Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
S
sepolicy
Manage
Activity
Members
Plan
Wiki
Code
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Deploy
Releases
Package Registry
Model registry
Operate
Terraform modules
Analyze
Contributor analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
CodeLinaro
public-release-test
platform
system
sepolicy
Commits
5a23b162
Commit
5a23b162
authored
9 years ago
by
Jeff Vander Stoep
Committed by
Android (Google) Code Review
9 years ago
Browse files
Options
Downloads
Plain Diff
Merge "restrict app access to socket ioctls" into mnc-dev
parents
dc496c2b
de9b5301
No related branches found
No related tags found
No related merge requests found
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
Android.mk
+1
-0
1 addition, 0 deletions
Android.mk
ioctl_macros
+11
-0
11 additions, 0 deletions
ioctl_macros
isolated_app.te
+3
-0
3 additions, 0 deletions
isolated_app.te
untrusted_app.te
+2
-11
2 additions, 11 deletions
untrusted_app.te
with
17 additions
and
11 deletions
Android.mk
+
1
−
0
View file @
5a23b162
...
...
@@ -36,6 +36,7 @@ sepolicy_build_files := security_classes \
policy_capabilities
\
te_macros
\
attributes
\
ioctl_macros
\
*
.te
\
roles
\
users
\
...
...
This diff is collapsed.
Click to expand it.
ioctl_macros
0 → 100644
+
11
−
0
View file @
5a23b162
# socket ioctls allowed to unprivileged apps
define(`unpriv_sock_ioctls', `
{
# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
0x8900-0x8926 0x8928-0x89ff
# all wireless extensions ioctls except get/set essid
# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
0x8B00-0x8B09 0x8B1C-0x8BFF
# commonly used TTY ioctls
0x5411 0x5451
}')
This diff is collapsed.
Click to expand it.
isolated_app.te
+
3
−
0
View file @
5a23b162
...
...
@@ -20,6 +20,9 @@ allow isolated_app display_service:service_manager find;
service_manager_local_audit_domain(isolated_app)
# only allow unprivileged socket ioctl commands
allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
#####
##### Neverallow
#####
...
...
This diff is collapsed.
Click to expand it.
untrusted_app.te
+
2
−
11
View file @
5a23b162
...
...
@@ -97,17 +97,8 @@ allow untrusted_app persistent_data_block_service:service_manager find;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
# limit untrusted_apps access to MAC address ioctl
# MAC address is SIOCGIFHWADDR 0x8927
# from include/uapi/linux/sockios.h
# #define SIOCGIFHWADDR 0x8927 /* Get hardware address */
# Other general 0x89** ioctls should continue to be allowed.
# 0x8B00 from wireless extensions driver and is used by chrome to
# determine if wifi is present
# from include/uapi/linux/wireless.h:
# #define SIOCSIWCOMMIT 0x8B00 /* Commit pending changes to driver */
allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x5411 0x5451 0x8900-0x8926 0x8928-0x89ff 0x8b00-0x8bff };
auditallow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x8b00-0x8bff };
# only allow unprivileged socket ioctl commands
allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
