Commit d1228f2e authored by Treehugger Robot's avatar Treehugger Robot Committed by Gerrit Code Review

Merge "Move to ioctl whitelisting for /dev/pts/* files"

parents e6a20295 07c3a5a5
...@@ -171,6 +171,11 @@ allowxperm domain domain:{ rawip_socket tcp_socket udp_socket } ...@@ -171,6 +171,11 @@ allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls; ioctl unpriv_unix_sock_ioctls;
# Restrict PTYs to only whitelisted ioctls.
# Note that granting this whitelist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
### ###
### neverallow rules ### neverallow rules
...@@ -179,6 +184,11 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ...@@ -179,6 +184,11 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
# All socket ioctls must be restricted to a whitelist. # All socket ioctls must be restricted to a whitelist.
neverallowxperm domain domain:socket_class_set ioctl { 0 }; neverallowxperm domain domain:socket_class_set ioctl { 0 };
# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * devpts:chr_file ioctl TIOCSTI;
# Do not allow any domain other than init or recovery to create unlabeled files. # Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
...@@ -42,10 +42,16 @@ SIOCIWFIRSTPRIV-SIOCIWLASTPRIV ...@@ -42,10 +42,16 @@ SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
}') }')
# commonly used ioctls on unix sockets # commonly used ioctls on unix sockets
define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD }') define(`unpriv_unix_sock_ioctls', `{
TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
}')
# commonly used TTY ioctls # commonly used TTY ioctls
define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }') # merge with unpriv_unix_sock_ioctls?
define(`unpriv_tty_ioctls', `{
TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW TCFLSH
TIOCSPGRP TIOCGPGRP
}')
# point to point ioctls # point to point ioctls
define(`ppp_ioctls', `{ define(`ppp_ioctls', `{
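Review bot: The line `# merge with unpriv_unix_sock_ioctls?` is an open question left in committed policy, and the new `unpriv_tty_ioctls` definition that follows is now a strict superset of `unpriv_unix_sock_ioctls`, so the relationship should be stated rather than asked. Either define one macro in terms of the other, or replace the question with a statement such as `# unpriv_unix_sock_ioctls plus termios setters and job-control ioctls; TIOCSTI is deliberately excluded (blocked by neverallowxperm in domain.te).`. The added write-side ioctls (TCSETSW, TCFLSH, TIOCSPGRP, TIOCSCTTY) are the ones a reviewer will want a reason for, so a one-line why-comment next to them would save a future audit; which callers need them is not visible here.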
...@@ -259,6 +259,11 @@ type $1_devpts, fs_type; ...@@ -259,6 +259,11 @@ type $1_devpts, fs_type;
type_transition $1 devpts:chr_file $1_devpts; type_transition $1 devpts:chr_file $1_devpts;
# Allow use of the pty after creation. # Allow use of the pty after creation.
allow $1 $1_devpts:chr_file { open getattr read write ioctl }; allow $1 $1_devpts:chr_file { open getattr read write ioctl };
allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te. # allowed to everyone via domain.te.
') ')
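Review bot: The new `allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;` line mirrors the `devpts` rule added in domain.te but there is nothing tying the two together, so a change to one whitelist can silently diverge from the other; add `# Keep in sync with the devpts allowxperm rule in domain.te.` above it. The TIOCSTI comment block is copied verbatim from domain.te and could be reduced to a one-line reference to it. The macro's opening line and its header comment are outside this hunk; presumably that header still describes the unrestricted `ioctl` grant, and it should mention that ioctls on the pty are now whitelisted.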