37ee61f663
Since we are now creating an AOSP HAL for uwb. Rename Pixel specific internal UWB HAL from Android S to hal_uwb_vendor to avoid conflicts with the AOSP HAL sepolicy rules that are going to be added in Android T. Android S Architecture: |Apps | AOSP API | Vendor Service | Vendor HAL Interface | Vendor HAL Implementation | Vendor driver/firmware Android T Architecture: |Apps | AOSP API | AOSP Service | AOSP HAL Interface | Vendor HAL Implementation | Vendor driver/firmware Ignore-AOSP-First: Dependent changes in internal-only projects. Bug: 195308730 Test: Compiles Change-Id: I7bf4794232604372134ea299c8e2a6ba14a801d3 Merged-In: I7bf4794232604372134ea299c8e2a6ba14a801d3 (cherry picked from commit40465250e4
) (cherry picked from commit27ab309fad
)
85 lines
3.5 KiB
Text
85 lines
3.5 KiB
Text
# only HALs responsible for network hardware should have privileged
|
|
# network capabilities
|
|
neverallow {
|
|
halserverdomain
|
|
-hal_bluetooth_server
|
|
-hal_can_controller_server
|
|
-hal_wifi_server
|
|
-hal_wifi_hostapd_server
|
|
-hal_wifi_supplicant_server
|
|
-hal_telephony_server
|
|
-hal_uwb_vendor_server
|
|
} self:global_capability_class_set { net_admin net_raw };
|
|
|
|
# Unless a HAL's job is to communicate over the network, or control network
|
|
# hardware, it should not be using network sockets.
|
|
# NOTE: HALs for automotive devices have an exemption from this rule because in
|
|
# a car it is common to have external modules and HALs need to communicate to
|
|
# those modules using network. Using this exemption for non-automotive builds
|
|
# will result in CTS failure.
|
|
neverallow {
|
|
halserverdomain
|
|
-hal_automotive_socket_exemption
|
|
-hal_can_controller_server
|
|
-hal_tetheroffload_server
|
|
-hal_wifi_server
|
|
-hal_wifi_hostapd_server
|
|
-hal_wifi_supplicant_server
|
|
-hal_telephony_server
|
|
-hal_uwb_vendor_server
|
|
} domain:{ udp_socket rawip_socket } *;
|
|
|
|
neverallow {
|
|
halserverdomain
|
|
-hal_automotive_socket_exemption
|
|
-hal_can_controller_server
|
|
-hal_tetheroffload_server
|
|
-hal_wifi_server
|
|
-hal_wifi_hostapd_server
|
|
-hal_wifi_supplicant_server
|
|
-hal_telephony_server
|
|
} {
|
|
domain
|
|
userdebug_or_eng(`-su')
|
|
}:tcp_socket *;
|
|
|
|
# The UWB HAL is not actually a networking HAL but may need to bring up and down
|
|
# interfaces. Restrict it to only these networking operations.
|
|
neverallow hal_uwb_vendor_server self:global_capability_class_set { net_raw };
|
|
|
|
# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
|
|
# udp_socket is required to use interface ioctls.
|
|
neverallow hal_uwb_vendor_server domain:{ socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
|
|
|
|
###
|
|
# HALs are defined as an attribute and so a given domain could hypothetically
|
|
# have multiple HALs in it (or even all of them) with the subsequent policy of
|
|
# the domain comprised of the union of all the HALs.
|
|
#
|
|
# This is a problem because
|
|
# 1) Security sensitive components should only be accessed by specific HALs.
|
|
# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
|
|
# the platform.
|
|
# 3) The platform cannot reason about defense in depth if there are
|
|
# monolithic domains etc.
|
|
#
|
|
# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
|
|
# its OK for them to share a process its not OK with them to share processes
|
|
# with other hals.
|
|
#
|
|
# The following neverallow rules, in conjuntion with CTS tests, assert that
|
|
# these security principles are adhered to.
|
|
#
|
|
# Do not allow a hal to exec another process without a domain transition.
|
|
# TODO remove exemptions.
|
|
neverallow {
|
|
halserverdomain
|
|
-hal_dumpstate_server
|
|
-hal_telephony_server
|
|
} { file_type fs_type }:file execute_no_trans;
|
|
# Do not allow a process other than init to transition into a HAL domain.
|
|
neverallow { domain -init } halserverdomain:process transition;
|
|
# Only allow transitioning to a domain by running its executable. Do not
|
|
# allow transitioning into a HAL domain by use of seclabel in an
|
|
# init.*.rc script.
|
|
neverallow * halserverdomain:process dyntransition;
|