| Jeff Vander Stoep | f9be765 | 2017-03-13 13:32:51 -0700 | [diff] [blame] | 1 | # only HALs responsible for network hardware should have privileged |
| 2 | # network capabilities |
| 3 | neverallow { |
| 4 | halserverdomain |
| 5 | -hal_bluetooth_server |
| Tomasz Wasilczyk | 602b303 | 2019-07-23 17:38:51 -0700 | [diff] [blame] | 6 | -hal_can_controller_server |
| Jeff Vander Stoep | f9be765 | 2017-03-13 13:32:51 -0700 | [diff] [blame] | 7 | -hal_wifi_server |
| Roshan Pius | d7b34a4 | 2017-12-22 15:03:15 -0800 | [diff] [blame] | 8 | -hal_wifi_hostapd_server |
| Jeff Vander Stoep | f9be765 | 2017-03-13 13:32:51 -0700 | [diff] [blame] | 9 | -hal_wifi_supplicant_server |
| Amit Mahajan | 3007344 | 2018-03-12 17:12:09 +0000 | [diff] [blame] | 10 | -hal_telephony_server |
| Michael Ayoubi | 0be7c67 | 2021-06-10 02:01:52 +0000 | [diff] [blame] | 11 | -hal_uwb_server |
| Benjamin Gordon | 9b2e0cb | 2017-11-09 15:51:26 -0700 | [diff] [blame] | 12 | } self:global_capability_class_set { net_admin net_raw }; |
| Jeff Vander Stoep | f9be765 | 2017-03-13 13:32:51 -0700 | [diff] [blame] | 13 | |
| Jeff Vander Stoep | d75a2c0 | 2017-06-21 12:46:21 -0700 | [diff] [blame] | 14 | # Unless a HAL's job is to communicate over the network, or control network |
| 15 | # hardware, it should not be using network sockets. |
| Pavel Maltsev | 8d7f503 | 2018-05-15 14:16:57 -0700 | [diff] [blame] | 16 | # NOTE: HALs for automotive devices have an exemption from this rule because in |
| 17 | # a car it is common to have external modules and HALs need to communicate to |
| 18 | # those modules using network. Using this exemption for non-automotive builds |
| 19 | # will result in CTS failure. |
| Jeff Vander Stoep | f9be765 | 2017-03-13 13:32:51 -0700 | [diff] [blame] | 20 | neverallow { |
| 21 | halserverdomain |
| Pavel Maltsev | 8d7f503 | 2018-05-15 14:16:57 -0700 | [diff] [blame] | 22 | -hal_automotive_socket_exemption |
| Tomasz Wasilczyk | 602b303 | 2019-07-23 17:38:51 -0700 | [diff] [blame] | 23 | -hal_can_controller_server |
| Jeff Vander Stoep | d75a2c0 | 2017-06-21 12:46:21 -0700 | [diff] [blame] | 24 | -hal_tetheroffload_server |
| Jeff Vander Stoep | f9be765 | 2017-03-13 13:32:51 -0700 | [diff] [blame] | 25 | -hal_wifi_server |
| Roshan Pius | d7b34a4 | 2017-12-22 15:03:15 -0800 | [diff] [blame] | 26 | -hal_wifi_hostapd_server |
| Jeff Vander Stoep | f9be765 | 2017-03-13 13:32:51 -0700 | [diff] [blame] | 27 | -hal_wifi_supplicant_server |
| Amit Mahajan | 3007344 | 2018-03-12 17:12:09 +0000 | [diff] [blame] | 28 | -hal_telephony_server |
| Michael Ayoubi | 0be7c67 | 2021-06-10 02:01:52 +0000 | [diff] [blame] | 29 | -hal_uwb_server |
| Yifan Hong | be04b09 | 2021-06-07 12:37:31 -0700 | [diff] [blame] | 30 | } domain:{ udp_socket rawip_socket } *; |
| 31 | |
| 32 | neverallow { |
| 33 | halserverdomain |
| 34 | -hal_automotive_socket_exemption |
| 35 | -hal_can_controller_server |
| 36 | -hal_tetheroffload_server |
| 37 | -hal_wifi_server |
| 38 | -hal_wifi_hostapd_server |
| 39 | -hal_wifi_supplicant_server |
| 40 | -hal_telephony_server |
| Michael Ayoubi | 0be7c67 | 2021-06-10 02:01:52 +0000 | [diff] [blame] | 41 | -hal_uwb_server |
| Yifan Hong | be04b09 | 2021-06-07 12:37:31 -0700 | [diff] [blame] | 42 | } { |
| 43 | domain |
| 44 | userdebug_or_eng(`-su') |
| 45 | }:tcp_socket *; |
| Jeff Vander Stoep | 84b96a6 | 2017-03-20 14:52:58 -0700 | [diff] [blame] | 46 | |
| 47 | ### |
| 48 | # HALs are defined as an attribute and so a given domain could hypothetically |
| 49 | # have multiple HALs in it (or even all of them) with the subsequent policy of |
| 50 | # the domain comprised of the union of all the HALs. |
| 51 | # |
| 52 | # This is a problem because |
| 53 | # 1) Security sensitive components should only be accessed by specific HALs. |
| 54 | # 2) hwbinder_call and the restrictions it provides cannot be reasoned about in |
| 55 | # the platform. |
| 56 | # 3) The platform cannot reason about defense in depth if there are |
| 57 | # monolithic domains etc. |
| 58 | # |
| 59 | # As an example, hal_keymaster and hal_gatekeeper can access the TEE and while |
| 60 | # its OK for them to share a process its not OK with them to share processes |
| 61 | # with other hals. |
| 62 | # |
| 63 | # The following neverallow rules, in conjuntion with CTS tests, assert that |
| 64 | # these security principles are adhered to. |
| 65 | # |
| 66 | # Do not allow a hal to exec another process without a domain transition. |
| 67 | # TODO remove exemptions. |
| 68 | neverallow { |
| 69 | halserverdomain |
| 70 | -hal_dumpstate_server |
| Amit Mahajan | 3007344 | 2018-03-12 17:12:09 +0000 | [diff] [blame] | 71 | -hal_telephony_server |
| Jeff Vander Stoep | 84b96a6 | 2017-03-20 14:52:58 -0700 | [diff] [blame] | 72 | } { file_type fs_type }:file execute_no_trans; |
| 73 | # Do not allow a process other than init to transition into a HAL domain. |
| 74 | neverallow { domain -init } halserverdomain:process transition; |
| 75 | # Only allow transitioning to a domain by running its executable. Do not |
| 76 | # allow transitioning into a HAL domain by use of seclabel in an |
| 77 | # init.*.rc script. |
| 78 | neverallow * halserverdomain:process dyntransition; |