From 642b80427ec2e95eb13cf03a74d814f240813e71 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sun, 21 Sep 2014 23:35:24 -0700
Subject: [PATCH] relax neverallow rules on NETLINK_KOBJECT_UEVENT sockets

Netlink uevent sockets are used by the kernel to inform userspace
when certain events occur, for example, when new hardware is added
or removed. This allows userspace to take some action based on those
messages.

Relax the neverallow rule for NETLINK_KOBJECT_UEVENT sockets.
Certain device specific app domains, such as system_app, may have a
need to receive messages from this socket type.

Continue to neverallow NETLINK_KOBJECT_UEVENT sockets for untrusted_app.
These sockets have been the source of rooting attacks in Android
in the past, and it doesn't make sense to expose this to untrusted_apps.

No new SELinux rules are introduced by this change. This is an
adjustment of compile time assertions only.

Bug: 17525863
Change-Id: I3e538dc8096dc23b9678bcd20e3c1e742c21c967
---
 app.te           | 6 +++++-
 untrusted_app.te | 3 +++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/app.te b/app.te
index e7a40d2b7..1fb53e68e 100644
--- a/app.te
+++ b/app.te
@@ -221,9 +221,13 @@ neverallow appdomain
         netlink_audit_socket
         netlink_ip6fw_socket
         netlink_dnrt_socket
-        netlink_kobject_uevent_socket
     } *;
 
+# These messages are broadcast messages from the kernel to userspace.
+# Do not allow the writing of netlink messages, which has been a source
+# of rooting vulns in the past.
+neverallow appdomain self:netlink_kobject_uevent_socket { write append };
+
 # Sockets under /dev/socket that are not specifically typed.
 neverallow appdomain socket_device:sock_file write;
 
diff --git a/untrusted_app.te b/untrusted_app.te
index ea20e5627..7e67ea8c1 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -81,6 +81,9 @@ auditallow untrusted_app {
 ### neverallow rules
 ###
 
+# Receive or send uevent messages.
+neverallow untrusted_app self:netlink_kobject_uevent_socket *;
+
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
 neverallow untrusted_app debugfs:file read;
-- 
GitLab