# Privileged network capabilities (net_admin, net_raw) are reserved for the
# HAL servers that are responsible for network hardware. Every other member
# of halserverdomain must never be granted them on itself; the exempt domains
# are the Bluetooth and Wi-Fi HAL servers, the Wi-Fi supplicant and rild.
#
# neverallow is an assertion checked when the policy is compiled: an allow
# rule that hands one of these capabilities to a non-exempt HAL server makes
# the policy build fail, so the exemption list below is the complete set of
# HAL servers that can hold them.
neverallow {
  halserverdomain
  -hal_bluetooth_server
  -hal_wifi_server
  -hal_wifi_supplicant_server
  -rild
} self:capability {
  net_admin
  net_raw
};
# A HAL server should not use network sockets unless managing network
# hardware is its job. The rule covers every permission (*) on tcp_socket,
# udp_socket and rawip_socket objects labelled with any domain, so it applies
# to sockets owned by other processes as well as to sockets the HAL server
# would create itself.
#
# hal_bluetooth_server is not exempted here, although it is exempted from the
# net_admin/net_raw capability rule for HAL servers. The hal_gnss exemption
# carries a TODO, so it looks temporary; confirm against the referenced bugs
# before relying on it.
neverallow {
  halserverdomain
  -hal_gnss # TODO b/36085168 b/35757613
  -hal_wifi_server
  -hal_wifi_supplicant_server
  -rild
} domain:{
  tcp_socket
  udp_socket
  rawip_socket
} *;