From d75a2c0cc8a9c5ff1a6f534f01099e4d51939b09 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 21 Jun 2017 12:46:21 -0700
Subject: [PATCH] Exempt tetheroffload hal from network socket restrictions

The tetheroffload hal must be able to use network sockets as part of its job.

Bug: 62870833
Test: neverallow-only change builds.
Change-Id: I630b36340796a5ecb5db08e732b0978dd82835c7
---
 public/hal_neverallows.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index feadcdadb..036e1d2dc 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -8,10 +8,11 @@ neverallow {
 -rild
 } self:capability { net_admin net_raw };
 
-# Unless a HAL's job is to manage network hardware, it should not be
-# using network sockets.
+# Unless a HAL's job is to communicate over the network, or control network
+# hardware, it should not be using network sockets.
 neverallow {
 halserverdomain
+ -hal_tetheroffload_server
 -hal_wifi_server
 -hal_wifi_supplicant_server
 -rild
-- 
GitLab
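Review bot: The new `-hal_tetheroffload_server` entry exempts every domain carrying that attribute from this assertion, but neither the reworded comment nor the list records which exempted HAL falls under which reason, so the exception list can keep growing without a visible justification per entry. I would add a line directly above the new entry such as `# tetheroffload: uses network sockets as part of its job (Bug: 62870833)`, ideally naming the socket classes it actually needs. The closing line of this neverallow, with its target classes and permissions, lies outside the hunk, so the exemption presumably applies to all of them. Since a neverallow exemption only relaxes the build-time check and grants nothing by itself, the matching allow rules for this HAL should stay limited to the socket classes it really uses; "neverallow-only change builds" does not verify that.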