authorJeff Vander Stoep <jeffv@google.com>2016-09-11 09:50:24 -0700
committerLee Campbell <leecam@google.com>2016-09-11 16:13:30 -0700
commit7fb9fa17195bc1f232056185fec713c7cdbb008b (patch)
tree56604e1888ecc1b1e32d812a6299d7d5113a80b1
parent7c138b7ad6bb22a141613cd86c1170fa60833879 (diff)
Enforce ioctl command whitelisting on all socketsHEADmastermain
Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream, set a default unprivileged whitelist that individual domains may extend (except where neverallowed, like untrusted_app). Enforce via a neverallowxperm rule.

Change-Id: I7cc2021596c8452a518b8213eea8b41141f2f14d
-rw-r--r--soc/msm8916/prebuilts/sepolicy/ioctl_defines7
-rw-r--r--soc/msm8916/prebuilts/sepolicy/ioctl_macros8
-rw-r--r--soc/msm8916/prebuilts/sepolicy/qseecomd.te1
-rw-r--r--soc/msm8916/prebuilts/sepolicy/rmt.te1
4 files changed, 17 insertions, 0 deletions
diff --git a/soc/msm8916/prebuilts/sepolicy/ioctl_defines b/soc/msm8916/prebuilts/sepolicy/ioctl_defines
new file mode 100644
index 0000000..93a833d
--- /dev/null
+++ b/soc/msm8916/prebuilts/sepolicy/ioctl_defines
@@ -0,0 +1,7 @@
+# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
+define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
+define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
+define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
+define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
+define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
+define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')
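Review bot: The header comment in ioctl_defines names the kernel header but does not say how the six values relate to the command encodings there, so a later reader cannot check them without knowing what xperm rules match on. Assuming msm_ipc.h builds these commands with the usual `_IO*` macros, the values listed are only the type byte (0xc3) and function number, with the direction and size bits dropped. I would add a second comment line such as `# Values are the low 16 bits of each command (type 0xc3 + function number), which is what ioctl xperm rules compare against.` so that a mismatch with the header is easy to spot in review.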
diff --git a/soc/msm8916/prebuilts/sepolicy/ioctl_macros b/soc/msm8916/prebuilts/sepolicy/ioctl_macros
new file mode 100644
index 0000000..dd9a2e8
--- /dev/null
+++ b/soc/msm8916/prebuilts/sepolicy/ioctl_macros
@@ -0,0 +1,8 @@
+define(`msm_sock_ipc_ioctls', `{
+IPC_ROUTER_IOCTL_GET_VERSION
+IPC_ROUTER_IOCTL_GET_MTU
+IPC_ROUTER_IOCTL_LOOKUP_SERVER
+IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
+IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
+IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
+}')
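Review bot: `msm_sock_ipc_ioctls` bundles all six IPC router commands into one set, so the `allowxperm` lines added in qseecomd.te and rmt.te grant `IPC_ROUTER_IOCTL_BIND_CONTROL_PORT` and `IPC_ROUTER_IOCTL_CONFIG_SEC_RULES` to both tee and rmt alongside the query-style commands. Judging by their names, those two change router configuration rather than read state; whether either domain actually issues them is not visible in this commit. Splitting the macro into a query set and a configuration set would let each domain be granted only what it uses and would keep the whitelist meaningful when other domains adopt it. The macro names below are a suggestion only, and the macro also deserves a one-line comment saying which socket class it is meant for.

```m4
# Query-only IPC router commands; safe default for domains using the router socket.
define(`msm_sock_ipc_query_ioctls', `{
IPC_ROUTER_IOCTL_GET_VERSION
IPC_ROUTER_IOCTL_GET_MTU
IPC_ROUTER_IOCTL_LOOKUP_SERVER
IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
}')
# Commands that change router configuration; grant per domain, only where needed.
define(`msm_sock_ipc_config_ioctls', `{
IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
}')
```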
diff --git a/soc/msm8916/prebuilts/sepolicy/qseecomd.te b/soc/msm8916/prebuilts/sepolicy/qseecomd.te
index 3e483f1..fdb1614 100644
--- a/soc/msm8916/prebuilts/sepolicy/qseecomd.te
+++ b/soc/msm8916/prebuilts/sepolicy/qseecomd.te
@@ -80,6 +80,7 @@ r_dir_file(tee, system_file)
# Provide tee ability to access QMUXD/IPCRouter for QMI.
qmux_socket(tee)
allow tee self:socket create_socket_perms;
+allowxperm tee self:socket ioctl msm_sock_ipc_ioctls;
# Provide tee ability to run executables in rootfs for MDTP.
allow tee rootfs:file x_file_perms;
diff --git a/soc/msm8916/prebuilts/sepolicy/rmt.te b/soc/msm8916/prebuilts/sepolicy/rmt.te
index 305c4b2..db462c9 100644
--- a/soc/msm8916/prebuilts/sepolicy/rmt.te
+++ b/soc/msm8916/prebuilts/sepolicy/rmt.te
@@ -20,6 +20,7 @@ allow rmt uio_device:chr_file rw_file_perms;
allow rmt mmc_block_device:blk_file r_file_perms;
allow rmt self:socket create_socket_perms;
+allowxperm rmt self:socket ioctl msm_sock_ipc_ioctls;
allow rmt root_block_device:blk_file r_file_perms;
allow rmt modem_block_device:blk_file rw_file_perms;