1*e4a36f41SAndroid Build Coastguard Worker# HwBinder IPC from client to server 2*e4a36f41SAndroid Build Coastguard Workerbinder_call(hal_configstore_client, hal_configstore_server) 3*e4a36f41SAndroid Build Coastguard Worker 4*e4a36f41SAndroid Build Coastguard Workerhal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs) 5*e4a36f41SAndroid Build Coastguard Worker 6*e4a36f41SAndroid Build Coastguard Worker# hal_configstore runs with a strict seccomp filter. Use crash_dump's 7*e4a36f41SAndroid Build Coastguard Worker# fallback path to collect crash data. 8*e4a36f41SAndroid Build Coastguard Workercrash_dump_fallback(hal_configstore_server) 9*e4a36f41SAndroid Build Coastguard Worker 10*e4a36f41SAndroid Build Coastguard Worker### 11*e4a36f41SAndroid Build Coastguard Worker### neverallow rules 12*e4a36f41SAndroid Build Coastguard Worker### 13*e4a36f41SAndroid Build Coastguard Worker 14*e4a36f41SAndroid Build Coastguard Worker# Should never execute an executable without a domain transition 15*e4a36f41SAndroid Build Coastguard Workerneverallow hal_configstore_server { file_type fs_type }:file execute_no_trans; 16*e4a36f41SAndroid Build Coastguard Worker 17*e4a36f41SAndroid Build Coastguard Worker# Should never need network access. Disallow sockets except for 18*e4a36f41SAndroid Build Coastguard Worker# for unix stream/dgram sockets used for logging/debugging. 19*e4a36f41SAndroid Build Coastguard Workerneverallow hal_configstore_server domain:{ 20*e4a36f41SAndroid Build Coastguard Worker rawip_socket tcp_socket udp_socket 21*e4a36f41SAndroid Build Coastguard Worker netlink_route_socket netlink_selinux_socket 22*e4a36f41SAndroid Build Coastguard Worker socket netlink_socket packet_socket key_socket appletalk_socket 23*e4a36f41SAndroid Build Coastguard Worker netlink_tcpdiag_socket netlink_nflog_socket 24*e4a36f41SAndroid Build Coastguard Worker netlink_xfrm_socket netlink_audit_socket 25*e4a36f41SAndroid Build Coastguard Worker netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket 26*e4a36f41SAndroid Build Coastguard Worker netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket 27*e4a36f41SAndroid Build Coastguard Worker netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket 28*e4a36f41SAndroid Build Coastguard Worker netlink_rdma_socket netlink_crypto_socket 29*e4a36f41SAndroid Build Coastguard Worker} *; 30*e4a36f41SAndroid Build Coastguard Workerneverallow hal_configstore_server { 31*e4a36f41SAndroid Build Coastguard Worker domain 32*e4a36f41SAndroid Build Coastguard Worker -hal_configstore_server 33*e4a36f41SAndroid Build Coastguard Worker -logd 34*e4a36f41SAndroid Build Coastguard Worker -prng_seeder 35*e4a36f41SAndroid Build Coastguard Worker userdebug_or_eng(`-su') 36*e4a36f41SAndroid Build Coastguard Worker -tombstoned 37*e4a36f41SAndroid Build Coastguard Worker}:{ unix_dgram_socket unix_stream_socket } *; 38*e4a36f41SAndroid Build Coastguard Worker 39*e4a36f41SAndroid Build Coastguard Worker# Should never need access to anything on /data 40*e4a36f41SAndroid Build Coastguard Workerneverallow hal_configstore_server { 41*e4a36f41SAndroid Build Coastguard Worker data_file_type 42*e4a36f41SAndroid Build Coastguard Worker -anr_data_file # for crash dump collection 43*e4a36f41SAndroid Build Coastguard Worker -tombstone_data_file # for crash dump collection 44*e4a36f41SAndroid Build Coastguard Worker with_native_coverage(`-method_trace_data_file') 45*e4a36f41SAndroid Build Coastguard Worker}:{ file fifo_file sock_file } *; 46*e4a36f41SAndroid Build Coastguard Worker 47*e4a36f41SAndroid Build Coastguard Worker# Should never need sdcard access 48*e4a36f41SAndroid Build Coastguard Workerneverallow hal_configstore_server { 49*e4a36f41SAndroid Build Coastguard Worker sdcard_type 50*e4a36f41SAndroid Build Coastguard Worker fuse sdcardfs vfat exfat fuseblk # manual expansion for completeness 51*e4a36f41SAndroid Build Coastguard Worker}:dir ~getattr; 52*e4a36f41SAndroid Build Coastguard Workerneverallow hal_configstore_server { 53*e4a36f41SAndroid Build Coastguard Worker sdcard_type 54*e4a36f41SAndroid Build Coastguard Worker fuse sdcardfs vfat exfat fuseblk # manual expansion for completeness 55*e4a36f41SAndroid Build Coastguard Worker}:file *; 56*e4a36f41SAndroid Build Coastguard Worker 57*e4a36f41SAndroid Build Coastguard Worker# Do not permit access to service_manager and vndservice_manager 58*e4a36f41SAndroid Build Coastguard Workerneverallow hal_configstore_server *:service_manager *; 59*e4a36f41SAndroid Build Coastguard Worker 60*e4a36f41SAndroid Build Coastguard Worker# No privileged capabilities 61*e4a36f41SAndroid Build Coastguard Workerneverallow hal_configstore_server self:capability_class_set *; 62*e4a36f41SAndroid Build Coastguard Worker 63*e4a36f41SAndroid Build Coastguard Worker# No ptracing other processes 64*e4a36f41SAndroid Build Coastguard Workerneverallow hal_configstore_server *:process ptrace; 65*e4a36f41SAndroid Build Coastguard Worker 66*e4a36f41SAndroid Build Coastguard Worker# no relabeling 67*e4a36f41SAndroid Build Coastguard Workerneverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto }; 68