Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 3b2df198d1f06ea40ce386a2d17128afd100dbe0^! / .
commit3b2df198d1f06ea40ce386a2d17128afd100dbe0[log] [tgz]
authorNick Kralevich <nnk@google.com>Thu Nov 15 06:14:07 2018 -0800
committerNick Kralevich <nnk@google.com>Thu Nov 15 06:14:07 2018 -0800
tree4961930ba8091e972484c3134b143b3983df2538
parent7ef01c34ed87ea81986d2669c77b59777523381f [diff]
allow apps tun_device ioctl TUNGETIFF;

Commit 619c1ef2ac581fe6a3d628ee013fc3ec36b8dc07 ("tun_device: enforce
ioctl restrictions") completely removed the ability of untrusted apps to
issue ioctl calls to tun_device. It turns out that this was too
aggressive. Wireshark apparently uses the TUNGETIFF ioctl.

Fixes the following denial:

audit(0.0:384744): avc: denied { ioctl } for comm=4173796E635461736B202332 path="/dev/tun" dev="tmpfs" ino=19560 ioctlcmd=54d2 scontext=u:r:untrusted_app:s0:c51,c257,c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=1 app=com.wireguard.android

Test: policy compiles.
Change-Id: I71bb494036ea692781c00af37580748ab39d1332

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ab080c2..79437bd 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te

@@ -123,12 +123,10 @@
 # No untrusted component should be touching /dev/fuse
 neverallow all_untrusted_apps fuse_device:chr_file *;
 
-# Do not allow untrusted apps to directly open or
-# issue ioctls to the tun_device
-neverallow all_untrusted_apps tun_device:chr_file { open ioctl };
-# Additionally, assert that the following ioctls are never reachable.
-# This should already be blocked by the neverallow rule above, but this
-# is added for robustness, and to prove equivalence to the kernel patch at
+# Do not allow untrusted apps to directly open the tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+# The tun_device ioctls below are not allowed, to prove equivalence
+# to the kernel patch at
 # https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
 neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
   SIOCGIFHWADDR

diff --git a/public/app.te b/public/app.te
index 96b8c07..8b62967 100644
--- a/public/app.te
+++ b/public/app.te

@@ -337,7 +337,8 @@
 
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append };
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
 
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.