From 3a0ce49b8623299ac7458306b30bda6adda12383 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 7 Dec 2015 08:30:43 -0800
Subject: [PATCH] Migrate to upstream policy version 30

Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
---
 Android.mk | 2 +-
 ioctl_macros | 11 ++++++++++-
 isolated_app.te | 7 +++++++
 untrusted_app.te | 6 ++++++
 4 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/Android.mk b/Android.mk
index 102b2b188..91d630301 100644
--- a/Android.mk
+++ b/Android.mk
@@ -5,7 +5,7 @@ include $(CLEAR_VARS)
 # SELinux policy version.
 # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 29
+POLICYVERS ?= 30
 MLS_SENS=1
 MLS_CATS=1024
diff --git a/ioctl_macros b/ioctl_macros
index e71e0ce5a..c1af6b4cd 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -5,7 +5,16 @@ define(`unpriv_sock_ioctls', `
 0x8900-0x8926 0x8928-0x89ff
 # all wireless extensions ioctls except get/set essid
 # IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
-0x8B00-0x8B09 0x8B1C-0x8BFF
+0x8B00-0x8B19 0x8B1C-0x8BFF
 # commonly used TTY ioctls
 0x5411 0x5451
 }')
+
+# socket ioctls never allowed to unprivileged appss
+define(`priv_sock_ioctls', `
+{
+# Mac address SIOCGIFHWADDR
+0x8927
+# get/set essid IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
+0x8B1A-0x8B1B
+}')
diff --git a/isolated_app.te b/isolated_app.te
index 2cf557895..1e40a7f57 100644
--- a/isolated_app.te
+++ b/isolated_app.te
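Review bot: The changed line widens the unprivileged wireless-extensions range from 0x8B00-0x8B09 to 0x8B00-0x8B19, and the newly admitted span contains SIOCGIWAP (0x8B15), SIOCGIWAPLIST (0x8B17) and SIOCSIWSCAN/SIOCGIWSCAN (0x8B18/0x8B19), which return the associated BSSID and scan results carrying nearby BSSIDs and ESSIDs — the same identifiers the new priv_sock_ioctls set and the commit message say untrusted apps must not read. Whether that is reachable depends on the device kernel still building wireless extensions, which this diff cannot show, but the neverallowxperm on priv_sock_ioctls will not catch it because that set lists only 0x8927 and 0x8B1A-0x8B1B. I would either keep the old `0x8B00-0x8B09` range or split it as `0x8B00-0x8B14 0x8B16 0x8B1C-0x8BFF` in unpriv_sock_ioctls and add `0x8B15 0x8B17-0x8B19` to priv_sock_ioctls, and state the reason for the widening in the commit message. Two small things in the added comments: `appss` should be `apps`, and `IOCSIWESSID` (copied from the existing comment above it) should read `SIOCSIWESSID`.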
@@ -18,6 +18,9 @@ allow isolated_app app_data_file:file { read write getattr lock };
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
+# only allow unprivileged socket ioctl commands
+allowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
 # Google Breakpad (crash reporter for Chrome) relies on ptrace
 # functionality. Without the ability to ptrace, the crash reporter
 # tool is broken.
@@ -47,3 +50,7 @@ neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
 # Do not allow isolated_app access to /cache
 neverallow isolated_app cache_file:dir ~{ r_dir_perms };
 neverallow isolated_app cache_file:file ~{ read getattr };
+
+# do not allow privileged socket ioctl commands
+neverallowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
diff --git a/untrusted_app.te b/untrusted_app.te
index 8487b8206..255022b35 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -87,6 +87,9 @@ allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
 allow untrusted_app app_api_service:service_manager find;
+# only allow unprivileged socket ioctl commands
+allowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
 # Allow GMS core to access perfprofd output, which is stored
 # in /data/misc/perfprofd/. GMS core will need to list all
 # data stored in that directory to process them one by one.
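Review bot: The new allowxperm/neverallowxperm pair confines the ioctl filtering to `self:{ rawip_socket tcp_socket udp_socket }`, yet SIOCGIFHWADDR (and the wireless-extensions ioctls) are dispatched by the kernel's generic sock_ioctl path and answer on any socket fd, including unix_stream_socket, unix_dgram_socket and netlink classes; if the app domains hold a plain `ioctl` permission on those classes — this diff does not show their base rules, so confirm in domain.te/app.te — the MAC address stays readable through them and the neverallow provides no assurance. With no allowxperm rule on a class, every ioctl number is permitted by the plain `ioctl` grant, so the gap is not closed by omission. Add an allowxperm that limits those classes to the few ioctls apps legitimately use on them (FIONREAD/SIOCINQ and SIOCOUTQ, for instance) and extend the denial, `neverallowxperm isolated_app self:{ unix_stream_socket unix_dgram_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;`. The untrusted_app rules in this commit have the same shape and need the same treatment.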
@@ -148,6 +151,9 @@ neverallow untrusted_app file_type:file link;
 # Do not allow untrusted_app to access network MAC address file
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
+# do not allow privileged socket ioctl commands
+neverallowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
 # Do not allow untrusted_app access to /cache
 neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
 neverallow untrusted_app cache_file:file ~{ read getattr };
--
GitLab
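Review bot: The added neverallowxperm targets only `self`, so it asserts nothing about MAC/ESSID ioctls on sockets labeled with another domain's type — a socket passed to the app over binder or a unix socket keeps its creator's label, and a device policy that grants untrusted_app `ioctl` on such a type would pass this check unchallenged; whether any such grant exists is outside this diff. Since the point of a neverallow here is to make the guarantee hold against downstream policy, widen the target to every domain: `neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;` (`self` is covered by `domain`, so the existing case is unchanged). That pairs naturally with the sysfs_mac_address neverallow directly above it, which already closes the other MAC-address source, and it would be worth a one-line comment saying the two rules are meant to be read together.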