restrict app access to socket ioctls

Create a macro of unprivileged ioctls including - All common socket ioctls except MAC address - All wireless extensions ioctls except get/set ESSID - Some commonly used tty ioctls Bug: 21657002 Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c

restrict app access to socket ioctls
de9b5301 · Jeff Vander Stoep · Jeffrey Vander Stoep · 20d0ad0e · de9b5301 · de9b5301
Commit de9b5301 authored 9 years ago by Jeff Vander Stoep Committed by Jeffrey Vander Stoep 9 years ago
--- a/Android.mk
+++ b/Android.mk
@@ -36,6 +36,7 @@ sepolicy_build_files := security_classes \
                        policy_capabilities \
                        te_macros \
                        attributes \
+                        ioctl_macros \
                        *.te \
                        roles \
                        users \

--- a/ioctl_macros
+++ b/ioctl_macros
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
+0x8900-0x8926 0x8928-0x89ff
+# all wireless extensions ioctls except get/set essid
+# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
+0x8B00-0x8B09 0x8B1C-0x8BFF
+# commonly used TTY ioctls
+0x5411 0x5451
+}')
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -20,6 +20,9 @@ allow isolated_app display_service:service_manager find;
 service_manager_local_audit_domain(isolated_app)
+# only allow unprivileged socket ioctl commands
+allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
 #####
 ##### Neverallow
 #####

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -97,17 +97,8 @@ allow untrusted_app persistent_data_block_service:service_manager find;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-# limit untrusted_apps access to MAC address ioctl
+# only allow unprivileged socket ioctl commands
-# MAC address is SIOCGIFHWADDR 0x8927
+allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
-# from include/uapi/linux/sockios.h
-# #define SIOCGIFHWADDR 0x8927 /* Get hardware address */
-# Other general 0x89** ioctls should continue to be allowed.
-# 0x8B00 from wireless extensions driver and is used by chrome to
-# determine if wifi is present
-# from include/uapi/linux/wireless.h:
-# #define SIOCSIWCOMMIT 0x8B00 /* Commit pending changes to driver */
-allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x5411 0x5451 0x8900-0x8926 0x8928-0x89ff 0x8b00-0x8bff };
-auditallow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x8b00-0x8bff };
 # Allow GMS core to access perfprofd output, which is stored
 # in /data/misc/perfprofd/. GMS core will need to list all