From 8f08456a94b629875a3792dac68c1dd5ac7cd5f5 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 2 Oct 2018 21:43:20 -0700
Subject: [PATCH] isolated_apps: no socket create

Isolated apps provide a very strict security guarantee, including the inability to create networking sockets like TCP / UDP sockets. Add an SELinux neverallow assertion to test for this and prevent regressions.
Test: policy compiles.
Change-Id: I2618abb17375707eb1048e89faa46f57d33e1df4
---
 private/isolated_app.te | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/private/isolated_app.te b/private/isolated_app.te
index 26cb12277..85e80a5fa 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -117,3 +117,24 @@ neverallow isolated_app {
 -sysfs_devices_system_cpu
 -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
 }:file no_rw_file_perms;
+
+# No creation of sockets families other than AF_UNIX sockets.
+# List taken from system/sepolicy/public/global_macros - socket_class_set
+# excluding unix_stream_socket and unix_dgram_socket.
+# Many of these are socket families which have never and will never
+# be compiled into the Android kernel.
+neverallow isolated_app self:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
+ key_socket appletalk_socket netlink_route_socket
+ netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
+ netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
+ netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
+ netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
+ netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
+ rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
+ ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
+ qipcrtr_socket smc_socket
+} create;
-- 
GitLab
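Review bot: The class list in the new `neverallow isolated_app self:{ ... } create;` rule is a hand copy of `socket_class_set`, so a socket class added to global_macros later will not be covered here, and the policy will still compile cleanly. The comment above the rule should warn the next maintainer, for example `# Keep in sync with socket_class_set: a class added there and not here is not checked by this rule.` It would also help to state in that comment that only `create` on `self` is asserted, so use of a socket handed over by another domain is presumably governed by other rules, not this one. Minor wording: "sockets families" in the first comment line should read "socket families".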