Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / c4efcbdc069bbdba3171ab482ac936c1fed7d11e / . / public / hal_neverallows.te
blob: 411787826801915561e7feb0d82f1ce30673a441 [file] [log] [blame]
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -0700[diff] [blame]1# only HALs responsible for network hardware should have privileged
2# network capabilities
3neverallow {
4 halserverdomain
5 -hal_bluetooth_server
Tomasz Wasilczyk602b3032019-07-23 17:38:51 -0700[diff] [blame]6 -hal_can_controller_server
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -0700[diff] [blame]7 -hal_wifi_server
Roshan Piusd7b34a42017-12-22 15:03:15 -0800[diff] [blame]8 -hal_wifi_hostapd_server
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -0700[diff] [blame]9 -hal_wifi_supplicant_server
Amit Mahajan30073442018-03-12 17:12:09 +0000[diff] [blame]10 -hal_telephony_server
Benjamin Gordon9b2e0cb2017-11-09 15:51:26 -0700[diff] [blame]11} self:global_capability_class_set { net_admin net_raw };
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -0700[diff] [blame]12
Jeff Vander Stoepd75a2c02017-06-21 12:46:21 -0700[diff] [blame]13# Unless a HAL's job is to communicate over the network, or control network
14# hardware, it should not be using network sockets.
Pavel Maltsev8d7f5032018-05-15 14:16:57 -0700[diff] [blame]15# NOTE: HALs for automotive devices have an exemption from this rule because in
16# a car it is common to have external modules and HALs need to communicate to
17# those modules using network. Using this exemption for non-automotive builds
18# will result in CTS failure.
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -0700[diff] [blame]19neverallow {
20 halserverdomain
Pavel Maltsev8d7f5032018-05-15 14:16:57 -0700[diff] [blame]21 -hal_automotive_socket_exemption
Tomasz Wasilczyk602b3032019-07-23 17:38:51 -0700[diff] [blame]22 -hal_can_controller_server
Jeff Vander Stoepd75a2c02017-06-21 12:46:21 -0700[diff] [blame]23 -hal_tetheroffload_server
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -0700[diff] [blame]24 -hal_wifi_server
Roshan Piusd7b34a42017-12-22 15:03:15 -0800[diff] [blame]25 -hal_wifi_hostapd_server
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -0700[diff] [blame]26 -hal_wifi_supplicant_server
Amit Mahajan30073442018-03-12 17:12:09 +0000[diff] [blame]27 -hal_telephony_server
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -0700[diff] [blame]28} domain:{ tcp_socket udp_socket rawip_socket } *;
Jeff Vander Stoep84b96a62017-03-20 14:52:58 -0700[diff] [blame]29
30###
31# HALs are defined as an attribute and so a given domain could hypothetically
32# have multiple HALs in it (or even all of them) with the subsequent policy of
33# the domain comprised of the union of all the HALs.
34#
35# This is a problem because
36# 1) Security sensitive components should only be accessed by specific HALs.
37# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
38# the platform.
39# 3) The platform cannot reason about defense in depth if there are
40# monolithic domains etc.
41#
42# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
43# its OK for them to share a process its not OK with them to share processes
44# with other hals.
45#
46# The following neverallow rules, in conjuntion with CTS tests, assert that
47# these security principles are adhered to.
48#
49# Do not allow a hal to exec another process without a domain transition.
50# TODO remove exemptions.
51neverallow {
52 halserverdomain
53 -hal_dumpstate_server
Amit Mahajan30073442018-03-12 17:12:09 +0000[diff] [blame]54 -hal_telephony_server
Jeff Vander Stoep84b96a62017-03-20 14:52:58 -0700[diff] [blame]55} { file_type fs_type }:file execute_no_trans;
56# Do not allow a process other than init to transition into a HAL domain.
57neverallow { domain -init } halserverdomain:process transition;
58# Only allow transitioning to a domain by running its executable. Do not
59# allow transitioning into a HAL domain by use of seclabel in an
60# init.*.rc script.
61neverallow * halserverdomain:process dyntransition;