restrict app access to socket ioctls
Create a macro of unprivileged ioctls including - All common socket ioctls except MAC address - All wireless extensions ioctls except get/set ESSID - Some commonly used tty ioctls Bug: 21657002 Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
parent
20d0ad0ed8
commit
de9b5301a1
@ -36,6 +36,7 @@ sepolicy_build_files := security_classes \
|
||||
policy_capabilities \
|
||||
te_macros \
|
||||
attributes \
|
||||
ioctl_macros \
|
||||
*.te \
|
||||
roles \
|
||||
users \
|
||||
|
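--- /dev/null
+++ b/ioctl_macros
@@ -0,0 +1,11 @@
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
+0x8900-0x8926 0x8928-0x89ff
+# all wireless extensions ioctls except get/set essid
+# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
+0x8B00-0x8B09 0x8B1C-0x8BFF
+# commonly used TTY ioctls
+0x5411 0x5451
+}')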
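Review bot: The wireless-extensions range does not match its comment: `0x8B00-0x8B09 0x8B1C-0x8BFF` leaves out 0x8B0A through 0x8B1B, while the comment names only the two ESSID commands at 0x8B1A and 0x8B1B. If the wider gap is intended (it appears to also cover the access-point address and scan commands in wireless.h, which would be the more privacy-preserving choice), the comment should say so, e.g. `# all wireless extensions ioctls except 0x8B0A-0x8B1B (includes get/set essid)`; if it is not intended, the first range should end at `0x8B19`. The same comment spells the set command `IOCSIWESSID`, which should read `SIOCSIWESSID`. The TTY line would also be easier to audit with the two commands named beside `0x5411 0x5451` (TIOCOUTQ and FIOCLEX, if the values are read correctly from asm-generic/ioctls.h).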
@ -20,6 +20,9 @@ allow isolated_app display_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(isolated_app)
|
||||
|
||||
# only allow unprivileged socket ioctl commands
|
||||
allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
|
||||
|
||||
#####
|
||||
##### Neverallow
|
||||
#####
|
||||
|
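Review bot: The filter in `allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;` names only three socket classes, so any other socket class on which this domain holds the ioctl permission is not restricted by it; the untrusted_app rule later in this commit uses the same class list. Interface ioctls such as SIOCGIFHWADDR are not specific to these three classes, so it is worth auditing which other socket classes grant ioctl to these domains, and either applying the macro there or confirming ioctl is not granted. Those rules are outside this hunk, so this is a check to make rather than a confirmed gap. The comment above the rule could record the scope, e.g. `# ioctl filter covers rawip/tcp/udp sockets only; other socket classes need their own restriction`.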
@ -97,17 +97,8 @@ allow untrusted_app persistent_data_block_service:service_manager find;
|
||||
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
|
||||
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
|
||||
|
||||
# limit untrusted_apps access to MAC address ioctl
|
||||
# MAC address is SIOCGIFHWADDR 0x8927
|
||||
# from include/uapi/linux/sockios.h
|
||||
# #define SIOCGIFHWADDR 0x8927 /* Get hardware address */
|
||||
# Other general 0x89** ioctls should continue to be allowed.
|
||||
# 0x8B00 from wireless extensions driver and is used by chrome to
|
||||
# determine if wifi is present
|
||||
# from include/uapi/linux/wireless.h:
|
||||
# #define SIOCSIWCOMMIT 0x8B00 /* Commit pending changes to driver */
|
||||
allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x5411 0x5451 0x8900-0x8926 0x8928-0x89ff 0x8b00-0x8bff };
|
||||
auditallow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x8b00-0x8bff };
|
||||
# only allow unprivileged socket ioctl commands
|
||||
allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
|
||||
|
||||
# Allow GMS core to access perfprofd output, which is stored
|
||||
# in /data/misc/perfprofd/. GMS core will need to list all
|
||||
|
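Review bot: The rationale that sat above this rule is not carried over to the macro, so nothing visible in this commit still records why 0x8B00 must stay allowed; that rationale was the sockios.h and wireless.h references and the note that Chrome issues 0x8B00 to detect wifi. The replacement comment could point at the definition, e.g. `# only allow unprivileged socket ioctl commands (see unpriv_sock_ioctls in ioctl_macros)`, and the Chrome note could move next to the `0x8B00-0x8B09` range there. The page has lost its +/- markers, so which printed lines are removed is read from the hunk counts and the wording. With the `auditallow` on `0x8b00-0x8bff` apparently dropped and part of that range now outside the macro, it is worth confirming during testing that denials for the excluded commands appear in the audit log.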