ioctls: move commonly used tty ioctls to macro
Remove from unpriv_socket_ioctls but grant each user of unpriv_socket_ioctls
use of unpriv_tty_ioctls
Bug: 26990688
Change-Id: I998e09091de5a7234ad0049758d5dad0b35722f7
diff --git a/app.te b/app.te
index 438e01f..5927eb9 100644
--- a/app.te
+++ b/app.te
@@ -212,7 +212,8 @@
allow appdomain console_device:chr_file { read write };
# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
diff --git a/audioserver.te b/audioserver.te
index eeed985..f53b824 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -113,7 +113,8 @@
};
# only allow unprivileged socket ioctl commands
-allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
###
### neverallow rules
diff --git a/ioctl_macros b/ioctl_macros
index 7345879..466870e 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -8,8 +8,6 @@
SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
-# commonly used TTY ioctls
-TIOCOUTQ FIOCLEX
}')
# socket ioctls never allowed to unprivileged apps
@@ -41,3 +39,6 @@
# Dev private ioctl i.e. hardware specific ioctls
SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
}')
+
+# commonly used TTY ioctls
+define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
diff --git a/mediadrmserver.te b/mediadrmserver.te
index f4b5ecc..bd2264d 100644
--- a/mediadrmserver.te
+++ b/mediadrmserver.te
@@ -49,7 +49,8 @@
allow mediadrmserver mediaserver_service:service_manager { add find };
# only allow unprivileged socket ioctl commands
-allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
###
### neverallow rules
diff --git a/mediaserver.te b/mediaserver.te
index a305060..7aa6ec7 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -120,7 +120,8 @@
};
# only allow unprivileged socket ioctl commands
-allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
###
### neverallow rules