Merge "Update socket ioctl restrictions"

4b9a3128 · Treehugger Robot · Gerrit Code Review · 512e1c4d · 0597ade1 · 4b9a3128
Commit 4b9a3128 authored 6 years ago by Treehugger Robot Committed by Gerrit Code Review 6 years ago
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -70,7 +70,7 @@ neverallow all_untrusted_apps sysfs:file no_rw_file_perms;

 # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
 # ioctl permission, or 3. disallow the socket class.
-neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
 neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
 neverallow all_untrusted_apps *:{
  socket netlink_socket packet_socket key_socket appletalk_socket
@@ -79,7 +79,11 @@ neverallow all_untrusted_apps *:{
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
-  netlink_rdma_socket netlink_crypto_socket
+  netlink_rdma_socket netlink_crypto_socket sctp_socket
+  ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+  atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+  bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
 } *;

 # Do not allow untrusted apps access to /cache

--- a/private/net.te
+++ b/private/net.te
@@ -4,7 +4,8 @@

 # Use network sockets.
 allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
 # Connect to ports.
 allow netdomain port_type:tcp_socket name_connect;
 # Bind to ports.

--- a/public/domain.te
+++ b/public/domain.te
@@ -262,7 +262,7 @@ allow domain fs_type:dir getattr;
 # defaults for all processes. Note that granting this whitelist to domain does
 # not grant the ioctl permission on these socket types. That must be granted
 # separately.
-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 # default whitelist for unix sockets.
 allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }