author | Jeff Vander Stoep <jeffv@google.com> | 2016-09-11 09:50:24 -0700 |
---|---|---|
committer | Lee Campbell <leecam@google.com> | 2016-09-11 16:13:30 -0700 |
commit | 7fb9fa17195bc1f232056185fec713c7cdbb008b (patch) | |
tree | 56604e1888ecc1b1e32d812a6299d7d5113a80b1 | |
parent | 7c138b7ad6bb22a141613cd86c1170fa60833879 (diff) | |
download | qcom-master.tar.gz |
Remove the ioctl permission for most socket types. For others, such as
tcp/udp/rawip/unix_dgram/unix_stream, set a default unprivileged whitelist
that individual domains may extend (except where neverallowed like
untrusted_app). Enforce via a neverallowxperm rule.
Change-Id: I7cc2021596c8452a518b8213eea8b41141f2f14d
-rw-r--r-- | soc/msm8916/prebuilts/sepolicy/ioctl_defines | 7 | ||||
-rw-r--r-- | soc/msm8916/prebuilts/sepolicy/ioctl_macros | 8 | ||||
-rw-r--r-- | soc/msm8916/prebuilts/sepolicy/qseecomd.te | 1 | ||||
-rw-r--r-- | soc/msm8916/prebuilts/sepolicy/rmt.te | 1 |
4 files changed, 17 insertions, 0 deletions
diff --git a/soc/msm8916/prebuilts/sepolicy/ioctl_defines b/soc/msm8916/prebuilts/sepolicy/ioctl_defines
new file mode 100644
index 0000000..93a833d
--- /dev/null
+++ b/soc/msm8916/prebuilts/sepolicy/ioctl_defines
@@ -0,0 +1,7 @@
+# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
+define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
+define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
+define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
+define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
+define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
+define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')
diff --git a/soc/msm8916/prebuilts/sepolicy/ioctl_macros b/soc/msm8916/prebuilts/sepolicy/ioctl_macros
new file mode 100644
index 0000000..dd9a2e8
--- /dev/null
+++ b/soc/msm8916/prebuilts/sepolicy/ioctl_macros
@@ -0,0 +1,8 @@
+define(`msm_sock_ipc_ioctls', `{
+IPC_ROUTER_IOCTL_GET_VERSION
+IPC_ROUTER_IOCTL_GET_MTU
+IPC_ROUTER_IOCTL_LOOKUP_SERVER
+IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
+IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
+IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
+}')
diff --git a/soc/msm8916/prebuilts/sepolicy/qseecomd.te b/soc/msm8916/prebuilts/sepolicy/qseecomd.te
index 3e483f1..fdb1614 100644
--- a/soc/msm8916/prebuilts/sepolicy/qseecomd.te
+++ b/soc/msm8916/prebuilts/sepolicy/qseecomd.te
@@ -80,6 +80,7 @@ r_dir_file(tee, system_file)
 # Provide tee ability to access QMUXD/IPCRouter for QMI.
 qmux_socket(tee)
 allow tee self:socket create_socket_perms;
+allowxperm tee self:socket ioctl msm_sock_ipc_ioctls;
 
 # Provide tee ability to run executables in rootfs for MDTP.
 allow tee rootfs:file x_file_perms;
diff --git a/soc/msm8916/prebuilts/sepolicy/rmt.te b/soc/msm8916/prebuilts/sepolicy/rmt.te
index 305c4b2..db462c9 100644
--- a/soc/msm8916/prebuilts/sepolicy/rmt.te
+++ b/soc/msm8916/prebuilts/sepolicy/rmt.te
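Review bot: The comment on the first added line of ioctl_defines names the kernel header but not how these values relate to the `_IOR`/`_IOW` command numbers defined there; SELinux ioctl extended permissions match only the low 16 bits of the request (type byte and number), so the direction and argument-size bits present in the kernel encodings are deliberately absent here. Suggest extending the comment with `# SELinux matches only the low 16 bits (type:nr) of the ioctl request; the _IOC direction/size bits are intentionally omitted`. The shared 0xc3 type byte across all six entries is the only thing a future maintainer can cross-check against the header, so naming it in the comment would make additions less error-prone.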
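Review bot: `msm_sock_ipc_ioctls` bundles the query-style ioctls (GET_VERSION, GET_MTU, LOOKUP_SERVER, GET_CURR_PKT_SIZE) together with BIND_CONTROL_PORT and CONFIG_SEC_RULES, whose names suggest they change router state rather than read it, and every domain that uses the macro receives all six. If not every consumer needs the latter two, splitting the macro into a read-only subset plus the full set would let each per-domain `allowxperm` stay at the minimum that daemon actually issues. Whether tee and rmt really use the control ioctls is not visible in this commit, so the split is only worth making once the kernel-side callers confirm it. A one-line comment above the define pointing at ioctl_defines (as that file points at the kernel header) would also tie the two new files together for readers.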
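Review bot: The added `allowxperm tee self:socket ioctl msm_sock_ipc_ioctls;` is scoped to `self:socket`, i.e. every socket of the generic class that `tee` creates, presumably because the IPC router address family has no dedicated SELinux socket class; the surrounding comment only mentions QMUXD/IPCRouter for QMI and does not say why the generic class is the anchor. Suggest a short comment above the new rule, `# IPC router sockets fall under the generic 'socket' class; limit their ioctls to the msm_sock_ipc set`. The existing `allow tee self:socket create_socket_perms;` (which in AOSP's global macros includes `ioctl`) still grants the base permission, and the xperm rule narrows which commands pass; stating that relationship would stop a later reader from treating one of the two lines as redundant. The identical rule added to rmt.te in the last hunk would benefit from the same comment.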
@@ -20,6 +20,7 @@ allow rmt uio_device:chr_file rw_file_perms;
 allow rmt mmc_block_device:blk_file r_file_perms;
 allow rmt self:socket create_socket_perms;
+allowxperm rmt self:socket ioctl msm_sock_ipc_ioctls;
 allow rmt root_block_device:blk_file r_file_perms;
 allow rmt modem_block_device:blk_file rw_file_perms;
|