Merge "Further restrict socket ioctls available to apps" into nyc-dev

domain.te

@@ -28,6 +28,7 @@ r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;
 allow domain self:unix_dgram_socket { create_socket_perms sendto };
 allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;
 
 # Inherit or receive open files from others.
 allow domain init:fd use;

ioctl_macros

@@ -40,5 +40,8 @@ SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
 SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
 }')
 
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCSWINSZ FIONREAD }')
+
 # commonly used TTY ioctls
 define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')

isolated_app.te

@@ -63,6 +63,16 @@ neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
 neverallow isolated_app cache_file:dir ~{ r_dir_perms };
 neverallow isolated_app cache_file:file ~{ read getattr };
 
-# do not allow privileged socket ioctl commands
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
 neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
+neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow isolated_app *:{
+  socket netlink_socket packet_socket key_socket appletalk_socket
+  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
+  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+  netlink_rdma_socket netlink_crypto_socket
+} *;

net.te

@@ -13,7 +13,7 @@ allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
 allow netdomain port_type:udp_socket name_bind;
 allow netdomain port_type:tcp_socket name_bind;
 # See changes to the routing table.
-allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)

te_macros

@@ -221,7 +221,7 @@ allow $1 self:capability2 block_suspend;
 define(`selinux_check_access', `
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket *;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
 ')
 
 #####################################

untrusted_app.te

@@ -151,8 +151,19 @@ neverallow untrusted_app file_type:file link;
 # Do not allow untrusted_app to access network MAC address file
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 
-# do not allow privileged socket ioctl commands
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
 neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow untrusted_app *:{
+  socket netlink_socket packet_socket key_socket appletalk_socket
+  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
+  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+  netlink_rdma_socket netlink_crypto_socket
+} *;
 
 # Do not allow untrusted_app access to /cache
 neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };