add map permission to rw_socket_perms

Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). system/sepolicy commit 4397f082 added the map permission to common file macros, to ensure that file access would continue working even in the presence of a newer kernel. However, that change did not affect socket access. Certain socket classes, such as AF_NETLINK and AF_PACKET, also support mmap operations. This change adds the map permission to rw_socket_perms, to ensure continued support for newer kernels. This technically allows mmap even in cases where the socket family doesn't support it (such as TCP and UDP sockets), but granting it is harmless in those cases. In particular, this fixes a bug in clatd, where the following error would occur: 10-01 13:59:03.182 7129 7129 I clatd : Starting clat version 1.4 on rmnet0 netid=100 mark=0xf0064 10-01 13:59:03.195 7129 7129 I auditd : type=1400 audit(0.0:18): avc: denied { map } for comm="clatd" path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0 10-01 13:59:03.195 7129 7129 W clatd : type=1400 audit(0.0:18): avc: denied { map } for path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0 10-01 13:59:03.199 7129 7129 F clatd : mmap 1048576 failed: Permission denied Test: policy compiles Bug: 117791876 Change-Id: I39f286d577b4a2160037ef271517ae8a3839b49b

add map permission to rw_socket_perms
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). system/sepolicy commit 4397f082 added the map permission to common file macros, to ensure that file access would continue working even in the presence of a newer kernel. However, that change did not affect socket access. Certain socket classes, such as AF_NETLINK and AF_PACKET, also support mmap operations. This change adds the map permission to rw_socket_perms, to ensure continued support for newer kernels. This technically allows mmap even in cases where the socket family doesn't support it (such as TCP and UDP sockets), but granting it is harmless in those cases. In particular, this fixes a bug in clatd, where the following error would occur: 10-01 13:59:03.182 7129 7129 I clatd : Starting clat version 1.4 on rmnet0 netid=100 mark=0xf0064 10-01 13:59:03.195 7129 7129 I auditd : type=1400 audit(0.0:18): avc: denied { map } for comm="clatd" path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0 10-01 13:59:03.195 7129 7129 W clatd : type=1400 audit(0.0:18): avc: denied { map } for path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0 10-01 13:59:03.199 7129 7129 F clatd : mmap 1048576 failed: Permission denied Test: policy compiles Bug: 117791876 Change-Id: I39f286d577b4a2160037ef271517ae8a3839b49b
9c22895c · Nick Kralevich · 52fb3edb · 9c22895c
Commit 9c22895c authored 6 years ago by Nick Kralevich
--- a/public/global_macros
+++ b/public/global_macros
@@ -42,8 +42,8 @@ define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')

 #####################################
 # Common socket permission sets.
-define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
-define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
 define(`create_socket_perms', `{ create rw_socket_perms }')
 define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
 define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')