From 2dc4acf33b78284f514fe9a6c5102cc783c4309f Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 27 Sep 2013 09:44:32 -0400
Subject: [PATCH] Isolate untrusted app ptys from other domains.

Add a create_pty() macro that allows a domain to
create and use its own ptys, isolated from the ptys
of any other domain, and use that macro for untrusted_app.
This permits the use of a pty by apps without opening up access
to ptys created by any other domain on the system.

Change-Id: I5d96ce4d1b26073d828e13eb71c48d1e14ce7d6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 te_macros        | 14 ++++++++++++++
 untrusted_app.te |  2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/te_macros b/te_macros
index 931393824..9f885bf4f 100644
--- a/te_macros
+++ b/te_macros
@@ -306,6 +306,20 @@ allow $1 klog_device:chr_file { create open write unlink };
 allow $1 device:dir { write add_name remove_name };
 ')
 
+#####################################
+# create_pty(domain)
+# Allow domain to create and use a pty, isolated from any other domain ptys.
+define(`create_pty', `
+# Each domain gets a unique devpts type.
+type $1_devpts, fs_type;
+# Label the pty with the unique type when created.
+type_transition $1 devpts:chr_file $1_devpts;
+# Allow use of the pty after creation.
+allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
+# allowed to everyone via domain.te.
+')
+
 #####################################
 # Non system_app application set
 #
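Review bot: The isolation claimed by `create_pty` is only as strong as the attribute it hangs the new type on: `type $1_devpts, fs_type;` means any existing or future rule written against `fs_type` (rather than against `devpts`) also applies to the per-domain pty type, so the macro should state that assumption and, if no other domain legitimately needs the slave side, pin it with a neverallow that the policy compiler checks, e.g. `neverallow { domain -$1 } $1_devpts:chr_file { open read write };` placed inside the macro after the allow rule. The trailing comment at the end of the macro should also say that it relies on the `devpts:dir search` and `ptmx_device:chr_file rw_file_perms` rules in domain.te staying global, since removing them there would silently break every `create_pty` user. The same point applies to the `create_pty(untrusted_app)` call in the untrusted_app.te hunk, which is the only instantiation in this patch.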
diff --git a/untrusted_app.te b/untrusted_app.te
index c91543ed8..80f60da60 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -38,7 +38,7 @@ allow untrusted_app port:{ tcp_socket udp_socket } name_bind;
 
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-allow untrusted_app devpts:chr_file rw_file_perms;
+create_pty(untrusted_app)
 
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
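Review bot: The comment above the replaced rule still reads as if the app touches the shared `devpts` type, while after this change the pty an untrusted app allocates is labeled `untrusted_app_devpts` and the broad `devpts:chr_file rw_file_perms` grant is gone; a one-line update keeps the next reader from searching for the old rule, e.g. `# Each app pty is labeled untrusted_app_devpts (see create_pty in te_macros), not devpts.`. Worth noting in the same comment that the old rule's `rw_file_perms` is narrowed to `{ open getattr read write ioctl }` by the macro, so anything that relied on the remaining perms from that set would now be denied and show up in the audit log.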
-- 
GitLab