blob: 356288851c2767b583ed875fcfabbe17b2cdf780 [file] [log] [blame]
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -07001# only HALs responsible for network hardware should have privileged
2# network capabilities
3neverallow {
4 halserverdomain
5 -hal_bluetooth_server
Tomasz Wasilczyk602b3032019-07-23 17:38:51 -07006 -hal_can_controller_server
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -07007 -hal_wifi_server
Roshan Piusd7b34a42017-12-22 15:03:15 -08008 -hal_wifi_hostapd_server
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -07009 -hal_wifi_supplicant_server
Amit Mahajan30073442018-03-12 17:12:09 +000010 -hal_telephony_server
Roshan Pius329b0c82021-10-27 12:41:38 -070011 -hal_uwb_server
12 # TODO(b/196225233): Remove hal_uwb_vendor_server
Roshan Pius37ee61f2021-08-24 13:59:07 -070013 -hal_uwb_vendor_server
Chris Weir4ac3d742021-10-05 16:53:52 -070014 -hal_nlinterceptor_server
Sadiq Sadaf1fb6842024-07-15 23:59:04 +000015 -hal_tv_tuner_server
Benjamin Gordon9b2e0cb2017-11-09 15:51:26 -070016} self:global_capability_class_set { net_admin net_raw };
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -070017
Jeff Vander Stoepd75a2c02017-06-21 12:46:21 -070018# Unless a HAL's job is to communicate over the network, or control network
19# hardware, it should not be using network sockets.
Pavel Maltsev8d7f5032018-05-15 14:16:57 -070020# NOTE: HALs for automotive devices have an exemption from this rule because in
21# a car it is common to have external modules and HALs need to communicate to
22# those modules using network. Using this exemption for non-automotive builds
23# will result in CTS failure.
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -070024neverallow {
25 halserverdomain
Pavel Maltsev8d7f5032018-05-15 14:16:57 -070026 -hal_automotive_socket_exemption
Tomasz Wasilczyk602b3032019-07-23 17:38:51 -070027 -hal_can_controller_server
Jeff Vander Stoepd75a2c02017-06-21 12:46:21 -070028 -hal_tetheroffload_server
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -070029 -hal_wifi_server
Roshan Piusd7b34a42017-12-22 15:03:15 -080030 -hal_wifi_hostapd_server
Jeff Vander Stoepf9be7652017-03-13 13:32:51 -070031 -hal_wifi_supplicant_server
Amit Mahajan30073442018-03-12 17:12:09 +000032 -hal_telephony_server
Roshan Pius329b0c82021-10-27 12:41:38 -070033 -hal_uwb_server
34 # TODO(b/196225233): Remove hal_uwb_vendor_server
Roshan Pius37ee61f2021-08-24 13:59:07 -070035 -hal_uwb_vendor_server
Chris Weir4ac3d742021-10-05 16:53:52 -070036 -hal_nlinterceptor_server
Yanfei Zhou3a739f92023-07-09 18:13:15 +053037 -hal_bluetooth_server
Sadiq Sadaf1fb6842024-07-15 23:59:04 +000038 -hal_tv_tuner_server
Yifan Hongbe04b092021-06-07 12:37:31 -070039} domain:{ udp_socket rawip_socket } *;
40
41neverallow {
42 halserverdomain
43 -hal_automotive_socket_exemption
44 -hal_can_controller_server
45 -hal_tetheroffload_server
46 -hal_wifi_server
47 -hal_wifi_hostapd_server
48 -hal_wifi_supplicant_server
49 -hal_telephony_server
Chris Weir4ac3d742021-10-05 16:53:52 -070050 -hal_nlinterceptor_server
Sumit Deshmukh76e21762024-01-06 11:15:44 +053051 -hal_bluetooth_server
Sadiq Sadaf1fb6842024-07-15 23:59:04 +000052 -hal_tv_tuner_server
Yifan Hongbe04b092021-06-07 12:37:31 -070053} {
54 domain
55 userdebug_or_eng(`-su')
56}:tcp_socket *;
Jeff Vander Stoep84b96a62017-03-20 14:52:58 -070057
Michael Ayoubic3af6622021-06-24 02:02:07 +000058# The UWB HAL is not actually a networking HAL but may need to bring up and down
59# interfaces. Restrict it to only these networking operations.
Roshan Pius37ee61f2021-08-24 13:59:07 -070060neverallow hal_uwb_vendor_server self:global_capability_class_set { net_raw };
Michael Ayoubic3af6622021-06-24 02:02:07 +000061
62# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
63# udp_socket is required to use interface ioctls.
Roshan Pius37ee61f2021-08-24 13:59:07 -070064neverallow hal_uwb_vendor_server domain:{ socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
Michael Ayoubic3af6622021-06-24 02:02:07 +000065
Jeff Vander Stoep84b96a62017-03-20 14:52:58 -070066###
67# HALs are defined as an attribute and so a given domain could hypothetically
68# have multiple HALs in it (or even all of them) with the subsequent policy of
69# the domain comprised of the union of all the HALs.
70#
71# This is a problem because
72# 1) Security sensitive components should only be accessed by specific HALs.
73# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
74# the platform.
75# 3) The platform cannot reason about defense in depth if there are
76# monolithic domains etc.
77#
78# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
79# its OK for them to share a process its not OK with them to share processes
80# with other hals.
81#
82# The following neverallow rules, in conjuntion with CTS tests, assert that
83# these security principles are adhered to.
84#
85# Do not allow a hal to exec another process without a domain transition.
86# TODO remove exemptions.
87neverallow {
88 halserverdomain
89 -hal_dumpstate_server
Amit Mahajan30073442018-03-12 17:12:09 +000090 -hal_telephony_server
Jooyung Han9a123be2024-02-16 11:06:40 +000091} {
92 file_type
93 fs_type
94 # May invoke shell commands via /system/bin/sh
95 -shell_exec
96 -toolbox_exec
97}:file execute_no_trans;
Jeff Vander Stoep84b96a62017-03-20 14:52:58 -070098# Do not allow a process other than init to transition into a HAL domain.
99neverallow { domain -init } halserverdomain:process transition;
100# Only allow transitioning to a domain by running its executable. Do not
101# allow transitioning into a HAL domain by use of seclabel in an
102# init.*.rc script.
103neverallow * halserverdomain:process dyntransition;