authorJeff Vander Stoep <jeffv@google.com>2016-04-26 11:29:14 -0700
committerThe Android Automerger <android-build@google.com>2016-05-27 11:30:05 -0700
commit556bb0f55324e8839d7b735a0de9bc31028e839e (patch)
treea754574a8f3a79e925cbf14673e314ba9f32f3e0
parent489e0b567f902f36e38a1b888105da043677b621 (diff)
downloadandroid_external_sepolicy-556bb0f55324e8839d7b735a0de9bc31028e839e.tar.gz
android_external_sepolicy-556bb0f55324e8839d7b735a0de9bc31028e839e.tar.bz2
android_external_sepolicy-556bb0f55324e8839d7b735a0de9bc31028e839e.zip
Further restrict socket ioctls available to apps
Restrict the ioctl commands permitted on unix_dgram_socket and unix_stream_socket to a whitelist for all domains. Remove the ioctl permission from netlink_selinux_socket (selinux_check_access macro) and from netlink_route_socket (netdomain). Bug: 28171804 Bug: 27424603 Change-Id: I650639115b8179964ae690a39e4766ead0032d2e
-rw-r--r--domain.te1
-rw-r--r--ioctl_macros10
-rw-r--r--isolated_app.te2
-rw-r--r--net.te2
-rw-r--r--te_macros2
-rw-r--r--untrusted_app.te2
6 files changed, 15 insertions, 4 deletions
diff --git a/domain.te b/domain.te
index 0f6c6da..23460c9 100644
--- a/domain.te
+++ b/domain.te
@@ -35,6 +35,7 @@ allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow domain domain:{ unix_dgram_socket unix_stream_socket } unpriv_unix_sock_ioctls;
# Inherit or receive open files from others.
allow domain init:fd use;
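Review bot: The added rule's target is `domain`, not the conventional `self`, so every domain may issue the listed ioctls on unix sockets carrying any other domain's label — presumably because a socket created in one domain can be handed to another over fd passing and the ioctl check is against the socket's label, not the caller's; that reasoning is not recorded and should be, e.g. `# Target is domain, not self: a unix socket may have been created by another domain and passed in as an fd; only the unprivileged ioctl whitelist is permitted on it.` The widening is confined to the six commands in unpriv_unix_sock_ioctls and grants nothing towards obtaining the socket in the first place, so it does not by itself expose one domain's sockets to another. Note also that the macro expands to a brace list of ioctl numbers, which is only meaningful as the operand of an `allowxperm ... ioctl` rule; the line prints here as a plain `allow`, which I take to be page rendering, but it is worth confirming since an `allow` naming `0x5411` as a permission would not compile.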
diff --git a/ioctl_macros b/ioctl_macros
index 6012568..e0ecbf0 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -13,3 +13,13 @@ define(`unpriv_sock_ioctls', `
# commonly used TTY ioctls
0x5411 0x5451
}')
+
+define(`TCGETS', `0x00005401')
+define(`TIOCOUTQ', `0x00005411')
+define(`TIOCGWINSZ', `0x00005413')
+define(`TIOCSWINSZ', `0x00005414')
+define(`FIONREAD', `0x0000541b')
+define(`FIOCLEX', `0x00005451')
+
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{ TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD }')
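Review bot: The new TCGETS/TIOCOUTQ/TIOCGWINSZ/TIOCSWINSZ/FIONREAD/FIOCLEX defines hard-code the asm-generic ioctl numbers, but these termios and file ioctls are architecture-specific — MIPS, for one, assigns different values to all six — so on such a target the whitelist would deny exactly the ioctls it is meant to permit. At minimum the defines should state the assumption, e.g. `# Values from asm-generic/ioctls.h (arm, arm64, x86); architectures with their own termios ioctl numbering (e.g. MIPS) use different values.`, and ideally get per-architecture definitions or a build-time check. The whitelist itself would read better with a why-comment, e.g. `# Unprivileged TTY/fd queries commonly issued on unix sockets: isatty() probing, pending-byte counts, window size and close-on-exec.`, so a later reader can judge whether a new entry belongs in the same class.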
diff --git a/isolated_app.te b/isolated_app.te
index 330f0af..535e5de 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -19,7 +19,7 @@ allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
# only allow unprivileged socket ioctl commands
-allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
+allow isolated_app domain:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
#####
##### Neverallow
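Review bot: Changing the target from `self` to `domain` lets isolated_app issue the whitelisted ioctls on tcp/udp/rawip sockets labelled with any domain, yet the comment above the rule still reads only "only allow unprivileged socket ioctl commands" and gives no reason for the foreign label; extend it, e.g. `# only allow unprivileged socket ioctl commands, on any domain's socket since the fd may have been created elsewhere and passed in`. The restriction would also be easier to audit if the Neverallow section that begins on the last line of this hunk (and continues outside it) pinned the privileged ioctls away from isolated_app, if the policy toolchain in use supports extended-permission neverallows.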
diff --git a/net.te b/net.te
index 6aa12f2..4616eb1 100644
--- a/net.te
+++ b/net.te
@@ -13,7 +13,7 @@ allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
allow netdomain port_type:udp_socket name_bind;
allow netdomain port_type:tcp_socket name_bind;
# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
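Review bot: The new rule spells out what looks like `create_socket_perms` minus `ioctl` by hand, so if create_socket_perms is ever changed in global_macros this line silently diverges from it, and the same twelve-permission list reappears in the te_macros hunk of this patch. Define the set once, e.g. `define(`create_socket_perms_no_ioctl', `{ create read getattr write setattr lock append bind connect getopt setopt shutdown }')` in global_macros, and write this line as `allow netdomain self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read };`. A short comment beside the rule, `# ioctl deliberately omitted; socket ioctls are whitelisted via ioctl_macros`, would keep the intent from being lost the next time someone "simplifies" it back to create_socket_perms.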
diff --git a/te_macros b/te_macros
index 70b1883..cae44e1 100644
--- a/te_macros
+++ b/te_macros
@@ -202,7 +202,7 @@ allow $1 self:capability2 block_suspend;
define(`selinux_check_access', `
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket *;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
')
#####################################
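Review bot: Replacing `*` with an enumerated list is the right move, but a reader of selinux_check_access cannot tell that the only permission deliberately dropped is `ioctl`; add a why-comment above the rule, e.g. `# All netlink_selinux_socket permissions except ioctl (ioctls are whitelisted per class in ioctl_macros); do not restore '*'.` Enumerating also means any permission added to the class by a future kernel is no longer granted implicitly, which is desirable but worth stating so the next person does not see it as an omission. If other macros in this file still grant `*` on socket classes they should get the same treatment, since a single remaining wildcard undoes the ioctl restriction for whichever domain uses it.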
diff --git a/untrusted_app.te b/untrusted_app.te
index fb76317..a17943f 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -102,7 +102,7 @@ allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
# only allow unprivileged socket ioctl commands
-allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
+allow untrusted_app domain:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
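Review bot: The target widens from `self` to `domain` but the comment `# only allow unprivileged socket ioctl commands` is unchanged and does not say why a socket carrying another domain's label is acceptable here — presumably because an app may operate on a socket created elsewhere and handed to it as an fd; extend it, e.g. `# only allow unprivileged socket ioctl commands; target is domain rather than self because the socket may have been created by another domain and passed in`. The rule covers rawip/tcp/udp only, which is consistent with the domain.te hunk now handling unix socket ioctls for every domain, but a pointer would spare readers a search: `# unix_{dgram,stream}_socket ioctls: see domain.te`.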