From 087318957f26e921d62f2e234fc14bff3c59030e Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 10 Apr 2018 12:47:48 -0700
Subject: [PATCH] Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
---
private/compat/26.0/26.0.cil | 1 +
private/compat/27.0/27.0.cil | 1 +
private/genfs_contexts | 2 ++
private/mdnsd.te | 2 +-
private/netutils_wrapper.te | 2 +-
private/platform_app.te | 7 +++++
private/priv_app.te | 22 ++++++++++++++++
private/storaged.te | 5 +++-
private/system_app.te | 7 +++++
private/system_server.te | 2 +-
private/untrusted_app_25.te | 6 +++++
private/untrusted_app_27.te | 6 +++++
private/untrusted_app_all.te | 12 +++++++++
private/zygote.te | 5 +++-
public/app.te | 49 +++++++++++++++++++----------------
public/attributes | 7 +++++
public/clatd.te | 5 +++-
public/dhcp.te | 2 +-
public/domain.te | 2 +-
public/dumpstate.te | 2 +-
public/file.te | 3 ++-
public/hal_telephony.te | 2 +-
public/hal_wifi.te | 2 +-
public/hal_wifi_hostapd.te | 2 +-
public/hal_wifi_offload.te | 2 +-
public/hal_wifi_supplicant.te | 2 +-
public/init.te | 4 +--
public/logd.te | 5 +++-
public/netd.te | 4 +--
public/ppp.te | 2 +-
public/preopt2cachename.te | 5 +++-
public/shell.te | 2 +-
public/vendor_init.te | 4 +--
public/vold.te | 6 ++++-
public/wificond.te | 2 +-
35 files changed, 144 insertions(+), 50 deletions(-)
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index a78b6572f..ef5017cdc 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -499,6 +499,7 @@
(typeattributeset proc_modules_26_0 (proc_modules))
(typeattributeset proc_net_26_0
( proc_net
+ proc_net_vpn
proc_qtaguid_stat))
(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
(typeattributeset proc_perf_26_0 (proc_perf))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 2ccf70918..e1b30a5a2 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1213,6 +1213,7 @@
(typeattributeset proc_modules_27_0 (proc_modules))
(typeattributeset proc_net_27_0
( proc_net
+ proc_net_vpn
proc_qtaguid_stat))
(typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
(typeattributeset proc_perf_27_0 (proc_perf))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3d2528d31..86ddac11e 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -17,6 +17,8 @@ genfscon proc /misc u:object_r:proc_misc:s0
genfscon proc /modules u:object_r:proc_modules:s0
genfscon proc /mounts u:object_r:proc_mounts:s0
genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/tcp u:object_r:proc_net_vpn:s0
+genfscon proc /net/udp u:object_r:proc_net_vpn:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
diff --git a/private/mdnsd.te b/private/mdnsd.te
index 96259e298..943f9794c 100644
--- a/private/mdnsd.te
+++ b/private/mdnsd.te
@@ -9,4 +9,4 @@ init_daemon_domain(mdnsd)
net_domain(mdnsd)
# Read from /proc/net
-r_dir_file(mdnsd, proc_net)
+r_dir_file(mdnsd, proc_net_type)
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index f56e8d861..77747e8c5 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -6,7 +6,7 @@ r_dir_file(netutils_wrapper, system_file);
allow netutils_wrapper self:global_capability_class_set net_raw;
allow netutils_wrapper system_file:file { execute execute_no_trans };
-allow netutils_wrapper proc_net:file { open read getattr };
+allow netutils_wrapper proc_net_type:file { open read getattr };
allow netutils_wrapper self:rawip_socket create_socket_perms;
allow netutils_wrapper self:udp_socket create_socket_perms;
allow netutils_wrapper self:global_capability_class_set net_admin;
diff --git a/private/platform_app.te b/private/platform_app.te
index 80b20e145..97d3035cf 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -45,6 +45,13 @@ allow platform_app {
proc_vmstat
}:file r_file_perms;
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(platform_app, proc_net_type)
+userdebug_or_eng(`
+ auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index 0841c41f6..d671af8fe 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -85,6 +85,28 @@ allow priv_app {
proc_vmstat
}:file r_file_perms;
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(priv_app, proc_net_type)
+userdebug_or_eng(`
+ auditallow priv_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+# TODO(b/68774956) qtaguid access has been moved to netd. Access is deprecated. Audit for
+# removal.
+allow priv_app proc_qtaguid_ctrl:file rw_file_perms;
+userdebug_or_eng(`
+ auditallow priv_app proc_qtaguid_ctrl:file rw_file_perms;
+')
+r_dir_file(priv_app, proc_qtaguid_stat)
+userdebug_or_eng(`
+ auditallow priv_app proc_qtaguid_stat:dir r_dir_perms;
+ auditallow priv_app proc_qtaguid_stat:file r_file_perms;
+')
+allow priv_app qtaguid_device:chr_file r_file_perms;
+userdebug_or_eng(`
+ auditallow priv_app qtaguid_device:chr_file r_file_perms;
+')
+
allow priv_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
r_dir_file(priv_app, sysfs_net)
diff --git a/private/storaged.te b/private/storaged.te
index 8ad872f61..663de004f 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -5,7 +5,10 @@ type storaged_exec, exec_type, file_type;
init_daemon_domain(storaged)
# Read access to pseudo filesystems
-r_dir_file(storaged, proc_net)
+r_dir_file(storaged, proc_net_type)
+userdebug_or_eng(`
+ auditallow storaged proc_net_type:{ dir file lnk_file } { getattr open read };
+')
r_dir_file(storaged, domain)
# Read /proc/uid_io/stats
diff --git a/private/system_app.te b/private/system_app.te
index b2f83764f..f8b00502d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -105,6 +105,13 @@ allow system_app keystore:keystore_key {
user_changed
};
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(system_app, proc_net_type)
+userdebug_or_eng(`
+ auditallow system_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
# settings app reads /proc/version
allow system_app {
proc_version
diff --git a/private/system_server.te b/private/system_server.te
index 79260b24d..f5aafe364 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -726,7 +726,7 @@ r_dir_file(system_server, cgroup)
allow system_server ion_device:chr_file r_file_perms;
r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_net)
+r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
proc_loadavg
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index ba2c1e1c7..09207e254 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -40,3 +40,9 @@ allow untrusted_app_25 proc_misc:file r_file_perms;
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
+
+# qtaguid access. This is not a public API. Access will be removed in a
+# future version of Android.
+allow untrusted_app_25 proc_qtaguid_ctrl:file rw_file_perms;
+r_dir_file(untrusted_app_25, proc_qtaguid_stat)
+allow untrusted_app_25 qtaguid_device:chr_file r_file_perms;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 79c776287..22a9343f2 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -26,3 +26,9 @@ app_domain(untrusted_app_27)
untrusted_app_domain(untrusted_app_27)
net_domain(untrusted_app_27)
bluetooth_domain(untrusted_app_27)
+
+# qtaguid access. This is not a public API. Access will be removed in a
+# future version of Android.
+allow untrusted_app_27 proc_qtaguid_ctrl:file rw_file_perms;
+r_dir_file(untrusted_app_27, proc_qtaguid_stat)
+allow untrusted_app_27 qtaguid_device:chr_file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 6cf166827..926a49b8b 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -138,3 +138,15 @@ dontaudit untrusted_app_all net_dns_prop:file read;
dontaudit untrusted_app_all proc_stat:file read;
dontaudit untrusted_app_all proc_vmstat:file read;
dontaudit untrusted_app_all proc_uptime:file read;
+
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# VPN apps require access to /proc/net/{tcp,udp} so access will need to be
+# limited through a mechanism other than SELinux.
+r_dir_file(untrusted_app_all, proc_net_type)
+userdebug_or_eng(`
+ auditallow untrusted_app_all {
+ proc_net_type
+ -proc_net_vpn
+ }:{ dir file lnk_file } { getattr open read };
+')
diff --git a/private/zygote.te b/private/zygote.te
index ab707f155..b4aa462ef 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -93,7 +93,10 @@ allow zygote storage_file:dir { search mounton };
allow zygote zygote_exec:file rx_file_perms;
# Read access to pseudo filesystems.
-r_dir_file(zygote, proc_net)
+r_dir_file(zygote, proc_net_type)
+userdebug_or_eng(`
+ auditallow zygote proc_net_type:{ dir file lnk_file } { getattr open read };
+')
# Root fs.
r_dir_file(zygote, rootfs)
diff --git a/public/app.te b/public/app.te
index 2a32695ae..8c8935a83 100644
--- a/public/app.te
+++ b/public/app.te
@@ -174,30 +174,33 @@ userdebug_or_eng(`
allow appdomain heapdump_data_file:file append;
')
-r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow {
- untrusted_app_25
- untrusted_app_27
- ephemeral_app
- priv_app
-} proc_qtaguid_ctrl:file rw_file_perms;
-# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
-# Exclude isolated app which may not use network sockets.
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
r_dir_file({
- untrusted_app_25
- untrusted_app_27
- ephemeral_app
- priv_app
-}, proc_qtaguid_stat)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow {
- untrusted_app_25
- untrusted_app_27
- ephemeral_app
- priv_app
-} qtaguid_device:chr_file r_file_perms;
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -system_app
+ -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+ auditallow {
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -system_app
+ -untrusted_app_all
+ } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
diff --git a/public/attributes b/public/attributes
index 159d28e4e..f53075230 100644
--- a/public/attributes
+++ b/public/attributes
@@ -39,6 +39,13 @@ attribute vendor_file_type;
# All types used for procfs files.
attribute proc_type;
+# Types in /proc/net, excluding qtaguid types.
+# TODO(b/9496886) Lock down access to /proc/net.
+# This attribute is used to audit access to proc_net. it is temporary and will
+# be removed.
+attribute proc_net_type;
+expandattribute proc_net_type true;
+
# All types used for sysfs files.
attribute sysfs_type;
diff --git a/public/clatd.te b/public/clatd.te
index ee44abf7c..53d6582c1 100644
--- a/public/clatd.te
+++ b/public/clatd.te
@@ -4,7 +4,10 @@ type clatd_exec, exec_type, file_type;
net_domain(clatd)
-r_dir_file(clatd, proc_net)
+r_dir_file(clatd, proc_net_type)
+userdebug_or_eng(`
+ auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
# Access objects inherited from netd.
allow clatd netd:fd use;
diff --git a/public/dhcp.te b/public/dhcp.te
index 1f1ef2b48..6ed983260 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -15,7 +15,7 @@ not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
allow dhcp toolbox_exec:file rx_file_perms;
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net:file write;
+allow dhcp proc_net_type:file write;
set_prop(dhcp, dhcp_prop)
set_prop(dhcp, pan_result_prop)
diff --git a/public/domain.te b/public/domain.te
index 89e58ed1e..981783d33 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -23,7 +23,7 @@ allow domain self:process {
};
allow domain self:fd use;
allow domain proc:dir r_dir_perms;
-allow domain proc_net:dir search;
+allow domain proc_net_type:dir search;
r_dir_file(domain, self)
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 6cece1d76..049155c37 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -161,7 +161,7 @@ allow dumpstate {
proc_cmdline
proc_meminfo
proc_modules
- proc_net
+ proc_net_type
proc_pipe_conf
proc_pagetypeinfo
proc_qtaguid_ctrl
diff --git a/public/file.te b/public/file.te
index 6e755e49d..dd7fdeb63 100644
--- a/public/file.te
+++ b/public/file.te
@@ -35,7 +35,8 @@ type proc_meminfo, fs_type, proc_type;
type proc_misc, fs_type, proc_type;
type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type, proc_type;
-type proc_net, fs_type, proc_type;
+type proc_net, fs_type, proc_type, proc_net_type;
+type proc_net_vpn, fs_type, proc_type, proc_net_type;
type proc_page_cluster, fs_type, proc_type;
type proc_pagetypeinfo, fs_type, proc_type;
type proc_panic, fs_type, proc_type;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 31859aa51..8456c1537 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -39,7 +39,7 @@ allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perm
# Access to wake locks
wakelock_use(hal_telephony_server)
-r_dir_file(hal_telephony_server, proc_net)
+r_dir_file(hal_telephony_server, proc_net_type)
r_dir_file(hal_telephony_server, sysfs_type)
r_dir_file(hal_telephony_server, system_file)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 78823d002..7c5f57871 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -5,7 +5,7 @@ binder_call(hal_wifi_server, hal_wifi_client)
add_hwservice(hal_wifi_server, hal_wifi_hwservice)
allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
-r_dir_file(hal_wifi, proc_net)
+r_dir_file(hal_wifi, proc_net_type)
r_dir_file(hal_wifi, sysfs_type)
set_prop(hal_wifi, wifi_prop)
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index 03a554674..73bf037b1 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -10,7 +10,7 @@ allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_r
allow hal_wifi_hostapd_server sysfs_net:dir search;
# Allow hal_wifi_hostapd to access /proc/net/psched
-allow hal_wifi_hostapd_server proc_net:file { getattr open read };
+allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };
# Various socket permissions.
allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te
index dc0cf5a73..f74ed05ff 100644
--- a/public/hal_wifi_offload.te
+++ b/public/hal_wifi_offload.te
@@ -5,5 +5,5 @@ binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
-r_dir_file(hal_wifi_offload, proc_net)
+r_dir_file(hal_wifi_offload, proc_net_type)
r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 6bf0d3265..3d617661f 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -9,7 +9,7 @@ allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
-r_dir_file(hal_wifi_supplicant, proc_net)
+r_dir_file(hal_wifi_supplicant, proc_net_type)
allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
diff --git a/public/init.te b/public/init.te
index 254d8e080..769db3c72 100644
--- a/public/init.te
+++ b/public/init.te
@@ -275,7 +275,7 @@ allow init kernel:system syslog_mod;
allow init self:global_capability2_class_set syslog;
# init access to /proc.
-r_dir_file(init, proc_net)
+r_dir_file(init, proc_net_type)
allow init {
proc_cmdline
@@ -293,7 +293,7 @@ allow init {
proc_hostname
proc_hung_task
proc_extra_free_kbytes
- proc_net
+ proc_net_type
proc_max_map_count
proc_min_free_order_shift
proc_overcommit_memory
diff --git a/public/logd.te b/public/logd.te
index 817a7059f..23318b0f9 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -6,7 +6,10 @@ type logd_exec, exec_type, file_type;
r_dir_file(logd, cgroup)
r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)
-r_dir_file(logd, proc_net)
+r_dir_file(logd, proc_net_type)
+userdebug_or_eng(`
+ auditallow logd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
allow logd self:global_capability2_class_set syslog;
diff --git a/public/netd.te b/public/netd.te
index 545ad7c1a..433761c70 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -41,9 +41,9 @@ allow netd proc_qtaguid_ctrl:file rw_file_perms;
# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
allow netd qtaguid_device:chr_file r_file_perms;
-r_dir_file(netd, proc_net)
+r_dir_file(netd, proc_net_type)
# For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file rw_file_perms;
+allow netd proc_net_type:file rw_file_perms;
# Enables PppController and interface enumeration (among others)
allow netd sysfs:dir r_dir_perms;
diff --git a/public/ppp.te b/public/ppp.te
index 9340dee87..8d79477c2 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -5,7 +5,7 @@ type ppp_exec, exec_type, file_type;
net_domain(ppp)
-r_dir_file(ppp, proc_net)
+r_dir_file(ppp, proc_net_type)
allow ppp mtp:socket rw_socket_perms;
diff --git a/public/preopt2cachename.te b/public/preopt2cachename.te
index 49df64725..514100fdc 100644
--- a/public/preopt2cachename.te
+++ b/public/preopt2cachename.te
@@ -10,4 +10,7 @@ allow preopt2cachename cppreopts:fd use;
allow preopt2cachename cppreopts:fifo_file { getattr read write };
# Allow write to logcat.
-allow preopt2cachename proc_net:file r_file_perms;
+allow preopt2cachename proc_net_type:file r_file_perms;
+userdebug_or_eng(`
+ auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
+')
diff --git a/public/shell.te b/public/shell.te
index c5033ecfc..e76b34b94 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -112,7 +112,7 @@ hwbinder_use(shell)
allow shell hwservicemanager:hwservice_manager list;
# allow shell to look through /proc/ for lsmod, ps, top, netstat.
-r_dir_file(shell, proc_net)
+r_dir_file(shell, proc_net_type)
allow shell {
proc_asound
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 6a13f6913..ec4aaf52f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -123,8 +123,8 @@ allow vendor_init {
allow vendor_init dev_type:blk_file getattr;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(vendor_init, proc_net)
-allow vendor_init proc_net:file w_file_perms;
+r_dir_file(vendor_init, proc_net_type)
+allow vendor_init proc_net_type:file w_file_perms;
allow vendor_init self:global_capability_class_set net_admin;
# Write to /proc/sys/vm/page-cluster
diff --git a/public/vold.te b/public/vold.te
index 95847cf64..b41484623 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -8,7 +8,11 @@ allow vold cache_file:file { getattr read };
allow vold cache_file:lnk_file r_file_perms;
# Read access to pseudo filesystems.
-r_dir_file(vold, proc_net)
+r_dir_file(vold, proc_net_type)
+userdebug_or_eng(`
+ auditallow vold proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
r_dir_file(vold, sysfs_type)
# XXX Label sysfs files with a specific type?
allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
diff --git a/public/wificond.te b/public/wificond.te
index 1f0936e79..f84f25037 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -20,7 +20,7 @@ allow wificond self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
-r_dir_file(wificond, proc_net)
+r_dir_file(wificond, proc_net_type)
# allow wificond to check permission for dumping logs
allow wificond permission_service:service_manager find;
--
GitLab