From a194d3757aae59ac59ee62a3b2a6d60be48b4cbb Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 16 Nov 2018 02:48:03 -0800
Subject: [PATCH] Tighten up handling of new classes
1b1d133be5350989cbd6c09e4f000e146f9ab7ae added the process2 class but forgot to suppress SELinux denials associated with these permissions for the su domain. Suppress them. Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule in su.te is relevant. Inspired by https://github.com/SELinuxProject/refpolicy/commit/66a337eec6d7244e44e51936835b4e904f275a02 Add xdp_socket to various other neverallow rules.
Test: policy compiles.
Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7
---
 private/app_neverallows.te | 2 +-
 private/isolated_app.te | 2 +-
 private/webview_zygote.te | 1 +
 public/global_macros | 2 +-
 public/su.te | 2 +-
 5 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 79437bd88..30acf8729 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -93,7 +93,7 @@ neverallow all_untrusted_apps *:{
 ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
 } *; # Do not allow untrusted apps access to /cache
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 1b56c5cf8..37594887f 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
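Review bot: The class list that `xdp_socket` is appended to here is a hand-copied enumeration that recurs in the isolated_app.te and webview_zygote.te hunks, and this commit is itself evidence that the copies drift each time a new kernel socket class appears. Defining that set once in global_macros as an m4 set (a name such as exotic_socket_class_set is only a suggestion) and referencing it from all three neverallow rules would make the next class addition a one-line change and make it visible that the three rules agree. The rules also differ in permission: the isolated_app.te rule restricts only `create` while this rule and the webview_zygote.te rule use `*`; that predates the commit, but a short comment on the isolated_app.te rule explaining why `create` alone is sufficient there would help the next reader. In each of the three files the enclosing neverallow statement begins before the hunk, so only its tail is under review here.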
@@ -133,5 +133,5 @@ neverallow isolated_app self:{
 rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
- qipcrtr_socket smc_socket
+ qipcrtr_socket smc_socket xdp_socket
 } create;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 75f70ac70..a3a4c463f 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -132,6 +132,7 @@ neverallow webview_zygote domain:{
 pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+ xdp_socket
 } *; # Do not allow access to Bluetooth-related system properties.
diff --git a/public/global_macros b/public/global_macros
index 00f9fb310..962bca95e 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -10,7 +10,7 @@ define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
 define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
 define(`dir_file_class_set', `{ dir file_class_set }')
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket 
vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
diff --git a/public/su.te b/public/su.te
index dad9c4948..4a401b86b 100644
--- a/public/su.te
+++ b/public/su.te
@@ -21,7 +21,7 @@ userdebug_or_eng(`
 dontaudit su kernel:security *;
 dontaudit su { kernel file_type }:system *;
 dontaudit su self:memprotect *;
- dontaudit su domain:process *;
+ dontaudit su domain:{ process process2 } *;
 dontaudit su domain:fd *;
 dontaudit su domain:dir *;
 dontaudit su domain:lnk_file *;
-- 
GitLab
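Review bot: Adding `xdp_socket` to `socket_class_set` changes every rule that expands the macro, not only the su.te dontaudit that the description calls out; any `allow` rule elsewhere in the policy written against `socket_class_set` now grants xdp_socket permissions as well. Those rules are not visible in this patch, so this is worth confirming with a grep for the macro before merging and a sentence in the commit message stating what was found. Leaving `unpriv_socket_class_set`, visible in the trailing context, untouched looks right, since nothing in the description argues for exposing the new class to unprivileged callers.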