From 86f30cb16a8aa2ea337b1c36071bfa833f798c96 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 5 May 2015 15:43:15 -0700
Subject: [PATCH] Deny untrusted app ioctl access to MAC addr

MAC address access is no longer allowed via the java API. Deny access
from native code.

Bug: 17787238
Change-Id: Ia337317d5927349b243bbbd5c2cf393911771cdf
---
 untrusted_app.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/untrusted_app.te b/untrusted_app.te
index 5ad8c79bd..215898f63 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -93,6 +93,17 @@ allow untrusted_app persistent_data_block_service:service_manager find;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
 
+# limit untrusted_apps access to MAC address ioctl
+# MAC address is SIOCGIFHWADDR 0x8927
+# from include/uapi/linux/sockios.h
+# #define SIOCGIFHWADDR 0x8927 /* Get hardware address */
+# Other general 0x89** ioctls should continue to be allowed.
+# 0x8B00 from wireless extensions driver and is used by chrome to
+# determine if wifi is present
+# from include/uapi/linux/wireless.h:
+# #define SIOCSIWCOMMIT 0x8B00 /* Commit pending changes to driver */
+allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x8900-0x8926 0x8928-0x89ff 0x8b00 };
+
 ###
 ### neverallow rules
 ###
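Review bot: The new `allow ... { 0x8900-0x8926 0x8928-0x89ff 0x8b00 }` rule on L32 is an allowlist, so if this ioctl filtering denies every command not listed (as I understand the Android implementation does once any ioctl range is granted on a class), it also blocks generic socket ioctls outside the 0x89xx/0x8b00 ranges such as FIONREAD (0x541B), which the comment block above the rule does not mention. The comments only describe the one excluded value, 0x8927, and the wireless 0x8B00 exception; a reader will assume everything else is unaffected. I would add `# Note: ioctls outside the listed ranges (e.g. FIONREAD 0x541B) are also denied on these socket classes.` and confirm against the ioctl filter semantics whether those commonly used socket ioctls need to be added to the list. The rule is confined to rawip/tcp/udp sockets; worth stating in the commit message that other socket classes are unchanged so the scope of the hardening is explicit.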