Enforce ioctl command whitelisting on all sockets

Remove the ioctl permission for most socket types. For the others, such as
tcp/udp/rawip/unix_dgram/unix_stream, set a default unprivileged whitelist
that individual domains may extend (except where this is neverallowed, e.g.
untrusted_app). Enforce the restriction via a neverallowxperm rule.

Change-Id: I076c22d68887572ea255e221695594ad8cfa6101
diff --git a/sepolicy/apmanager.te b/sepolicy/apmanager.te
index a4e8260..5b54402 100644
--- a/sepolicy/apmanager.te
+++ b/sepolicy/apmanager.te
@@ -21,7 +21,7 @@
 allow apmanager self:capability { setuid fsetid kill net_admin net_bind_service net_raw setgid sys_module dac_override };
 allow apmanager self:netlink_route_socket { write getattr nlmsg_write read bind create nlmsg_read };
 allow apmanager self:netlink_socket { write getattr setopt read bind create };
-allow apmanager self:netlink_generic_socket create_socket_perms;
+allow apmanager self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow apmanager self:packet_socket { write ioctl setopt read bind create };
 allow apmanager apmanager_data_file:dir create_dir_perms;
 allow apmanager apmanager_data_file:file create_file_perms;
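Review bot: The `ioctl` kept on the line `allow apmanager self:packet_socket { write ioctl setopt read bind create };` has no matching `allowxperm`, so after this change the packet socket still permits every ioctl command unless a global default whitelist or the neverallowxperm rule (neither visible in this diff) happens to cover the `packet_socket` class. The firewalld and wifi_setup hunks in the same change make their remaining ioctl use explicit with `allowxperm <domain> self:<class> ioctl priv_sock_ioctls;`; the same shape here, `allowxperm apmanager self:packet_socket ioctl priv_sock_ioctls;`, would make the restriction explicit and keep the policy consistent, or `ioctl` can be dropped from the line if apmanager does not need it. Which commands apmanager actually issues on that socket is not visible here, so confirm against audit denials before narrowing.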
diff --git a/sepolicy/avahi.te b/sepolicy/avahi.te
index a9f7015..24fb0b0 100644
--- a/sepolicy/avahi.te
+++ b/sepolicy/avahi.te
@@ -8,4 +8,4 @@
 # Allow crash_reporter access to core dump files.
 allow_crash_reporter(avahi)
 
-allow avahi self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow avahi self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read };
diff --git a/sepolicy/bluetoothtbd.te b/sepolicy/bluetoothtbd.te
index a65e2c0..9f5f01f 100644
--- a/sepolicy/bluetoothtbd.te
+++ b/sepolicy/bluetoothtbd.te
@@ -26,7 +26,7 @@
 
 allow bluetoothtbd self:capability net_admin;
 allow bluetoothtbd self:capability2 wake_alarm;
-allow bluetoothtbd self:socket create_socket_perms;
+allow bluetoothtbd self:socket create_socket_perms_no_ioctl;
 
 # Allow crash_reporter access to core dump files.
 allow_crash_reporter(bluetoothtbd)
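Review bot: `allow bluetoothtbd self:socket create_socket_perms_no_ioctl;` drops ioctl on the generic `socket` class without adding a replacement `allowxperm`, and on policies without extended socket classes that generic class is where Bluetooth (HCI) sockets land; if the daemon brings up or queries the controller through socket ioctls those calls will now be denied. That is an inference from the class name, not something the diff shows, so watch for `avc: denied { ioctl }` on `socket` for bluetoothtbd after this lands. If some commands turn out to be required, grant them as an explicit list, `allowxperm bluetoothtbd self:socket ioctl { <commands> };`, rather than reinstating full `create_socket_perms`.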
diff --git a/sepolicy/firewalld.te b/sepolicy/firewalld.te
index 3175cd1..1c7fd48 100644
--- a/sepolicy/firewalld.te
+++ b/sepolicy/firewalld.te
@@ -10,6 +10,7 @@
 
 allow firewalld self:capability { net_admin net_raw };
 allow firewalld self:rawip_socket create_socket_perms;
+allowxperm firewalld self:rawip_socket ioctl priv_sock_ioctls;
 
 allow firewalld system_file:file rx_file_perms;
 
diff --git a/sepolicy/shill.te b/sepolicy/shill.te
index 2829485..345c28e 100644
--- a/sepolicy/shill.te
+++ b/sepolicy/shill.te
@@ -16,10 +16,10 @@
 
 # Following permissions are needed for shill.
 allow shill dbus_daemon:unix_stream_socket connectto;
-allow shill self:packet_socket create_socket_perms;
-allow shill self:netlink_socket create_socket_perms;
-allow shill self:netlink_route_socket { rw_socket_perms nlmsg_write };
-allow shill self:netlink_generic_socket create_socket_perms;
+allow shill self:packet_socket create_socket_perms_no_ioctl;
+allow shill self:netlink_socket create_socket_perms_no_ioctl;
+allow shill self:netlink_route_socket { rw_socket_perms_no_ioctl nlmsg_write };
+allow shill self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow shill proc_net:file w_file_perms;
 allow shill sysfs:file w_file_perms;
 allow shill wifi_sysfs_entry:file rw_file_perms;
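Review bot: All four of shill's socket classes lose `ioctl` in this hunk with no `allowxperm` added, unlike firewalld and wifi_setup in the same change, and a connection manager's packet and netlink sockets are the usual place for SIOC* interface ioctls; whether shill actually issues any is not visible from the diff. If it does, this hunk will surface as `ioctl` denials at runtime on `packet_socket` or the netlink classes. Prefer re-adding only an explicit list, `allowxperm shill self:packet_socket ioctl { <commands> };`, over restoring `create_socket_perms`. The rest of shill's rules continue outside this hunk, so there may be other socket classes in the file that were not updated here.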
diff --git a/sepolicy/wifi_setup.te b/sepolicy/wifi_setup.te
index 3323507..a361096 100644
--- a/sepolicy/wifi_setup.te
+++ b/sepolicy/wifi_setup.te
@@ -18,6 +18,7 @@
 # Permissions for WiFi driver initialization.
 allow wifi_setup self:capability { net_admin net_raw };
 allow wifi_setup self:udp_socket create_socket_perms;
+allowxperm wifi_setup self:udp_socket ioctl priv_sock_ioctls;
 allow wifi_setup sysfs:file w_file_perms;
 allow wifi_setup wifi_device:chr_file rw_file_perms;
 allow wifi_setup wifi_sysfs_entry:file rw_file_perms;
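Review bot: The added `allowxperm wifi_setup self:udp_socket ioctl priv_sock_ioctls;` sits under the "Permissions for WiFi driver initialization" comment but does not say why driver init needs the privileged ioctl set on a UDP socket rather than the default unprivileged udp whitelist. A short comment would help, e.g. `# Driver init uses privileged socket ioctls on a UDP socket (with net_admin/net_raw); extend the default unprivileged udp whitelist with priv_sock_ioctls.` The exact commands are not visible here, so list them once confirmed. As with firewalld, this rule only has effect because `allow wifi_setup self:udp_socket create_socket_perms;` still carries `ioctl`.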