Merge "Disallow access to proc_net for ephemeral_app"

2e7fa9d8 · Chad Brubaker · Gerrit Code Review · d3266558 · c4a938e7 · 2e7fa9d8
Commit 2e7fa9d8 authored 8 years ago by Chad Brubaker Committed by Gerrit Code Review 8 years ago
--- a/private/app.te
+++ b/private/app.te
@@ -133,7 +133,7 @@ userdebug_or_eng(`
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
 # read /proc/net/xt_qtguid/stats
-r_dir_file(appdomain, proc_net)
+r_dir_file({ appdomain -ephemeral_app}, proc_net)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;

--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -52,3 +52,7 @@ neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
 # Directly access external storage
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;