Enforce one HAL per domain.

HALs are intended to be limited responsibility and thus limited permission. In order to enforce this, place limitations on: 1. What processes may transition into a HAL - currently only init 2. What methods may be used to transition into a HAL - no using seclabel 3. When HALs exec - only allow exec with a domain transition. Bug: 36376258 Test: Build aosp_marlin, aosp_bullhead, aosp_dragon. Neverallow rules are compile time assertions, so building is a sufficient test. Change-Id: If4df19ced730324cf1079f7a86ceba7c71374131

Enforce one HAL per domain.
HALs are intended to be limited responsibility and thus limited permission. In order to enforce this, place limitations on: 1. What processes may transition into a HAL - currently only init 2. What methods may be used to transition into a HAL - no using seclabel 3. When HALs exec - only allow exec with a domain transition. Bug: 36376258 Test: Build aosp_marlin, aosp_bullhead, aosp_dragon. Neverallow rules are compile time assertions, so building is a sufficient test. Change-Id: If4df19ced730324cf1079f7a86ceba7c71374131
84b96a6b · Jeff Vander Stoep · 00a03d42 · 84b96a6b
Commit 84b96a6b authored 8 years ago by Jeff Vander Stoep
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -17,3 +17,36 @@ neverallow {
  -hal_wifi_supplicant_server
  -rild
 } domain:{ tcp_socket udp_socket rawip_socket } *;
+###
+# HALs are defined as an attribute and so a given domain could hypothetically
+# have multiple HALs in it (or even all of them) with the subsequent policy of
+# the domain comprised of the union of all the HALs.
+#
+# This is a problem because
+# 1) Security sensitive components should only be accessed by specific HALs.
+# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
+#    the platform.
+# 3) The platform cannot reason about defense in depth if there are
+#    monolithic domains etc.
+#
+# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
+# its OK for them to share a process its not OK with them to share processes
+# with other hals.
+#
+# The following neverallow rules, in conjuntion with CTS tests, assert that
+# these security principles are adhered to.
+#
+# Do not allow a hal to exec another process without a domain transition.
+# TODO remove exemptions.
+neverallow {
+  halserverdomain
+  -hal_dumpstate_server
+  -rild
+} { file_type fs_type }:file execute_no_trans;
+# Do not allow a process other than init to transition into a HAL domain.
+neverallow { domain -init } halserverdomain:process transition;
+# Only allow transitioning to a domain by running its executable. Do not
+# allow transitioning into a HAL domain by use of seclabel in an
+# init.*.rc script.
+neverallow * halserverdomain:process dyntransition;