# only HALs responsible for network hardware should have privileged # network capabilities neverallow { halserverdomain -hal_bluetooth_server -hal_can_controller_server -hal_wifi_server -hal_wifi_hostapd_server -hal_wifi_supplicant_server -hal_telephony_server -hal_uwb_server } self:global_capability_class_set { net_admin net_raw }; # Unless a HAL's job is to communicate over the network, or control network # hardware, it should not be using network sockets. # NOTE: HALs for automotive devices have an exemption from this rule because in # a car it is common to have external modules and HALs need to communicate to # those modules using network. Using this exemption for non-automotive builds # will result in CTS failure. neverallow { halserverdomain -hal_automotive_socket_exemption -hal_can_controller_server -hal_tetheroffload_server -hal_wifi_server -hal_wifi_hostapd_server -hal_wifi_supplicant_server -hal_telephony_server -hal_uwb_server } domain:{ udp_socket rawip_socket } *; neverallow { halserverdomain -hal_automotive_socket_exemption -hal_can_controller_server -hal_tetheroffload_server -hal_wifi_server -hal_wifi_hostapd_server -hal_wifi_supplicant_server -hal_telephony_server -hal_uwb_server } { domain userdebug_or_eng(`-su') }:tcp_socket *; # The UWB HAL is not actually a networking HAL but may need to bring up and down # interfaces. Restrict it to only these networking operations. neverallow hal_uwb_server self:global_capability_class_set { net_raw }; # Subset of socket_class_set likely to be usable for communication or accessible through net_admin. # udp_socket is required to use interface ioctls. neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *; ### # HALs are defined as an attribute and so a given domain could hypothetically # have multiple HALs in it (or even all of them) with the subsequent policy of # the domain comprised of the union of all the HALs. # # This is a problem because # 1) Security sensitive components should only be accessed by specific HALs. # 2) hwbinder_call and the restrictions it provides cannot be reasoned about in # the platform. # 3) The platform cannot reason about defense in depth if there are # monolithic domains etc. # # As an example, hal_keymaster and hal_gatekeeper can access the TEE and while # its OK for them to share a process its not OK with them to share processes # with other hals. # # The following neverallow rules, in conjuntion with CTS tests, assert that # these security principles are adhered to. # # Do not allow a hal to exec another process without a domain transition. # TODO remove exemptions. neverallow { halserverdomain -hal_dumpstate_server -hal_telephony_server } { file_type fs_type }:file execute_no_trans; # Do not allow a process other than init to transition into a HAL domain. neverallow { domain -init } halserverdomain:process transition; # Only allow transitioning to a domain by running its executable. Do not # allow transitioning into a HAL domain by use of seclabel in an # init.*.rc script. neverallow * halserverdomain:process dyntransition;