f9be765d66
Only HALs that manage networks need network capabilities and network
sockets.
Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow
rules are compile time assertions and do not change the
on-device policy.
Bug: 36185625
Change-Id: Id64846eac24cf72ed91ce775cecb2c75f11b78df
19 lines
519 B
Text
19 lines
519 B
Text
# only HALs responsible for network hardware should have privileged
|
|
# network capabilities
|
|
neverallow {
|
|
halserverdomain
|
|
-hal_bluetooth_server
|
|
-hal_wifi_server
|
|
-hal_wifi_supplicant_server
|
|
-rild
|
|
} self:capability { net_admin net_raw };
|
|
|
|
# Unless a HAL's job is to manage network hardware, it should not be
|
|
# using network sockets.
|
|
neverallow {
|
|
halserverdomain
|
|
-hal_gnss # TODO b/36085168 b/35757613
|
|
-hal_wifi_server
|
|
-hal_wifi_supplicant_server
|
|
-rild
|
|
} domain:{ tcp_socket udp_socket rawip_socket } *;
|