enable ioctl filtering on other filesystem types

ebc3a1a3 enabled ioctl filtering on normal files and directories. However, no per-ioctl permissions were enforced for symbolic links, named pipes ("mkfifo"), or named sockets. Start enforcing fine-grain ioctl restrictions for symbolic links, named pipes, and named sockets. Motivation: Prevent FS_IOC_ENABLE_VERIFY and FS_IOC_MEASURE_VERITY from being usable on nonsensical filesystem objects and provide a layer of defense for kernel bugs. Test: Device boots and no obvious problem. Change-Id: Id81b496ab64f37a0918f3dfd8fa9aaa3227009cc

enable ioctl filtering on other filesystem types
ebc3a1a3 enabled ioctl filtering on normal files and directories. However, no per-ioctl permissions were enforced for symbolic links, named pipes ("mkfifo"), or named sockets. Start enforcing fine-grain ioctl restrictions for symbolic links, named pipes, and named sockets. Motivation: Prevent FS_IOC_ENABLE_VERIFY and FS_IOC_MEASURE_VERITY from being usable on nonsensical filesystem objects and provide a layer of defense for kernel bugs. Test: Device boots and no obvious problem. Change-Id: Id81b496ab64f37a0918f3dfd8fa9aaa3227009cc
6695c50d · Nick Kralevich · ae079b88 · 6695c50d
Commit 6695c50d authored 6 years ago by Nick Kralevich
--- a/public/domain.te
+++ b/public/domain.te
@@ -292,8 +292,9 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;

 # All domains must clearly enumerate what ioctls they use
-# on plain files and directories
-allowxperm domain { file_type fs_type }:{ dir file } ioctl { 0 };
+# on filesystem objects (plain files, directories, symbolic links,
+# named pipes, and named sockets)
+allowxperm domain { file_type fs_type }:{ dir notdevfile_class_set } ioctl { 0 };

 # Support sqlite F2FS specific optimizations
 # ioctl permission on the specific file type is still required