5bca3e860d
Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.
Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913 4952 4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
01-02 19:07:16.938 5791 5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0
Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
54 lines
1.9 KiB
Text
54 lines
1.9 KiB
Text
# only HALs responsible for network hardware should have privileged
|
|
# network capabilities
|
|
neverallow {
|
|
halserverdomain
|
|
-hal_bluetooth_server
|
|
-hal_wifi_server
|
|
-hal_wifi_hostapd_server
|
|
-hal_wifi_supplicant_server
|
|
-rild
|
|
} self:global_capability_class_set { net_admin net_raw };
|
|
|
|
# Unless a HAL's job is to communicate over the network, or control network
|
|
# hardware, it should not be using network sockets.
|
|
neverallow {
|
|
halserverdomain
|
|
-hal_tetheroffload_server
|
|
-hal_wifi_server
|
|
-hal_wifi_hostapd_server
|
|
-hal_wifi_supplicant_server
|
|
-rild
|
|
} domain:{ tcp_socket udp_socket rawip_socket } *;
|
|
|
|
###
|
|
# HALs are defined as an attribute and so a given domain could hypothetically
|
|
# have multiple HALs in it (or even all of them) with the subsequent policy of
|
|
# the domain comprised of the union of all the HALs.
|
|
#
|
|
# This is a problem because
|
|
# 1) Security sensitive components should only be accessed by specific HALs.
|
|
# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
|
|
# the platform.
|
|
# 3) The platform cannot reason about defense in depth if there are
|
|
# monolithic domains etc.
|
|
#
|
|
# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
|
|
# its OK for them to share a process its not OK with them to share processes
|
|
# with other hals.
|
|
#
|
|
# The following neverallow rules, in conjuntion with CTS tests, assert that
|
|
# these security principles are adhered to.
|
|
#
|
|
# Do not allow a hal to exec another process without a domain transition.
|
|
# TODO remove exemptions.
|
|
neverallow {
|
|
halserverdomain
|
|
-hal_dumpstate_server
|
|
-rild
|
|
} { file_type fs_type }:file execute_no_trans;
|
|
# Do not allow a process other than init to transition into a HAL domain.
|
|
neverallow { domain -init } halserverdomain:process transition;
|
|
# Only allow transitioning to a domain by running its executable. Do not
|
|
# allow transitioning into a HAL domain by use of seclabel in an
|
|
# init.*.rc script.
|
|
neverallow * halserverdomain:process dyntransition;
|