Enforce ioctl command whitelisting on all sockets

Remove the ioctl permission for most socket types. For others, such as
tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist
that individual domains may extend (except where neverallowed like
untrusted_app). Enforce via a neverallowxperm rule.

Change-Id: I7573fdb24f9c53ad169bce2aeab1baac8b2a11ea

sepolicy/ioctl_defines

@@ -0,0 +1,7 @@
+# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
+define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
+define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
+define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
+define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
+define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
+define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')

sepolicy/ioctl_macros

@@ -0,0 +1,8 @@
+define(`msm_sock_ipc_ioctls', `{
+IPC_ROUTER_IOCTL_GET_VERSION
+IPC_ROUTER_IOCTL_GET_MTU
+IPC_ROUTER_IOCTL_LOOKUP_SERVER
+IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
+IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
+IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
+}')

sepolicy/irsc_util.te

@@ -5,3 +5,4 @@ type irsc_util_exec, exec_type, file_type;
 init_daemon_domain(irsc_util)
 
 allow irsc_util self:socket create_socket_perms;
+allowxperm irsc_util self:socket ioctl msm_sock_ipc_ioctls;

sepolicy/mediaserver.te

@@ -6,4 +6,4 @@ unix_socket_send(mediaserver, mpdecision, mpdecision)
 
 # Permit mediaserver to create sockets with no specific SELinux class.
 # TODO: Investigate the specific type of socket.
-allow mediaserver self:socket create_socket_perms;
+allow mediaserver self:socket create_socket_perms_no_ioctl;

sepolicy/netmgrd.te

@@ -11,11 +11,12 @@ allow netmgrd self:capability { setuid setgid net_admin net_raw };
 # Support modprobe??
 dontaudit netmgrd self:capability sys_module;
 
+allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
 allow netmgrd self:udp_socket { create ioctl };
-allow netmgrd self:netlink_socket create_socket_perms;
-allow netmgrd self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
-allow netmgrd self:packet_socket create_socket_perms;
-allow netmgrd self:rawip_socket create_socket_perms;
+allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
+allow netmgrd self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netmgrd self:packet_socket create_socket_perms_no_ioctl;
+allow netmgrd self:rawip_socket create_socket_perms_no_ioctl;
 
 # Talk to qmuxd (qmux_radio)
 qmux_socket(netmgrd)

sepolicy/priv_app.te

@@ -1 +1,2 @@
 allow priv_app device:dir r_dir_perms;
+allowxperm priv_app self:udp_socket ioctl { SIOCGIWESSID };

sepolicy/rild.te

@@ -1 +1,6 @@
 qmux_socket(rild)
+
+# whitelist qualcomm specific ioctls
+allow rild self:socket ioctl;
+allowxperm rild self:socket ioctl msm_sock_ipc_ioctls;
+allowxperm rild self:udp_socket ioctl priv_sock_ioctls;

sepolicy/rmt.te

@@ -20,6 +20,7 @@ allow rmt shared_log_device:chr_file rw_file_perms;
 
 allow rmt self:socket create_socket_perms;
 allow rmt cgroup:dir { create add_name };
+allowxperm rmt self:socket ioctl msm_sock_ipc_ioctls;
 
 # Wake lock access
 wakelock_use(rmt)

sepolicy/thermald.te

@@ -10,6 +10,7 @@ allow thermald self:capability dac_override;
 auditallow thermald self:capability dac_override;
 
 allow thermald self:socket create_socket_perms;
+allowxperm thermald self:socket ioctl msm_sock_ipc_ioctls;
 
 # CPU hotplug uevent
 allow thermald self:netlink_kobject_uevent_socket { create setopt bind read };