tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/ioctl_macros

77 lines
3.4 KiB
Text
Raw Normal View History

restrict app access to socket ioctls Create a macro of unprivileged ioctls including - All common socket ioctls except MAC address - All wireless extensions ioctls except get/set ESSID - Some commonly used tty ioctls Bug: 21657002 Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
2015-06-06 00:28:55 +02:00
# socket ioctls allowed to unprivileged apps
define(`unpriv_sock_ioctls', `
{
Reduce socket ioctl perms Reduce the socket ioctl commands available to untrusted/isolated apps. Neverallow accessing sensitive information or setting of network parameters. Neverallow access to device private ioctls i.e. device specific customizations as these are a common source of driver bugs. Define common ioctl commands in ioctl_defines. Bug: 26267358 Change-Id: Ic5c0af066e26d4cb2867568f53a3e65c5e3b5a5d
2015-12-22 19:39:34 +01:00
# Socket ioctls for gathering information about the interface
Add SIOCGSTAMP SIOCGSTAMPNS to unpriv_sock_ioctls Per "man socket": SIOCGSTAMP Return a struct timeval with the receive timestamp of the last packet passed to the user. This is useful for accurate round trip time measurements. See setitimer(2) for a description of struct timeval. This ioctl should only be used if the socket option SO_TIMESTAMP is not set on the socket. Otherwise, it returns the timestamp of the last packet that was received while SO_TIMESTAMP was not set, or it fails if no such packet has been received, (i.e., ioctl(2) returns -1 with errno set to ENOENT). Addresses the following denial: avc: denied { ioctl } for comm=6E6574776F726B5F74687265616420 path="socket:[42934]" dev="sockfs" ino=42934 ioctlcmd=8906 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=udp_socket permissive=0 Bug: 29333189 Change-Id: I916a695fa362cf1cf6759629c7f6101e9f657e7d
2016-06-14 12:57:02 +02:00
SIOCGSTAMP SIOCGSTAMPNS
define SIOCGIFDSTADDR as unprivileged ioctl Move from privileged macro to unprivileged. Bug: 28164785 Change-Id: Ide39dc0009871c209249a41e574e84009ac47380
2016-04-13 19:09:11 +02:00
SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
add SIOCGIFINDEX to list of unprivileged socket ioctls Addresses avc: denied { ioctl } for path="socket:[69748]" dev="sockfs" ino=69748 ioctlcmd=8933 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=udp_socket Change-Id: Iee3821ade9dc044fa03705902923ed18c91425dd
2016-01-08 22:37:53 +01:00
SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
Reduce socket ioctl perms Reduce the socket ioctl commands available to untrusted/isolated apps. Neverallow accessing sensitive information or setting of network parameters. Neverallow access to device private ioctls i.e. device specific customizations as these are a common source of driver bugs. Define common ioctl commands in ioctl_defines. Bug: 26267358 Change-Id: Ic5c0af066e26d4cb2867568f53a3e65c5e3b5a5d
2015-12-22 19:39:34 +01:00
# Wireless extension ioctls. Primarily get functions.
SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
restrict app access to socket ioctls Create a macro of unprivileged ioctls including - All common socket ioctls except MAC address - All wireless extensions ioctls except get/set ESSID - Some commonly used tty ioctls Bug: 21657002 Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
2015-06-06 00:28:55 +02:00
}')
Migrate to upstream policy version 30 Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow priv_sock_perms to disallow access to MAC address and ESSID. Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
2015-12-07 17:30:43 +01:00
Reduce socket ioctl perms Reduce the socket ioctl commands available to untrusted/isolated apps. Neverallow accessing sensitive information or setting of network parameters. Neverallow access to device private ioctls i.e. device specific customizations as these are a common source of driver bugs. Define common ioctl commands in ioctl_defines. Bug: 26267358 Change-Id: Ic5c0af066e26d4cb2867568f53a3e65c5e3b5a5d
2015-12-22 19:39:34 +01:00
# socket ioctls never allowed to unprivileged apps
Migrate to upstream policy version 30 Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow priv_sock_perms to disallow access to MAC address and ESSID. Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
2015-12-07 17:30:43 +01:00
define(`priv_sock_ioctls', `
{
disallow unprivileged access to rmnet Enforce via neverallow rule by adding WAN_IOC_ADD_FLT_RULE and WAN_IOC_ADD_FLT_RULE_INDEX to neverallow macro. Bug: 26324307 Change-Id: I5350d9339e45ddeefd5423c3fe9a0ea14fe877b2
2016-01-05 17:01:53 +01:00
# qualcomm rmnet ioctls
WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
Reduce socket ioctl perms Reduce the socket ioctl commands available to untrusted/isolated apps. Neverallow accessing sensitive information or setting of network parameters. Neverallow access to device private ioctls i.e. device specific customizations as these are a common source of driver bugs. Define common ioctl commands in ioctl_defines. Bug: 26267358 Change-Id: Ic5c0af066e26d4cb2867568f53a3e65c5e3b5a5d
2015-12-22 19:39:34 +01:00
# socket ioctls
define SIOCGIFDSTADDR as unprivileged ioctl Move from privileged macro to unprivileged. Bug: 28164785 Change-Id: Ide39dc0009871c209249a41e574e84009ac47380
2016-04-13 19:09:11 +02:00
SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
Reduce socket ioctl perms Reduce the socket ioctl commands available to untrusted/isolated apps. Neverallow accessing sensitive information or setting of network parameters. Neverallow access to device private ioctls i.e. device specific customizations as these are a common source of driver bugs. Define common ioctl commands in ioctl_defines. Bug: 26267358 Change-Id: Ic5c0af066e26d4cb2867568f53a3e65c5e3b5a5d
2015-12-22 19:39:34 +01:00
SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
add SIOCGIFINDEX to list of unprivileged socket ioctls Addresses avc: denied { ioctl } for path="socket:[69748]" dev="sockfs" ino=69748 ioctlcmd=8933 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=udp_socket Change-Id: Iee3821ade9dc044fa03705902923ed18c91425dd
2016-01-08 22:37:53 +01:00
SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
2016-05-17 06:12:17 +02:00
SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
Reduce socket ioctl perms Reduce the socket ioctl commands available to untrusted/isolated apps. Neverallow accessing sensitive information or setting of network parameters. Neverallow access to device private ioctls i.e. device specific customizations as these are a common source of driver bugs. Define common ioctl commands in ioctl_defines. Bug: 26267358 Change-Id: Ic5c0af066e26d4cb2867568f53a3e65c5e3b5a5d
2015-12-22 19:39:34 +01:00
SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
# device and protocol specific ioctls
SIOCDEVPRIVATE-SIOCDEVPRIVLAST
SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
# Wireless extension ioctls
SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
# Dev private ioctl i.e. hardware specific ioctls
SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
Migrate to upstream policy version 30 Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow priv_sock_perms to disallow access to MAC address and ESSID. Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
2015-12-07 17:30:43 +01:00
}')
ioctls: move commonly used tty ioctls to macro Remove from unpriv_socket_ioctls but grant each user of unpriv_socket_ioctls use of unpriv_tty_ioctls Bug: 26990688 Change-Id: I998e09091de5a7234ad0049758d5dad0b35722f7
2016-02-22 21:31:57 +01:00
Further restrict socket ioctls available to apps (cherry picked from commit 6ba383c575985d56752e006d6e65ba7a49abd52e) Restrict unix_dgram_socket and unix_stream_socket to a whitelist. Disallow all ioctls for netlink_selinux_socket and netlink_route_socket. Neverallow third party app use of all ioctls other than unix_dgram_socket, unix_stream_socket, netlink_selinux_socket, netlink_route_socket, tcp_socket, udp_socket and rawip_socket. Bug: 28171804 Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab
2016-04-15 19:54:40 +02:00
# commonly used ioctls on unix sockets
Move to ioctl whitelisting for /dev/pts/* files In particular, get rid of TIOCSTI, which is only ever used for exploits. http://www.openwall.com/lists/oss-security/2016/09/26/14 Bug: 33073072 Bug: 7530569 Test: "adb shell" works Test: "adb install package" works Test: jackpal terminal emulator from https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en works Change-Id: I96b5e7059d106ce57ff55ca6e458edf5a4c393bf
2016-11-22 23:22:43 +01:00
define(`unpriv_unix_sock_ioctls', `{
more ioctl work Add a neverallow rule requiring fine-grain ioctl filtering for most file and socket object classes. Only chr_file and blk_file are excluded. The goal is to ensure that any file descriptor which supports ioctl commands uses a whitelist. Further refine the list of file / socket objects which require ioctl filtering. The previous ioctl filtering did not cover the following: 1) ioctls on /proc/PID files 2) ioctls on directories in /dev 3) PDX unix domain sockets Add FIONCLEX to the list of globally safe ioctls. FIOCLEX and FIONCLEX are alternate, uncommon ways to set the O_CLOEXEC flag on a file descriptor, which is a harmless operation. Test: device boots and no problems. Change-Id: I6ba31fbe2f21935243a344d33d67238d72a8e618
2018-10-17 20:04:06 +02:00
TIOCOUTQ FIOCLEX FIONCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
Move to ioctl whitelisting for /dev/pts/* files In particular, get rid of TIOCSTI, which is only ever used for exploits. http://www.openwall.com/lists/oss-security/2016/09/26/14 Bug: 33073072 Bug: 7530569 Test: "adb shell" works Test: "adb install package" works Test: jackpal terminal emulator from https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en works Change-Id: I96b5e7059d106ce57ff55ca6e458edf5a4c393bf
2016-11-22 23:22:43 +01:00
}')
Further restrict socket ioctls available to apps (cherry picked from commit 6ba383c575985d56752e006d6e65ba7a49abd52e) Restrict unix_dgram_socket and unix_stream_socket to a whitelist. Disallow all ioctls for netlink_selinux_socket and netlink_route_socket. Neverallow third party app use of all ioctls other than unix_dgram_socket, unix_stream_socket, netlink_selinux_socket, netlink_route_socket, tcp_socket, udp_socket and rawip_socket. Bug: 28171804 Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab
2016-04-15 19:54:40 +02:00
ioctls: move commonly used tty ioctls to macro Remove from unpriv_socket_ioctls but grant each user of unpriv_socket_ioctls use of unpriv_tty_ioctls Bug: 26990688 Change-Id: I998e09091de5a7234ad0049758d5dad0b35722f7
2016-02-22 21:31:57 +01:00
# commonly used TTY ioctls
Move to ioctl whitelisting for /dev/pts/* files In particular, get rid of TIOCSTI, which is only ever used for exploits. http://www.openwall.com/lists/oss-security/2016/09/26/14 Bug: 33073072 Bug: 7530569 Test: "adb shell" works Test: "adb install package" works Test: jackpal terminal emulator from https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en works Change-Id: I96b5e7059d106ce57ff55ca6e458edf5a4c393bf
2016-11-22 23:22:43 +01:00
# merge with unpriv_unix_sock_ioctls?
define(`unpriv_tty_ioctls', `{
Add TCSETSF to unpriv_tty_ioctls. This allows calling tcsetattr() with TCSAFLUSH, in addition to TCSANOW and TCSADRAIN. Fixes: 172740382 Test: manual Change-Id: Idd2e9e0db2e0210df515f46d9d0323c6b517dd39
2020-11-08 05:23:08 +01:00
TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TCSETSW TCSETSF TIOCGWINSZ TIOCSWINSZ
TIOCSCTTY TCFLSH TIOCSPGRP TIOCGPGRP
Move to ioctl whitelisting for /dev/pts/* files In particular, get rid of TIOCSTI, which is only ever used for exploits. http://www.openwall.com/lists/oss-security/2016/09/26/14 Bug: 33073072 Bug: 7530569 Test: "adb shell" works Test: "adb install package" works Test: jackpal terminal emulator from https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en works Change-Id: I96b5e7059d106ce57ff55ca6e458edf5a4c393bf
2016-11-22 23:22:43 +01:00
}')
Define and group ppp socket ioctls Needed for legacy VPN access. Note that ioctl whitelisting only uses the type and command fields of the ioctl so only the last two bytes are necessary, thus 0x40047438 and 0x7438 are treated the same. Bug: 30154346 Change-Id: I45bdc77ab666e05707729a114d933900655ba48b
2016-07-15 20:56:35 +02:00
# point to point ioctls
define(`ppp_ioctls', `{
PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
}')
sepolicy: restrict BINDER_FREEZE to system_server BINDER_FREEZE is used to block ipc transactions to frozen processes, so only system_server must be allowed to use it. Bug: 143717177 Test: manually verified that attempts to use BINDER_FREEZE by processes other than system_server receive a sepolicy denial Test: verified that system_server can enable/disable the freezer in binder Change-Id: I0fae3585c6ec409809e8085c1cc9862be4755889
2020-09-03 21:07:33 +02:00
# unprivileged binder ioctls
define(`unpriv_binder_ioctls', `{
BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
sepolicy: allow BINDER_ENABLE_ONEWAY_SPAM_DETECTION for all processes BINDER_ENABLE_ONEWAY_SPAM_DETECTION is used to enable/disable oneway spamming detection in binder driver, and can be set per-proc. Bug: 181190340 Change-Id: Id799b19ee5a74b458e286dc29122c140a047bdad
2021-04-20 07:55:33 +02:00
BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
sepolicy: restrict BINDER_FREEZE to system_server BINDER_FREEZE is used to block ipc transactions to frozen processes, so only system_server must be allowed to use it. Bug: 143717177 Test: manually verified that attempts to use BINDER_FREEZE by processes other than system_server receive a sepolicy denial Test: verified that system_server can enable/disable the freezer in binder Change-Id: I0fae3585c6ec409809e8085c1cc9862be4755889
2020-09-03 21:07:33 +02:00
}')
Reference in a new issue Copy permalink