tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Move to ioctl whitelisting for /dev/pts/* files"

Browse source
This commit is contained in:
Treehugger Robot 2016-11-26 00:23:49 +00:00 committed by Gerrit Code Review
commit d1228f2e70
3 changed files with 23 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
public/domain.te
View file

@ -171,6 +171,11 @@ allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
# Restrict PTYs to only whitelisted ioctls.
# Note that granting this whitelist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
###
### neverallow rules
@ -179,6 +184,11 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
# All socket ioctls must be restricted to a whitelist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * devpts:chr_file ioctl TIOCSTI;
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

10
public/ioctl_macros
View file

@ -42,10 +42,16 @@ SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
}')
# commonly used ioctls on unix sockets
define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD }')
define(`unpriv_unix_sock_ioctls', `{
TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
}')
# commonly used TTY ioctls
define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
# merge with unpriv_unix_sock_ioctls?
define(`unpriv_tty_ioctls', `{
TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW TCFLSH
TIOCSPGRP TIOCGPGRP
}')
# point to point ioctls
define(`ppp_ioctls', `{

5
public/te_macros
View file

@ -259,6 +259,11 @@ type $1_devpts, fs_type;
type_transition $1 devpts:chr_file $1_devpts;
# Allow use of the pty after creation.
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.
')