Merge "Enforce one HAL per domain." am: d32665584b
am: 35823ad03e
Change-Id: I53b1c43e6ca7c4978c082092a9015313e2c53eea
This commit is contained in:
commit
5499a78f82
1 changed files with 33 additions and 0 deletions
|
@ -17,3 +17,36 @@ neverallow {
|
|||
-hal_wifi_supplicant_server
|
||||
-rild
|
||||
} domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
||||
###
|
||||
# HALs are defined as an attribute and so a given domain could hypothetically
|
||||
# have multiple HALs in it (or even all of them) with the subsequent policy of
|
||||
# the domain comprised of the union of all the HALs.
|
||||
#
|
||||
# This is a problem because
|
||||
# 1) Security sensitive components should only be accessed by specific HALs.
|
||||
# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
|
||||
# the platform.
|
||||
# 3) The platform cannot reason about defense in depth if there are
|
||||
# monolithic domains etc.
|
||||
#
|
||||
# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
|
||||
# its OK for them to share a process its not OK with them to share processes
|
||||
# with other hals.
|
||||
#
|
||||
# The following neverallow rules, in conjuntion with CTS tests, assert that
|
||||
# these security principles are adhered to.
|
||||
#
|
||||
# Do not allow a hal to exec another process without a domain transition.
|
||||
# TODO remove exemptions.
|
||||
neverallow {
|
||||
halserverdomain
|
||||
-hal_dumpstate_server
|
||||
-rild
|
||||
} { file_type fs_type }:file execute_no_trans;
|
||||
# Do not allow a process other than init to transition into a HAL domain.
|
||||
neverallow { domain -init } halserverdomain:process transition;
|
||||
# Only allow transitioning to a domain by running its executable. Do not
|
||||
# allow transitioning into a HAL domain by use of seclabel in an
|
||||
# init.*.rc script.
|
||||
neverallow * halserverdomain:process dyntransition;
|
||||
|
|
Loading…
Reference in a new issue