Commit 89e379e9 authored by Jeff Vander Stoep's avatar Jeff Vander Stoep Committed by Jeffrey Vander Stoep
shell: Reduce socket ioctl perms

Only allow shell to access the same subset of ioctl commands as
untrusted_app. This reduces the attack surface of the kernel
available to a local attacker.

Bug: 26324307
Bug: 26267358
Change-Id: Ib8ecb9546af5fb480d2622149d4e00ec50cd4cde
parent e97bd887
...@@ -119,10 +119,12 @@ allow shell bootchart_data_file:file create_file_perms; ...@@ -119,10 +119,12 @@ allow shell bootchart_data_file:file create_file_perms;
# Make sure strace works for the non-privileged shell user # Make sure strace works for the non-privileged shell user
allow shell self:process ptrace; allow shell self:process ptrace;
# Allow access to ion memory allocation device. # Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms; allow shell ion_device:chr_file rw_file_perms;
# Whitelist access to socket ioctls
allowxperm shell self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
### ###
### Neverallow rules ### Neverallow rules
### ###
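Review bot: the `allowxperm` line added after the ion_device rule only narrows an ioctl permission that must already exist; it does not grant one. Nothing in this hunk shows a base `allow shell self:{ rawip_socket tcp_socket udp_socket } ioctl;` rule, so confirm shell already holds `ioctl` on these three socket classes (otherwise the whitelist is inert), and consider extending the `# Whitelist access to socket ioctls` comment to say that `unpriv_sock_ioctls` is the same set granted to untrusted_app, as the commit message claims, so the two domains stay in sync when that set is edited. Note also that only the three listed socket classes are covered; any other socket class on which shell is allowed `ioctl` keeps the full ioctl range.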
...@@ -134,3 +136,6 @@ allow shell ion_device:chr_file rw_file_perms; ...@@ -134,3 +136,6 @@ allow shell ion_device:chr_file rw_file_perms;
# bugs, so we want to ensure the shell user never has this # bugs, so we want to ensure the shell user never has this
# capability. # capability.
neverallow shell file_type:file link; neverallow shell file_type:file link;
# Do not allow privileged socket ioctl commands
neverallowxperm shell self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
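Review bot: the `neverallowxperm` on `priv_sock_ioctls` is only consistent with the `allowxperm ... unpriv_sock_ioctls` rule earlier in this file if the two ioctl sets are disjoint; if any command appears in both, the policy build fails on this neverallow, so check that the sets do not overlap before submitting. It would also help to extend the `# Do not allow privileged socket ioctl commands` comment to say this is a compile-time guard against a future change re-adding those commands, matching the wording of the `neverallow shell file_type:file link;` comment above it.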