From 89e379e9a94ddcfc5f47a299c89f9a931d73e41c Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 5 Jan 2016 07:42:16 -0800
Subject: [PATCH] shell: Reduce socket ioctl perms

Only allow shell to access the same subset of ioctl commands as
untrusted_app. This reduces the attack surface of the kernel
available to a local attacker.

Bug: 26324307
Bug: 26267358
Change-Id: Ib8ecb9546af5fb480d2622149d4e00ec50cd4cde
---
 shell.te | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/shell.te b/shell.te
index 1ae7169e5..46656c293 100644
--- a/shell.te
+++ b/shell.te
@@ -119,10 +119,12 @@ allow shell bootchart_data_file:file create_file_perms;
 # Make sure strace works for the non-privileged shell user
 allow shell self:process ptrace;
 
-
 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;
 
+# Whitelist access to socket ioctls
+allowxperm shell self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
 ###
 ### Neverallow rules
 ###
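Review bot: The new `allowxperm` on line 30 only narrows an ioctl grant that must already exist for these socket classes; the patch does not show the base `allow shell self:{ rawip_socket tcp_socket udp_socket } ioctl` rule, so whether the whitelist is actually in effect depends on a rule outside this hunk (presumably inherited through a shared net macro — verify). The comment should say so, since a reader may otherwise take the `allowxperm` line as the thing that grants ioctl access: `# Restrict the existing socket ioctl grant to the unprivileged subset (unpriv_sock_ioctls, the same set untrusted_app gets)`. The definitions of `unpriv_sock_ioctls` and `priv_sock_ioctls` are also outside this file, so it is worth naming where they live in the comment so the two hunks can be audited together.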
@@ -134,3 +136,6 @@ allow shell ion_device:chr_file rw_file_perms;
 # bugs, so we want to ensure the shell user never has this
 # capability.
 neverallow shell file_type:file link;
+
+# Do not allow privileged socket ioctl commands
+neverallowxperm shell self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
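Review bot: The `neverallowxperm` on line 41 asserts only against sockets labeled `self`, so a privileged ioctl command on a rawip/tcp/udp socket that shell obtains from, or is allowed to ioctl in, another domain would not be caught at policy compile time. Whether such a grant exists is not visible here; if none is intended, widening the target to `domain` would make the assertion match the intent stated in the commit message, `neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;`. Either way the comment should state the scope it guarantees, e.g. `# Compile-time check: shell may never issue privileged socket ioctls (priv_sock_ioctls) on its own sockets`. The neverallow section this hunk belongs to starts outside the hunk.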
-- 
GitLab