| Jeff Vander Stoep | f9be765 | 2017-03-13 13:32:51 -0700 | [diff] [blame] | 1 | # only HALs responsible for network hardware should have privileged |
| 2 | # network capabilities |
| 3 | neverallow { |
| 4 | halserverdomain |
| 5 | -hal_bluetooth_server |
| 6 | -hal_wifi_server |
| 7 | -hal_wifi_supplicant_server |
| 8 | -rild |
| 9 | } self:capability { net_admin net_raw }; |
| 10 | |
| 11 | # Unless a HAL's job is to manage network hardware, it should not be |
| 12 | # using network sockets. |
| 13 | neverallow { |
| 14 | halserverdomain |
| Jeff Vander Stoep | f9be765 | 2017-03-13 13:32:51 -0700 | [diff] [blame] | 15 | -hal_wifi_server |
| 16 | -hal_wifi_supplicant_server |
| 17 | -rild |
| 18 | } domain:{ tcp_socket udp_socket rawip_socket } *; |
| Jeff Vander Stoep | 84b96a6 | 2017-03-20 14:52:58 -0700 | [diff] [blame] | 19 | |
| 20 | ### |
| 21 | # HALs are defined as an attribute and so a given domain could hypothetically |
| 22 | # have multiple HALs in it (or even all of them) with the subsequent policy of |
| 23 | # the domain comprised of the union of all the HALs. |
| 24 | # |
| 25 | # This is a problem because |
| 26 | # 1) Security sensitive components should only be accessed by specific HALs. |
| 27 | # 2) hwbinder_call and the restrictions it provides cannot be reasoned about in |
| 28 | # the platform. |
| 29 | # 3) The platform cannot reason about defense in depth if there are |
| 30 | # monolithic domains etc. |
| 31 | # |
| 32 | # As an example, hal_keymaster and hal_gatekeeper can access the TEE and while |
| 33 | # its OK for them to share a process its not OK with them to share processes |
| 34 | # with other hals. |
| 35 | # |
| 36 | # The following neverallow rules, in conjuntion with CTS tests, assert that |
| 37 | # these security principles are adhered to. |
| 38 | # |
| 39 | # Do not allow a hal to exec another process without a domain transition. |
| 40 | # TODO remove exemptions. |
| 41 | neverallow { |
| 42 | halserverdomain |
| 43 | -hal_dumpstate_server |
| 44 | -rild |
| 45 | } { file_type fs_type }:file execute_no_trans; |
| 46 | # Do not allow a process other than init to transition into a HAL domain. |
| 47 | neverallow { domain -init } halserverdomain:process transition; |
| 48 | # Only allow transitioning to a domain by running its executable. Do not |
| 49 | # allow transitioning into a HAL domain by use of seclabel in an |
| 50 | # init.*.rc script. |
| 51 | neverallow * halserverdomain:process dyntransition; |