Move to ioctl whitelisting for /dev/pts/* files

In particular, get rid of TIOCSTI, which is only ever used for exploits. http://www.openwall.com/lists/oss-security/2016/09/26/14 Bug: 33073072 Bug: 7530569 Test: "adb shell" works Test: "adb install package" works Test: jackpal terminal emulator from https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en works Change-Id: I96b5e7059d106ce57ff55ca6e458edf5a4c393bf
2016-11-22 14:22:43 -08:00 · 2016-11-22 14:22:43 -08:00 · 07c3a5a522
commit 07c3a5a522
parent 11dc03e5a2
3 changed files with 23 additions and 2 deletions
--- a/public/domain.te
+++ b/public/domain.te
@ -171,6 +171,11 @@ allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
 allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
  ioctl unpriv_unix_sock_ioctls;

+# Restrict PTYs to only whitelisted ioctls.
+# Note that granting this whitelist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;

 ###
 ### neverallow rules
@ -179,6 +184,11 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 # All socket ioctls must be restricted to a whitelist.
 neverallowxperm domain domain:socket_class_set ioctl { 0 };

+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * devpts:chr_file ioctl TIOCSTI;
+
 # Do not allow any domain other than init or recovery to create unlabeled files.
 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@ -42,10 +42,16 @@ SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
 }')

 # commonly used ioctls on unix sockets
-define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD }')
+define(`unpriv_unix_sock_ioctls', `{
+  TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+}')

 # commonly used TTY ioctls
-define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
+# merge with unpriv_unix_sock_ioctls?
+define(`unpriv_tty_ioctls', `{
+  TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW TCFLSH
+  TIOCSPGRP TIOCGPGRP
+}')

 # point to point ioctls
 define(`ppp_ioctls', `{
--- a/public/te_macros
+++ b/public/te_macros
@ -259,6 +259,11 @@ type $1_devpts, fs_type;
 type_transition $1 devpts:chr_file $1_devpts;
 # Allow use of the pty after creation.
 allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
 # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
 # allowed to everyone via domain.te.
 ')