From bb1ece494ffb160690e045fb383c93140f471a77 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 6 Jan 2016 10:09:02 -0800
Subject: [PATCH] app: expand socket ioctl restrictions to all apps

Exempt bluetooth which has net_admin capability.

Allow Droidguard to access the MAC address - droidguard runs in priv_app domain.

Change-Id: Ia3cf07f4a96353783b2cfd7fc4506b7034daa2f1
---
 app.te | 3 +++
 isolated_app.te | 3 ---
 priv_app.te | 3 +++
 untrusted_app.te | 3 ---
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/app.te b/app.te
index 48aebbf0a..fef3c3a95 100644
--- a/app.te
+++ b/app.te
@@ -205,6 +205,9 @@ use_keystore({ appdomain -isolated_app })
 
 allow appdomain console_device:chr_file { read write };
 
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
 ###
 ### CTS-specific rules
 ###
diff --git a/isolated_app.te b/isolated_app.te
index 1e40a7f57..6b9450a40 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,9 +18,6 @@ allow isolated_app app_data_file:file { read write getattr lock };
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
 
-# only allow unprivileged socket ioctl commands
-allowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
-
 # Google Breakpad (crash reporter for Chrome) relies on ptrace
 # functionality. Without the ability to ptrace, the crash reporter
 # tool is broken.
diff --git a/priv_app.te b/priv_app.te
index 4a25787ab..27551d0dc 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -77,6 +77,9 @@ allow priv_app fuse_device:chr_file { read write };
 allow priv_app sysfs_zram:dir search;
 allow priv_app sysfs_zram:file r_file_perms;
 
+# access the mac address
+allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
+
 ###
 ### neverallow rules
 ###
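Review bot: The new `allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;` in app.te only narrows the ioctl commands for domains that already hold `ioctl` on these socket classes, and because extended-permission rules accumulate, a later `allowxperm` in device-specific policy can widen the set again for any app domain without touching this file. If the policy defines a privileged counterpart to `unpriv_sock_ioctls` (not visible in this hunk), pinning it makes the restriction a guarantee rather than a default, e.g. `neverallowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl ~unpriv_sock_ioctls;`. The comment should also record why bluetooth is carved out, since that domain keeps the full ioctl set on its own sockets: `# only allow unprivileged socket ioctl commands; bluetooth is exempt because it holds net_admin`.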
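Review bot: `allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;` in priv_app.te grants the hardware-address ioctl to every domain typed priv_app, not just Droidguard, and the one-line comment does not say so; since the MAC address is a persistent device identifier, the comment should name the consumer and the scope so the exemption can be revisited if Droidguard moves: `# Droidguard (runs as priv_app) reads the MAC address; this grants SIOCGIFHWADDR to every priv_app, on udp_socket only`. The ioctl takes the interface name from the caller, and an xperm rule cannot constrain that argument, so this presumably exposes the MAC of every interface to any priv_app rather than a single one.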
diff --git a/untrusted_app.te b/untrusted_app.te
index 9e418731c..3f9d39ced 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -87,9 +87,6 @@ allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
 allow untrusted_app app_api_service:service_manager find;
 
-# only allow unprivileged socket ioctl commands
-allowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
-
 # Allow GMS core to access perfprofd output, which is stored
 # in /data/misc/perfprofd/. GMS core will need to list all
 # data stored in that directory to process them one by one.
-- 
GitLab