restrict app access to socket ioctls

Create a macro of unprivileged ioctls including
- All common socket ioctls except MAC address
- All wireless extensions ioctls except get/set ESSID
- Some commonly used tty ioctls

Bug: 21657002
Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
This commit is contained in:
Jeff Vander Stoep 2015-06-05 15:28:55 -07:00 committed by Jeffrey Vander Stoep
parent 20d0ad0ed8
commit de9b5301a1
4 changed files with 17 additions and 11 deletions


@ -36,6 +36,7 @@ sepolicy_build_files := security_classes \
policy_capabilities \ policy_capabilities \
te_macros \ te_macros \
attributes \ attributes \
ioctl_macros \
*.te \ *.te \
roles \ roles \
users \ users \

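--- a/ioctl_macros
+++ b/ioctl_macros
@@ -0,0 +1,11 @@
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
+0x8900-0x8926 0x8928-0x89ff
+# all wireless extensions ioctls except get/set essid
+# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
+0x8B00-0x8B09 0x8B1C-0x8BFF
+# commonly used TTY ioctls
+0x5411 0x5451
+}')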
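Review bot: The wireless-extensions range on the line after the essid comment also leaves out 0x8B0A-0x8B19, so it does not match the comment "all wireless extensions ioctls except get/set essid" or the commit message, and the untrusted_app rule removed in the untrusted_app.te hunk allowed the whole 0x8b00-0x8bff range, so those commands are silently withdrawn from apps. Either widen the line to `0x8B00-0x8B19 0x8B1C-0x8BFF` or say in the comment which commands in 0x8B0A-0x8B19 are deliberately withheld and why. The name on the comment line should read `SIOCSIWESSID`; `IOCSIWESSID` is not the uapi name. The rationale the removed untrusted_app.te comments carried is worth keeping next to the range, e.g. `# 0x8B00 SIOCSIWCOMMIT is used by chrome to determine if wifi is present`, since this macro is now the only place a reader can find why the range starts at 0x8B00.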


@ -20,6 +20,9 @@ allow isolated_app display_service:service_manager find;
service_manager_local_audit_domain(isolated_app) service_manager_local_audit_domain(isolated_app)
# only allow unprivileged socket ioctl commands
allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
##### #####
##### Neverallow ##### Neverallow
##### #####
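Review bot: The new allow line after `# only allow unprivileged socket ioctl commands` restricts ioctls only on rawip_socket, tcp_socket and udp_socket; whether isolated_app holds ioctl on any other socket class is not visible in this hunk, and any such class would stay outside this restriction. The comment gives no hint of what the macro withholds, so a reader of isolated_app.te has to open ioctl_macros to learn that the MAC address and essid ioctls are the excluded ones; `# only allow unprivileged socket ioctl commands (unpriv_sock_ioctls excludes SIOCGIFHWADDR and get/set essid)` would make that visible here. Since the hunk sits directly above the `##### Neverallow #####` header, a corresponding neverallow for the excluded commands, if the policy syntax in use supports it, would turn the exclusion into a build-time guarantee rather than something that holds only as long as no other allow rule re-grants them.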


@ -97,17 +97,8 @@ allow untrusted_app persistent_data_block_service:service_manager find;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
# limit untrusted_apps access to MAC address ioctl # only allow unprivileged socket ioctl commands
# MAC address is SIOCGIFHWADDR 0x8927 allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
# from include/uapi/linux/sockios.h
# #define SIOCGIFHWADDR 0x8927 /* Get hardware address */
# Other general 0x89** ioctls should continue to be allowed.
# 0x8B00 from wireless extensions driver and is used by chrome to
# determine if wifi is present
# from include/uapi/linux/wireless.h:
# #define SIOCSIWCOMMIT 0x8B00 /* Commit pending changes to driver */
allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x5411 0x5451 0x8900-0x8926 0x8928-0x89ff 0x8b00-0x8bff };
auditallow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x8b00-0x8bff };
# Allow GMS core to access perfprofd output, which is stored # Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all # in /data/misc/perfprofd/. GMS core will need to list all
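Review bot: The replacement allow line drops the rationale the removed comment block carried — that SIOCGIFHWADDR 0x8927 is the command being withheld and that 0x8B00 SIOCSIWCOMMIT is used by chrome to detect wifi — and the one-line comment that remains says only "unprivileged", leaving nobody reading untrusted_app.te able to tell what is excluded. Suggest `# only allow unprivileged socket ioctl commands; unpriv_sock_ioctls (ioctl_macros) excludes SIOCGIFHWADDR and get/set essid`. The auditallow on 0x8b00-0x8bff goes away with the old rule, so there is no longer an audit record when an app exercises the wireless-extensions range; the commit message does not say whether losing that signal was intended, and a sentence there would help. The hunk's trailing context lines may continue past what is shown here.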