Enforce ioctl command whitelisting on all sockets
Remove the ioctl permission for most socket types. For others, such as
tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist
that individual domains may extend (except where neverallowed like
untrusted_app). Enforce via a neverallowxperm rule.
Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
diff --git a/netd.te b/netd.te
index 515ad4f..976c43d 100644
--- a/netd.te
+++ b/netd.te
@@ -4,6 +4,8 @@
init_daemon_domain(netd)
net_domain(netd)
+# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
allow netd system_server:fd use;
@@ -17,13 +19,13 @@
# for netd to operate.
dontaudit netd self:capability fsetid;
-allow netd self:netlink_kobject_uevent_socket create_socket_perms;
+allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow netd self:netlink_route_socket nlmsg_write;
-allow netd self:netlink_nflog_socket create_socket_perms;
-allow netd self:netlink_socket create_socket_perms;
-allow netd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };
-allow netd self:netlink_generic_socket create_socket_perms;
-allow netd self:netlink_netfilter_socket create_socket_perms;
+allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
allow netd devpts:chr_file rw_file_perms;