| # only HALs responsible for network hardware should have privileged |
| # network capabilities |
| neverallow { |
| halserverdomain |
| -hal_bluetooth_server |
| -hal_can_controller_server |
| -hal_wifi_server |
| -hal_wifi_hostapd_server |
| -hal_wifi_supplicant_server |
| -hal_telephony_server |
| -hal_uwb_server |
| } self:global_capability_class_set { net_admin net_raw }; |
| |
| # Unless a HAL's job is to communicate over the network, or control network |
| # hardware, it should not be using network sockets. |
| # NOTE: HALs for automotive devices have an exemption from this rule because in |
| # a car it is common to have external modules and HALs need to communicate to |
| # those modules using network. Using this exemption for non-automotive builds |
| # will result in CTS failure. |
| neverallow { |
| halserverdomain |
| -hal_automotive_socket_exemption |
| -hal_can_controller_server |
| -hal_tetheroffload_server |
| -hal_wifi_server |
| -hal_wifi_hostapd_server |
| -hal_wifi_supplicant_server |
| -hal_telephony_server |
| -hal_uwb_server |
| } domain:{ tcp_socket udp_socket rawip_socket } *; |
| |
| # The UWB HAL is not actually a networking HAL but may need to bring up and down |
| # interfaces. Restrict it to only these networking operations. |
| neverallow hal_uwb_server self:global_capability_class_set { net_raw }; |
| |
| # Subset of socket_class_set likely to be usable for communication or accessible through net_admin. |
| # udp_socket is required to use interface ioctls. |
| neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *; |
| |
| ### |
| # HALs are defined as an attribute and so a given domain could hypothetically |
| # have multiple HALs in it (or even all of them) with the subsequent policy of |
| # the domain comprised of the union of all the HALs. |
| # |
| # This is a problem because |
| # 1) Security sensitive components should only be accessed by specific HALs. |
| # 2) hwbinder_call and the restrictions it provides cannot be reasoned about in |
| # the platform. |
| # 3) The platform cannot reason about defense in depth if there are |
| # monolithic domains etc. |
| # |
| # As an example, hal_keymaster and hal_gatekeeper can access the TEE and while |
| # its OK for them to share a process its not OK with them to share processes |
| # with other hals. |
| # |
| # The following neverallow rules, in conjuntion with CTS tests, assert that |
| # these security principles are adhered to. |
| # |
| # Do not allow a hal to exec another process without a domain transition. |
| # TODO remove exemptions. |
| neverallow { |
| halserverdomain |
| -hal_dumpstate_server |
| -hal_telephony_server |
| } { file_type fs_type }:file execute_no_trans; |
| # Do not allow a process other than init to transition into a HAL domain. |
| neverallow { domain -init } halserverdomain:process transition; |
| # Only allow transitioning to a domain by running its executable. Do not |
| # allow transitioning into a HAL domain by use of seclabel in an |
| # init.*.rc script. |
| neverallow * halserverdomain:process dyntransition; |