Blame - public/hal_neverallows.te - android_system_sepolicy

blob: 0f05d8ad3fa7415590347e2e60fd16c62edcfb98 [file] [log] [blame]

Jeff Vander Stoep	f9be765	2017-03-13 13:32:51 -0700	[diff] [blame]	1	# only HALs responsible for network hardware should have privileged
				2	# network capabilities
				3	neverallow {
				4	halserverdomain
				5	-hal_bluetooth_server
				6	-hal_wifi_server
Roshan Pius	d7b34a4	2017-12-22 15:03:15 -0800	[diff] [blame]	7	-hal_wifi_hostapd_server
Jeff Vander Stoep	f9be765	2017-03-13 13:32:51 -0700	[diff] [blame]	8	-hal_wifi_supplicant_server
Amit Mahajan	3007344	2018-03-12 17:12:09 +0000	[diff] [blame]	9	-hal_telephony_server
Benjamin Gordon	9b2e0cb	2017-11-09 15:51:26 -0700	[diff] [blame]	10	} self:global_capability_class_set { net_admin net_raw };
Jeff Vander Stoep	f9be765	2017-03-13 13:32:51 -0700	[diff] [blame]	11
Jeff Vander Stoep	d75a2c0	2017-06-21 12:46:21 -0700	[diff] [blame]	12	# Unless a HAL's job is to communicate over the network, or control network
				13	# hardware, it should not be using network sockets.
Pavel Maltsev	8d7f503	2018-05-15 14:16:57 -0700	[diff] [blame]	14	# NOTE: HALs for automotive devices have an exemption from this rule because in
				15	# a car it is common to have external modules and HALs need to communicate to
				16	# those modules using network. Using this exemption for non-automotive builds
				17	# will result in CTS failure.
Jeff Vander Stoep	f9be765	2017-03-13 13:32:51 -0700	[diff] [blame]	18	neverallow {
				19	halserverdomain
Pavel Maltsev	8d7f503	2018-05-15 14:16:57 -0700	[diff] [blame]	20	-hal_automotive_socket_exemption
Jeff Vander Stoep	d75a2c0	2017-06-21 12:46:21 -0700	[diff] [blame]	21	-hal_tetheroffload_server
Jeff Vander Stoep	f9be765	2017-03-13 13:32:51 -0700	[diff] [blame]	22	-hal_wifi_server
Roshan Pius	d7b34a4	2017-12-22 15:03:15 -0800	[diff] [blame]	23	-hal_wifi_hostapd_server
Jeff Vander Stoep	f9be765	2017-03-13 13:32:51 -0700	[diff] [blame]	24	-hal_wifi_supplicant_server
Amit Mahajan	3007344	2018-03-12 17:12:09 +0000	[diff] [blame]	25	-hal_telephony_server
Jeff Vander Stoep	f9be765	2017-03-13 13:32:51 -0700	[diff] [blame]	26	} domain:{ tcp_socket udp_socket rawip_socket } *;
Jeff Vander Stoep	84b96a6	2017-03-20 14:52:58 -0700	[diff] [blame]	27
				28	###
				29	# HALs are defined as an attribute and so a given domain could hypothetically
				30	# have multiple HALs in it (or even all of them) with the subsequent policy of
				31	# the domain comprised of the union of all the HALs.
				32	#
				33	# This is a problem because
				34	# 1) Security sensitive components should only be accessed by specific HALs.
				35	# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
				36	# the platform.
				37	# 3) The platform cannot reason about defense in depth if there are
				38	# monolithic domains etc.
				39	#
				40	# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
				41	# its OK for them to share a process its not OK with them to share processes
				42	# with other hals.
				43	#
				44	# The following neverallow rules, in conjuntion with CTS tests, assert that
				45	# these security principles are adhered to.
				46	#
				47	# Do not allow a hal to exec another process without a domain transition.
				48	# TODO remove exemptions.
				49	neverallow {
				50	halserverdomain
				51	-hal_dumpstate_server
Amit Mahajan	3007344	2018-03-12 17:12:09 +0000	[diff] [blame]	52	-hal_telephony_server
Jeff Vander Stoep	84b96a6	2017-03-20 14:52:58 -0700	[diff] [blame]	53	} { file_type fs_type }:file execute_no_trans;
				54	# Do not allow a process other than init to transition into a HAL domain.
				55	neverallow { domain -init } halserverdomain:process transition;
				56	# Only allow transitioning to a domain by running its executable. Do not
				57	# allow transitioning into a HAL domain by use of seclabel in an
				58	# init.*.rc script.
				59	neverallow * halserverdomain:process dyntransition;