restrict app access to socket ioctls
Create a macro of unprivileged ioctls including
- All common socket ioctls except MAC address
- All wireless extensions ioctls except get/set ESSID
- Some commonly used tty ioctls

Bug: 21657002
Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
parent
20d0ad0ed8
commit
de9b5301a1
@ -36,6 +36,7 @@ sepolicy_build_files := security_classes \
|
|||||||
policy_capabilities \
|
policy_capabilities \
|
||||||
te_macros \
|
te_macros \
|
||||||
attributes \
|
attributes \
|
||||||
|
ioctl_macros \
|
||||||
*.te \
|
*.te \
|
||||||
roles \
|
roles \
|
||||||
users \
|
users \
|
||||||
|
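--- /dev/null
+++ b/ioctl_macros
@@ -0,0 +1,11 @@
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
+0x8900-0x8926 0x8928-0x89ff
+# all wireless extensions ioctls except get/set essid
+# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
+0x8B00-0x8B09 0x8B1C-0x8BFF
+# commonly used TTY ioctls
+0x5411 0x5451
+}')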
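Review bot: The wireless-extensions range `0x8B00-0x8B09 0x8B1C-0x8BFF` leaves out 0x8B0A-0x8B1B, eighteen commands, while the two comment lines above it name only the ESSID pair 0x8B1A/0x8B1B as excluded. The policy as written is the stricter of the two readings, so nothing is over-granted, but apps that use 0x8B0A-0x8B19 will be denied with no hint in the file that this is intended. If the wider exclusion is deliberate, the comment should say so, for example `# all wireless extensions ioctls except 0x8B0A-0x8B1B (includes get/set ESSID)`; if it is not, confirm the intended lower bound before changing the range. The second comment line also spells the first constant `IOCSIWESSID`; the name in wireless.h is `SIOCSIWESSID`.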
@ -20,6 +20,9 @@ allow isolated_app display_service:service_manager find;
|
|||||||
|
|
||||||
service_manager_local_audit_domain(isolated_app)
|
service_manager_local_audit_domain(isolated_app)
|
||||||
|
|
||||||
|
# only allow unprivileged socket ioctl commands
|
||||||
|
allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
|
||||||
|
|
||||||
#####
|
#####
|
||||||
##### Neverallow
|
##### Neverallow
|
||||||
#####
|
#####
|
||||||
|
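Review bot: The class set `{ rawip_socket tcp_socket udp_socket }` in the new isolated_app rule matches the untrusted_app rule elsewhere in this commit, and nothing in the hunk shows that isolated_app needs ioctl on all three socket classes. isolated_app is meant to be a tightly confined domain, so the rule is worth trimming to the classes it can actually create; if it holds no rawip_socket permissions (not visible here), `allow isolated_app self:{ tcp_socket udp_socket } unpriv_sock_ioctls;` would be enough. The comment above the rule could also say that the command list comes from `ioctl_macros`, so a reader of this file knows where the MAC-address and ESSID exclusions are defined.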
@ -97,17 +97,8 @@ allow untrusted_app persistent_data_block_service:service_manager find;
|
|||||||
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
|
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
|
||||||
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
|
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
|
||||||
|
|
||||||
# limit untrusted_apps access to MAC address ioctl
|
# only allow unprivileged socket ioctl commands
|
||||||
# MAC address is SIOCGIFHWADDR 0x8927
|
allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
|
||||||
# from include/uapi/linux/sockios.h
|
|
||||||
# #define SIOCGIFHWADDR 0x8927 /* Get hardware address */
|
|
||||||
# Other general 0x89** ioctls should continue to be allowed.
|
|
||||||
# 0x8B00 from wireless extensions driver and is used by chrome to
|
|
||||||
# determine if wifi is present
|
|
||||||
# from include/uapi/linux/wireless.h:
|
|
||||||
# #define SIOCSIWCOMMIT 0x8B00 /* Commit pending changes to driver */
|
|
||||||
allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x5411 0x5451 0x8900-0x8926 0x8928-0x89ff 0x8b00-0x8bff };
|
|
||||||
auditallow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x8b00-0x8bff };
|
|
||||||
|
|
||||||
# Allow GMS core to access perfprofd output, which is stored
|
# Allow GMS core to access perfprofd output, which is stored
|
||||||
# in /data/misc/perfprofd/. GMS core will need to list all
|
# in /data/misc/perfprofd/. GMS core will need to list all
|
||||||
|
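Review bot: The replacement rule drops the `auditallow` that used to log wireless-extension ioctls from untrusted_app, so the commands that remain allowed (0x8B00-0x8B09 and 0x8B1C-0x8BFF via `unpriv_sock_ioctls`) no longer show up in the audit log. That log is presumably the evidence for deciding whether the range can be narrowed further. If it is still wanted, keep an audit rule scoped to what is still granted: `auditallow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x8B00-0x8B09 0x8B1C-0x8BFF };`. The removed comment block also carried the reason 0x8B00 is allowed (used by chrome to determine if wifi is present); that rationale is worth moving next to the range in `ioctl_macros`.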