allow apps tun_device ioctl TUNGETIFF;

Commit 619c1ef2 ("tun_device: enforce ioctl restrictions") completely removed the ability of untrusted apps to issue ioctl calls to tun_device. It turns out that this was too aggressive. Wireshark apparently uses the TUNGETIFF ioctl. Fixes the following denial: audit(0.0:384744): avc: denied { ioctl } for comm=4173796E635461736B202332 path="/dev/tun" dev="tmpfs" ino=19560 ioctlcmd=54d2 scontext=u:r:untrusted_app:s0:c51,c257,c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=1 app=com.wireguard.android Test: policy compiles. Change-Id: I71bb494036ea692781c00af37580748ab39d1332

allow apps tun_device ioctl TUNGETIFF;
Commit 619c1ef2 ("tun_device: enforce ioctl restrictions") completely removed the ability of untrusted apps to issue ioctl calls to tun_device. It turns out that this was too aggressive. Wireshark apparently uses the TUNGETIFF ioctl. Fixes the following denial: audit(0.0:384744): avc: denied { ioctl } for comm=4173796E635461736B202332 path="/dev/tun" dev="tmpfs" ino=19560 ioctlcmd=54d2 scontext=u:r:untrusted_app:s0:c51,c257,c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=1 app=com.wireguard.android Test: policy compiles. Change-Id: I71bb494036ea692781c00af37580748ab39d1332
3b2df198 · Nick Kralevich · 7ef01c34 · 3b2df198 · 3b2df198
Commit 3b2df198 authored 6 years ago by Nick Kralevich
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -123,12 +123,10 @@ neverallow { all_untrusted_apps -mediaprovider } {
 # No untrusted component should be touching /dev/fuse
 neverallow all_untrusted_apps fuse_device:chr_file *;

-# Do not allow untrusted apps to directly open or
-# issue ioctls to the tun_device
-neverallow all_untrusted_apps tun_device:chr_file { open ioctl };
-# Additionally, assert that the following ioctls are never reachable.
-# This should already be blocked by the neverallow rule above, but this
-# is added for robustness, and to prove equivalence to the kernel patch at
+# Do not allow untrusted apps to directly open the tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+# The tun_device ioctls below are not allowed, to prove equivalence
+# to the kernel patch at
 # https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
 neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
  SIOCGIFHWADDR

--- a/public/app.te
+++ b/public/app.te
@@ -337,7 +337,8 @@ allow appdomain runas_exec:file getattr;

 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append };
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;

 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.