diff options
author | Jeff Vander Stoep <jeffv@google.com> | 2016-04-26 11:29:14 -0700 |
---|---|---|
committer | The Android Automerger <android-build@google.com> | 2016-05-27 11:30:05 -0700 |
commit | 556bb0f55324e8839d7b735a0de9bc31028e839e (patch) | |
tree | a754574a8f3a79e925cbf14673e314ba9f32f3e0 | |
parent | 489e0b567f902f36e38a1b888105da043677b621 (diff) | |
download | android_external_sepolicy-556bb0f55324e8839d7b735a0de9bc31028e839e.tar.gz android_external_sepolicy-556bb0f55324e8839d7b735a0de9bc31028e839e.tar.bz2 android_external_sepolicy-556bb0f55324e8839d7b735a0de9bc31028e839e.zip |
Further restrict socket ioctls available to apps
Restrict unix_dgram_socket and unix_stream_socket to a whitelist
for all domains. Remove ioctl permission for netlink_selinux_socket and
netlink_route_socket for netdomain.
Bug: 28171804
Bug: 27424603
Change-Id: I650639115b8179964ae690a39e4766ead0032d2e
-rw-r--r-- | domain.te | 1 | ||||
-rw-r--r-- | ioctl_macros | 10 | ||||
-rw-r--r-- | isolated_app.te | 2 | ||||
-rw-r--r-- | net.te | 2 | ||||
-rw-r--r-- | te_macros | 2 | ||||
-rw-r--r-- | untrusted_app.te | 2 |
6 files changed, 15 insertions, 4 deletions
@@ -35,6 +35,7 @@ allow domain self:lnk_file r_file_perms; allow domain self:{ fifo_file file } rw_file_perms; allow domain self:unix_dgram_socket { create_socket_perms sendto }; allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; +allow domain domain:{ unix_dgram_socket unix_stream_socket } unpriv_unix_sock_ioctls; # Inherit or receive open files from others. allow domain init:fd use; diff --git a/ioctl_macros b/ioctl_macros index 6012568..e0ecbf0 100644 --- a/ioctl_macros +++ b/ioctl_macros @@ -13,3 +13,13 @@ define(`unpriv_sock_ioctls', ` # commonly used TTY ioctls 0x5411 0x5451 }') + +define(`TCGETS', `0x00005401') +define(`TIOCOUTQ', `0x00005411') +define(`TIOCGWINSZ', `0x00005413') +define(`TIOCSWINSZ', `0x00005414') +define(`FIONREAD', `0x0000541b') +define(`FIOCLEX', `0x00005451') + +# commonly used ioctls on unix sockets +define(`unpriv_unix_sock_ioctls', `{ TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD }') diff --git a/isolated_app.te b/isolated_app.te index 330f0af..535e5de 100644 --- a/isolated_app.te +++ b/isolated_app.te @@ -19,7 +19,7 @@ allow isolated_app activity_service:service_manager find; allow isolated_app display_service:service_manager find; # only allow unprivileged socket ioctl commands -allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls; +allow isolated_app domain:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls; ##### ##### Neverallow @@ -13,7 +13,7 @@ allow netdomain node_type:{ tcp_socket udp_socket } node_bind; allow netdomain port_type:udp_socket name_bind; allow netdomain port_type:tcp_socket name_bind; # See changes to the routing table. -allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read }; +allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read }; # Talks to netd via dnsproxyd socket. unix_socket_connect(netdomain, dnsproxyd, netd) @@ -202,7 +202,7 @@ allow $1 self:capability2 block_suspend; define(`selinux_check_access', ` allow $1 selinuxfs:file rw_file_perms; allow $1 kernel:security compute_av; -allow $1 self:netlink_selinux_socket *; +allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind }; ') ##################################### diff --git a/untrusted_app.te b/untrusted_app.te index fb76317..a17943f 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -102,7 +102,7 @@ allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; # only allow unprivileged socket ioctl commands -allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls; +allow untrusted_app domain:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls; # Allow GMS core to access perfprofd output, which is stored # in /data/misc/perfprofd/. GMS core will need to list all |