Enforce ioctl command whitelisting on all sockets
Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream, set a default unprivileged whitelist that individual domains may extend (except where this is neverallowed, as for untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I7573fdb24f9c53ad169bce2aeab1baac8b2a11ea
parent
96b92e3361
commit
165b4ae091
@ -0,0 +1,7 @@
# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')
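Review bot: The six constants are the low 16 bits of each ioctl command (type 0xc3, nr 0x00–0x05), not the full 32-bit _IOC number from include/uapi/linux/msm_ipc.h that the comment on the first line points at, and that is the part SELinux ioctl xperm matching keys on. Without saying so, the next maintainer who adds an entry is likely to paste the 32-bit value from the header and end up with an allowxperm that never matches. A one-line comment would settle it: `# values are the low 16 bits (type<<8 | nr) of the _IOC command; SELinux ioctl xperms do not check the direction/size bits`.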
@ -0,0 +1,8 @@
define(`msm_sock_ipc_ioctls', `{
IPC_ROUTER_IOCTL_GET_VERSION
IPC_ROUTER_IOCTL_GET_MTU
IPC_ROUTER_IOCTL_LOOKUP_SERVER
IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
}')
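Review bot: The macro bundles IPC_ROUTER_IOCTL_CONFIG_SEC_RULES, which installs router security rules, with five query/bind ioctls, and this commit hands the whole set to irsc_util, rild, rmt and thermald alike (the allowxperm lines in those four hunks). If, as the irsc_util name suggests, only that domain actually configures security rules, the other three get a configuration ioctl they have no stated use for. Splitting the macro into the unprivileged set and a separate set for the rule-installing ioctl, and granting the second only to irsc_util, keeps the whitelist at least-privilege; I cannot see the irsc_util source to confirm which ioctls it issues, so that split should be checked against it first. Constructed name below; pick whatever fits the file's conventions.
```m4
define(`msm_sock_ipc_ioctls', `{
IPC_ROUTER_IOCTL_GET_VERSION
IPC_ROUTER_IOCTL_GET_MTU
IPC_ROUTER_IOCTL_LOOKUP_SERVER
IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
}')
# installs IPC router security rules; grant only to the domain that configures them
define(`msm_sock_ipc_admin_ioctls', `{
IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
}')
```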
@ -5,3 +5,4 @@ type irsc_util_exec, exec_type, file_type;
init_daemon_domain(irsc_util)
|
allow irsc_util self:socket create_socket_perms;
allowxperm irsc_util self:socket ioctl msm_sock_ipc_ioctls;
|
@ -6,4 +6,4 @@ unix_socket_send(mediaserver, mpdecision, mpdecision)
|
# Permit mediaserver to create sockets with no specific SELinux class.
# TODO: Investigate the specific type of socket.
allow mediaserver self:socket create_socket_perms;
allow mediaserver self:socket create_socket_perms_no_ioctl;
|
@ -11,11 +11,12 @@ allow netmgrd self:capability { setuid setgid net_admin net_raw };
# Support modprobe??
dontaudit netmgrd self:capability sys_module;
|
allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
allow netmgrd self:udp_socket { create ioctl };
allow netmgrd self:netlink_socket create_socket_perms;
allow netmgrd self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
allow netmgrd self:packet_socket create_socket_perms;
allow netmgrd self:rawip_socket create_socket_perms;
allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
allow netmgrd self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
allow netmgrd self:packet_socket create_socket_perms_no_ioctl;
allow netmgrd self:rawip_socket create_socket_perms_no_ioctl;
|
# Talk to qmuxd (qmux_radio)
qmux_socket(netmgrd)
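Review bot: The new `allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;` sits above the `allow netmgrd self:udp_socket { create ioctl };` it refines and carries no comment, so a reader has to infer from the net_admin capability on the hunk header line why this daemon needs the privileged socket ioctl set. Moving the allowxperm directly under the allow and adding a short reason keeps the grant self-explaining, e.g. `# privileged SIOC* ioctls on its udp socket, presumably for interface configuration (net_admin above) -- confirm against netmgrd`. The definition of priv_sock_ioctls is not in this commit, so I cannot tell from here how wide that set is.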
|
@ -1 +1,2 @@
allow priv_app device:dir r_dir_perms;
allowxperm priv_app self:udp_socket ioctl { SIOCGIWESSID };
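Review bot: The added `allowxperm priv_app self:udp_socket ioctl { SIOCGIWESSID };` extends the default udp whitelist for the whole priv_app domain without saying which privileged component needs to read the wireless SSID, and priv_app is a broad domain shared by many apps. A comment naming the consumer would let a later reviewer tell whether the grant is still needed, e.g. `# <privileged app> reads the current wifi SSID via the wireless-extensions ioctl`. The hunk shows no `allow priv_app self:udp_socket ioctl;`; I assume the base ioctl permission comes from the default udp_socket whitelist the commit message describes, which is outside this hunk.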
|
@ -1 +1,6 @@
qmux_socket(rild)
|
# whitelist qualcomm specific ioctls
allow rild self:socket ioctl;
allowxperm rild self:socket ioctl msm_sock_ipc_ioctls;
allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
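Review bot: The comment `# whitelist qualcomm specific ioctls` covers all three added lines, but only the `self:socket` msm_sock_ipc_ioctls grant is Qualcomm-specific; the `self:udp_socket ioctl priv_sock_ioctls` line is the generic privileged socket set and deserves its own comment, e.g. `# IPC router ioctls on the generic socket class` over the first two lines and `# privileged socket ioctls on udp sockets -- needed for <reason>` over the third. The `allow rild self:socket ioctl;` adds ioctl without create or the other create_socket_perms, so I assume rild already holds those on self:socket in policy outside this hunk; worth confirming so the allowxperm is not dead. The CONFIG_SEC_RULES entry reaching rild through msm_sock_ipc_ioctls is raised on the macro hunk.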
|
@ -20,6 +20,7 @@ allow rmt shared_log_device:chr_file rw_file_perms;
|
allow rmt self:socket create_socket_perms;
allow rmt cgroup:dir { create add_name };
allowxperm rmt self:socket ioctl msm_sock_ipc_ioctls;
|
# Wake lock access
wakelock_use(rmt)
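Review bot: The new `allowxperm rmt self:socket ioctl msm_sock_ipc_ioctls;` is separated from the `allow rmt self:socket create_socket_perms;` it refines by the unrelated cgroup rule, so the grant and its ioctl restriction no longer read as one unit; the thermald and irsc_util hunks in this commit keep the pair adjacent. Placing the allowxperm on the line directly after `allow rmt self:socket create_socket_perms;` and leaving `allow rmt cgroup:dir { create add_name };` after it would match them. A short `# IPC router socket ioctls` above the pair would also help, since the other consumers of this macro are not commented either.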
|
@ -10,6 +10,7 @@ allow thermald self:capability dac_override;
auditallow thermald self:capability dac_override;
|
allow thermald self:socket create_socket_perms;
allowxperm thermald self:socket ioctl msm_sock_ipc_ioctls;
|
# CPU hotplug uevent
allow thermald self:netlink_kobject_uevent_socket { create setopt bind read };
|