• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# only HALs responsible for network hardware should have privileged
2# network capabilities
3neverallow {
4  halserverdomain
5  -hal_bluetooth_server
6  -hal_can_controller_server
7  -hal_wifi_server
8  -hal_wifi_hostapd_server
9  -hal_wifi_supplicant_server
10  -hal_telephony_server
11  -hal_uwb_server
12  # TODO(b/196225233): Remove hal_uwb_vendor_server
13  -hal_uwb_vendor_server
14  -hal_nlinterceptor_server
15  -hal_tv_tuner_server
16} self:global_capability_class_set { net_admin net_raw };
17
18# Unless a HAL's job is to communicate over the network, or control network
19# hardware, it should not be using network sockets.
20# NOTE: HALs for automotive devices have an exemption from this rule because in
21# a car it is common to have external modules and HALs need to communicate to
22# those modules using network.  Using this exemption for non-automotive builds
23# will result in CTS failure.
24neverallow {
25  halserverdomain
26  -hal_automotive_socket_exemption
27  -hal_can_controller_server
28  -hal_tetheroffload_server
29  -hal_wifi_server
30  -hal_wifi_hostapd_server
31  -hal_wifi_supplicant_server
32  -hal_telephony_server
33  -hal_uwb_server
34  # TODO(b/196225233): Remove hal_uwb_vendor_server
35  -hal_uwb_vendor_server
36  -hal_nlinterceptor_server
37  -hal_bluetooth_server
38  -hal_tv_tuner_server
39} domain:{ udp_socket rawip_socket } *;
40
41neverallow {
42  halserverdomain
43  -hal_automotive_socket_exemption
44  -hal_can_controller_server
45  -hal_tetheroffload_server
46  -hal_wifi_server
47  -hal_wifi_hostapd_server
48  -hal_wifi_supplicant_server
49  -hal_telephony_server
50  -hal_nlinterceptor_server
51  -hal_bluetooth_server
52  -hal_tv_tuner_server
53} {
54  domain
55  userdebug_or_eng(`-su')
56}:tcp_socket *;
57
58# The UWB HAL is not actually a networking HAL but may need to bring up and down
59# interfaces. Restrict it to only these networking operations.
60neverallow hal_uwb_vendor_server self:global_capability_class_set { net_raw };
61
62# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
63# udp_socket is required to use interface ioctls.
64neverallow hal_uwb_vendor_server domain:{ socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
65
66###
67# HALs are defined as an attribute and so a given domain could hypothetically
68# have multiple HALs in it (or even all of them) with the subsequent policy of
69# the domain comprised of the union of all the HALs.
70#
71# This is a problem because
72# 1) Security sensitive components should only be accessed by specific HALs.
73# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
74#    the platform.
75# 3) The platform cannot reason about defense in depth if there are
76#    monolithic domains etc.
77#
78# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
79# its OK for them to share a process its not OK with them to share processes
80# with other hals.
81#
82# The following neverallow rules, in conjuntion with CTS tests, assert that
83# these security principles are adhered to.
84#
85# Do not allow a hal to exec another process without a domain transition.
86# TODO remove exemptions.
87neverallow {
88  halserverdomain
89  -hal_dumpstate_server
90  -hal_telephony_server
91} {
92  file_type
93  fs_type
94  # May invoke shell commands via /system/bin/sh
95  -shell_exec
96  -toolbox_exec
97}:file execute_no_trans;
98# Do not allow a process other than init to transition into a HAL domain.
99neverallow { domain -init } halserverdomain:process transition;
100# Only allow transitioning to a domain by running its executable. Do not
101# allow transitioning into a HAL domain by use of seclabel in an
102# init.*.rc script.
103neverallow * halserverdomain:process dyntransition;
104