Do not allow apps to access network address file

Bug: 18068520 Bug: 21852542 Change-Id: I080547c61cbaacb18e003a9b2366e2392a6521ff

Do not allow apps to access network address file
Bug: 18068520 Bug: 21852542 Change-Id: I080547c61cbaacb18e003a9b2366e2392a6521ff
2dabf174 · Jeff Vander Stoep · 1a6e29e2 · 2dabf174 · 2dabf174 · 2dabf174
Commit 2dabf174 authored 9 years ago by Jeff Vander Stoep
--- a/file.te
+++ b/file.te
@@ -21,6 +21,7 @@ type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_mac_address, fs_type, sysfs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller

--- a/system_server.te
+++ b/system_server.te
@@ -417,6 +417,9 @@ allow system_server sdcard_type:dir { getattr search };
 # Traverse into expanded storage
 allow system_server mnt_expand_file:dir r_dir_perms;

+# Allow system process to read network MAC address
+allow system_server sysfs_mac_address:file r_file_perms;
+
 ###
 ### Neverallow rules
 ###

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -142,3 +142,6 @@ neverallow untrusted_app mlstrustedsubject:process fork;
 # bugs, so we want to ensure untrusted_app never has this
 # capability.
 neverallow untrusted_app file_type:file link;
+
+# Do not allow untrusted_app to access network MAC address file
+neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;