am 694e2bfb: am de53051a: Do not allow untrusted_app to open tun_device

* commit '694e2bfb': Do not allow untrusted_app to open tun_device

am 694e2bfb: am de53051a: Do not allow untrusted_app to open tun_device
944c2080 · Jeff Vander Stoep · Android Git Automerger · 68e7327a · 694e2bfb · 944c2080
Commit 944c2080 authored 9 years ago by Jeff Vander Stoep Committed by Android Git Automerger 9 years ago
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -14,8 +14,12 @@ allow bluetooth bluetooth_socket:sock_file create_file_perms;
 # bluetooth factory file accesses.
 r_dir_file(bluetooth, bluetooth_efs_file)

-# Device accesses.
+# TODO why does bluetooth require access to tun_device? If not,
+# remove access and tighten down neverallow rule so that appdomain is
+# not allowed to open (as opposed to just untrusted_app)
+# Device accesses. b/24744295
 allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
+auditallow bluetooth tun_device:chr_file rw_file_perms;

 # Other domains that can create and use bluetooth sockets.
 # SELinux does not presently define a specific socket class for

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -29,7 +29,9 @@ bluetooth_domain(untrusted_app)
 # to their sandbox directory and then execute.
 allow untrusted_app app_data_file:file { rx_file_perms execmod };

-allow untrusted_app tun_device:chr_file rw_file_perms;
+# Third party vpn apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow untrusted_app tun_device:chr_file { read write getattr ioctl append };

 # ASEC
 allow untrusted_app asec_apk_file:file r_file_perms;
@@ -157,3 +159,6 @@ neverallow untrusted_app file_type:file link;

 # Do not allow untrusted_app to access network MAC address file
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
+
+# Do not allow untrusted app to directly open tun_device
+neverallow untrusted_app tun_device:chr_file open;