From 424517721cb71bc842cc37d82e8b61a6a4a6e00a Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 28 Sep 2018 10:55:14 -0700
Subject: [PATCH] Remove access to /proc/net/{tcp,udp}

Remove these files from proc_net_type. Domains that need access must
have permission explicitly granted. Neverallow app access except the
shell domain.

Bug: 114475727
Test: atest CtsLibcoreOjTestCases
Test: netstat, lsof
Test: adb bugreport
Change-Id: I2304e3e98c0d637af78a361569466aa2fbe79fa0
---
 private/compat/26.0/26.0.cil | 2 +-
 private/compat/27.0/27.0.cil | 2 +-
 private/compat/28.0/28.0.cil | 2 +-
 private/dumpstate.te         | 1 +
 private/genfs_contexts       | 4 ++--
 private/shell.te             | 3 +++
 public/app.te                | 5 +++++
 public/file.te               | 2 +-
 8 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index dd605969f..187712ec5 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -504,7 +504,7 @@
 (typeattributeset proc_modules_26_0 (proc_modules))
 (typeattributeset proc_net_26_0
   ( proc_net
-    proc_net_vpn
+    proc_net_tcp_udp
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_26_0 (proc_perf))
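Review bot: Mapping proc_net_tcp_udp into proc_net_26_0 means any vendor domain built against the 26.0 policy that was granted proc_net_26_0 keeps reading /proc/net/{tcp,udp}, which is at odds with the commit description's "must have permission explicitly granted". If that is the intended compatibility carve-out (likely, since the old proc_net_vpn sat in the same set), a one-line CIL comment above the set such as `; proc_net_tcp_udp kept here so pre-P vendor domains retain legacy access` would make it clear this is deliberate rather than an oversight. The same applies to the 27.0 and 28.0 hunks.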
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 155cf4234..f792f3eb5 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1218,7 +1218,7 @@
 (typeattributeset proc_modules_27_0 (proc_modules))
 (typeattributeset proc_net_27_0
   ( proc_net
-    proc_net_vpn
+    proc_net_tcp_udp
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_27_0 (proc_perf))
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 5d47d23a7..18f5b01a1 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1399,7 +1399,7 @@
 (typeattributeset proc_mounts_28_0 (proc_mounts))
 (typeattributeset proc_net_28_0
   ( proc_net
-    proc_net_vpn))
+    proc_net_tcp_udp))
 (typeattributeset proc_overcommit_memory_28_0 (proc_overcommit_memory))
 (typeattributeset proc_page_cluster_28_0 (proc_page_cluster))
 (typeattributeset proc_pagetypeinfo_28_0 (proc_pagetypeinfo))
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b3db3d423..d1fbacccf 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -42,3 +42,4 @@ allow dumpstate dev_type:blk_file getattr;
 allow dumpstate webview_zygote:process signal;
 dontaudit dumpstate perfprofd:binder call;
 dontaudit dumpstate update_engine:binder call;
+allow dumpstate proc_net_tcp_udp:file r_file_perms;
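Review bot: The new allow rule has no why-comment, unlike the shell.te grant in this same change, so a later reader cannot tell whether dumpstate needs the socket tables itself or only for netstat-style output in bugreports. Suggest prefixing it with `# Read /proc/net/{tcp,udp} for netstat output in bugreports.` (the "Test: adb bugreport" trailer suggests that is the consumer, but it is not stated here). Since bugreports are user-shareable artifacts, it is worth confirming that exposing per-UID socket tables there is acceptable.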
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 410e7c65d..f87c08696 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -17,8 +17,8 @@ genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /mounts u:object_r:proc_mounts:s0
 genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/tcp u:object_r:proc_net_vpn:s0
-genfscon proc /net/udp u:object_r:proc_net_vpn:s0
+genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
+genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
 genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
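Review bot: Only /net/tcp and /net/udp are labeled here, yet the app.te comment in this change says apps may not read /proc/net/{tcp,tcp6,udp,udp6}; the IPv6 tables are covered only because genfscon matching is prefix-based, so /net/tcp6 and /net/udp6 (and /net/udplite) fall under these entries implicitly. That is fragile and not obvious from the file; either add explicit `genfscon proc /net/tcp6 u:object_r:proc_net_tcp_udp:s0` and `genfscon proc /net/udp6 u:object_r:proc_net_tcp_udp:s0` lines or a comment noting the prefix match is intentional. Other socket tables under /proc/net (raw, raw6, unix, sctp) keep the proc_net label and so are still governed by whatever proc_net rules exist elsewhere; if those remain app-readable they leak similar cross-app information and probably deserve the same treatment.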
diff --git a/private/shell.te b/private/shell.te
index 7b52a02ef..ee5b73cac 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -57,3 +57,6 @@ binder_call(shell, bufferhubd);
 
 # Allow shell to use atrace HAL
 hal_client_domain(shell, hal_atrace)
+
+# For hostside tests such as CTS listening ports test.
+allow shell proc_net_tcp_udp:file r_file_perms;
diff --git a/public/app.te b/public/app.te
index 62a63cdf1..5a8215211 100644
--- a/public/app.te
+++ b/public/app.te
@@ -577,3 +577,8 @@ neverallow appdomain proc_uid_concurrent_policy_time:file *;
 
 # Apps cannot access proc_uid_cpupower
 neverallow appdomain proc_uid_cpupower:file *;
+
+# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
+# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
+# perform UID lookups.
+neverallow { appdomain -shell } proc_net_tcp_udp:file *;
diff --git a/public/file.te b/public/file.te
index e567a6560..755bb98e0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -36,7 +36,7 @@ type proc_misc, fs_type, proc_type;
 type proc_modules, fs_type, proc_type;
 type proc_mounts, fs_type, proc_type;
 type proc_net, fs_type, proc_type, proc_net_type;
-type proc_net_vpn, fs_type, proc_type, proc_net_type;
+type proc_net_tcp_udp, fs_type, proc_type;
 type proc_page_cluster, fs_type, proc_type;
 type proc_pagetypeinfo, fs_type, proc_type;
 type proc_panic, fs_type, proc_type;
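Review bot: Dropping proc_net_type from this type silently revokes access for every domain whose rules are written against the proc_net_type attribute, not just apps, and this change re-grants only dumpstate and shell. The listed tests (libcore, netstat/lsof, bugreport) do not obviously cover other platform consumers of /proc/net/{tcp,udp}, so a denial sweep (or a grep for proc_net_type grants in domains such as netd, system_server or vendor HALs) before merging would confirm nothing else depended on the attribute. A brief comment on the new type line, e.g. `# Not proc_net_type: access must be granted per-domain (see app.te neverallow).`, would document that the omission is deliberate.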
-- 
GitLab