Merge "more ioctl work"
am: 5a7b82062c
Change-Id: I753b83b0f59aa5ecec568ffb3cd11d88de99011c
diff --git a/public/domain.te b/public/domain.te
index 680d5e4..2bdc53c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -298,7 +298,7 @@
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default whitelist for unix sockets.
-allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
+allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
# Restrict PTYs to only whitelisted ioctls.
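Review bot: The widened target set on the new allowxperm line adds `pdx_channel_socket_type` next to `domain`, but the comment above it still reads "default whitelist for unix sockets" and gives no reason why that type needs the same ioctl set; a reader auditing this whitelist later cannot tell whether it was deliberate. I would extend the comment to something like `# default whitelist for unix sockets, including pdx channel sockets (which are unix sockets labelled with a pdx_channel_socket_type); kept to unpriv_unix_sock_ioctls.` — the parenthetical is my reading of the type name and should be confirmed against where the type is declared. Note that the effective set this rule grants also changes in the same commit via the `unpriv_unix_sock_ioctls` macro (FIONCLEX added), so any note here should point at public/ioctl_macros as the single place the whitelist is defined.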
@@ -309,8 +309,8 @@
# All domains must clearly enumerate what ioctls they use
# on filesystem objects (plain files, directories, symbolic links,
-# named pipes, and named sockets)
-allowxperm domain { file_type fs_type }:{ dir notdevfile_class_set } ioctl { 0 };
+# named pipes, and named sockets). We start off with a safe set.
+allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set } ioctl { FIOCLEX FIONCLEX };
# Allow a process to make a determination whether a file descriptor
# for a plain file is a tty. Note that granting this whitelist to domain
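Review bot: The new rule's target set grows from `{ file_type fs_type }` to `{ file_type fs_type domain dev_type }`, but the comment above still enumerates only filesystem objects ("plain files, directories, symbolic links, named pipes, and named sockets") and does not say why `domain` and `dev_type` now belong here; presumably this covers non-device objects that carry those labels (for example directory and regular-file nodes under /dev, or per-process entries labelled with a domain type), but that intent should be written down rather than inferred. Since the comment already announces "We start off with a safe set", it would help to state what makes FIOCLEX/FIONCLEX safe: `# FIOCLEX/FIONCLEX only set/clear the close-on-exec flag on the caller's descriptor and never touch the underlying object, so they are safe to grant on every file-like class.` The rule stays bounded to `{ dir notdevfile_class_set }`, so chr_file/blk_file remain outside this grant, consistent with the neverallow comment later in the same file.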
@@ -351,8 +351,9 @@
### neverallow rules
###
-# All socket ioctls must be restricted to a whitelist.
-neverallowxperm domain domain:socket_class_set ioctl { 0 };
+# All ioctls on file-like objects (except chr_file and blk_file) and
+# sockets must be restricted to a whitelist.
+neverallowxperm * *:{ dir notdevfile_class_set socket_class_set } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
# rfc6093 says that processes should not use the TCP urgent mechanism
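Review bot: The rewritten neverallowxperm now applies to `* *` instead of `domain domain`, which is a real tightening, but it keeps the `ioctl { 0 }` idiom without explaining it, and with the much broader subject/target scope the idiom is now the only thing a future policy author has to understand before adding an ioctl grant anywhere. As I read it, ioctl 0 is not a meaningful command; an `allow ... ioctl` with no matching `allowxperm` restriction implicitly permits every ioctl number, including 0, so this neverallow fires exactly on unrestricted grants — that reading should be confirmed against the SELinux extended-permission semantics the build uses. I would add, right above the rule: `# ioctl 0 is never a real command; it is only "allowed" when an ioctl permission has no allowxperm whitelist at all, so this neverallow catches any unrestricted ioctl grant on these classes.` The comment's "(except chr_file and blk_file)" follows from `notdevfile_class_set` excluding those classes, which is worth saying explicitly since the exclusion is by class-set name rather than by a visible list.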
diff --git a/public/ioctl_macros b/public/ioctl_macros
index f7081d5..5cbfae5 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -43,14 +43,14 @@
# commonly used ioctls on unix sockets
define(`unpriv_unix_sock_ioctls', `{
- TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
}')
# commonly used TTY ioctls
# merge with unpriv_unix_sock_ioctls?
define(`unpriv_tty_ioctls', `{
- TIOCOUTQ FIOCLEX TCGETS TCSETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW
- TCFLSH TIOCSPGRP TIOCGPGRP
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY
+ TCSETSW TCFLSH TIOCSPGRP TIOCGPGRP
}')
# point to point ioctls