Further restrict socket ioctls available to apps

(cherry picked from commit 6ba383c5) Restrict unix_dgram_socket and unix_stream_socket to a whitelist. Disallow all ioctls for netlink_selinux_socket and netlink_route_socket. Neverallow third party app use of all ioctls other than unix_dgram_socket, unix_stream_socket, netlink_selinux_socket, netlink_route_socket, tcp_socket, udp_socket and rawip_socket. Bug: 28171804 Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab

Further restrict socket ioctls available to apps
(cherry picked from commit 6ba383c5) Restrict unix_dgram_socket and unix_stream_socket to a whitelist. Disallow all ioctls for netlink_selinux_socket and netlink_route_socket. Neverallow third party app use of all ioctls other than unix_dgram_socket, unix_stream_socket, netlink_selinux_socket, netlink_route_socket, tcp_socket, udp_socket and rawip_socket. Bug: 28171804 Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab
32333536 · Jeff Vander Stoep · Jeffrey Vander Stoep · 7da9b2af · 32333536 · 32333536
Commit 32333536 authored 8 years ago by Jeff Vander Stoep Committed by Jeffrey Vander Stoep 8 years ago
--- a/domain.te
+++ b/domain.te
@@ -28,6 +28,7 @@ r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;
 allow domain self:unix_dgram_socket { create_socket_perms sendto };
 allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;
 # Inherit or receive open files from others.
 allow domain init:fd use;

--- a/ioctl_macros
+++ b/ioctl_macros
@@ -40,5 +40,8 @@ SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
 SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
 }')
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCSWINSZ FIONREAD }')
 # commonly used TTY ioctls
 define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -57,6 +57,16 @@ neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
 neverallow isolated_app cache_file:dir ~{ r_dir_perms };
 neverallow isolated_app cache_file:file ~{ read getattr };
-# do not allow privileged socket ioctl commands
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
 neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow isolated_app *:{
+  socket netlink_socket packet_socket key_socket appletalk_socket
+  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
+  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+  netlink_rdma_socket netlink_crypto_socket
+} *;
--- a/net.te
+++ b/net.te
@@ -13,7 +13,7 @@ allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
 allow netdomain port_type:udp_socket name_bind;
 allow netdomain port_type:tcp_socket name_bind;
 # See changes to the routing table.
-allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)

--- a/te_macros
+++ b/te_macros
@@ -221,7 +221,7 @@ allow $1 self:capability2 block_suspend;
 define(`selinux_check_access', `
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket *;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
 ')
 #####################################

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -151,8 +151,19 @@ neverallow untrusted_app file_type:file link;
 # Do not allow untrusted_app to access network MAC address file
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
-# do not allow privileged socket ioctl commands
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
 neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow untrusted_app *:{
+  socket netlink_socket packet_socket key_socket appletalk_socket
+  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
+  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+  netlink_rdma_socket netlink_crypto_socket
+} *;
 # Do not allow untrusted_app access to /cache
 neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };