# HwBinder IPC from client to server
# Only the client-to-server direction is named here; nothing in this file
# lets the server initiate calls into its clients.
binder_call(hal_configstore_client, hal_configstore_server)

# Associate the ISurfaceFlingerConfigs hwservice type with the hal_configstore
# HAL attribute. The macro is defined outside this file.
# NOTE(review): presumably it lets clients find and the server register this
# hwservice; confirm against the macro definition.
hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)

# hal_configstore runs with a strict seccomp filter. Use crash_dump's
# fallback path to collect crash data.
# The anr_data_file / tombstone_data_file exceptions in the /data neverallow
# and the tombstoned exception in the unix socket neverallow below exist for
# the same crash collection path.
crash_dump_fallback(hal_configstore_server)
###
### neverallow rules
###
# neverallow statements grant nothing. They are build-time assertions: policy
# compilation fails if any allow rule, here or in another file, would give
# hal_configstore_server one of the listed permissions.

# Should never execute an executable without a domain transition
# Covers every file on any file_type or fs_type label, so anything this domain
# executes has to transition to another domain instead of running with
# hal_configstore_server's own permissions.
neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
# Should never need network access. Disallow sockets except for
# unix stream/dgram sockets used for logging/debugging.
# Every permission (*) is denied on each socket class named below, toward any
# domain.
# NOTE(review): this is a hand-maintained list of classes, not a class-set
# macro, so a socket class that is not named here is not covered by this
# assertion. Re-check the list against the policy's socket class definitions
# when new classes are introduced.
neverallow hal_configstore_server domain:{
  rawip_socket tcp_socket udp_socket
  netlink_route_socket netlink_selinux_socket
  socket netlink_socket packet_socket key_socket appletalk_socket
  netlink_tcpdiag_socket netlink_nflog_socket
  netlink_xfrm_socket netlink_audit_socket
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
  netlink_rdma_socket netlink_crypto_socket
} *;
# Unix dgram/stream sockets are denied toward every domain except the ones
# subtracted from the set: the server itself, logd, prng_seeder, tombstoned,
# and su (subtracted only inside userdebug_or_eng, i.e. not on user builds).
# Each subtraction widens what other policy files may allow, so a new entry
# here deserves the same scrutiny as a new allow rule.
neverallow hal_configstore_server {
  domain
  -hal_configstore_server
  -logd
  -prng_seeder
  userdebug_or_eng(`-su')
  -tombstoned
}:{ unix_dgram_socket unix_stream_socket } *;
# Should never need access to anything on /data
# All permissions are denied on file, fifo_file and sock_file objects carrying
# a data_file_type label, minus the crash dump exceptions below and, inside
# with_native_coverage only, method_trace_data_file.
# NOTE(review): dir and lnk_file are not in the class set, so this assertion
# does not by itself forbid directory or symlink access under /data.
neverallow hal_configstore_server {
  data_file_type
  -anr_data_file # for crash dump collection
  -tombstone_data_file # for crash dump collection
  with_native_coverage(`-method_trace_data_file')
}:{ file fifo_file sock_file } *;
# Should never need sdcard access
# Directories: ~getattr denies every dir permission except getattr, so a
# stat of an sdcard directory may still be allowed elsewhere, while search,
# read and write may not.
neverallow hal_configstore_server {
  sdcard_type
  fuse sdcardfs vfat exfat fuseblk # manual expansion for completeness
}:dir ~getattr;
# Files: every permission is denied, getattr included. The type list must be
# kept identical to the dir rule above.
neverallow hal_configstore_server {
  sdcard_type
  fuse sdcardfs vfat exfat fuseblk # manual expansion for completeness
}:file *;
# Do not permit access to service_manager and vndservice_manager
# The rule is written against the service_manager object class with any target
# type (*). It does not touch the hwservice_manager class, which is what the
# hal_attribute_hwservice line in this file concerns.
# NOTE(review): presumably both managers named above are mediated through the
# service_manager class; confirm against the class definitions.
neverallow hal_configstore_server *:service_manager *;

# No privileged capabilities
# Applies to the domain's own capability set (self) across every class in
# capability_class_set, a macro defined outside this file.
neverallow hal_configstore_server self:capability_class_set *;

# No ptracing other processes
# The target is *, so the ptrace permission is denied toward every process
# type.
neverallow hal_configstore_server *:process ptrace;

# no relabeling
# Denies relabelfrom and relabelto on all directory and file classes for any
# target type, so this domain cannot change the security label of a file
# object.
neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };