Enforce ioctl command whitelisting on all sockets
Remove the ioctl permission for most socket types. For the others, such as
tcp/udp/rawip/unix_dgram/unix_stream, set a default unprivileged whitelist
that individual domains may extend (except where a neverallow forbids it,
e.g. untrusted_app). Enforce this via a neverallowxperm rule.
Change-Id: Ia259325a6032547035652f4bff0348e03b400870
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index 434dc0d..78bb2bb 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -11,6 +11,7 @@
allow cnd self:capability { setuid setgid net_raw };
allow cnd self:socket create_socket_perms;
+allowxperm cnd self:socket ioctl msm_sock_ipc_ioctls;
allow cnd self:udp_socket create_socket_perms;
allow cnd sysfs_msm_subsys:dir r_dir_perms;
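Review bot: The added allowxperm line carries no comment saying why cnd needs the Qualcomm IPC-router socket ioctls, whereas the rild.te hunk in this same commit explains its identical grant; the uncommented additions in ims.te, irsc_util.te, location.te, netmgrd.te, oem_qmi_server.te, peripheral_manager.te, qti.te, rmt.te, thermald.te and time.te have the same gap. A one-line comment such as `# msm IPC router socket ioctls (see sepolicy/ioctl_macros)` above each grant keeps the reason auditable when the whitelist is later narrowed per domain. The commit message frames the per-domain lists as extensions of a default whitelist, so recording the justification at each extension point is what makes that model reviewable.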
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
index 4f5d231..4b20d87 100644
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -15,9 +15,10 @@
allow ims ims_socket:sock_file write;
allow ims self:socket create_socket_perms;
+allowxperm ims self:socket ioctl msm_sock_ipc_ioctls;
allow ims self:udp_socket create_socket_perms;
-allow ims self:netlink_socket create_socket_perms;
-allow ims self:netlink_route_socket { create_socket_perms nlmsg_write nlmsg_read };
+allow ims self:netlink_socket create_socket_perms_no_ioctl;
+allow ims self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
allow ims sysfs_msm_subsys:dir r_dir_perms;
allow ims sysfs_msm_subsys:lnk_file r_file_perms;
diff --git a/sepolicy/ioctl_defines b/sepolicy/ioctl_defines
new file mode 100644
index 0000000..93a833d
--- /dev/null
+++ b/sepolicy/ioctl_defines
@@ -0,0 +1,7 @@
+# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
+define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
+define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
+define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
+define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
+define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
+define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')
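Review bot: The header comment does not say that these values are only the low 16 bits of each ioctl command (magic 0xc3 in the high byte, request number in the low byte), which is the part the SELinux ioctl extended-permission check compares; the direction and argument-size bits that the kernel header's _IOR/_IOW encoding presumably adds are deliberately absent. Without that note, a maintainer who copies a full 32-bit command value from the header will produce an entry that is either rejected by the policy compiler or never matches at runtime. Suggest adding `# Values are the low 16 bits (type:number) of the ioctl command, which is all that SELinux xperm matching compares.` under the first comment line.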
diff --git a/sepolicy/ioctl_macros b/sepolicy/ioctl_macros
new file mode 100644
index 0000000..dd9a2e8
--- /dev/null
+++ b/sepolicy/ioctl_macros
@@ -0,0 +1,8 @@
+define(`msm_sock_ipc_ioctls', `{
+IPC_ROUTER_IOCTL_GET_VERSION
+IPC_ROUTER_IOCTL_GET_MTU
+IPC_ROUTER_IOCTL_LOOKUP_SERVER
+IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
+IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
+IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
+}')
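Review bot: A single macro hands every domain all six IPC-router ioctls, although, going by their names, IPC_ROUTER_IOCTL_BIND_CONTROL_PORT and IPC_ROUTER_IOCTL_CONFIG_SEC_RULES look like control-plane operations rather than the version/MTU/lookup/packet-size queries the other four perform; I cannot confirm their semantics from this page, so treat this as a least-privilege question to verify against the kernel header. Every domain in this commit (cnd, ims, irsc_util, location, netmgrd, oem_qmi_server, per_mgr, qti, rild, rmt, thermald, time) receives the same set, so a compromise of any of them gets the control ioctls whether or not it needs them. Splitting the macro into a query set and a control set, and granting the control set only to the domains that actually issue those calls, would keep the whitelist meaningful; domains that need both would carry two allowxperm lines.
```m4
define(`msm_sock_ipc_query_ioctls', `{
IPC_ROUTER_IOCTL_GET_VERSION
IPC_ROUTER_IOCTL_GET_MTU
IPC_ROUTER_IOCTL_LOOKUP_SERVER
IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
}')
# control-plane ioctls; grant only to domains that issue them (verify against kernel header)
define(`msm_sock_ipc_control_ioctls', `{
IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
}')
```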
diff --git a/sepolicy/irsc_util.te b/sepolicy/irsc_util.te
index 66feedd..f2fb7a3 100644
--- a/sepolicy/irsc_util.te
+++ b/sepolicy/irsc_util.te
@@ -4,3 +4,4 @@
init_daemon_domain(irsc_util);
allow irsc_util self:socket create_socket_perms;
+allowxperm irsc_util self:socket ioctl msm_sock_ipc_ioctls;
diff --git a/sepolicy/location.te b/sepolicy/location.te
index 6bed40d..ae24d54 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -9,6 +9,7 @@
allow location self:capability { setuid setgid net_raw };
allow location self:socket create_socket_perms;
+allowxperm location self:socket ioctl msm_sock_ipc_ioctls;
binder_use(location)
binder_call(location, system_server)
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 34c93de..9e135e1 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -6,15 +6,18 @@
init_daemon_domain(netmgrd)
net_domain(netmgrd)
+allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
+
allow netmgrd self:capability { setuid setgid net_admin net_raw };
dontaudit netmgrd self:capability setpcap;
set_prop(netmgrd, net_radio_prop)
-allow netmgrd self:netlink_socket create_socket_perms;
+allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
allow netmgrd self:netlink_route_socket nlmsg_write;
-allow netmgrd self:netlink_xfrm_socket { create_socket_perms nlmsg_write nlmsg_read};
+allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read};
allow netmgrd self:socket create_socket_perms;
+allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
allow netmgrd netd_socket:sock_file w_file_perms;
allow netmgrd net_data_file:dir r_dir_perms;
allow netmgrd net_data_file:file r_file_perms;
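Review bot: The `allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;` addition extends the udp_socket default with what is presumably the platform's whole privileged socket-ioctl set, without recording which ioctls netmgrd actually issues, so the grant cannot later be narrowed without re-tracing denials. Placing it between net_domain() and the capability rule, away from the socket rules further down the hunk, also makes it easy to overlook in review. Suggest moving it next to the other socket rules and prefixing `# TODO(review): record the interface ioctls netmgrd needs and narrow from priv_sock_ioctls to that set`. The netlink_socket and netlink_xfrm_socket changes to create_socket_perms_no_ioctl in the same hunk are the right direction and need no further change.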
diff --git a/sepolicy/oem_qmi_server.te b/sepolicy/oem_qmi_server.te
index fae61e2..f5ef8c9 100644
--- a/sepolicy/oem_qmi_server.te
+++ b/sepolicy/oem_qmi_server.te
@@ -11,6 +11,7 @@
allow oem_qmi_server sysfs_msm_subsys:lnk_file rw_file_perms;
allow oem_qmi_server self:socket create_socket_perms;
+allowxperm oem_qmi_server self:socket ioctl msm_sock_ipc_ioctls;
# Access device /dev/diag
userdebug_or_eng(`
diff --git a/sepolicy/peripheral_manager.te b/sepolicy/peripheral_manager.te
index ac4b2bb..05bc266 100644
--- a/sepolicy/peripheral_manager.te
+++ b/sepolicy/peripheral_manager.te
@@ -17,3 +17,4 @@
allow per_mgr self:capability net_raw;
allow per_mgr self:socket create_socket_perms;
+allowxperm per_mgr self:socket ioctl msm_sock_ipc_ioctls;
diff --git a/sepolicy/qti.te b/sepolicy/qti.te
index b1536dd..39f80a0 100644
--- a/sepolicy/qti.te
+++ b/sepolicy/qti.te
@@ -7,6 +7,7 @@
allow qti sysfs_msm_subsys:lnk_file r_file_perms;
allow qti self:socket create_socket_perms;
+allowxperm qti self:socket ioctl msm_sock_ipc_ioctls;
allow qti dpl_device:chr_file rw_file_perms;
allow qti rmnet_device:chr_file rw_file_perms;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 26fe0a9..ff99a9d 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -18,3 +18,7 @@
allow rild audioserver_service:service_manager find;
allow rild mediaserver_service:service_manager find;
allow rild per_mgr_service:service_manager find;
+
+# allow rild to use qualcomm's socket ipc ioctls
+allow rild self:socket ioctl;
+allowxperm rild self:socket ioctl msm_sock_ipc_ioctls;
diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
index 71d6bf7..e57e1ac 100644
--- a/sepolicy/rmt.te
+++ b/sepolicy/rmt.te
@@ -13,6 +13,7 @@
allow rmt uio_device:chr_file rw_file_perms;
allow rmt self:socket create_socket_perms;
+allowxperm rmt self:socket ioctl msm_sock_ipc_ioctls;
allow rmt root_block_device:blk_file r_file_perms;
allow rmt modem_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/thermald.te b/sepolicy/thermald.te
index 835f7f4..df974cc 100644
--- a/sepolicy/thermald.te
+++ b/sepolicy/thermald.te
@@ -7,6 +7,7 @@
allow thermald thermal_engine_device:chr_file rw_file_perms;
allow thermald self:socket create_socket_perms;
+allowxperm thermald self:socket ioctl msm_sock_ipc_ioctls;
type_transition thermald socket_device:sock_file thermald_socket;
allow thermald thermald_socket:sock_file create_file_perms;
diff --git a/sepolicy/time.te b/sepolicy/time.te
index dc1c7e3..e1048d9 100644
--- a/sepolicy/time.te
+++ b/sepolicy/time.te
@@ -16,6 +16,7 @@
allow time sysfs_msm_subsys:lnk_file r_file_perms;
allow time self:socket create_socket_perms;
+allowxperm time self:socket ioctl msm_sock_ipc_ioctls;
userdebug_or_eng(`
allow time shared_log_device:chr_file rw_file_perms;