diff options
| author | Jeff Vander Stoep <jeffv@google.com> | 2015-05-05 15:43:15 -0700 |
|---|---|---|
| committer | Jeff Vander Stoep <jeffv@google.com> | 2015-05-05 16:08:54 -0700 |
| commit | 86f30cb16a8aa2ea337b1c36071bfa833f798c96 (patch) | |
| tree | 7e7e647577475fd8597aa2b00b3b5098c03bb184 /untrusted_app.te | |
| parent | 4286019c38f1e8e3e85664533679a2aede879f9b (diff) | |
| download | android_external_sepolicy-86f30cb16a8aa2ea337b1c36071bfa833f798c96.tar.gz android_external_sepolicy-86f30cb16a8aa2ea337b1c36071bfa833f798c96.tar.bz2 android_external_sepolicy-86f30cb16a8aa2ea337b1c36071bfa833f798c96.zip | |
Deny untrusted app ioctl access to MAC addr
MAC address access is no longer allowed via the java API. Deny access
from native code.
Bug: 17787238
Change-Id: Ia337317d5927349b243bbbd5c2cf393911771cdf
Diffstat (limited to 'untrusted_app.te')
| -rw-r--r-- | untrusted_app.te | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/untrusted_app.te b/untrusted_app.te index 5ad8c79..215898f 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -93,6 +93,17 @@ allow untrusted_app persistent_data_block_service:service_manager find; allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; +# limit untrusted_apps access to MAC address ioctl +# MAC address is SIOCGIFHWADDR 0x8927 +# from include/uapi/linux/sockios.h +# #define SIOCGIFHWADDR 0x8927 /* Get hardware address */ +# Other general 0x89** ioctls should continue to be allowed. +# 0x8B00 from wireless extensions driver and is used by chrome to +# determine if wifi is present +# from include/uapi/linux/wireless.h: +# #define SIOCSIWCOMMIT 0x8B00 /* Commit pending changes to driver */ +allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x8900-0x8926 0x8928-0x89ff 0x8b00 }; + ### ### neverallow rules ### |