untrusted_app: disallow bind RTM_ROUTE socket
Bug: 141455849 Change-Id: I27a8735626a5c3c8aad49e8a68de166f3a10cfde Test: CtsSelinuxTargetSdkCurrentTestCases Test: atest bionic-unit-tests-static Test: atest NetworkInterfaceTest
This commit is contained in:
parent
5f11b2e0ed
commit
b38a1d8804
@ -118,7 +118,7 @@ neverallow {
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
} domain:netlink_route_socket { nlmsg_readpriv };
} domain:netlink_route_socket { bind nlmsg_readpriv };
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
@ -18,7 +18,7 @@ allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket
allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
# See changes to the routing table.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
# to avoid app-compat breakage.
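Review bot: The comment closing this hunk still describes only the nlmsg_readpriv gating of RTM_GETLINK, while the rule above it (taking the second `allow netdomain self:netlink_route_socket` line as the new side) also drops `bind` from the permission set every netdomain member receives. A reader of this comment will not learn that bind is now granted only through the gated rule in the following hunk. Suggest extending the comment with `# bind is likewise withheld from the general rule and granted only by the gated rule below.`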
@ -27,7 +27,7 @@ allow {
-ephemeral_app
-mediaprovider
-untrusted_app_all
} self:netlink_route_socket { nlmsg_readpriv };
} self:netlink_route_socket { bind nlmsg_readpriv };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
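Review bot: The gated rule (taking the `{ bind nlmsg_readpriv }` line as the new side) excludes ephemeral_app and mediaprovider as well as untrusted_app_all, so moving `bind` into it withdraws bind from those two domains too, although the commit title and the comment in the previous hunk mention only untrusted apps. If that is intended, the rule's comment should say so, e.g. `# ephemeral_app and mediaprovider also lose bind here.`; if not, they need their own allow. The untrusted_app_25/27/29 exemptions in the neverallow of the first hunk are not mirrored by this rule, so their bind grant presumably lives in their own domain files, which are not part of this commit; naming that location in the comment would help keep the two exclusion lists in sync. The enclosing `allow {` set opens above the hunk's first line.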