author | Jeff Vander Stoep <jeffv@google.com> | 2016-04-26 11:29:14 -0700 |
---|---|---|
committer | Jessica Wagantall <jwagantall@cyngn.com> | 2016-07-08 16:25:13 -0700 |
commit | fb04e639d80dbfaf2f7684a2e20a3dcc98c58f3b (patch) | |
tree | 48623f02b3c030b2893f983da08852617c1a4537 | |
parent | 8797d7f10a4b70b3872976fe6117df3894f8afbd (diff) | |
Further restrict socket ioctls available to apps (stable/cm-13.0-ZNH2KB)
Restrict the ioctl commands permitted on unix_dgram_socket and unix_stream_socket
to a whitelist for all domains. Remove the ioctl permission from netlink_selinux_socket
and netlink_route_socket for netdomain.
Bug: 28171804
Bug: 27424603
Ticket: CYNGNOS-3020
Change-Id: I650639115b8179964ae690a39e4766ead0032d2e
(cherry picked from commit ce6d5e008aae91a793aaa471c20cd8d347f68faf)
(cherry picked from commit 03c73ca60976e066e2b28c7ec021f458843c0b24)
-rw-r--r-- | domain.te | 1 | ||||
-rw-r--r-- | ioctl_macros | 10 | ||||
-rw-r--r-- | isolated_app.te | 2 | ||||
-rw-r--r-- | net.te | 2 | ||||
-rw-r--r-- | te_macros | 2 | ||||
-rw-r--r-- | untrusted_app.te | 2 |
6 files changed, 15 insertions, 4 deletions
@@ -35,6 +35,7 @@ allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow domain domain:{ unix_dgram_socket unix_stream_socket } unpriv_unix_sock_ioctls;
# Inherit or receive open files from others.
allow domain init:fd use;
diff --git a/ioctl_macros b/ioctl_macros
index 6012568..e0ecbf0 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -13,3 +13,13 @@ define(`unpriv_sock_ioctls', `
# commonly used TTY ioctls
0x5411 0x5451
}')
+
+define(`TCGETS', `0x00005401')
+define(`TIOCOUTQ', `0x00005411')
+define(`TIOCGWINSZ', `0x00005413')
+define(`TIOCSWINSZ', `0x00005414')
+define(`FIONREAD', `0x0000541b')
+define(`FIOCLEX', `0x00005451')
+
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{ TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD }')
diff --git a/isolated_app.te b/isolated_app.te
index 330f0af..535e5de 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -19,7 +19,7 @@ allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
# only allow unprivileged socket ioctl commands
-allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
+allow isolated_app domain:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
#####
##### Neverallow
@@ -13,7 +13,7 @@ allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
allow netdomain port_type:udp_socket name_bind;
allow netdomain port_type:tcp_socket name_bind;
# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
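Review bot: The added `allow domain domain:{ unix_dgram_socket unix_stream_socket } unpriv_unix_sock_ioctls;` carries no comment on why its target is `domain` when the two socket rules directly above it use `self`; presumably the ioctl check is made against the label of the domain that created the socket, so a socket received over an fd from another process carries that process's label and `self` would not cover it, but that reasoning belongs next to the rule. I would put `# Whitelist of ioctl commands on unix sockets. Target is domain rather than self so that sockets received from other domains are covered too.` above it. It is also worth confirming that no other domain-wide rule still grants unrestricted ioctl on these classes; `create_socket_perms` and `create_stream_socket_perms` are used on the lines above but their expansion is not in this diff. The domain.te file header is missing from this rendering, so the hunk is identified from the diffstat.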
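Review bot: The six new defines hard-code the asm-generic ioctl encodings (TCGETS 0x5401, FIONREAD 0x541b, FIOCLEX 0x5451 and so on); architectures that ship their own ioctls.h, MIPS among them, assign different numbers to these commands, so on such a kernel this whitelist would admit the wrong commands and deny the intended ones. At minimum the assumption should be stated, e.g. `# asm-generic encodings (arm/arm64/x86); arches with their own ioctls.h, such as mips, use different numbers`. The existing `unpriv_sock_ioctls` still lists the same two commands as bare `0x5411 0x5451` right above the new names; changing that line to `TIOCOUTQ FIOCLEX` keeps the two whitelists consistent and self-describing. The `unpriv_sock_ioctls` define starts above this hunk, so I cannot see whether other raw numbers in it now have names as well.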
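Review bot: Changing the target of the isolated_app ioctl whitelist from `self` to `domain` is a widening, not a restriction, for the most tightly sandboxed app domain: isolated_app may now issue the whitelisted ioctls on any rawip/tcp/udp socket it holds regardless of which domain created it, and neither the hunk nor the commit description explains why. If the intent is sockets handed to the isolated process by another domain, a comment such as `# target is domain rather than self so that sockets passed in from other domains are covered` makes the grant deliberate, and narrowing the target to the domains that actually hand sockets to isolated processes would be tighter still. The `##### Neverallow` section that follows continues outside the hunk, so I cannot see whether a neverallow pins isolated_app's ioctl access to this whitelist.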
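Review bot: The replacement set `{ create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read }` on the netlink_route_socket rule looks like `create_socket_perms` spelled out minus `ioctl`, but a reader has to reconstruct that from global_macros, which is not in this diff. A comment, `# create_socket_perms without ioctl; netdomain only needs to read routing changes`, or a `create_socket_perms_no_ioctl` macro defined beside `create_socket_perms` (if global_macros lives in this tree), would keep the intent from being lost the next time the list is edited. The net.te file header is missing from this rendering; the hunk is attributed from the diffstat.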
@@ -202,7 +202,7 @@ allow $1 self:capability2 block_suspend;
define(`selinux_check_access', `
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket *;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
')
#####################################
diff --git a/untrusted_app.te b/untrusted_app.te
index fb76317..a17943f 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -102,7 +102,7 @@ allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
# only allow unprivileged socket ioctl commands
-allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
+allow untrusted_app domain:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all |
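Review bot: The new permission list on `allow $1 self:netlink_selinux_socket { ... }` in selinux_check_access appears to be every netlink_selinux_socket permission except `ioctl`, but the macro does not say so, and the next maintainer will have to diff the list against the access-vector definition to see that only one permission was dropped. A comment above the rule, `# every netlink_selinux_socket permission except ioctl`, records the intent in one line. Separately, the list still grants `listen accept relabelfrom relabelto name_bind` that `*` used to give; a caller that only performs access checks presumably needs little beyond create/read/write/bind/getattr, so the set could likely be cut further after checking audit logs, but I cannot confirm the minimal set from this hunk. The te_macros file header is missing from this rendering.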
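Review bot: This is the same `self` to `domain` widening of the app socket ioctl whitelist as in isolated_app.te, and the rule text is now duplicated verbatim in two files; a single rule on a shared app attribute (an `appdomain`-style attribute, if this tree has one, which I cannot see from here) would stop the two copies drifting apart. Wherever it ends up, the rule needs a comment on the target, since `# only allow unprivileged socket ioctl commands` above it describes the command set but not why sockets of every domain are now in scope; `# target is domain so that sockets received from other domains are covered` would do. The surrounding untrusted_app rules continue outside the hunk.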