Start the process of locking down proc/net

Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457

private/compat/26.0/26.0.cil

@@ -499,6 +499,7 @@
 (typeattributeset proc_modules_26_0 (proc_modules))
 (typeattributeset proc_net_26_0
   ( proc_net
+    proc_net_vpn
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_26_0 (proc_perf))

private/compat/27.0/27.0.cil

@@ -1213,6 +1213,7 @@
 (typeattributeset proc_modules_27_0 (proc_modules))
 (typeattributeset proc_net_27_0
   ( proc_net
+    proc_net_vpn
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_27_0 (proc_perf))

private/genfs_contexts

@@ -17,6 +17,8 @@ genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /mounts u:object_r:proc_mounts:s0
 genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/tcp u:object_r:proc_net_vpn:s0
+genfscon proc /net/udp u:object_r:proc_net_vpn:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
 genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0

private/mdnsd.te

@@ -9,4 +9,4 @@ init_daemon_domain(mdnsd)
 net_domain(mdnsd)
 
 # Read from /proc/net
-r_dir_file(mdnsd, proc_net)
+r_dir_file(mdnsd, proc_net_type)

private/netutils_wrapper.te

@@ -6,7 +6,7 @@ r_dir_file(netutils_wrapper, system_file);
 allow netutils_wrapper self:global_capability_class_set net_raw;
 
 allow netutils_wrapper system_file:file { execute execute_no_trans };
-allow netutils_wrapper proc_net:file { open read getattr };
+allow netutils_wrapper proc_net_type:file { open read getattr };
 allow netutils_wrapper self:rawip_socket create_socket_perms;
 allow netutils_wrapper self:udp_socket create_socket_perms;
 allow netutils_wrapper self:global_capability_class_set net_admin;

private/platform_app.te

@@ -45,6 +45,13 @@ allow platform_app {
   proc_vmstat
 }:file r_file_perms;
 
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(platform_app, proc_net_type)
+userdebug_or_eng(`
+  auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;

private/priv_app.te

@@ -85,6 +85,28 @@ allow priv_app {
   proc_vmstat
 }:file r_file_perms;
 
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(priv_app, proc_net_type)
+userdebug_or_eng(`
+  auditallow priv_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+# TODO(b/68774956) qtaguid access has been moved to netd. Access is deprecated. Audit for
+# removal.
+allow priv_app proc_qtaguid_ctrl:file rw_file_perms;
+userdebug_or_eng(`
+  auditallow priv_app proc_qtaguid_ctrl:file rw_file_perms;
+')
+r_dir_file(priv_app, proc_qtaguid_stat)
+userdebug_or_eng(`
+  auditallow priv_app proc_qtaguid_stat:dir r_dir_perms;
+  auditallow priv_app proc_qtaguid_stat:file r_file_perms;
+')
+allow priv_app qtaguid_device:chr_file r_file_perms;
+userdebug_or_eng(`
+  auditallow priv_app qtaguid_device:chr_file r_file_perms;
+')
+
 allow priv_app sysfs_type:dir search;
 # Read access to /sys/class/net/wlan*/address
 r_dir_file(priv_app, sysfs_net)

private/storaged.te

@@ -5,7 +5,10 @@ type storaged_exec, exec_type, file_type;
 init_daemon_domain(storaged)
 
 # Read access to pseudo filesystems
-r_dir_file(storaged, proc_net)
+r_dir_file(storaged, proc_net_type)
+userdebug_or_eng(`
+  auditallow storaged proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 r_dir_file(storaged, domain)
 
 # Read /proc/uid_io/stats

private/system_app.te

@@ -105,6 +105,13 @@ allow system_app keystore:keystore_key {
     user_changed
 };
 
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(system_app, proc_net_type)
+userdebug_or_eng(`
+  auditallow system_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
 # settings app reads /proc/version
 allow system_app {
   proc_version

private/system_server.te

@@ -726,7 +726,7 @@ r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
 
 r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_net)
+r_dir_file(system_server, proc_net_type)
 r_dir_file(system_server, proc_qtaguid_stat)
 allow system_server {
   proc_loadavg

private/untrusted_app_25.te

@@ -40,3 +40,9 @@ allow untrusted_app_25 proc_misc:file r_file_perms;
 # https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
 # This will go away in a future Android release
 allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
+
+# qtaguid access. This is not a public API. Access will be removed in a
+# future version of Android.
+allow untrusted_app_25 proc_qtaguid_ctrl:file rw_file_perms;
+r_dir_file(untrusted_app_25, proc_qtaguid_stat)
+allow untrusted_app_25 qtaguid_device:chr_file r_file_perms;

private/untrusted_app_27.te

@@ -26,3 +26,9 @@ app_domain(untrusted_app_27)
 untrusted_app_domain(untrusted_app_27)
 net_domain(untrusted_app_27)
 bluetooth_domain(untrusted_app_27)
+
+# qtaguid access. This is not a public API. Access will be removed in a
+# future version of Android.
+allow untrusted_app_27 proc_qtaguid_ctrl:file rw_file_perms;
+r_dir_file(untrusted_app_27, proc_qtaguid_stat)
+allow untrusted_app_27 qtaguid_device:chr_file r_file_perms;

private/untrusted_app_all.te

@@ -138,3 +138,15 @@ dontaudit untrusted_app_all net_dns_prop:file read;
 dontaudit untrusted_app_all proc_stat:file read;
 dontaudit untrusted_app_all proc_vmstat:file read;
 dontaudit untrusted_app_all proc_uptime:file read;
+
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# VPN apps require access to /proc/net/{tcp,udp} so access will need to be
+# limited through a mechanism other than SELinux.
+r_dir_file(untrusted_app_all, proc_net_type)
+userdebug_or_eng(`
+  auditallow untrusted_app_all {
+    proc_net_type
+    -proc_net_vpn
+  }:{ dir file lnk_file } { getattr open read };
+')

private/zygote.te

@@ -93,7 +93,10 @@ allow zygote storage_file:dir { search mounton };
 allow zygote zygote_exec:file rx_file_perms;
 
 # Read access to pseudo filesystems.
-r_dir_file(zygote, proc_net)
+r_dir_file(zygote, proc_net_type)
+userdebug_or_eng(`
+  auditallow zygote proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 # Root fs.
 r_dir_file(zygote, rootfs)

public/app.te

@@ -174,30 +174,33 @@ userdebug_or_eng(`
   allow appdomain heapdump_data_file:file append;
 ')
 
-r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow {
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-} proc_qtaguid_ctrl:file rw_file_perms;
-# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
-# Exclude isolated app which may not use network sockets.
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
 r_dir_file({
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-}, proc_qtaguid_stat)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow {
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-} qtaguid_device:chr_file r_file_perms;
+  appdomain
+  -ephemeral_app
+  -isolated_app
+  -platform_app
+  -priv_app
+  -shell
+  -system_app
+  -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+  auditallow {
+    appdomain
+    -ephemeral_app
+    -isolated_app
+    -platform_app
+    -priv_app
+    -shell
+    -system_app
+    -untrusted_app_all
+  } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.

public/attributes

@@ -39,6 +39,13 @@ attribute vendor_file_type;
 # All types used for procfs files.
 attribute proc_type;
 
+# Types in /proc/net, excluding qtaguid types.
+# TODO(b/9496886) Lock down access to /proc/net.
+# This attribute is used to audit access to proc_net. it is temporary and will
+# be removed.
+attribute proc_net_type;
+expandattribute proc_net_type true;
+
 # All types used for sysfs files.
 attribute sysfs_type;
 

public/clatd.te

@@ -4,7 +4,10 @@ type clatd_exec, exec_type, file_type;
 
 net_domain(clatd)
 
-r_dir_file(clatd, proc_net)
+r_dir_file(clatd, proc_net_type)
+userdebug_or_eng(`
+  auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 # Access objects inherited from netd.
 allow clatd netd:fd use;

public/dhcp.te

@@ -15,7 +15,7 @@ not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
 allow dhcp toolbox_exec:file rx_file_perms;
 
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net:file write;
+allow dhcp proc_net_type:file write;
 
 set_prop(dhcp, dhcp_prop)
 set_prop(dhcp, pan_result_prop)

public/domain.te

@@ -23,7 +23,7 @@ allow domain self:process {
 };
 allow domain self:fd use;
 allow domain proc:dir r_dir_perms;
-allow domain proc_net:dir search;
+allow domain proc_net_type:dir search;
 r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;
 allow domain self:unix_dgram_socket { create_socket_perms sendto };

public/dumpstate.te

@@ -161,7 +161,7 @@ allow dumpstate {
   proc_cmdline
   proc_meminfo
   proc_modules
-  proc_net
+  proc_net_type
   proc_pipe_conf
   proc_pagetypeinfo
   proc_qtaguid_ctrl