1# only HALs responsible for network hardware should have privileged
2# network capabilities
3neverallow {
4  halserverdomain
5  -hal_bluetooth_server
6  -hal_wifi_server
7  -hal_wifi_hostapd_server
8  -hal_wifi_supplicant_server
9  -hal_telephony_server
10} self:global_capability_class_set { net_admin net_raw };
11
12# Unless a HAL's job is to communicate over the network, or control network
13# hardware, it should not be using network sockets.
14# NOTE: HALs for automotive devices have an exemption from this rule because in
15# a car it is common to have external modules and HALs need to communicate to
16# those modules using network.  Using this exemption for non-automotive builds
17# will result in CTS failure.
18neverallow {
19  halserverdomain
20  -hal_automotive_socket_exemption
21  -hal_tetheroffload_server
22  -hal_wifi_server
23  -hal_wifi_hostapd_server
24  -hal_wifi_supplicant_server
25  -hal_telephony_server
26} domain:{ tcp_socket udp_socket rawip_socket } *;
27
28###
29# HALs are defined as an attribute and so a given domain could hypothetically
30# have multiple HALs in it (or even all of them) with the subsequent policy of
31# the domain comprised of the union of all the HALs.
32#
33# This is a problem because
34# 1) Security sensitive components should only be accessed by specific HALs.
35# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
36#    the platform.
37# 3) The platform cannot reason about defense in depth if there are
38#    monolithic domains etc.
39#
40# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
41# its OK for them to share a process its not OK with them to share processes
42# with other hals.
43#
44# The following neverallow rules, in conjuntion with CTS tests, assert that
45# these security principles are adhered to.
46#
47# Do not allow a hal to exec another process without a domain transition.
48# TODO remove exemptions.
49neverallow {
50  halserverdomain
51  -hal_dumpstate_server
52  -hal_telephony_server
53} { file_type fs_type }:file execute_no_trans;
54# Do not allow a process other than init to transition into a HAL domain.
55neverallow { domain -init } halserverdomain:process transition;
56# Only allow transitioning to a domain by running its executable. Do not
57# allow transitioning into a HAL domain by use of seclabel in an
58# init.*.rc script.
59neverallow * halserverdomain:process dyntransition;
60