From de53051a8282ec59fdd21667850997bc4096f8d2 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 6 Oct 2015 09:11:02 -0700
Subject: [PATCH] Do not allow untrusted_app to open tun_device

Third party vpn apps must receive open tun fd from the framework
for device traffic.

Add a neverallow on the untrusted_app open permission, and an auditallow on
bluetooth's access, to see whether the neverallow rule can be expanded to
cover all of appdomain.

Bug: 24677682
Change-Id: I68685587228a1044fe1e0f96d4dc08c2adbebe78
---
 bluetooth.te     | 6 +++++-
 untrusted_app.te | 7 ++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/bluetooth.te b/bluetooth.te
index a79023dc2..6f6aea792 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -14,8 +14,12 @@ allow bluetooth bluetooth_socket:sock_file create_file_perms;
 # bluetooth factory file accesses.
 r_dir_file(bluetooth, bluetooth_efs_file)
 
-# Device accesses.
+# TODO why does bluetooth require access to tun_device? If not,
+# remove access and tighten down neverallow rule so that appdomain is
+# not allowed to open (as opposed to just untrusted_app)
+# Device accesses. b/24744295
 allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
+auditallow bluetooth tun_device:chr_file rw_file_perms;
 
 # Other domains that can create and use bluetooth sockets.
 # SELinux does not presently define a specific socket class for
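Review bot: The added auditallow logs every permission in rw_file_perms, but the question the new TODO asks is only whether bluetooth opens tun_device itself; a tun fd handed over by another process would still generate read/write/ioctl audit records and muddy the answer. Auditing just the permission the untrusted_app neverallow in this same patch targets, `auditallow bluetooth tun_device:chr_file open;`, answers that question with far less log noise. The inserted TODO also sits between the `# Device accesses.` heading and its rule, and the bug id is appended to the heading rather than to the TODO it belongs to; keeping `# Device accesses.` first and starting the TODO as `# TODO (b/24744295): why does bluetooth require access to tun_device? ...` reads more naturally.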
diff --git a/untrusted_app.te b/untrusted_app.te
index eb518e32c..eb3005a99 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -29,7 +29,9 @@ bluetooth_domain(untrusted_app)
 # to their sandbox directory and then execute.
 allow untrusted_app app_data_file:file { rx_file_perms execmod };
 
-allow untrusted_app tun_device:chr_file rw_file_perms;
+# Third party vpn apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow untrusted_app tun_device:chr_file { read write getattr ioctl append };
 
 # ASEC
 allow untrusted_app asec_apk_file:file r_file_perms;
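Review bot: The rewritten allow rule appears to drop more than `open`: if `rw_file_perms` in this policy's global_macros expands to `{ getattr open read ioctl lock write append }`, the new explicit set `{ read write getattr ioctl append }` also silently removes `lock`, which the comment above the rule does not mention. Either add `lock` back so the change is exactly "everything except open", or say so in the comment, e.g. `# Do not allow untrusted app to directly open (or lock) tun_device.`, so the next reader does not mistake the omission for a typo.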
@@ -157,3 +159,6 @@ neverallow untrusted_app file_type:file link;
 
 # Do not allow untrusted_app to access network MAC address file
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
+
+# Do not allow untrusted app to directly open tun_device
+neverallow untrusted_app tun_device:chr_file open;
-- 
GitLab