141 lines
6.8 KiB
Diff
141 lines
6.8 KiB
Diff
From c91936195fbf52215dc5ca774ca081d4e931e391 Mon Sep 17 00:00:00 2001
|
|
From: Jeff Vander Stoep <jeffv@google.com>
|
|
Date: Thu, 21 Jun 2018 16:57:58 -0700
|
|
Subject: [PATCH 14/26] Update socket ioctl restrictions
|
|
|
|
Grant access to icmp_socket to netdomain. This was previously
|
|
labeled as rawip_socket which apps are allowed to use. Neverallow
|
|
all other new socket types for apps.
|
|
|
|
Kernels versions > 4.9 redefine ICMP sockets from rawip_socket
|
|
to icmp_socket. To pass neverallow tests, we need to define
|
|
which IOCTLs are allowed (and disallowed).
|
|
|
|
Note that this does not change behavior on devices with
|
|
kernel versions <=4.9. However, it is necessary (although not
|
|
sufficient) to pass CTS on kernel version 4.14.
|
|
|
|
Bug: 126141696
|
|
[change_type ] feature_bugfix
|
|
[tag_product ] specific
|
|
Test: Grant icmp_socket in net.te and build.
|
|
|
|
Change-Id: I5c7cb6867d1a4cd1554a8da0d55daa8e06daf803
|
|
(Cherry picked from commit 0597ade15ccb3415b41fa86052545007396b4810)
|
|
---
|
|
prebuilts/api/28.0/private/app_neverallows.te | 8 ++++++--
|
|
prebuilts/api/28.0/private/net.te | 2 +-
|
|
prebuilts/api/28.0/public/domain.te | 2 +-
|
|
private/app_neverallows.te | 8 ++++++--
|
|
private/net.te | 2 +-
|
|
public/domain.te | 2 +-
|
|
6 files changed, 16 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/prebuilts/api/28.0/private/app_neverallows.te b/prebuilts/api/28.0/private/app_neverallows.te
|
|
index 804bcada..cc78f0b7 100644
|
|
--- a/prebuilts/api/28.0/private/app_neverallows.te
|
|
+++ b/prebuilts/api/28.0/private/app_neverallows.te
|
|
@@ -70,7 +70,7 @@ neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
|
|
|
|
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
|
|
# ioctl permission, or 3. disallow the socket class.
|
|
-neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
|
+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
|
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
|
|
neverallow all_untrusted_apps *:{
|
|
socket netlink_socket packet_socket key_socket appletalk_socket
|
|
@@ -79,7 +79,11 @@ neverallow all_untrusted_apps *:{
|
|
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
|
|
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
|
|
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
|
|
- netlink_rdma_socket netlink_crypto_socket
|
|
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
|
|
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
|
|
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
|
|
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
|
|
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
|
|
} *;
|
|
|
|
# Do not allow untrusted apps access to /cache
|
|
diff --git a/prebuilts/api/28.0/private/net.te b/prebuilts/api/28.0/private/net.te
|
|
index f16daf94..8bf8c921 100644
|
|
--- a/prebuilts/api/28.0/private/net.te
|
|
+++ b/prebuilts/api/28.0/private/net.te
|
|
@@ -4,7 +4,7 @@
|
|
|
|
# Use network sockets.
|
|
allow netdomain self:tcp_socket create_stream_socket_perms;
|
|
-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
|
|
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
|
|
# Connect to ports.
|
|
allow netdomain port_type:tcp_socket name_connect;
|
|
# Bind to ports.
|
|
diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
|
|
index 42a26cf2..9d3645eb 100644
|
|
--- a/prebuilts/api/28.0/public/domain.te
|
|
+++ b/prebuilts/api/28.0/public/domain.te
|
|
@@ -262,7 +262,7 @@ allow domain fs_type:dir getattr;
|
|
# defaults for all processes. Note that granting this whitelist to domain does
|
|
# not grant the ioctl permission on these socket types. That must be granted
|
|
# separately.
|
|
-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
|
|
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
|
|
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
|
|
# default whitelist for unix sockets.
|
|
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
|
|
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
|
|
index 804bcada..cc78f0b7 100644
|
|
--- a/private/app_neverallows.te
|
|
+++ b/private/app_neverallows.te
|
|
@@ -70,7 +70,7 @@ neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
|
|
|
|
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
|
|
# ioctl permission, or 3. disallow the socket class.
|
|
-neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
|
+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
|
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
|
|
neverallow all_untrusted_apps *:{
|
|
socket netlink_socket packet_socket key_socket appletalk_socket
|
|
@@ -79,7 +79,11 @@ neverallow all_untrusted_apps *:{
|
|
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
|
|
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
|
|
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
|
|
- netlink_rdma_socket netlink_crypto_socket
|
|
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
|
|
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
|
|
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
|
|
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
|
|
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
|
|
} *;
|
|
|
|
# Do not allow untrusted apps access to /cache
|
|
diff --git a/private/net.te b/private/net.te
|
|
index f16daf94..8bf8c921 100644
|
|
--- a/private/net.te
|
|
+++ b/private/net.te
|
|
@@ -4,7 +4,7 @@
|
|
|
|
# Use network sockets.
|
|
allow netdomain self:tcp_socket create_stream_socket_perms;
|
|
-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
|
|
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
|
|
# Connect to ports.
|
|
allow netdomain port_type:tcp_socket name_connect;
|
|
# Bind to ports.
|
|
diff --git a/public/domain.te b/public/domain.te
|
|
index 42a26cf2..9d3645eb 100644
|
|
--- a/public/domain.te
|
|
+++ b/public/domain.te
|
|
@@ -262,7 +262,7 @@ allow domain fs_type:dir getattr;
|
|
# defaults for all processes. Note that granting this whitelist to domain does
|
|
# not grant the ioctl permission on these socket types. That must be granted
|
|
# separately.
|
|
-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
|
|
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
|
|
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
|
|
# default whitelist for unix sockets.
|
|
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
|
|
--
|
|
2.17.1
|
|
|