From 32333536032bf1d133e56fe4156175b76b7a1779 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 15 Apr 2016 10:54:40 -0700
Subject: [PATCH] Further restrict socket ioctls available to apps

(cherry picked from commit 6ba383c575985d56752e006d6e65ba7a49abd52e)

Restrict unix_dgram_socket and unix_stream_socket to a whitelist.
Disallow all ioctls for netlink_selinux_socket and netlink_route_socket.

Neverallow third party app use of ioctls on all socket classes other than
unix_dgram_socket, unix_stream_socket, netlink_selinux_socket,
netlink_route_socket, tcp_socket, udp_socket and rawip_socket.

Bug: 28171804
Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab
---
 domain.te        |  1 +
 ioctl_macros     |  3 +++
 isolated_app.te  | 14 ++++++++++++--
 net.te           |  2 +-
 te_macros        |  2 +-
 untrusted_app.te | 13 ++++++++++++-
 6 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/domain.te b/domain.te
index 9001773b5..bb9b225bd 100644
--- a/domain.te
+++ b/domain.te
@@ -28,6 +28,7 @@ r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;
 allow domain self:unix_dgram_socket { create_socket_perms sendto };
 allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;
 
 # Inherit or receive open files from others.
 allow domain init:fd use;
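Review bot: The new `allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;` line carries no comment, and its effect is easy to misread: once an allowxperm rule exists for a source/target/class tuple, every ioctl command not in the listed set is denied for that tuple, so this line turns ioctl on unix sockets into an allowlist for every domain rather than granting anything. The target is `domain` rather than `self` as on the two allow rules above it, which (as far as I can tell) is what makes it also cover sockets a process received from another domain over an fd. A one-line comment above it would spare the next reader the trip to the docs: `# Restrict unix socket ioctls to an allowlist: any command not in unpriv_unix_sock_ioctls is denied for every domain.`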
diff --git a/ioctl_macros b/ioctl_macros
index 12326f823..2b5db3175 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -40,5 +40,8 @@ SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
 SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
 }')
 
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCSWINSZ FIONREAD }')
+
 # commonly used TTY ioctls
 define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
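Review bot: The new macro's brace formatting is inconsistent with the neighbouring `unpriv_tty_ioctls` definition — `{TIOCOUTQ` has no space after the opening brace while the closing brace has one; write it as `define(`unpriv_unix_sock_ioctls', `{ TIOCOUTQ FIOCLEX TCGETS TIOCSWINSZ FIONREAD }')`. The two lists also overlap (TIOCOUTQ and FIOCLEX appear in both), so a reader may wonder whether one should include the other. The comment only says "commonly used"; a short note on why the terminal ioctls TCGETS and TIOCSWINSZ are expected on unix sockets would document the reason each command earned its place in the allowlist.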
diff --git a/isolated_app.te b/isolated_app.te
index 6497cf162..a1c371c83 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -57,6 +57,16 @@ neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
 neverallow isolated_app cache_file:dir ~{ r_dir_perms };
 neverallow isolated_app cache_file:file ~{ read getattr };
 
-# do not allow privileged socket ioctl commands
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
 neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
+neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow isolated_app *:{
+  socket netlink_socket packet_socket key_socket appletalk_socket
+  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
+  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+  netlink_rdma_socket netlink_crypto_socket
+} *;
diff --git a/net.te b/net.te
index 6aa12f23a..4616eb170 100644
--- a/net.te
+++ b/net.te
@@ -13,7 +13,7 @@ allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
 allow netdomain port_type:udp_socket name_bind;
 allow netdomain port_type:tcp_socket name_bind;
 # See changes to the routing table.
-allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
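Review bot: The expanded permission list on the `allow netdomain self:netlink_route_socket { create read getattr write ... nlmsg_read };` line is the previous `create_socket_perms` spelled out with ioctl left out, but nothing in the hunk says so; the same pattern appears in the te_macros hunk, where `*` on netlink_selinux_socket becomes an explicit list without ioctl. A reader comparing against the macro cannot tell whether the omission is deliberate — I am inferring that from the commit message, not from the hunk. Add `# ioctl is intentionally omitted; see the neverallow rules in untrusted_app.te and isolated_app.te` above each line, or better, define a no-ioctl variant next to where `create_socket_perms` is defined so the spelled-out list cannot drift from the base macro.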
diff --git a/te_macros b/te_macros
index 4d18973f4..488ef9bbe 100644
--- a/te_macros
+++ b/te_macros
@@ -221,7 +221,7 @@ allow $1 self:capability2 block_suspend;
 define(`selinux_check_access', `
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket *;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
 ')
 
 #####################################
diff --git a/untrusted_app.te b/untrusted_app.te
index d4d90ccf6..a6051a8b2 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -151,8 +151,19 @@ neverallow untrusted_app file_type:file link;
 # Do not allow untrusted_app to access network MAC address file
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 
-# do not allow privileged socket ioctl commands
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
 neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow untrusted_app *:{
+  socket netlink_socket packet_socket key_socket appletalk_socket
+  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
+  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+  netlink_rdma_socket netlink_crypto_socket
+} *;
 
 # Do not allow untrusted_app access to /cache
 neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-- 
GitLab