app: expand socket ioctl restrictions to all apps
Exempt bluetooth which has net_admin capability.
Allow Droidguard to access the MAC address - droidguard runs in
priv_app domain.
Change-Id: Ia3cf07f4a96353783b2cfd7fc4506b7034daa2f1
diff --git a/app.te b/app.te
index 48aebbf..fef3c3a 100644
--- a/app.te
+++ b/app.te
@@ -205,6 +205,9 @@
allow appdomain console_device:chr_file { read write };
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
###
### CTS-specific rules
###
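Review bot: The added allowxperm rule filters ioctl commands only on rawip_socket, tcp_socket and udp_socket; for any other socket class on which appdomain already holds the base ioctl permission there is still no extended-permission rule, so as I read SELinux xperm semantics every command remains allowed there. The comment should state that scope so nobody reads it as a blanket restriction, e.g. `# only allow unprivileged socket ioctl commands on IP sockets (rawip/tcp/udp); other socket classes are not xperm-filtered here`. It would also be worth pairing the allow with a neverallowxperm for `{ appdomain -bluetooth }` over the commands outside unpriv_sock_ioctls, so that a later per-domain allowxperm cannot quietly widen the set; that needs a macro naming the privileged commands, which is not on this page. The unpriv_sock_ioctls macro itself is defined outside this diff.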
diff --git a/isolated_app.te b/isolated_app.te
index 1e40a7f..6b9450a 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,9 +18,6 @@
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
-# only allow unprivileged socket ioctl commands
-allowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
-
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
diff --git a/priv_app.te b/priv_app.te
index 4a25787..27551d0 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -77,6 +77,9 @@
allow priv_app sysfs_zram:dir search;
allow priv_app sysfs_zram:file r_file_perms;
+# access the mac address
+allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
+
###
### neverallow rules
###
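Review bot: The comment on the added allowxperm line says what is granted but not who needs it; the commit message says Droidguard runs in priv_app, and that justification belongs next to the rule so the grant can be revisited when that consumer changes, e.g. `# Droidguard (runs in priv_app) reads the MAC address via SIOCGIFHWADDR`. Because the rule is keyed on the priv_app domain, every priv_app receives this ioctl, not only Droidguard, and the comment should make that explicit. As I understand allowxperm, this rule is additive to the appdomain-wide unpriv_sock_ioctls set on udp_socket, and limiting it to udp_socket keeps the grant as narrow as the commit message supports.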
diff --git a/untrusted_app.te b/untrusted_app.te
index 9e41873..3f9d39c 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -87,9 +87,6 @@
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app app_api_service:service_manager find;
-# only allow unprivileged socket ioctl commands
-allowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
-
# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one.