From d75a2c0cc8a9c5ff1a6f534f01099e4d51939b09 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 21 Jun 2017 12:46:21 -0700
Subject: [PATCH] Exempt tetheroffload hal from network socket restrictions

The tetheroffload hal must be able to use network sockets as part of
its job.

Bug: 62870833
Test: neverallow-only change builds.
Change-Id: I630b36340796a5ecb5db08e732b0978dd82835c7
---
 public/hal_neverallows.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index feadcdadb..036e1d2dc 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -8,10 +8,11 @@ neverallow {
   -rild
 } self:capability { net_admin net_raw };
 
-# Unless a HAL's job is to manage network hardware, it should not be
-# using network sockets.
+# Unless a HAL's job is to communicate over the network, or control network
+# hardware, it should not be using network sockets.
 neverallow {
   halserverdomain
+  -hal_tetheroffload_server
   -hal_wifi_server
   -hal_wifi_supplicant_server
   -rild
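Review bot: The added `-hal_tetheroffload_server` exclusion is attribute-wide, so every domain that carries that attribute drops out of this neverallow, and the reworded comment does not say which exempted entry falls under "communicate over the network" and which under "control network hardware". A short per-entry justification would help the next reviewer judge further exemptions, for example `# hal_tetheroffload_server: uses network sockets as part of tether offload (b/62870833)` directly above the new line. The rule's closing line, which lists the socket classes, is outside this hunk, so the set of classes the exemption opens up cannot be confirmed from here. Because the compile-time guard no longer covers this HAL, the allow rules granted to it are now the only limit on its socket access and should name specific socket classes and permissions. As far as the visible lines show, the `net_admin`/`net_raw` capability neverallow above is unchanged and still applies to it.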
-- 
GitLab