author: Nick Kralevich <nnk@google.com> 2016-05-05 13:37:55 -0700
committer: Jessica Wagantall <jwagantall@cyngn.com> 2016-07-07 11:08:00 -0700
commit: 7ef1cb3e6a10cbba717ad388901ea75eecb7dc80 (patch)
tree: 5e3838b7514da8307abf9311fc3e2904a6e9ae14
parent: b80ec18ba6f4716f088f831e7f2bca4f3199986b (diff)
download: android_external_sepolicy-7ef1cb3e6a10cbba717ad388901ea75eecb7dc80 (.tar.gz, .tar.bz2, .zip)
Remove generic socket access from untrusted processes
SELinux defines various classes for various socket types, including tcp_socket, udp_socket, rawip_socket, netlink_socket, etc. Socket classes not known to the SELinux kernel code get lumped into the generic "socket" class. In particular, this includes the AF_MSM_IPC socket class.

Bluetooth using apps were granted access to this generic socket class at one point in 2012. In 1601132086b054adc70e7f8f38ed24574c90bc37, a TODO was added indicating that this access was likely unnecessary. In cb835a2852997dde0be2941173f8c879ebbef157, an auditallow was added to test to see if this rule was actually used, and in master branch d0113ae0aed1a455834f26ec847b6ca8610e3b16, this rule was completely deleted.

Revoke access to the generic socket class for isolated_app, untrusted_app, and shell for older Android releases. This is conceptually a backport of d0113ae0aed1a455834f26ec847b6ca8610e3b16, but affecting fewer domains to avoid potential breakage.

Add a neverallow rule asserting that this rule isn't present for the untrusted domains. Contrary to our usual conventions, the neverallow rule is placed in bluetooth.te, to avoid merge conflicts and simplify patching.

Bug: 28612709
Bug: 25768265
Ticket: CYNGNOS-3020
Change-Id: Ibfbb67777e448784bb334163038436f3c4dc1b51
(cherry picked from commit 31c17cd4de87639f673c2073d72b87c0736e28fc)
-rw-r--r--  bluetooth.te  3
1 files changed, 2 insertions, 1 deletions
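The commit narrows the allow rule with the `{ attribute -type ... }` set syntax and then pins the result with a neverallow. The script below is an added example (not code from this commit, from AOSP or from CyanogenMod) that resolves that set syntax against an attribute map, enumerates the concrete (source, target) pairs each rule produces, and reports any pair an allow grants that a neverallow forbids, which is what the policy compiler does when it rejects a build. Which domains carry the bluetoothdomain attribute is not shown on this page, so the `ATTRIBUTES` table is a constructed assumption for illustration; the two rule strings are the hunk's new lines and the pre-patch allow line.

```python
"""Check SELinux allow rules against neverallow assertions, expanding
type sets with attribute membership and '-' exclusions the way the
patched bluetooth.te rule does. Added example, not AOSP/CyanogenMod tooling."""
import re
from itertools import product

# Constructed attribute membership for this example only. The real set of
# domains carrying bluetoothdomain is an assumption not taken from the page.
ATTRIBUTES = {
    "bluetoothdomain": {"bluetooth", "system_app",
                        "untrusted_app", "isolated_app", "shell"},
}

# The two rules as they read after the patch.
PATCHED = """
allow { bluetoothdomain -untrusted_app -isolated_app -shell } self:socket create_socket_perms;
neverallow { untrusted_app isolated_app shell } { untrusted_app isolated_app shell }:socket *;
"""

# The pre-patch allow rule combined with the new neverallow, for comparison.
UNPATCHED = """
allow bluetoothdomain self:socket create_socket_perms;
neverallow { untrusted_app isolated_app shell } { untrusted_app isolated_app shell }:socket *;
"""

RULE_RE = re.compile(
    r"^(?P<kind>allow|neverallow)\s+"
    r"(?P<src>\{[^}]*\}|\S+)\s+"
    r"(?P<tgt>\{[^}]*\}|[^\s:]+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|[^\s;]+)\s*;$"
)


def expand(type_set):
    """Resolve '{ attr -t1 }', 'attr' or 'foo' to concrete types.
    Attributes expand to their members; a '-name' token removes that
    name's expansion from the result."""
    included, excluded = set(), set()
    for tok in type_set.strip("{} ").split():
        name = tok.lstrip("-")
        members = ATTRIBUTES.get(name, {name})
        (excluded if tok.startswith("-") else included).update(members)
    return included - excluded


def parse(policy_text):
    """Yield (kind, pairs, cls, perms) per rule, where pairs is the set of
    concrete (source, target) types; a 'self' target means source == target."""
    for line in policy_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        sources = expand(m["src"])
        if m["tgt"] == "self":
            pairs = {(s, s) for s in sources}
        else:
            pairs = set(product(sources, expand(m["tgt"])))
        perms = set(m["perms"].strip("{} ").split())
        yield m["kind"], pairs, m["cls"], perms


def perms_overlap(a, b):
    """'*' in a neverallow (or allow) matches every permission."""
    return "*" in a or "*" in b or bool(a & b)


def violations(policy_text):
    """Sorted (src, tgt, cls) triples that some allow grants and some
    neverallow in the same text forbids; empty means the policy would build."""
    rules = list(parse(policy_text))
    allows = [r for r in rules if r[0] == "allow"]
    nevers = [r for r in rules if r[0] == "neverallow"]
    hits = set()
    for _, apairs, acls, aperms in allows:
        for _, npairs, ncls, nperms in nevers:
            if acls == ncls and perms_overlap(aperms, nperms):
                hits |= {(s, t, acls) for (s, t) in apairs & npairs}
    return sorted(hits)


def granted(policy_text, cls):
    """Source types to which some allow rule grants anything on `cls`."""
    return {s for kind, pairs, c, _ in parse(policy_text)
            if kind == "allow" and c == cls for s, _ in pairs}


if __name__ == "__main__":
    print("patched:  ", violations(PATCHED), sorted(granted(PATCHED, "socket")))
    print("unpatched:", violations(UNPATCHED), sorted(granted(UNPATCHED, "socket")))
```

Run stand-alone, the patched pair reports no violation and leaves only the non-excluded bluetoothdomain members with `self:socket`, while the pre-patch allow trips the neverallow on the three self pairs for untrusted_app, isolated_app and shell. The checker only understands the `allow`/`neverallow` forms used in this hunk and plain permission tokens; `create_socket_perms` is treated as an opaque token rather than expanded to the macro's members, which is enough here because the neverallow uses `*`.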
diff --git a/bluetooth.te b/bluetooth.te
index f77bd0d..8c8ecb1 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -23,7 +23,8 @@ allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms
# TODO: This should no longer be needed with bluedroid for bluetooth
# but may be getting used for other non-bluetooth sockets that has no
# specific class defined. Consider taking to specific domains.
-allow bluetoothdomain self:socket create_socket_perms;
+allow { bluetoothdomain -untrusted_app -isolated_app -shell } self:socket create_socket_perms;
+neverallow { untrusted_app isolated_app shell } { untrusted_app isolated_app shell }:socket *;
# sysfs access.
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
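Review bot: the new neverallow on the last added line carries no comment explaining why it lives in bluetooth.te, which the commit message itself calls contrary to the usual convention; a later reader of this file finds it under a TODO about bluedroid and bluetoothdomain with nothing saying it was put here to ease backporting, and may well "fix" it by moving it. Suggest a one-line comment directly above it, e.g. `# Kept in bluetooth.te rather than the domains' own files to simplify patching older branches.` Note also that the neverallow's target set is the same three domains, so it asserts only that untrusted_app, isolated_app and shell get no `socket` access to one another (self included); an allow granting one of them `socket` access to a type outside that set would not trip it. If the intent is to deny the generic socket class to these domains altogether, `neverallow { untrusted_app isolated_app shell } *:socket *;` is the stronger assertion, provided nothing else in the policy already grants such access; if only the removed self rule is meant, the comment should say so.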