PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
00a03d424f
android_system_sepolicy/public/hal_neverallows.te
Jeff Vander Stoep f9be765d66 Restrict HAL network access to HALS that manage network hardware 
Only HALs that manage networks need network capabilities and network
sockets.

Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow
      rules are compile time assertions and do not change the
      on-device policy.
Bug: 36185625

Change-Id: Id64846eac24cf72ed91ce775cecb2c75f11b78df
2017-03-13 21:35:48 -07:00

20 lines
519 B
Plaintext
Raw Blame History

# only HALs responsible for network hardware should have privileged
# network capabilities
neverallow {
halserverdomain
-hal_bluetooth_server
-hal_wifi_server
-hal_wifi_supplicant_server
-rild
} self:capability { net_admin net_raw };
# Unless a HAL's job is to manage network hardware, it should not be
# using network sockets.
neverallow {
halserverdomain
-hal_gnss # TODO b/36085168 b/35757613
-hal_wifi_server
-hal_wifi_supplicant_server
-rild
} domain:{ tcp_socket udp_socket rawip_socket } *;
Reference in New Issue View Git Blame Copy Permalink