author | Jeff Vander Stoep <jeffv@google.com> | 2016-01-12 18:57:10 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2016-01-12 18:57:10 +0000 |
commit | d76ccadb97b94277c65a9f1660ae763bce250132 (patch) | |
tree | b16e90e35a0383ea30d2da778fc51cdeefe02990 | |
parent | 4fc1397d973c5f3c75e6033b8d328c2781dcaa8b (diff) | |
parent | f290a2ddd08e9b27fbded7a999238b2ae4517bf5 (diff) | |
DO NOT MERGE: Further restrict access to socket ioctl commands am: 57531cacb4 am: c0ce53cc8d
am: f290a2ddd0
* commit 'f290a2ddd08e9b27fbded7a999238b2ae4517bf5':
DO NOT MERGE: Further restrict access to socket ioctl commands
-rw-r--r-- | ioctl_macros | 14 | ||||
-rw-r--r-- | shell.te | 3 |
2 files changed, 12 insertions, 5 deletions
diff --git a/ioctl_macros b/ioctl_macros
index e71e0ce..6012568 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -1,11 +1,15 @@
 # socket ioctls allowed to unprivileged apps
 define(`unpriv_sock_ioctls', `
 {
-# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
-0x8900-0x8926 0x8928-0x89ff
-# all wireless extensions ioctls except get/set essid
-# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
-0x8B00-0x8B09 0x8B1C-0x8BFF
+# all socket ioctls except:
+# 1) the Mac address SIOCGIFHWADDR 0x8927
+# 2) device private SIOCDEVPRIVATE-SIOCDEVPRIVLAST 0x89F0-0x89FF
+# 3) protocol private SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST 0x89E0-0x89EF
+0x8900-0x8926 0x8928-0x89DF
+# all wireless extensions ioctls except:
+# 1) get/set essid IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
+# 2) device private ioctls SIOCIWFIRSTPRIV-SIOCIWLASTPRIV 0x8BE0-0x8BFF
+0x8B00-0x8B09 0x8B1C-0x8BDF
 # commonly used TTY ioctls
 0x5411 0x5451
 }')
@@ -77,6 +77,9 @@ allow shell domain:process getattr;
 allow shell bootchart_data_file:dir rw_dir_perms;
 allow shell bootchart_data_file:file create_file_perms;
+# only allow unprivileged socket ioctl commands
+allow shell self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
+
 # Do not allow shell to hard link to any files.
 # In particular, if shell hard links to app data
 # files, installd will not be able to guarantee the deletion |
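Review bot: The rewritten wireless-extensions comment in `unpriv_sock_ioctls` reads as a complete list of exclusions, but the allowed ranges `0x8B00-0x8B09 0x8B1C-0x8BDF` also leave out 0x8B0A-0x8B19, which neither numbered item mentions. As far as I can tell from linux/wireless.h that gap holds, among others, the access-point address and scan ioctls, so if it is intentional it deserves its own item, e.g. `# 3) 0x8B0A-0x8B19 (includes AP address SIOCGIWAP 0x8B15 and scan results SIOCGIWSCAN 0x8B19)`. The gap itself predates this commit; only the comment is new, and an auditor comparing comment to range will otherwise assume a mistake. The same comment line still writes `IOCSIWESSID` where the kernel constant is `SIOCSIWESSID`.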
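Review bot: The added comment `# only allow unprivileged socket ioctl commands` states more than the rule below it enforces. The whitelist is attached only to `rawip_socket`, `tcp_socket` and `udp_socket` on `self`, so ioctl on any other socket class that shell may be granted elsewhere in the policy (not visible in this hunk) is not narrowed by it. I would word the comment to match, e.g. `# restrict shell's own rawip/tcp/udp sockets to unpriv_sock_ioctls; other socket classes are not covered by this rule`. Since allow rules are presumably additive for ioctl commands as well, it is worth checking the compiled policy to confirm that no macro or attribute applied to shell grants a wider command set on these three classes.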