Deny untrusted app ioctl access to MAC addr MAC address access is no longer allowed via the java API. Deny access from native code. Bug: 17787238 Change-Id: Ia337317d5927349b243bbbd5c2cf393911771cdf

commit: 86f30cb16a8aa2ea337b1c36071bfa833f798c96 [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Tue May 05 15:43:15 2015 -0700
committer: Jeff Vander Stoep <jeffv@google.com> Tue May 05 16:08:54 2015 -0700
tree: 7e7e647577475fd8597aa2b00b3b5098c03bb184
parent: 4286019c38f1e8e3e85664533679a2aede879f9b [diff]
diff --git a/untrusted_app.te b/untrusted_app.te
index 5ad8c79..215898f 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te

@@ -93,6 +93,17 @@
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
 
+# limit untrusted_apps access to MAC address ioctl
+# MAC address is SIOCGIFHWADDR 0x8927
+# from include/uapi/linux/sockios.h
+# #define SIOCGIFHWADDR 0x8927 /* Get hardware address */
+# Other general 0x89** ioctls should continue to be allowed.
+# 0x8B00 from wireless extensions driver and is used by chrome to
+# determine if wifi is present
+# from include/uapi/linux/wireless.h:
+# #define SIOCSIWCOMMIT 0x8B00 /* Commit pending changes to driver */
+allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x8900-0x8926 0x8928-0x89ff 0x8b00 };
+
 ###
 ### neverallow rules
 ###
commit	86f30cb16a8aa2ea337b1c36071bfa833f798c96	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Tue May 05 15:43:15 2015 -0700
committer	Jeff Vander Stoep <jeffv@google.com>	Tue May 05 16:08:54 2015 -0700
tree	7e7e647577475fd8597aa2b00b3b5098c03bb184
parent	4286019c38f1e8e3e85664533679a2aede879f9b [diff]