From e555f4b971c6bb34633dd2edbe3dd950a052ec41 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Thu, 3 Dec 2015 15:56:04 -0800
Subject: [PATCH] Further restrict access to tun_device

Remove bluetooth's access to tun_device. Auditallow rule demonstrates that it's not used. Strengthen the neverallow on opening tun_device to include all Apps.

Bug: 24744295
Change-Id: Iba85ba016b1e24c6c12d5b33e46fe8232908aac1
---
 app.te           | 3 +++
 bluetooth.te     | 7 +------
 untrusted_app.te | 3 ---
 3 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/app.te b/app.te
index bc4246586..94dcfc5bd 100644
--- a/app.te
+++ b/app.te
@@ -396,3 +396,6 @@ neverallow appdomain { security_file tmpfs }:lnk_file no_w_file_perms;
+
+# Do not allow Apps to directly open tun_device
+neverallow appdomain tun_device:chr_file open;
diff --git a/bluetooth.te b/bluetooth.te
index 826856c27..c50975765 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -16,12 +16,7 @@ allow bluetooth bluetooth_socket:sock_file create_file_perms;
 # bluetooth factory file accesses.
 r_dir_file(bluetooth, bluetooth_efs_file)
 
-# TODO why does bluetooth require access to tun_device? If not,
-# remove access and tighten down neverallow rule so that appdomain is
-# not allowed to open (as opposed to just untrusted_app)
-# Device accesses. b/24744295
-allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
-auditallow bluetooth tun_device:chr_file rw_file_perms;
+allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
 
 # sysfs access.
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
diff --git a/untrusted_app.te b/untrusted_app.te
index 0e715469b..df9c67751 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
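Review bot: The new appdomain neverallow in app.te restricts only `open` on tun_device, so read/write/ioctl on a tun descriptor that an app receives already opened from a privileged process are not covered, and the comment does not say whether that narrowness is deliberate. The TODO being deleted in bluetooth.te suggests it is (it asked that appdomain be "not allowed to open"), so record it for the next maintainer: `# Do not allow Apps to directly open tun_device. Only open is denied here; an already-open tun fd handed to an app by a privileged process is outside the scope of this rule.` Note that neverallow is a policy compile-time assertion: it rejects any allow rule granting open but does not itself produce a runtime denial or log entry, so the runtime guarantee still rests on no such allow existing.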
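Review bot: The `# Device accesses.` heading in bluetooth.te was deleted together with the TODO block, leaving the surviving `allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;` with no comment labelling what the group is; keep `# Device accesses.` directly above it. Dropping the auditallow along with the allow is consistent: once the permission is gone, any remaining attempt surfaces as an ordinary avc denial, so no separate audit rule is needed. If bluetooth is declared an app domain elsewhere in this file (not visible in the hunk), removing tun_device from this rule is also what lets the new appdomain-wide neverallow in app.te compile, since rw_file_perms includes open; that dependency between the two files is worth stating next to the rule.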
@@ -145,9 +145,6 @@ neverallow untrusted_app file_type:file link;
 # Do not allow untrusted_app to access network MAC address file
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 
-# Do not allow untrusted app to directly open tun_device
-neverallow untrusted_app tun_device:chr_file open;
-
 # Do not allow untrusted_app access to /cache
 neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
 neverallow untrusted_app cache_file:file ~{ read getattr };