Further restrict socket ioctls available to apps
Restrict unix_dgram_socket and unix_stream_socket ioctls to a whitelist. Disallow all ioctls for netlink_selinux_socket and netlink_route_socket. Neverallow third-party app use of all socket ioctls other than those on unix_dgram_socket, unix_stream_socket, netlink_selinux_socket, netlink_route_socket, tcp_socket, udp_socket and rawip_socket. Bug: 28171804 Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab
This commit is contained in:
parent
bce921c6f6
commit
6ba383c575
6 changed files with 30 additions and 5 deletions
|
@ -28,6 +28,7 @@ r_dir_file(domain, self)
|
|||
allow domain self:{ fifo_file file } rw_file_perms;
|
||||
allow domain self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;
|
||||
|
||||
# Inherit or receive open files from others.
|
||||
allow domain init:fd use;
|
||||
|
|
|
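Review bot: The new rule `allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;` names `domain` as its target, while the two allow rules directly above it that grant the socket permissions are scoped to `domain self:`; the extended-permission grant is therefore wider than the base grant it is meant to narrow. If the wider target is deliberate (sockets received from another domain over fd passing), say so in a comment, otherwise use `allowxperm domain self:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;`. An allowxperm only filters an ioctl permission that is granted elsewhere, and whether `create_socket_perms` / `create_stream_socket_perms` include `ioctl` is not visible in this hunk, so that should be confirmed before relying on this line as the whitelist. A short comment above the rule, e.g. `# ioctls on unix sockets are limited to unpriv_unix_sock_ioctls for every domain`, would make the intent clear to the next reader.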
@ -40,5 +40,8 @@ SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
|
|||
SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
|
||||
}')
|
||||
|
||||
# commonly used ioctls on unix sockets
|
||||
define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCSWINSZ FIONREAD }')
|
||||
|
||||
# commonly used TTY ioctls
|
||||
define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
|
||||
|
|
|
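Review bot: `unpriv_unix_sock_ioctls` mixes genuine socket ioctls (TIOCOUTQ, FIONREAD, FIOCLEX) with terminal ioctls (TCGETS, TIOCSWINSZ) that the kernel would reject on a socket regardless of policy; if they are listed only so that isatty()-style probes on a socket fail quietly with ENOTTY rather than producing a denial — which is my presumption, not something the hunk states — the define should carry a comment to that effect, e.g. `# TCGETS/TIOCSWINSZ are listed so tty probes on a socket get ENOTTY instead of a denial; they grant nothing on a socket`. Also the brace spacing `{TIOCOUTQ` is inconsistent with `{ TIOCOUTQ FIOCLEX }` in the tty macro two lines below; use `define(`unpriv_unix_sock_ioctls', `{ TIOCOUTQ FIOCLEX TCGETS TIOCSWINSZ FIONREAD }')`.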
@ -63,6 +63,16 @@ neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
|
|||
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
|
||||
neverallow isolated_app cache_file:file ~{ read getattr };
|
||||
|
||||
# do not allow privileged socket ioctl commands
|
||||
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
|
||||
# ioctl permission, or 3. disallow the socket class.
|
||||
neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
||||
|
||||
neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
|
||||
neverallow isolated_app *:{
|
||||
socket netlink_socket packet_socket key_socket appletalk_socket
|
||||
netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
|
||||
netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
|
||||
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
|
||||
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
|
||||
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
|
||||
netlink_rdma_socket netlink_crypto_socket
|
||||
} *;
|
||||
|
|
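Review bot: The new block restricts rawip/tcp/udp by xperm, denies ioctl on the two netlink classes and denies the remaining socket classes outright, but unix_dgram_socket and unix_stream_socket — which the commit message says are restricted to a whitelist — get no neverallow here, so a device policy can widen the domain.te whitelist for isolated_app without tripping any compile-time check. Consider adding `neverallowxperm isolated_app *:{ unix_dgram_socket unix_stream_socket } ioctl ~unpriv_unix_sock_ioctls;` beside the other socket neverallows. Separately, the `neverallowxperm` line targets `domain` while the two `neverallow` lines target `*`; a tcp/udp/rawip socket whose type is outside the `domain` attribute would escape the xperm check, so `*` is the safer and more consistent target. The class list is hand-enumerated, so a comment noting that new socket classes must be added here when they appear in the kernel would help keep it complete.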
2
net.te
2
net.te
|
@ -13,7 +13,7 @@ allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
|
|||
allow netdomain port_type:udp_socket name_bind;
|
||||
allow netdomain port_type:tcp_socket name_bind;
|
||||
# See changes to the routing table.
|
||||
allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
|
||||
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
|
||||
|
||||
# Talks to netd via dnsproxyd socket.
|
||||
unix_socket_connect(netdomain, dnsproxyd, netd)
|
||||
|
|
|
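Review bot: Replacing `create_socket_perms` with its spelled-out members minus ioctl (`create read getattr write setattr lock append bind connect getopt setopt shutdown`) decouples this rule from the macro: a later change to `create_socket_perms` will not be reflected here, and a reader cannot see that the only intended difference is the missing `ioctl`. A shared macro defined next to `create_socket_perms` (for example `create_socket_perms_no_ioctl`) and used as `allow netdomain self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read };` would make the intent explicit and keep the sets in sync; whether such a macro already exists is not visible in this commit. Failing that, the line needs a comment such as `# create_socket_perms without ioctl; netlink_route_socket ioctls are neverallowed for apps`.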
@ -221,7 +221,7 @@ allow $1 self:capability2 block_suspend;
|
|||
define(`selinux_check_access', `
|
||||
allow $1 selinuxfs:file rw_file_perms;
|
||||
allow $1 kernel:security compute_av;
|
||||
allow $1 self:netlink_selinux_socket *;
|
||||
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
|
||||
')
|
||||
|
||||
#####################################
|
||||
|
|
|
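Review bot: `selinux_check_access` now grants netlink_selinux_socket every permission except ioctl by enumerating the full list, which is a better posture than `*` but leaves the reason unstated and the list hard to audit: `listen accept name_bind relabelfrom relabelto` are kept although nothing in this hunk shows a caller needing them on a netlink socket — this may be carried over from `*` rather than chosen, so confirm against the macro's users. Add a comment above the rule, e.g. `# every netlink_selinux_socket perm except ioctl, which is neverallowed for app domains`, and consider trimming to the permissions the access-check path actually uses. If the same "everything but ioctl" set is needed elsewhere in this commit, a single shared macro would avoid two diverging hand-written lists.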
@ -149,8 +149,19 @@ neverallow untrusted_app file_type:file link;
|
|||
# Do not allow untrusted_app to access network MAC address file
|
||||
neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
|
||||
|
||||
# do not allow privileged socket ioctl commands
|
||||
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
|
||||
# ioctl permission, or 3. disallow the socket class.
|
||||
neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
||||
neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
|
||||
neverallow untrusted_app *:{
|
||||
socket netlink_socket packet_socket key_socket appletalk_socket
|
||||
netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
|
||||
netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
|
||||
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
|
||||
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
|
||||
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
|
||||
netlink_rdma_socket netlink_crypto_socket
|
||||
} *;
|
||||
|
||||
# Do not allow untrusted_app access to /cache
|
||||
neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
|
||||
|
|
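Review bot: `neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;` scopes the target to `domain`, whereas the two `neverallow` rules that follow use `*`; any of these sockets labeled with a type outside the `domain` attribute would not be covered by the privileged-ioctl check, so `*` is the safer target and matches the neighbouring rules. The unix socket classes are absent from this block even though the commit message describes a whitelist for them; `neverallowxperm untrusted_app *:{ unix_dgram_socket unix_stream_socket } ioctl ~unpriv_unix_sock_ioctls;` would turn that whitelist into a guarantee rather than a default. This block appears verbatim in the isolated_app change in the same commit; if an attribute shared by both app domains exists, a single neverallow keyed on it would keep the two from drifting apart — I cannot see such an attribute from here.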