Skip to content
Snippets Groups Projects
Commit ef0b7b1a authored by Jeffrey Vander Stoep's avatar Jeffrey Vander Stoep Committed by Android (Google) Code Review
Browse files

Merge "app: expand socket ioctl restrictions to all apps"

parents 3873c31f bb1ece49
No related branches found
No related tags found
No related merge requests found
...@@ -205,6 +205,9 @@ use_keystore({ appdomain -isolated_app }) ...@@ -205,6 +205,9 @@ use_keystore({ appdomain -isolated_app })
allow appdomain console_device:chr_file { read write }; allow appdomain console_device:chr_file { read write };
# only allow unprivileged socket ioctl commands
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
### ###
### CTS-specific rules ### CTS-specific rules
### ###
......
...@@ -18,9 +18,6 @@ allow isolated_app app_data_file:file { read write getattr lock }; ...@@ -18,9 +18,6 @@ allow isolated_app app_data_file:file { read write getattr lock };
allow isolated_app activity_service:service_manager find; allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find; allow isolated_app display_service:service_manager find;
# only allow unprivileged socket ioctl commands
allowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
# Google Breakpad (crash reporter for Chrome) relies on ptrace # Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter # functionality. Without the ability to ptrace, the crash reporter
# tool is broken. # tool is broken.
......
...@@ -77,6 +77,9 @@ allow priv_app fuse_device:chr_file { read write }; ...@@ -77,6 +77,9 @@ allow priv_app fuse_device:chr_file { read write };
allow priv_app sysfs_zram:dir search; allow priv_app sysfs_zram:dir search;
allow priv_app sysfs_zram:file r_file_perms; allow priv_app sysfs_zram:file r_file_perms;
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
### ###
### neverallow rules ### neverallow rules
### ###
......
...@@ -80,9 +80,6 @@ allow untrusted_app radio_service:service_manager find; ...@@ -80,9 +80,6 @@ allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find; allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app app_api_service:service_manager find; allow untrusted_app app_api_service:service_manager find;
# only allow unprivileged socket ioctl commands
allowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
# Allow GMS core to access perfprofd output, which is stored # Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all # in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one. # data stored in that directory to process them one by one.
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment