From 6695c50dee20a766abd47d9c0c51aeed3df3b937 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 10 Oct 2018 09:55:32 -0700
Subject: [PATCH] enable ioctl filtering on other filesystem types

ebc3a1a34ce914654fcc4edf9a2d26bf5fa76260 enabled ioctl filtering on
normal files and directories. However, no per-ioctl permissions were
enforced for symbolic links, named pipes ("mkfifo"), or
named sockets.

Start enforcing fine-grain ioctl restrictions for symbolic links, named
pipes, and named sockets.

Motivation: Prevent FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY from
being usable on nonsensical filesystem objects and provide a layer of
defense against kernel bugs.

Test: Device boots and no obvious problem.
Change-Id: Id81b496ab64f37a0918f3dfd8fa9aaa3227009cc
---
 public/domain.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index db0c8cbb7..e9bdb6dec 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -292,8 +292,9 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
 # All domains must clearly enumerate what ioctls they use
-# on plain files and directories
-allowxperm domain { file_type fs_type }:{ dir file } ioctl { 0 };
+# on filesystem objects (plain files, directories, symbolic links,
+# named pipes, and named sockets)
+allowxperm domain { file_type fs_type }:{ dir notdevfile_class_set } ioctl { 0 };
 
 # Support sqlite F2FS specific optimizations
 # ioctl permission on the specific file type is still required
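Review bot: The comment above the new `allowxperm` line lists the covered object types but does not explain the `{ 0 }` idiom or what stays uncovered. As far as the hunk shows, `{ 0 }` grants no useful ioctl command and exists only to switch on per-command filtering for these classes. A line such as `# { 0 } is a placeholder that turns on ioctl command filtering; device nodes (chr_file, blk_file) are not covered by this rule.` would make that explicit. `notdevfile_class_set` is defined outside this hunk, so the exact class list should be confirmed against the macro rather than taken from the comment. The "Device boots" test is also thin for a rule that applies to every domain. Checking the audit log for `avc: denied { ioctl }` entries with an `ioctlcmd=` field on `fifo_file`, `sock_file` and `lnk_file` under normal workloads would show which domains now need their own `allowxperm` lines.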
-- 
GitLab