1# only HALs responsible for network hardware should have privileged 2# network capabilities 3neverallow { 4 halserverdomain 5 -hal_bluetooth_server 6 -hal_can_controller_server 7 -hal_wifi_server 8 -hal_wifi_hostapd_server 9 -hal_wifi_supplicant_server 10 -hal_telephony_server 11 -hal_uwb_server 12 # TODO(b/196225233): Remove hal_uwb_vendor_server 13 -hal_uwb_vendor_server 14 -hal_nlinterceptor_server 15} self:global_capability_class_set { net_admin net_raw }; 16 17# Unless a HAL's job is to communicate over the network, or control network 18# hardware, it should not be using network sockets. 19# NOTE: HALs for automotive devices have an exemption from this rule because in 20# a car it is common to have external modules and HALs need to communicate to 21# those modules using network. Using this exemption for non-automotive builds 22# will result in CTS failure. 23neverallow { 24 halserverdomain 25 -hal_automotive_socket_exemption 26 -hal_can_controller_server 27 -hal_tetheroffload_server 28 -hal_wifi_server 29 -hal_wifi_hostapd_server 30 -hal_wifi_supplicant_server 31 -hal_telephony_server 32 -hal_uwb_server 33 # TODO(b/196225233): Remove hal_uwb_vendor_server 34 -hal_uwb_vendor_server 35 -hal_nlinterceptor_server 36 -hal_bluetooth_server 37} domain:{ udp_socket rawip_socket } *; 38 39neverallow { 40 halserverdomain 41 -hal_automotive_socket_exemption 42 -hal_can_controller_server 43 -hal_tetheroffload_server 44 -hal_wifi_server 45 -hal_wifi_hostapd_server 46 -hal_wifi_supplicant_server 47 -hal_telephony_server 48 -hal_nlinterceptor_server 49 -hal_bluetooth_server 50} { 51 domain 52 userdebug_or_eng(`-su') 53}:tcp_socket *; 54 55# The UWB HAL is not actually a networking HAL but may need to bring up and down 56# interfaces. Restrict it to only these networking operations. 57neverallow hal_uwb_vendor_server self:global_capability_class_set { net_raw }; 58 59# Subset of socket_class_set likely to be usable for communication or accessible through net_admin. 60# udp_socket is required to use interface ioctls. 61neverallow hal_uwb_vendor_server domain:{ socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *; 62 63### 64# HALs are defined as an attribute and so a given domain could hypothetically 65# have multiple HALs in it (or even all of them) with the subsequent policy of 66# the domain comprised of the union of all the HALs. 67# 68# This is a problem because 69# 1) Security sensitive components should only be accessed by specific HALs. 70# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in 71# the platform. 72# 3) The platform cannot reason about defense in depth if there are 73# monolithic domains etc. 74# 75# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while 76# its OK for them to share a process its not OK with them to share processes 77# with other hals. 78# 79# The following neverallow rules, in conjuntion with CTS tests, assert that 80# these security principles are adhered to. 81# 82# Do not allow a hal to exec another process without a domain transition. 83# TODO remove exemptions. 84neverallow { 85 halserverdomain 86 -hal_dumpstate_server 87 -hal_telephony_server 88} { 89 file_type 90 fs_type 91 # May invoke shell commands via /system/bin/sh 92 -shell_exec 93 -toolbox_exec 94}:file execute_no_trans; 95# Do not allow a process other than init to transition into a HAL domain. 96neverallow { domain -init } halserverdomain:process transition; 97# Only allow transitioning to a domain by running its executable. Do not 98# allow transitioning into a HAL domain by use of seclabel in an 99# init.*.rc script. 100neverallow * halserverdomain:process dyntransition; 101