Deny untrusted app ioctl access to MAC addr

MAC address access is no longer allowed via the java API. Deny access from native code. Bug: 17787238 Change-Id: Ia337317d5927349b243bbbd5c2cf393911771cdf

Deny untrusted app ioctl access to MAC addr
86f30cb1 · Jeff Vander Stoep · 4286019c · 86f30cb1
Commit 86f30cb1 authored 9 years ago by Jeff Vander Stoep
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -93,6 +93,17 @@ allow untrusted_app persistent_data_block_service:service_manager find;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+# limit untrusted_apps access to MAC address ioctl
+# MAC address is SIOCGIFHWADDR 0x8927
+# from include/uapi/linux/sockios.h
+# #define SIOCGIFHWADDR 0x8927 /* Get hardware address */
+# Other general 0x89** ioctls should continue to be allowed.
+# 0x8B00 from wireless extensions driver and is used by chrome to
+# determine if wifi is present
+# from include/uapi/linux/wireless.h:
+# #define SIOCSIWCOMMIT 0x8B00 /* Commit pending changes to driver */
+allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x8900-0x8926 0x8928-0x89ff 0x8b00 };
 ###
 ### neverallow rules
 ###