Remove generic socket access from untrusted processes
SELinux defines various classes for various socket types, including tcp_socket, udp_socket, rawip_socket, netlink_socket, etc. Socket classes not known to the SELinux kernel code get lumped into the generic "socket" class. In particular, this includes the AF_MSM_IPC socket class.

Bluetooth-using apps were granted access to this generic socket class at one point in 2012. In 16011320, a TODO was added indicating that this access was likely unnecessary. In cb835a28, an auditallow was added to test to see if this rule was actually used, and in master branch d0113ae0, this rule was completely deleted.

Revoke access to the generic socket class for isolated_app, untrusted_app, and shell for older Android releases. This is conceptually a backport of d0113ae0, but affecting fewer domains to avoid potential breakage.

Add a neverallow rule asserting that this rule isn't present for the untrusted domains. Contrary to our usual conventions, the neverallow rule is placed in bluetooth.te, to avoid merge conflicts and simplify patching.

Bug: 28612709
Bug: 25768265
Change-Id: Ibfbb67777e448784bb334163038436f3c4dc1b51
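The audit-then-revoke sequence the message describes, as an added illustration in SELinux policy syntax; this is not the commit's own diff, and the exact subject of the original grant, the permission set, and the wording of the neverallow are assumed:

```text
# Stage 1 (the cb835a28 step): keep the grant in place but log every use.
# A real dependency then shows up as an "avc: granted ... tclass=socket"
# record in the audit log instead of as a runtime denial.
# (Assumed form; the original rule's subject may have differed.)
allow bluetooth self:socket *;
auditallow bluetooth self:socket *;

# Stage 2 (this change): no granted records were seen, so the allow rule
# is dropped for the untrusted domains and the assertion below makes
# policy compilation fail if anyone reintroduces it. It sits in
# bluetooth.te only to mirror the commit's stated placement.
neverallow { isolated_app untrusted_app shell } *:socket *;
```

Checking the audit log for `avc: granted` records with `tclass=socket` between the two stages is what justifies moving from the auditallow to the neverallow.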