Home | History | Annotate | Download | only in public 
      1 # only HALs responsible for network hardware should have privileged
      2 # network capabilities
      3 neverallow {
      4   halserverdomain
      5   -hal_bluetooth_server
      6   -hal_wifi_server
      7   -hal_wifi_hostapd_server
      8   -hal_wifi_supplicant_server
      9   -hal_telephony_server
     10 } self:global_capability_class_set { net_admin net_raw };
     11 
     12 # Unless a HAL's job is to communicate over the network, or control network
     13 # hardware, it should not be using network sockets.
     14 # NOTE: HALs for automotive devices have an exemption from this rule because in
     15 # a car it is common to have external modules and HALs need to communicate to
     16 # those modules using network.  Using this exemption for non-automotive builds
     17 # will result in CTS failure.
     18 neverallow {
     19   halserverdomain
     20   -hal_automotive_socket_exemption
     21   -hal_tetheroffload_server
     22   -hal_wifi_server
     23   -hal_wifi_hostapd_server
     24   -hal_wifi_supplicant_server
     25   -hal_telephony_server
     26 } domain:{ tcp_socket udp_socket rawip_socket } *;
     27 
     28 ###
     29 # HALs are defined as an attribute and so a given domain could hypothetically
     30 # have multiple HALs in it (or even all of them) with the subsequent policy of
     31 # the domain comprised of the union of all the HALs.
     32 #
     33 # This is a problem because
     34 # 1) Security sensitive components should only be accessed by specific HALs.
     35 # 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
     36 #    the platform.
     37 # 3) The platform cannot reason about defense in depth if there are
     38 #    monolithic domains etc.
     39 #
     40 # As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
     41 # its OK for them to share a process its not OK with them to share processes
     42 # with other hals.
     43 #
     44 # The following neverallow rules, in conjuntion with CTS tests, assert that
     45 # these security principles are adhered to.
     46 #
     47 # Do not allow a hal to exec another process without a domain transition.
     48 # TODO remove exemptions.
     49 neverallow {
     50   halserverdomain
     51   -hal_dumpstate_server
     52   -hal_telephony_server
     53 } { file_type fs_type }:file execute_no_trans;
     54 # Do not allow a process other than init to transition into a HAL domain.
     55 neverallow { domain -init } halserverdomain:process transition;
     56 # Only allow transitioning to a domain by running its executable. Do not
     57 # allow transitioning into a HAL domain by use of seclabel in an
     58 # init.*.rc script.
     59 neverallow * halserverdomain:process dyntransition;
     60