From 0597ade15ccb3415b41fa86052545007396b4810 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 21 Jun 2018 16:57:58 -0700
Subject: [PATCH] Update socket ioctl restrictions

Grant access to icmp_socket to netdomain. This was previously
labeled as rawip_socket which apps are allowed to use. Neverallow
all other new socket types for apps.

Kernels versions > 4.9 redefine ICMP sockets from rawip_socket
to icmp_socket. To pass neverallow tests, we need to define
which IOCTLs are allowed (and disallowed).

Note that this does not change behavior on devices with
kernel versions <=4.9. However, it is necessary (although not
sufficient) to pass CTS on kernel version 4.14.

Bug: 110520616
Test: Grant icmp_socket in net.te and build.
Change-Id: I5c7cb6867d1a4cd1554a8da0d55daa8e06daf803
---
 private/app_neverallows.te | 8 ++++++--
 private/net.te             | 3 ++-
 public/domain.te           | 2 +-
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index cf582789f..5c4aa4093 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -70,7 +70,7 @@ neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
 
 # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
 # ioctl permission, or 3. disallow the socket class.
-neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
 neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
 neverallow all_untrusted_apps *:{
   socket netlink_socket packet_socket key_socket appletalk_socket
@@ -79,7 +79,11 @@ neverallow all_untrusted_apps *:{
   netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
   netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
   netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
-  netlink_rdma_socket netlink_crypto_socket
+  netlink_rdma_socket netlink_crypto_socket sctp_socket
+  ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+  atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+  bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
 } *;
 
 # Do not allow untrusted apps access to /cache
diff --git a/private/net.te b/private/net.te
index f16daf94c..2e6ced377 100644
--- a/private/net.te
+++ b/private/net.te
@@ -4,7 +4,8 @@
 
 # Use network sockets.
 allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
 # Connect to ports.
 allow netdomain port_type:tcp_socket name_connect;
 # Bind to ports.
diff --git a/public/domain.te b/public/domain.te
index 9dc3c184d..3d35fabf0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -262,7 +262,7 @@ allow domain fs_type:dir getattr;
 # defaults for all processes. Note that granting this whitelist to domain does
 # not grant the ioctl permission on these socket types. That must be granted
 # separately.
-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 # default whitelist for unix sockets.
 allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
-- 
GitLab