priv_app: remove sysfs_net permissions bypass
Access to files in sysfs_net allows bypassing the permission checks that
gate this information. Also remove permission for priv_app
to call SIOCGIFHWADDR, which is also a permissions bypass.
Examples:
- Information in /sys/class/net/wlan0/statistics/rx_packets should
be gated by PACKAGE_USAGE_STATS.
- Information in /sys/class/net/wlan0/address should be gated by
LOCAL_MAC_ADDRESS or READ_PRIVILEGED_PHONE_STATE.
Bug: 166269532
Test: build, boot, verify no denials in the log
Ignore-AOSP-First: Security patches are not allowed to go into AOSP
first.
Change-Id: I1eaf6351e50450b80cd7035b61add2e832d7ddb0
diff --git a/private/priv_app.te b/private/priv_app.te
index 3ceb7a3..72e1c91 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -98,16 +98,11 @@
}:file r_file_perms;
allow priv_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(priv_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(priv_app, sysfs_zram)
r_dir_file(priv_app, rootfs)
-# access the mac address
-allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-
# Allow com.android.vending to communicate with statsd.
binder_call(priv_app, statsd)
@@ -260,3 +255,24 @@
# Do not follow untrusted app provided symlinks
neverallow priv_app app_data_file:lnk_file { open read getattr };
+
+# Do not allow getting permission-protected network information from sysfs.
+neverallow priv_app sysfs_net:file *;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm priv_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow priv_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow priv_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+} *;
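Review bot: `neverallow priv_app sysfs_net:file *;` covers only the file class, so a directory read of /sys/class/net (interface names) is not ruled out by this neverallow; if that is intentional, a line in the comment above saying so, e.g. `# dir search via sysfs_type remains for path lookup; only sysfs_net file access is forbidden.`, would stop a later allow from quietly widening it. The comment over the ioctl rules lists three strategies but not the motivating case; adding `# e.g. SIOCGIFHWADDR exposes the MAC address, which is gated by LOCAL_MAC_ADDRESS.` ties the neverallowxperm to the bug, assuming SIOCGIFHWADDR is in priv_sock_ioctls (its definition is outside this diff). The socket-class list at the end appears to mirror a similar neverallow in another domain; if so, a comment naming its origin would help keep the two in sync.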