From 87f3802a8edcb1ee9668417b118844132a207df0 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Wed, 28 Jan 2015 17:46:30 -0800 Subject: [PATCH] appdomain: relax netlink_socket neverallow rule Relax the neverallow netlink restrictions for app domains. In particular, some non-AOSP app domains may use netlink sockets to communicate with a kernel driver. Continue to neverallow generic netlink sockets for untrusted_app. The intention here is that only app domains which explicitly need this functionality should be able to request it. This change does not add or remove any SELinux rules. Rather, it just changes SELinux compile time assertions, as well as allowing this behavior in CTS. Modify other neverallow rules to use "domain" instead of "self". Apps shouldn't be able to handle netlink sockets, even those created in other SELinux domains. (cherry picked from commit d31936f89c49bc5c54b84bd5095f3c417da14935) Change-Id: I4763cb0c9510220693c506636dbb7584712b67e2 --- app.te | 5 ++--- untrusted_app.te | 5 ++++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/app.te b/app.te index 4abf5944..423be141 100644 --- a/app.te +++ b/app.te @@ -229,8 +229,7 @@ neverallow appdomain tee_device:chr_file { read write }; # Privileged netlink socket interfaces. neverallow appdomain - self:{ - netlink_socket + domain:{ netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket @@ -243,7 +242,7 @@ neverallow appdomain # These messages are broadcast messages from the kernel to userspace. # Do not allow the writing of netlink messages, which has been a source # of rooting vulns in the past. -neverallow appdomain self:netlink_kobject_uevent_socket { write append }; +neverallow appdomain domain:netlink_kobject_uevent_socket { write append }; # Sockets under /dev/socket that are not specifically typed. neverallow appdomain socket_device:sock_file write; diff --git a/untrusted_app.te b/untrusted_app.te index 2a8c170a..1142b7a8 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -69,7 +69,10 @@ allow untrusted_app cache_file:file create_file_perms; ### # Receive or send uevent messages. -neverallow untrusted_app self:netlink_kobject_uevent_socket *; +neverallow untrusted_app domain:netlink_kobject_uevent_socket *; + +# Receive or send generic netlink messages +neverallow untrusted_app domain:netlink_socket *; # Too much leaky information in debugfs. It's a security # best practice to ensure these files aren't readable.