1 # only HALs responsible for network hardware should have privileged 2 # network capabilities 3 neverallow { 4 halserverdomain 5 -hal_bluetooth_server 6 -hal_wifi_server 7 -hal_wifi_hostapd_server 8 -hal_wifi_supplicant_server 9 -hal_telephony_server 10 } self:global_capability_class_set { net_admin net_raw }; 11 12 # Unless a HAL's job is to communicate over the network, or control network 13 # hardware, it should not be using network sockets. 14 # NOTE: HALs for automotive devices have an exemption from this rule because in 15 # a car it is common to have external modules and HALs need to communicate to 16 # those modules using network. Using this exemption for non-automotive builds 17 # will result in CTS failure. 18 neverallow { 19 halserverdomain 20 -hal_automotive_socket_exemption 21 -hal_tetheroffload_server 22 -hal_wifi_server 23 -hal_wifi_hostapd_server 24 -hal_wifi_supplicant_server 25 -hal_telephony_server 26 } domain:{ tcp_socket udp_socket rawip_socket } *; 27 28 ### 29 # HALs are defined as an attribute and so a given domain could hypothetically 30 # have multiple HALs in it (or even all of them) with the subsequent policy of 31 # the domain comprised of the union of all the HALs. 32 # 33 # This is a problem because 34 # 1) Security sensitive components should only be accessed by specific HALs. 35 # 2) hwbinder_call and the restrictions it provides cannot be reasoned about in 36 # the platform. 37 # 3) The platform cannot reason about defense in depth if there are 38 # monolithic domains etc. 39 # 40 # As an example, hal_keymaster and hal_gatekeeper can access the TEE and while 41 # its OK for them to share a process its not OK with them to share processes 42 # with other hals. 43 # 44 # The following neverallow rules, in conjuntion with CTS tests, assert that 45 # these security principles are adhered to. 46 # 47 # Do not allow a hal to exec another process without a domain transition. 48 # TODO remove exemptions. 49 neverallow { 50 halserverdomain 51 -hal_dumpstate_server 52 -hal_telephony_server 53 } { file_type fs_type }:file execute_no_trans; 54 # Do not allow a process other than init to transition into a HAL domain. 55 neverallow { domain -init } halserverdomain:process transition; 56 # Only allow transitioning to a domain by running its executable. Do not 57 # allow transitioning into a HAL domain by use of seclabel in an 58 # init.*.rc script. 59 neverallow * halserverdomain:process dyntransition; 60