restrict app access to socket ioctls
Create a macro of unprivileged ioctls including
- All common socket ioctls except MAC address
- All wireless extensions ioctls except get/set ESSID
- Some commonly used tty ioctls
Bug: 21657002
Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
diff --git a/untrusted_app.te b/untrusted_app.te
index e451c5d..693a13c 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -97,17 +97,8 @@
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-# limit untrusted_apps access to MAC address ioctl
-# MAC address is SIOCGIFHWADDR 0x8927
-# from include/uapi/linux/sockios.h
-# #define SIOCGIFHWADDR 0x8927 /* Get hardware address */
-# Other general 0x89** ioctls should continue to be allowed.
-# 0x8B00 from wireless extensions driver and is used by chrome to
-# determine if wifi is present
-# from include/uapi/linux/wireless.h:
-# #define SIOCSIWCOMMIT 0x8B00 /* Commit pending changes to driver */
-allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x5411 0x5451 0x8900-0x8926 0x8928-0x89ff 0x8b00-0x8bff };
-auditallow untrusted_app self:{ rawip_socket tcp_socket udp_socket } { 0x8b00-0x8bff };
+# only allow unprivileged socket ioctl commands
+allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
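Review bot: The new comment on the `unpriv_sock_ioctls` rule drops the rationale that the removed comment block carried, so a reader of untrusted_app.te can no longer see that SIOCGIFHWADDR (0x8927, the MAC address) is deliberately withheld, or that get/set ESSID is now withheld as well, as the commit message states. The macro is defined outside this hunk, so the comment should name what it excludes, for example `# only allow unprivileged socket ioctl commands; unpriv_sock_ioctls deliberately omits` followed by `# SIOCGIFHWADDR (MAC address) and the wireless-extensions get/set ESSID commands`. The `auditallow` on 0x8b00-0x8bff is also removed with no replacement, so the wireless-extension commands that stay allowed are no longer logged. If that visibility is still wanted while the allowlist settles, an `auditallow` limited to the wireless-extension commands the macro permits would keep it.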