Google Git
Sign in
android / platform / external / sepolicy / bb1ece4^! / .
commitbb1ece494ffb160690e045fb383c93140f471a77[log] [tgz]
authorJeff Vander Stoep <jeffv@google.com>Wed Jan 06 10:09:02 2016 -0800
committerJeff Vander Stoep <jeffv@google.com>Wed Jan 06 10:22:05 2016 -0800
tree29fefd7a1863d7bcddaea19924826228934beb36
parentca76be74f2c6fb3ca8433f505aaa0c941c132f3f [diff]
app: expand socket ioctl restrictions to all apps

Exempt bluetooth which has net_admin capability.

Allow Droidguard to access the MAC address - droidguard runs in
priv_app domain.

Change-Id: Ia3cf07f4a96353783b2cfd7fc4506b7034daa2f1

diff --git a/app.te b/app.te
index 48aebbf..fef3c3a 100644
--- a/app.te
+++ b/app.te

@@ -205,6 +205,9 @@
 
 allow appdomain console_device:chr_file { read write };
 
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
 ###
 ### CTS-specific rules
 ###

diff --git a/isolated_app.te b/isolated_app.te
index 1e40a7f..6b9450a 100644
--- a/isolated_app.te
+++ b/isolated_app.te

@@ -18,9 +18,6 @@
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
 
-# only allow unprivileged socket ioctl commands
-allowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
-
 # Google Breakpad (crash reporter for Chrome) relies on ptrace
 # functionality. Without the ability to ptrace, the crash reporter
 # tool is broken.

diff --git a/priv_app.te b/priv_app.te
index 4a25787..27551d0 100644
--- a/priv_app.te
+++ b/priv_app.te

@@ -77,6 +77,9 @@
 allow priv_app sysfs_zram:dir search;
 allow priv_app sysfs_zram:file r_file_perms;
 
+# access the mac address
+allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
+
 ###
 ### neverallow rules
 ###

diff --git a/untrusted_app.te b/untrusted_app.te
index 9e41873..3f9d39c 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te

@@ -87,9 +87,6 @@
 allow untrusted_app surfaceflinger_service:service_manager find;
 allow untrusted_app app_api_service:service_manager find;
 
-# only allow unprivileged socket ioctl commands
-allowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
-
 # Allow GMS core to access perfprofd output, which is stored
 # in /data/misc/perfprofd/. GMS core will need to list all
 # data stored in that directory to process them one by one.