From 0fd910ecfd2101f24ca87b88bcf1bebee494c698 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 6 Jan 2016 11:32:07 -0800
Subject: [PATCH] audio/mediaserver: Restrict to unprivileged socket ioctls

Neverallow access to privileged commands.

Change-Id: I443be5bbcd8cdf55e23c2c4d8fee93c4ebf30e55
---
 audioserver.te | 6 ++++++
 mediaserver.te | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/audioserver.te b/audioserver.te
index 28da2939b..61cb382a8 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -110,6 +110,9 @@ allow audioserver drmserver:drmservice {
     pread
 };
 
+# only allow unprivileged socket ioctl commands
+allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
 ###
 ### neverallow rules
 ###
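Review bot: The comment above the added `allowxperm` line does not say what the rule depends on or how far it reaches. An `allowxperm` only narrows ioctl commands where a plain `allow ... ioctl` rule already grants the permission for the same source, target and class, and no such rule is visible in this hunk, so it presumably comes from elsewhere in audioserver.te or from a macro it uses. The filter also covers only `rawip_socket`, `tcp_socket` and `udp_socket` on `self`, so ioctl on any other socket class is left as it was. I would expand the comment to something like `# Filter ioctl on our own IP sockets to unpriv_sock_ioctls; relies on the base ioctl grant made elsewhere for this domain. Other socket classes are not filtered here.` The matching hunk in mediaserver.te would take the same comment.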
@@ -117,3 +120,6 @@ allow audioserver drmserver:drmservice {
 # audioserver should never execute any executable without a
 # domain transition
 neverallow audioserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm audioserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
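Review bot: The `neverallowxperm` targets `domain` while the `allowxperm` added earlier in this file targets only `self`, and the comment does not explain the difference. The wider target means the build-time assertion also covers sockets of these classes labelled with any other domain (for example an inherited or passed descriptor), which is the stronger guarantee and worth stating. Suggested comment: `# Build-time assertion: no privileged ioctl on any domain's IP sockets, not just our own (covers inherited or passed sockets).` The definitions of `priv_sock_ioctls` and `unpriv_sock_ioctls` are outside this patch, so it cannot be confirmed from here whether the two sets together account for every socket ioctl command. The last hunk in mediaserver.te adds the same rule and would take the same comment.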
diff --git a/mediaserver.te b/mediaserver.te
index c23cda1de..cdc90d17b 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -110,6 +110,9 @@ allow mediaserver drmserver:drmservice {
     pread
 };
 
+# only allow unprivileged socket ioctl commands
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
 ###
 ### neverallow rules
 ###
@@ -117,3 +120,6 @@ allow mediaserver drmserver:drmservice {
 # mediaserver should never execute any executable without a
 # domain transition
 neverallow mediaserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-- 
GitLab