allow apps tun_device ioctl TUNGETIFF; (3b2df198) · Commits · CodeLinaro / public-release-test / platform / system / sepolicy

Commit 3b2df198 authored 6 years ago by Nick Kralevich

allow apps tun_device ioctl TUNGETIFF;

Commit 619c1ef2 ("tun_device: enforce
ioctl restrictions") completely removed the ability of untrusted apps to
issue ioctl calls to tun_device. It turns out that this was too
aggressive. Wireshark apparently uses the TUNGETIFF ioctl.

Fixes the following denial:

audit(0.0:384744): avc: denied { ioctl } for comm=4173796E635461736B202332 path="/dev/tun" dev="tmpfs" ino=19560 ioctlcmd=54d2 scontext=u:r:untrusted_app:s0:c51,c257,c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=1 app=com.wireguard.android

Test: policy compiles.
Change-Id: I71bb494036ea692781c00af37580748ab39d1332

parent 7ef01c34

No related branches found

No related tags found

Hide whitespace changes

Inline Side-by-side

Showing with 6 additions and 7 deletions

Please register or to comment