Allow to use sockets from hal server for auto

Add an exemption to neverallow rule to use sockets from HAL servers only
for automotive build

Bug: 78901167
Test: assign this attribute to hal_vehicle_default and try to open
socket from HAL implementation
Test: verify that new CTS test will fail for non-automotive build with
this attribute buing used
Test: make cts && cts-tradefed run singleCommand cts --skip-device-info
 --skip-preconditions --abi arm64-v8a --module CtsSecurityHostTestCases
 -t android.security.cts.SELinuxHostTest

Merged-In: I27976443dad4fc5b7425c089512cac65bb54d6d9

(cherry picked from commit 4cafae77a4)

Change-Id: I58e25a0f86579073aa568379b10b6599212134c6

public/attributes

@@ -214,6 +214,12 @@ attribute halserverdomain;
 attribute halclientdomain;
 expandattribute halclientdomain true;
 
+# Exempt for halserverdomain to access sockets. Only builds for automotive
+# device types are allowed to use this attribute (enforced by CTS).
+# Unlike phone, in a car many modules are external from Android perspective and
+# HALs should be able to communicate with those devices through sockets.
+attribute hal_automotive_socket_exemption;
+
 # TODO(b/72757373): Use hal_attribute macro once expandattribute value conflicts
 # can be resolve.
 attribute hal_audio;

public/hal_neverallows.te

@@ -11,8 +11,13 @@ neverallow {
 
 # Unless a HAL's job is to communicate over the network, or control network
 # hardware, it should not be using network sockets.
+# NOTE: HALs for automotive devices have an exemption from this rule because in
+# a car it is common to have external modules and HALs need to communicate to
+# those modules using network.  Using this exemption for non-automotive builds
+# will result in CTS failure.
 neverallow {
   halserverdomain
+  -hal_automotive_socket_exemption
   -hal_tetheroffload_server
   -hal_wifi_server
   -hal_wifi_hostapd_server