From 8d9eb644dc8ad07b7e61fedcd41c0b77ee240566 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 22 Feb 2016 12:31:57 -0800
Subject: [PATCH] ioctls: move commonly used tty ioctls to macro

Remove from unpriv_socket_ioctls but grant each user of unpriv_socket_ioctls
use of unpriv_tty_ioctls

Bug: 26990688
Change-Id: I998e09091de5a7234ad0049758d5dad0b35722f7
---
 app.te            | 3 ++-
 audioserver.te    | 3 ++-
 ioctl_macros      | 5 +++--
 mediadrmserver.te | 3 ++-
 mediaserver.te    | 3 ++-
 5 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/app.te b/app.te
index 438e01f46..5927eb94e 100644
--- a/app.te
+++ b/app.te
@@ -212,7 +212,8 @@ use_keystore({ appdomain -isolated_app })
 allow appdomain console_device:chr_file { read write };
 
 # only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
 
diff --git a/audioserver.te b/audioserver.te
index eeed98565..f53b82445 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -113,7 +113,8 @@ allow audioserver drmserver:drmservice {
 };
 
 # only allow unprivileged socket ioctl commands
-allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
 ###
 ### neverallow rules
diff --git a/ioctl_macros b/ioctl_macros
index 73458798f..466870e8e 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -8,8 +8,6 @@ SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
 SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
 SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
 SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
-# commonly used TTY ioctls
-TIOCOUTQ FIOCLEX
 }')
 
 # socket ioctls never allowed to unprivileged apps
@@ -41,3 +39,6 @@ SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
 # Dev private ioctl i.e. hardware specific ioctls
 SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
 }')
+
+# commonly used TTY ioctls
+define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
diff --git a/mediadrmserver.te b/mediadrmserver.te
index f4b5eccea..bd2264db8 100644
--- a/mediadrmserver.te
+++ b/mediadrmserver.te
@@ -49,7 +49,8 @@ allow mediadrmserver mediadrmserver_service:service_manager { add find };
 allow mediadrmserver mediaserver_service:service_manager { add find };
 
 # only allow unprivileged socket ioctl commands
-allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
 ###
 ### neverallow rules
diff --git a/mediaserver.te b/mediaserver.te
index a30506040..7aa6ec7e0 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -120,7 +120,8 @@ allow mediaserver drmserver:drmservice {
 };
 
 # only allow unprivileged socket ioctl commands
-allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
 ###
 ### neverallow rules
-- 
GitLab