1# only HALs responsible for network hardware should have privileged 2# network capabilities 3neverallow { 4 halserverdomain 5 -hal_bluetooth_server 6 -hal_can_controller_server 7 -hal_wifi_server 8 -hal_wifi_hostapd_server 9 -hal_wifi_supplicant_server 10 -hal_telephony_server 11 -hal_uwb_server 12 # TODO(b/196225233): Remove hal_uwb_vendor_server 13 -hal_uwb_vendor_server 14 -hal_nlinterceptor_server 15} self:global_capability_class_set { net_admin net_raw }; 16 17# Unless a HAL's job is to communicate over the network, or control network 18# hardware, it should not be using network sockets. 19# NOTE: HALs for automotive devices have an exemption from this rule because in 20# a car it is common to have external modules and HALs need to communicate to 21# those modules using network. Using this exemption for non-automotive builds 22# will result in CTS failure. 23neverallow { 24 halserverdomain 25 -hal_automotive_socket_exemption 26 -hal_can_controller_server 27 -hal_tetheroffload_server 28 -hal_wifi_server 29 -hal_wifi_hostapd_server 30 -hal_wifi_supplicant_server 31 -hal_telephony_server 32 -hal_uwb_server 33 # TODO(b/196225233): Remove hal_uwb_vendor_server 34 -hal_uwb_vendor_server 35 -hal_nlinterceptor_server 36} domain:{ udp_socket rawip_socket } *; 37 38neverallow { 39 halserverdomain 40 -hal_automotive_socket_exemption 41 -hal_can_controller_server 42 -hal_tetheroffload_server 43 -hal_wifi_server 44 -hal_wifi_hostapd_server 45 -hal_wifi_supplicant_server 46 -hal_telephony_server 47 -hal_nlinterceptor_server 48} { 49 domain 50 userdebug_or_eng(`-su') 51}:tcp_socket *; 52 53# The UWB HAL is not actually a networking HAL but may need to bring up and down 54# interfaces. Restrict it to only these networking operations. 55neverallow hal_uwb_vendor_server self:global_capability_class_set { net_raw }; 56 57# Subset of socket_class_set likely to be usable for communication or accessible through net_admin. 58# udp_socket is required to use interface ioctls. 59neverallow hal_uwb_vendor_server domain:{ socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *; 60 61### 62# HALs are defined as an attribute and so a given domain could hypothetically 63# have multiple HALs in it (or even all of them) with the subsequent policy of 64# the domain comprised of the union of all the HALs. 65# 66# This is a problem because 67# 1) Security sensitive components should only be accessed by specific HALs. 68# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in 69# the platform. 70# 3) The platform cannot reason about defense in depth if there are 71# monolithic domains etc. 72# 73# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while 74# its OK for them to share a process its not OK with them to share processes 75# with other hals. 76# 77# The following neverallow rules, in conjuntion with CTS tests, assert that 78# these security principles are adhered to. 79# 80# Do not allow a hal to exec another process without a domain transition. 81# TODO remove exemptions. 82neverallow { 83 halserverdomain 84 -hal_dumpstate_server 85 -hal_telephony_server 86} { 87 file_type 88 fs_type 89 # May invoke shell commands via /system/bin/sh 90 -shell_exec 91 -toolbox_exec 92}:file execute_no_trans; 93# Do not allow a process other than init to transition into a HAL domain. 94neverallow { domain -init } halserverdomain:process transition; 95# Only allow transitioning to a domain by running its executable. Do not 96# allow transitioning into a HAL domain by use of seclabel in an 97# init.*.rc script. 98neverallow * halserverdomain:process dyntransition; 99