audio/mediaserver: Restrict to unprivileged socket ioctls

Neverallow access to privileged commands. Change-Id: I443be5bbcd8cdf55e23c2c4d8fee93c4ebf30e55

audio/mediaserver: Restrict to unprivileged socket ioctls
Neverallow access to privileged commands. Change-Id: I443be5bbcd8cdf55e23c2c4d8fee93c4ebf30e55
0fd910ec · Jeff Vander Stoep · ef0b7b1a · 0fd910ec · 0fd910ec
Commit 0fd910ec authored 9 years ago by Jeff Vander Stoep
--- a/audioserver.te
+++ b/audioserver.te
@@ -110,6 +110,9 @@ allow audioserver drmserver:drmservice {
    pread
 };

+# only allow unprivileged socket ioctl commands
+allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
 ###
 ### neverallow rules
 ###
@@ -117,3 +120,6 @@ allow audioserver drmserver:drmservice {
 # audioserver should never execute any executable without a
 # domain transition
 neverallow audioserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm audioserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -110,6 +110,9 @@ allow mediaserver drmserver:drmservice {
    pread
 };

+# only allow unprivileged socket ioctl commands
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
 ###
 ### neverallow rules
 ###
@@ -117,3 +120,6 @@ allow mediaserver drmserver:drmservice {
 # mediaserver should never execute any executable without a
 # domain transition
 neverallow mediaserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;