From 07c3a5a5222c8c0306cd62575f7f9279f7ca6093 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 22 Nov 2016 14:22:43 -0800
Subject: [PATCH] Move to ioctl whitelisting for /dev/pts/* files

In particular, get rid of TIOCSTI, which is only ever used for exploits.

http://www.openwall.com/lists/oss-security/2016/09/26/14

Bug: 33073072
Bug: 7530569
Test: "adb shell" works
Test: "adb install package" works
Test: jackpal terminal emulator from
      https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en
      works
Change-Id: I96b5e7059d106ce57ff55ca6e458edf5a4c393bf
---
 public/domain.te    | 10 ++++++++++
 public/ioctl_macros | 10 ++++++++--
 public/te_macros    |  5 +++++
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 7c15ebc72..c78af0756 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -171,6 +171,11 @@ allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
 allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
   ioctl unpriv_unix_sock_ioctls;
 
+# Restrict PTYs to only whitelisted ioctls.
+# Note that granting this whitelist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
 ###
 ### neverallow rules
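Review bot: The comment above the new `allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;` should state its scope more precisely: it is a filter on ioctl grants that already exist, it applies to every domain at once, and it covers only the generic `devpts` type, not the per-domain pty types that this policy creates elsewhere. A domain that legitimately needs an ioctl outside the list has to add its own allowxperm, and that rule extends this whitelist rather than replacing it. Suggest replacing the second sentence of the comment with `# This rule applies to every domain and only to the generic devpts type; a domain needing an extra ioctl must add its own allowxperm, which unions with this list.` so nobody reads it as covering every pty on the device.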
@@ -179,6 +184,11 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 # All socket ioctls must be restricted to a whitelist.
 neverallowxperm domain domain:socket_class_set ioctl { 0 };
 
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * devpts:chr_file ioctl TIOCSTI;
+
 # Do not allow any domain other than init or recovery to create unlabeled files.
 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 122e1f0df..e8cc08683 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -42,10 +42,16 @@ SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
 }')
 
 # commonly used ioctls on unix sockets
-define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD }')
+define(`unpriv_unix_sock_ioctls', `{
+  TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+}')
 
 # commonly used TTY ioctls
-define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
+# merge with unpriv_unix_sock_ioctls?
+define(`unpriv_tty_ioctls', `{
+  TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW TCFLSH
+  TIOCSPGRP TIOCGPGRP
+}')
 
 # point to point ioctls
 define(`ppp_ioctls', `{
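Review bot: The new `# merge with unpriv_unix_sock_ioctls?` line leaves an open question in a shipped macro file; it should be resolved or made a tracked TODO, and the answer looks like no: `unpriv_unix_sock_ioctls` carries terminal ioctls (TCGETS, TIOCGWINSZ, TIOCSWINSZ) that presumably do nothing useful on a socket, while `unpriv_tty_ioctls` now adds TIOCSCTTY, TCSETSW, TCFLSH, TIOCSPGRP and TIOCGPGRP, which should not be granted on every unprivileged unix socket by accident. Suggest replacing the line with `# Kept separate from unpriv_unix_sock_ioctls: the tty list carries controlling-tty and pgrp ioctls that must not leak onto sockets.` The comment should also say why TCSETSW is whitelisted but TCSETS and TCSETSF are not, since terminal programs commonly issue all three; if the jackpal test in the commit message exercised this, a short note saying so would save the next maintainer a round trip.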
diff --git a/public/te_macros b/public/te_macros
index df171f010..61f8d7174 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -259,6 +259,11 @@ type $1_devpts, fs_type;
 type_transition $1 devpts:chr_file $1_devpts;
 # Allow use of the pty after creation.
 allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
 # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
 # allowed to everyone via domain.te.
 ')
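Review bot: The new `allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;` narrows only `$1` on its own pty, whereas the matching rule for the generic `devpts` type in domain.te uses `domain` as the source; if any other domain is granted ioctl on `$1_devpts`, it receives every ioctl except the one the neverallow forbids. Suggest `allowxperm domain $1_devpts:chr_file ioctl unpriv_tty_ioctls;` so the whitelist is enforced no matter who holds the ioctl permission, mirroring domain.te; a domain that needs more can still be widened with an explicit allowxperm of its own. The enclosing macro definition starts before this hunk. The three-line TIOCSTI rationale is also repeated verbatim from domain.te; `# TIOCSTI is blocked everywhere; see domain.te for rationale.` would be enough here.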