Merge "ioctls: move commonly used tty ioctls to macro" into nyc-dev

60185758 · Jeffrey Vander Stoep · Android (Google) Code Review · 11727c99 · 8d9eb644 · 60185758
Commit 60185758 authored 9 years ago by Jeffrey Vander Stoep Committed by Android (Google) Code Review 9 years ago
--- a/app.te
+++ b/app.te
@@ -212,7 +212,8 @@ use_keystore({ appdomain -isolated_app })
 allow appdomain console_device:chr_file { read write };

 # only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;


--- a/audioserver.te
+++ b/audioserver.te
@@ -113,7 +113,8 @@ allow audioserver drmserver:drmservice {
 };

 # only allow unprivileged socket ioctl commands
-allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

 ###
 ### neverallow rules

--- a/ioctl_macros
+++ b/ioctl_macros
@@ -8,8 +8,6 @@ SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
 SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
 SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
 SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
-# commonly used TTY ioctls
-TIOCOUTQ FIOCLEX
 }')

 # socket ioctls never allowed to unprivileged apps
@@ -41,3 +39,6 @@ SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
 # Dev private ioctl i.e. hardware specific ioctls
 SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
 }')
+
+# commonly used TTY ioctls
+define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
--- a/mediadrmserver.te
+++ b/mediadrmserver.te
@@ -49,7 +49,8 @@ allow mediadrmserver mediadrmserver_service:service_manager { add find };
 allow mediadrmserver mediaserver_service:service_manager { add find };

 # only allow unprivileged socket ioctl commands
-allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

 ###
 ### neverallow rules

--- a/mediaserver.te
+++ b/mediaserver.te
@@ -120,7 +120,8 @@ allow mediaserver drmserver:drmservice {
 };

 # only allow unprivileged socket ioctl commands
-allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

 ###
 ### neverallow rules