From f9be765d66b7f784cffe26f8a8be046ba37c3e8d Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 13 Mar 2017 13:32:51 -0700
Subject: [PATCH] Restrict HAL network access to HALS that manage network
 hardware

Only HALs that manage networks need network capabilities and network
sockets.

Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow
      rules are compile time assertions and do not change the
      on-device policy.
Bug: 36185625

Change-Id: Id64846eac24cf72ed91ce775cecb2c75f11b78df
---
 public/hal_neverallows.te | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 public/hal_neverallows.te

diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
new file mode 100644
index 000000000..61b15cab2
--- /dev/null
+++ b/public/hal_neverallows.te
@@ -0,0 +1,19 @@
+# only HALs responsible for network hardware should have privileged
+# network capabilities
+neverallow {
+  halserverdomain
+  -hal_bluetooth_server
+  -hal_wifi_server
+  -hal_wifi_supplicant_server
+  -rild
+} self:capability { net_admin net_raw };
+
+# Unless a HAL's job is to manage network hardware, it should not be
+# using network sockets.
+neverallow {
+  halserverdomain
+  -hal_gnss # TODO b/36085168 b/35757613
+  -hal_wifi_server
+  -hal_wifi_supplicant_server
+  -rild
+} domain:{ tcp_socket udp_socket rawip_socket } *;
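Review bot: The socket rule exempts the attribute `hal_gnss` rather than `hal_gnss_server`, unlike every other entry in both neverallow sets, so the exemption is lifted from any HAL server domain carrying `hal_gnss` — which, if that attribute is also attached to GNSS client domains the way the other `hal_*_client`/`hal_*_server` pairs are, is broader than the GNSS HAL process alone. Unless a client-side carve-out is intended, tighten it to match the rule's stated scope: `-hal_gnss_server # TODO b/36085168 b/35757613`. The comment on that line should also state what in the GNSS HAL still needs network sockets and that the exemption is to be removed once the two bugs are fixed, since a bare bug number gives a later reviewer no basis for deciding when it can be dropped. Note too that the second rule covers only `tcp_socket`/`udp_socket`/`rawip_socket`; `packet_socket` and the netlink socket classes remain unrestricted for all HALs, which may be deliberate but is worth recording in the header comment so the gap reads as a choice rather than an omission.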
-- 
GitLab