	c4efcbdc069bbdba3171ab482ac936c1fed7d11e [diff] [blame]