From de9b5301a14abf388589b06e819bb001d69e0cf1 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 5 Jun 2015 15:28:55 -0700
Subject: [PATCH] restrict app access to socket ioctls

Create a macro of unprivileged ioctls including
- All common socket ioctls except MAC address
- All wireless extensions ioctls except get/set ESSID
- Some commonly used tty ioctls

Bug: 21657002
Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
---
 Android.mk       |  1 +
 ioctl_macros     | 11 +++++++++++
 isolated_app.te  |  3 +++
 untrusted_app.te | 13 ++-----------
 4 files changed, 17 insertions(+), 11 deletions(-)
 create mode 100644 ioctl_macros

diff --git a/Android.mk b/Android.mk
index f3da45015..1b903bd75 100644
--- a/Android.mk
+++ b/Android.mk
@@ -36,6 +36,7 @@ sepolicy_build_files := security_classes \
                         policy_capabilities \
                         te_macros \
                         attributes \
+                        ioctl_macros \
                         *.te \
                         roles \
                         users \
diff --git a/ioctl_macros b/ioctl_macros
new file mode 100644
index 000000000..e71e0ce5a
--- /dev/null
+++ b/ioctl_macros
@@ -0,0 +1,11 @@
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
+0x8900-0x8926 0x8928-0x89ff
+# all wireless extensions ioctls except get/set essid
+# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
+0x8B00-0x8B09 0x8B1C-0x8BFF
+# commonly used TTY ioctls
+0x5411 0x5451
+}')
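Review bot: The comment above the wireless-extensions ranges does not match the numbers beneath it: `0x8B00-0x8B09 0x8B1C-0x8BFF` withholds 0x8B0A–0x8B1B, not only the two ESSID commands the comment names, so either the first range should end at 0x8B19 if the comment states the intent, or the comment should say which commands in 0x8B0A–0x8B19 are deliberately excluded. The constant name on the line before is also misspelled and should read `# SIOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B`. The provenance the old untrusted_app.te comment carried is gone with it; a line such as `# values from include/uapi/linux/sockios.h and include/uapi/linux/wireless.h` next to the ranges would let the next maintainer verify them. Because two domains now consume this macro, any later edit to these ranges widens or narrows both at once.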
diff --git a/isolated_app.te b/isolated_app.te
index 1cede96cb..b50bb783c 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -20,6 +20,9 @@ allow isolated_app display_service:service_manager find;
 
 service_manager_local_audit_domain(isolated_app)
 
+# only allow unprivileged socket ioctl commands
+allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
+
 #####
 ##### Neverallow
 #####
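Review bot: The new rule applies the complete unpriv_sock_ioctls set to isolated_app, including the wireless-extensions ranges and the two TTY ioctls, although isolated_app is the more constrained of the two domains changed in this commit; if isolated processes have no need for those, a narrower list for this domain would follow least privilege better than reusing the untrusted_app set. The comment `# only allow unprivileged socket ioctl commands` reads like a grant, whereas the commit message describes a restriction; wording such as `# restrict socket ioctls on these classes to the unprivileged set (unpriv_sock_ioctls)` would make the direction of the change clear. Whether isolated_app's base access to these socket classes is granted elsewhere is not visible in this hunk.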
diff --git a/untrusted_app.te b/untrusted_app.te
index e451c5d6b..693a13cd6 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -97,17 +97,8 @@ allow untrusted_app persistent_data_block_service:service_manager find;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
 
-# limit untrusted_apps access to MAC address ioctl
-# MAC address is SIOCGIFHWADDR 0x8927
-# from include/uapi/linux/sockios.h
-# #define SIOCGIFHWADDR 0x8927 /* Get hardware address */
-# Other general 0x89** ioctls should continue to be allowed.
-# 0x8B00 from wireless extensions driver and is used by chrome to
-# determine if wifi is present
-# from include/uapi/linux/wireless.h:
-# #define SIOCSIWCOMMIT 0x8B00 /* Commit pending changes to driver */
-allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x5411 0x5451 0x8900-0x8926 0x8928-0x89ff 0x8b00-0x8bff };
-auditallow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x8b00-0x8bff };
+# only allow unprivileged socket ioctl commands
+allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
 
 # Allow GMS core to access perfprofd output, which is stored
 # in /data/misc/perfprofd/. GMS core will need to list all
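Review bot: The removed `auditallow` on the 0x8b00-0x8bff range is not carried over, so the visibility into which wireless-extensions ioctls untrusted apps actually issue is lost at the same moment the allowed set is narrowed; if that data is still wanted to validate the new ranges, a narrower audit line such as `auditallow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x8B00-0x8B09 0x8B1C-0x8BFF };` preserves it without auditing the common socket ioctls. The deleted comment also recorded why 0x8B00 (SIOCSIWCOMMIT, used by chrome to detect wifi) must remain allowed; that rationale now lives nowhere, and moving it into ioctl_macros beside the wireless range would keep a later tightening from dropping it. The remaining context shows only the start of the perfprofd comment; the rule it introduces is outside the hunk.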