authorJeff Vander Stoep <jeffv@google.com>2016-01-12 18:57:10 +0000
committerandroid-build-merger <android-build-merger@google.com>2016-01-12 18:57:10 +0000
commitd76ccadb97b94277c65a9f1660ae763bce250132 (patch)
treeb16e90e35a0383ea30d2da778fc51cdeefe02990
parent4fc1397d973c5f3c75e6033b8d328c2781dcaa8b (diff)
parentf290a2ddd08e9b27fbded7a999238b2ae4517bf5 (diff)
DO NOT MERGE: Further restrict access to socket ioctl commands am: 57531cacb4 am: c0ce53cc8d
am: f290a2ddd0 * commit 'f290a2ddd08e9b27fbded7a999238b2ae4517bf5': DO NOT MERGE: Further restrict access to socket ioctl commands
-rw-r--r--ioctl_macros14
-rw-r--r--shell.te3
2 files changed, 12 insertions, 5 deletions
diff --git a/ioctl_macros b/ioctl_macros
index e71e0ce..6012568 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -1,11 +1,15 @@
# socket ioctls allowed to unprivileged apps
define(`unpriv_sock_ioctls', `
{
-# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
-0x8900-0x8926 0x8928-0x89ff
-# all wireless extensions ioctls except get/set essid
-# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
-0x8B00-0x8B09 0x8B1C-0x8BFF
+# all socket ioctls except:
+# 1) the Mac address SIOCGIFHWADDR 0x8927
+# 2) device private SIOCDEVPRIVATE-SIOCDEVPRIVLAST 0x89F0-0x89FF
+# 3) protocol private SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST 0x89E0-0x89EF
+0x8900-0x8926 0x8928-0x89DF
+# all wireless extensions ioctls except:
+# 1) get/set essid IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
+# 2) device private ioctls SIOCIWFIRSTPRIV-SIOCIWLASTPRIV 0x8BE0-0x8BFF
+0x8B00-0x8B09 0x8B1C-0x8BDF
# commonly used TTY ioctls
0x5411 0x5451
}')
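Review bot: The rewritten wireless-extensions comment drops the leading S of the set-ESSID constant: `# 1) get/set essid IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B` should read `# 1) get/set essid SIOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B`, since the Linux constant is SIOCSIWESSID (the old comment had the same typo, but this commit rewrites the line). The socket-ioctl exclusion list numbers the device-private range 0x89F0-0x89FF as 2) and the protocol-private range 0x89E0-0x89EF as 3), the reverse of their numeric order; listing 0x89E0-0x89EF first makes it immediately visible that the new upper bound 0x89DF sits directly below the first excluded value. The ranges themselves agree with the comments as written: 0x8928-0x89DF ends just below 0x89E0 and 0x8B1C-0x8BDF just below 0x8BE0, so both private blocks are now excluded from unpriv_sock_ioctls.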
diff --git a/shell.te b/shell.te
index 1be9eec..4b4093d 100644
--- a/shell.te
+++ b/shell.te
@@ -77,6 +77,9 @@ allow shell domain:process getattr;
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;
+# only allow unprivileged socket ioctl commands
+allow shell self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
+
# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion