DO NOT MERGE: Further restrict access to socket ioctl commands am: 57531cac am: c0ce53cc

am: f290a2dd * commit 'f290a2dd': DO NOT MERGE: Further restrict access to socket ioctl commands

DO NOT MERGE: Further restrict access to socket ioctl commands am: 57531cac am: c0ce53cc
am: f290a2dd * commit 'f290a2dd': DO NOT MERGE: Further restrict access to socket ioctl commands
d76ccadb · Jeff Vander Stoep · android-build-merger · 4fc1397d · f290a2dd · d76ccadb
Commit d76ccadb authored 9 years ago by Jeff Vander Stoep Committed by android-build-merger 9 years ago
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 5 deletions

ioctl_macros ioctl_macros +9 -5

shell.te shell.te +3 -0

No files found.
--- a/ioctl_macros
+++ b/ioctl_macros
 # socket ioctls allowed to unprivileged apps
 define(`unpriv_sock_ioctls', `
 {
-# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
-0x8900-0x8926 0x8928-0x89ff
-# all wireless extensions ioctls except get/set essid
-# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
-0x8B00-0x8B09 0x8B1C-0x8BFF
+# all socket ioctls except:
+# 1) the Mac address SIOCGIFHWADDR 0x8927
+# 2) device private SIOCDEVPRIVATE-SIOCDEVPRIVLAST 0x89F0-0x89FF
+# 3) protocol private SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST 0x89E0-0x89EF
+0x8900-0x8926 0x8928-0x89DF
+# all wireless extensions ioctls except:
+# 1) get/set essid IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
+# 2) device private ioctls SIOCIWFIRSTPRIV-SIOCIWLASTPRIV 0x8BE0-0x8BFF
+0x8B00-0x8B09 0x8B1C-0x8BDF
 # commonly used TTY ioctls
 0x5411 0x5451
 }')
--- a/shell.te
+++ b/shell.te
@@ -77,6 +77,9 @@ allow shell domain:process getattr;
 allow shell bootchart_data_file:dir rw_dir_perms;
 allow shell bootchart_data_file:file create_file_perms;

+# only allow unprivileged socket ioctl commands
+allow shell self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
+
 # Do not allow shell to hard link to any files.
 # In particular, if shell hard links to app data
 # files, installd will not be able to guarantee the deletion