From af609b2f3ced2e468ee97e5eccd87c8bb5d27c0d Mon Sep 17 00:00:00 2001
From: Bram Bonne
Date: Tue, 17 May 2022 14:22:02 +0200
Subject: [PATCH] Enforce MAC address restrictions for priv apps.
Bug: 230733237
Test: atest NetlinkSocketTest NetworkInterfaceTest bionic-unit-tests-static CtsSelinuxTargetSdkCurrentTestCases CtsSelinuxTargetSdk29TestCases CtsSelinuxTargetSdk27TestCases
Change-Id: I1d66ae7849e950612f3b6693216ec8c84e942640
---
 private/app_neverallows.te | 1 +
 private/net.te | 1 +
 2 files changed, 2 insertions(+)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 304f5a209..f71636756 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -127,6 +127,7 @@ neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };
 # Disallow sending RTM_GETLINK messages on netlink sockets.
 neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
+neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv };
 # Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
 neverallow {
diff --git a/private/net.te b/private/net.te
index 25bd538b9..c2bac0386 100644
--- a/private/net.te
+++ b/private/net.te
@@ -12,6 +12,7 @@ allow {
   netdomain
   -ephemeral_app
   -mediaprovider
+  -priv_app
   -sdk_sandbox
   -untrusted_app_all
 } self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
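Review bot: The new neverallow in app_neverallows.te only covers `{ bind nlmsg_readpriv }` (RTM_GETLINK), while the net.te hunk also strips `nlmsg_getneigh` from priv_app by excluding it from the allow rule; for RTM_GETNEIGH the restriction on priv_app is therefore enforced only by the absence of an allow, which a vendor or partner policy can grant back, rather than by a compile-time neverallow. Unless priv_app is already in the set of the `neverallow {` block for RTM_GETNEIGH{TBL} that begins at the end of the first hunk and continues outside it, add `priv_app` to that set so both restrictions named in the commit title are guaranteed at policy build time. As a style point, the two adjacent RTM_GETLINK rules could be a single `neverallow { all_untrusted_apps priv_app } domain:netlink_route_socket { bind nlmsg_readpriv };` so the domains covered by the restriction are visible in one place.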